Presentation on theme: "And the finer details of patient privacy TCH Confidential Understanding HIPAA."— Presentation transcript:
And the finer details of patient privacy TCH Confidential Understanding HIPAA
Agenda High-level HIPAA Review Privacy Rule Challenges Security Rule “The Golden Rule”
Agenda Examples of Inappropriate Access Hypothetical Case Studies CHCO HIPAA P&P and Conduct Review
HIPAA Privacy Rule Protected health information (PHI) can be accessed for purposes of: Treatment Payment Healthcare operations Research approved by COMIRB
HIPAA Privacy Rule Challenges Accessing PHI for Training, education, and quality improvement are permitted by HIPAA Challenge is granular definition of appropriate access Anyone at any time can claim: “I was accessing record for education or QI”, even if access was not appropriate CHCO provides guidance in the “Accessing PHI for Training, Education, and Quality improvement” policy and procedure.
HIPAA Security Rule Individually identifiable logins for every person that access electronic patient information or systems that handle patient information No login/password sharing Secure or logoff workstations and applications when leaving them unattended
HIPAA Security Rule It is not okay to walk away from a computer workstation that is logged into Epic and leave it unattended Examples: going to lunch going to care for a patient in another room or area being away long enough for someone else to access patient information with your ID
“The Golden Rule” If you do not need to access a patient record specifically to do your job, don’t access the record.
Examples of Inappropriate Access Outside of Treatment, Payment, or Operations: Accessing celebrity information Accessing friend or relative information Accessing information for other companies/providers who want the information for marketing purposes
Examples of Inappropriate Access Outside of Treatment, Payment, or Operations: Accessing information for personal reasons Accessing co-workers’ patient information Accessing your own information Accessing your child’s records Just Being Curious or Concerned
Case Study UCLA Health System Staff Member: Job termination and 4 months in prison with $2000 fine for HIPAA violation 12
Hypothetical Case Studies A tragic auto accident involving a family with two children happened on Colfax right in front of the hospital entrance and you are part of the care team.
Hypothetical Case Studies I decide to “Friend” the families and post updates to let the very upset families know how their injured children are doing.
Hypothetical Case Studies I decide to “Friend” the families and post updates to let the very upset families know how their injured children are doing. This is not appropriate.
Hypothetical Case Studies Alternative: I will let the families know that I understand their concern but to respect my professional boundaries and privacy of the patients, I cannot communicate over social media. I will be happy to communicate in person, over the phone or MyChart.
Hypothetical Case Studies Alternative II: I will let the families know that I understand their concern. We can discuss whether they want to sign an authorization to allow us to communicate their children’s progress over email.
Hypothetical Case Studies A supervisor approaches me and asks me to look at their child’s diagnosis and bill for a visit.
Hypothetical Case Studies A supervisor approaches me and asks me to look at their child’s diagnosis and bill for a visit. This is not appropriate.
Hypothetical Case Studies Alternative: Tell supervisor that they need to contact their child’s physician for diagnosis information and Patient Financial Services for billing information.
Hypothetical Case Studies The daughter of a neighbor, a close friend, will be having surgery soon and I want to look in the EMR to find when the surgery is scheduled so I can lend support.
Hypothetical Case Studies The daughter of a neighbor, a close friend, will be having surgery soon and I want to look in the EMR to find when the surgery is scheduled so I can lend support. This is not appropriate.
Hypothetical Case Studies Alternative: I will ask my friend when the surgery is and let her know I would like to meet her in the surgical waiting area to lend support.
Hypothetical Case Studies My sister is concerned about her young daughter’s experience at a CHCO clinic and wants help.
Hypothetical Case Studies Can I look in the EMR to provide documentation to support her conversation with customer service?
Hypothetical Case Studies Can I look in the EMR to provide documentation to support her conversation with customer service? This is not appropriate.
Hypothetical Case Studies Alternative: Provide customer service contact info. It is okay to act as an advocate as long as you separate that role from your position at CHCO.
Hypothetical Case Studies A patient with a very unique case was seen in our clinic this morning. I’d like to access the medical record to learn how the physician treated the patient.
Hypothetical Case Studies A patient with a very unique case was seen in our clinic this morning. I’d like to access the medical record to learn how the physician treated the patient. It is inappropriate for a care provider to directly access a patient medical record of a patient they did not treat for educational purposes outside of formal case review, M & M review, or sanctioned quality improvement initiatives.
Break the Glass in Epic We have “Break the Glass” to protect sensitive patient info, but just because you don’t see a break the glass warning doesn’t mean access is appropriate.
P&Ps and Code of Conduct Confidentiality Information Security Code of Conduct HIPAA - Uses and Disclosures of PHI
From POLICY CHCO is committed to respecting the privacy of patients and staff by safeguarding the confidentiality of information/PHI entrusted to them. CHCO will abide by state, federal and international regulations concerning privacy and confidentiality. Access to information will be based on a need to know in order to perform one’s job duties.
Information Security From POLICY Users are expected to take adequate steps to secure confidential or sensitive information assets: lock file cabinets, offices doors and other premises housing valuable information resources Users must log off after using a workstation.
From Code of Conduct “Staff must not abuse their access to confidential information or even worse, abuse their position to discover confidential information that their job does not require them to know.”
HIPAA – Uses and Disclosures of PHI From POLICY General Releases - Uses and disclosures of PHI are permitted only with a valid authorization signed by the patient or his/her personal representative.
HIPAA – Uses and Disclosures of PHI Exceptions to this rule (i.e., no authorization is needed) are as follows: …the PHI is being used or disclosed for the purpose of treatment, payment, or internal CHCO healthcare operations.