Slide 1: HIPAA Privacy Training
Health Insurance Portability & Accountability Act of 1996
Standards for Privacy of Individually Identifiable Health Information
45 CFR Parts 160 and 164

THIS INFORMATION MUST BE PRESENTED OR, IF THROUGH SELF-STUDY, REVIEWED IN ITS ENTIRETY.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and focused on improving health insurance accessibility for persons changing employment or leaving the workforce (portability). HIPAA consists of several different parts. One part, called the Privacy Rule, concerns the privacy of health information. The Privacy Rule includes a requirement that all members of a health care provider's workforce (including students) must be trained on the provider's policies and procedures relating to privacy. This training program was developed through a collaborative effort of representatives of various Hawaii health care providers. The collaborative facilities developed and adopted a standard policy with regard to appropriate uses of health information for educational purposes. Although the policies of these facilities may be similar, specific procedures may vary from facility to facility. Therefore, when you begin your training at a facility, you should familiarize yourself with the specific policies and procedures of that facility.
Slide 2: The Privacy Rule
- Creates a national foundation of privacy
- Does not preempt more stringent state laws
- Extends certain individual rights to privacy and protection of an individual's medical records and health information

HIPAA addresses national standards for electronic data transmission, unique health identifiers, security standards, and standards for privacy and confidentiality. Covered Entities were required to comply with the Privacy Rule by April 14, 2003. The government believes a national foundation of privacy protections is necessary because technological advances have resulted in increasing electronic transmission of health care data. Standardization of the collection, storage and transmission of such data has been limited, while public concern about the privacy and security of health information has grown. It is important to note that HIPAA provides a floor of protection and does not preempt more stringent protections provided under state law. Therefore, a health care provider must be familiar with both state and federal laws relating to the use and disclosure of health information.
Slide 3: Who's affected?
Direct impact:
- Health plans
- Health care clearinghouses
- Health care providers (who transmit health information electronically)
Indirect impact:
- Business associates (vendors, consultants, contracted providers)

All Covered Entities are required to comply with HIPAA regulations. Covered Entities include Health Plans that provide or pay the cost of medical care, including employer plans and programs; Health Care Providers (doctors, nurses, hospitals, etc.) who perform electronic transactions; and Health Care Clearinghouses (entities that process data from non-standard format to standard format, or vice versa). Business Associates of a Covered Entity, including vendors and consultants, are usually required to comply with HIPAA regulations by means of a Business Associate Agreement with the Covered Entity. A Business Associate may or may not be a Covered Entity.
Slide 4: What's protected?
Protected health information (PHI) refers to:
- Individually identifiable health information relating to: the person's past, present and future health or condition; provision of health services to the person; and past, present and future payment for health services to the person
- Information transmitted or maintained in any form
- Includes data considered individually identifiable

Protected Health Information (PHI) means any individually identifiable health information about a person. PHI is protected under HIPAA and, therefore, cannot be disclosed by a Covered Entity without the agreement or authorization of that person, or as allowed by law. This requirement will be described in more detail later. PHI includes information about the person's past, present and future health or condition; provision of health care services to the person; and past, present and future payment for health services to the person. Information transmitted or maintained in any form (verbal, written on paper, or electronic) is protected.
Slide 5: What's individually identifiable?
- Name
- Geographic divisions smaller than State (with exceptions)
- All dates (except year)
- Phone & fax number
- E-mail address
- SSN
- Medical record #
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier [164.514(b)(2)]

The Privacy Rule identifies several data elements which, when used alone or in combination, may lead to the identification of a specific person. These data elements are referred to as "individually identifiable health information", and are listed on this slide.
Slide 6: Rules for uses/disclosures of PHI
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (Exceptions)
- Authorization

There are four general rules about the use or disclosure of PHI:
1. PHI can be disclosed for the purposes of Treatment, Payment or Health Care Operations (TPO) without the consent, agreement or authorization of the patient.
2. The patient has the opportunity to agree or object to certain uses or disclosures of PHI.
3. In some situations, usually as required under existing laws, PHI may be disclosed without the patient's authorization or agreement.
4. Finally, in any other circumstance not described above, the patient will need to provide written authorization for the use or disclosure of his/her PHI.
Slide 7: Permitted Uses of PHI
Uses/disclosures permitted for:
- Treatment (some facilities may still require patient authorization for release of PHI)
- Payment
- Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)

Use or disclosure of PHI is permitted for a Covered Entity's Treatment, Payment and Health Care Operations. A Covered Entity may also disclose PHI to a health care provider for treatment purposes. Many facilities now release PHI for treatment as long as they receive a request stating that the provider is involved in the patient's treatment and the PHI is needed for the patient's treatment. It is important to recognize, though, that a facility can be more stringent and may still require written authorization, consent or other verification to release PHI for treatment. Covered Entities can also release PHI to each other for either Covered Entity's payment purposes and certain health care operations, as long as each Covered Entity has or had a relationship with the patient who is the subject of the PHI and the information released is relevant to that relationship. Examples are provided on slide 26.
Slide 8: Opportunity to Object
- Facility directories
- To clergy
- To persons involved in individual's care
- Notification purposes
- Disaster relief purposes

Under the Privacy Rule, a Covered Entity can use or disclose PHI for certain purposes as long as the patient verbally agrees, or the patient has been given an opportunity to object to the disclosure and has not objected. These purposes are listed above. Each facility has established procedures about how these uses or disclosures are implemented. See the Matrix for information about each facility's procedures. Be sure to review this information before you begin your training at a facility.
Slide 9: Agreement or Authorization Not Required (Exceptions)
- Required by law
- Public health activities
- Victims of abuse/neglect/domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners & funeral directors
- Organ/tissue donations
- Research purposes
- Serious threat to self/others
- Specialized government functions
- Workers' comp

In certain situations, disclosure is permitted without an authorization or an opportunity to object. This slide lists the types of disclosures that are allowed without the patient's authorization or agreement. Many of these disclosures are to government officials acting in a professional capacity. In general, students would not make these types of disclosures. For each of these types of disclosures, the Covered Entity must follow certain rules in terms of how and what PHI is released. In addition, the Covered Entity must track and account for these disclosures. Therefore, if you receive an inquiry that relates to these types of disclosures, you must check with the patient's attending physician, the facility's nursing staff or the facility's Privacy Officer before you release any information.
Slide 10: Authorizations
- For all other uses and disclosures of PHI

A valid authorization from the patient is required for any other disclosure of PHI. For example, if a patient applies for life insurance, before the facility can disclose PHI to the life insurance company, the patient must provide a signed authorization form to the facility.
Slide 11: Notice of Privacy Practices
- Describes to patients how their protected health information may be used/disclosed
- Details the patient's legal rights in regard to their PHI and how to exercise these rights
- Details the legal obligations of the covered entity to protect PHI

The Covered Entity must give the patient a Notice of Privacy Practices, which describes the ways the Covered Entity could use or disclose PHI. A health care provider who has a direct treatment relationship must provide the Notice at the time of the first service delivery, or in an emergency situation, as soon as possible. The Covered Entity must also make a good faith effort to obtain the patient's written acknowledgement of receipt of the Notice. If the acknowledgement was not obtained, the Covered Entity must document the reason why the acknowledgement was not obtained.
Slide 12: Individual's Rights
- To receive the Notice of Privacy Practices
- To inspect and/or obtain a copy of PHI
- To request to amend PHI
- To request limits on certain uses/disclosures of PHI
- To receive an accounting of disclosures
- To receive confidential communications
- To file a complaint

HIPAA gives the patient rights to privacy and accessibility with regard to his/her PHI. These rights are listed on this slide. Each facility has procedures about how the patient may exercise these rights. Refer any patient with questions about his/her rights under the Privacy Rule to the facility's Privacy Officer.
Slide 13: Other Requirements
- De-identification of PHI
- Minimum necessary
- Workforce Training
- Verification Process
- Business Associate Contracts

The Privacy Rule includes several other requirements:
- De-identification is the process of stripping PHI of all individually identifiable elements (see slide 5).
- The minimum necessary standard (i.e., need-to-know) will be covered later.
- The Covered Entity must train all members of its workforce on its policies and procedures related to privacy. Students are considered part of the facility's workforce, which is why you are completing this training.
- The verification process refers to a requirement that a Covered Entity must verify the identity and authority of a person who is requesting access to PHI.
- Finally, a Covered Entity must enter into a Business Associate Contract with a person or entity who provides certain types of services for the Covered Entity and who accesses PHI in the course of providing those services.
Slide 14: Other Restrictions
- Marketing
- Fundraising
- Specially Protected Health Information: additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records

The Privacy Rule imposes other restrictions on the use or disclosure of PHI for marketing and fundraising. Those restrictions will not be discussed here. If, in the future, you are involved in marketing or fundraising, you will need to familiarize yourself with the applicable sections of the Privacy Rule. As stated previously, the federal Privacy Rule does not preempt more stringent state law. In Hawaii, certain information, called specially protected health information, is afforded more stringent protection. Under Hawaii State law, release of specially protected health information requires the patient's consent, including for treatment and payment purposes.
Slide 15: What's the consequence of non-compliance?
Penalties:
- Civil: $100 per violation; up to $25,000 per year
- Criminal: up to $250,000 and/or 10 years in prison

There are penalties for violating or failing to comply with the Privacy Rule. A Covered Entity may be subject to civil and criminal sanctions that include monetary fines and imprisonment.
Slide 16: Sanctions
- Facilities are required to sanction members of the workforce (including "students") who violate policies and procedures relating to privacy and security of health information.
- Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at the facility.

A Covered Entity is required to have a process for sanctioning workforce members who violate privacy policies and procedures. Student sanctions may be levied by the facility and/or the educational program in which you participate.
Slide 17: What you need to know to operate in different facilities
- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for treatment
- Requests/Disclosures to Govt. agencies
- Patient Requested Restrictions on use/disclosure

As stated previously, privacy training includes training about the facility's policies and procedures. Each facility may implement its procedures differently. See the Matrix for information about each facility's procedures. Be sure to review this information before you begin your training at a facility.
Slide 18: What is a Facility Directory?
- The information a hospital releases to the media or the public when they call to ask about a patient
- This information is limited to: Location; Condition
- May only release info in the directory to people who ask for the patient BY NAME

"Facility directory" requirements apply to hospital inpatients. The hospital maintains a list of inpatients. If a caller or visitor asks for a patient BY NAME, the hospital may:
1. Acknowledge the patient's presence;
2. Provide the patient's room number; and
3. Provide a one-word description of the patient's condition.
This is the maximum amount of information that may be disclosed for facility directory purposes. Facility directory requirements apply to inquiries by members of the media, as well as other callers or visitors.
Slide 19: Facility Directory
- Patient may ask the hospital to NOT release information to media or others who call
- Each hospital will have a process to identify these NO INFORMATION patients
- YOU must be aware of each hospital's codes and process to identify these patients
- DO NOT release information in violation of the patient's information status

The patient has the right to object to disclosures for facility directory purposes. In other words, the patient may tell the hospital to disclose no information about him/her to callers or visitors. The hospital must honor the patient's request for privacy. As a member of the hospital's workforce, you must not disclose information about a patient with "No Information" status to callers or visitors. Each hospital has established procedures for honoring a patient's request. See the Matrix for details.
Slide 20: Facility Directory - NO INFORMATION STATUS
- PATIENT'S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY/FRIENDS
- Anyone asking for the patient will be told, "We have no information regarding the individual."

If the patient has requested "No Information" status, the hospital will not:
1. Acknowledge the patient's presence;
2. Disclose the patient's room number;
3. Describe the patient's condition;
4. Accept flowers, gifts or mail for the patient.
This restriction applies to family members, friends, or anyone else who may call or visit the hospital. They will be told, "We have no information about a person by that name."
Slide 21: What should I do? Scenario #1
Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient's name on the unit I just left. What should I do?
A: Refer the person to the nurses' station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.

This scenario may present a cultural change, as most healthcare providers want to be helpful to visitors, understanding that family members may be worried about their loved one. However, we need to be mindful of the patient's right to privacy.
Slide 22: Family Involvement
A patient's health information may be disclosed to family/others if:
- Patient gives verbal agreement,
- Patient has the opportunity to object and does not, or
- You can infer from the circumstances that the patient does not object
Emergency/incompetent patients: release information using professional judgment in the best interests of the patient

Examples of Permitted Disclosures to Family, Friends or Others:
1. A daughter accompanies an elderly patient into the exam room. The patient says, "Can you explain it to my daughter?" You may provide instructions to the daughter.
2. A wife goes to the pharmacy and asks to pick up the prescription that Dr. Young called in for her husband. You may give the medications to the wife.
3. A patient tells you that a neighbor has been helping him with his home exercise program. You may speak with the neighbor about the patient's exercises.
4. You knock on the door and enter the patient's room. There are several visitors in the room. You don't know who the visitors are. You say to the patient, "I'd like to talk with you about discharge planning. Can we talk now? Perhaps your visitors would like to have lunch? Or should I come back a little later?"
Exception: In an emergency, when the patient is unable to express his/her wishes, use your professional judgment. Ask yourself, "Would it be in the patient's best interest if I disclosed the information?"
Slide 23: Family Involvement
- Information released must be directly relevant to that person's involvement in the patient's care or payment for that care
- A patient has the right to request that you not release information to family/others. If a patient asks that you not talk with family/others, please refer the patient to nursing staff.

A Permitted Disclosure: A friend picks up the patient after a procedure. The patient will stay with the friend for a few days. The friend asks, "What do I need to do?" You may explain to the friend, "Here are her prescriptions. Be sure to keep the site dry. Sponge bath only. Call the doctor if the site gets red. No housework or lifting more than ten pounds."
Not a Permitted Disclosure: You may not describe the patient's previous episodes of care to the friend, such as the Emergency Room visit when she was a possible DUI, the results of the biopsy she had two years ago, etc.
Responding to a Patient's Request: It is important that you inform staff of a patient's request to limit the involvement of family, friends or others. Staff will know how to document and follow up on the request. Each facility has established procedures for responding to such a request. See the Matrix for details.
Slide 24: What should I do? Scenario #2
Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?
A: Patients have a right to not involve family members and others in their care. You should not share any information with the spouse, per the patient's request, and you should alert the nursing staff about the patient's request.

The patient explicitly stated that she did not want her health information to be shared with her husband. As difficult as it may seem, you must honor her request. It is also important for you to promptly notify staff about the patient's request. They will know how to document and respond to the patient's request. Once a facility has agreed to a patient's restriction request, everyone, including students, must abide by it.
Slide 25: Minimum Necessary (Need-to-Know Rule)
- Access is a privilege.
- Individuals with access privileges have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.

A key element of the Privacy Rule is the minimum necessary standard. This is the need-to-know rule. You are only permitted to access and use the minimum necessary amount of PHI for your specific duty, responsibility or purpose. In terms of educational uses of PHI, you must limit your access and use to the minimum amount of information required for your specific educational activity.
Example: You would like to review records of ER patients admitted for near drowning for a presentation or paper. First, you must obtain the required approvals and determine the types of information or data that you will need to collect. Then, you must limit your access to only the episodes of care that relate to the study topic and record only the data elements that are necessary to prepare your presentation or paper.
Slide 26: Request/Disclose PHI for Treatment Purposes
May request/disclose PHI for treatment where:
- The request is from a provider to whom you referred the patient for treatment, or the provider's involvement in the patient's treatment is documented in the medical record, or
- The patient has signed an authorization or release for the disclosure to the provider, or
- The provider has requested, in writing, the PHI for treatment purposes

As a student, you may be asked to release PHI to another health care provider who is involved in the patient's care. Under HIPAA, a health care provider may release PHI to another provider for treatment purposes without the patient's authorization; however, this disclosure is subject to verification of the identity and authority of the requestor. At most facilities (see Matrix), you may disclose PHI to another health care provider for treatment purposes if:
1. The provider referred the patient to you
2. You referred the patient to the provider
3. The medical record contains documentation of the provider's treatment relationship with the patient
4. The provider requests the information for treatment purposes and the request is made in writing
5. The patient has signed an authorization or other form for the disclosure of the PHI to that provider
Slide 27: Request/Disclosure of PHI to/from government agencies
- Refer to Nursing Staff/Attending Physician/Privacy Officer
- Only the minimum necessary may be released
- Must do an accounting for the disclosure

Hospitals are required to disclose PHI to government agencies for many reasons. Examples include reports of child abuse or neglect, infectious disease reporting, reports of unattended deaths to the Medical Examiner, etc. Most students will not be involved in reporting PHI to government officials. However, you may encounter a situation in which reporting is mandatory, or a government official, such as a police officer, asks you for information. Please consult with the facility's nursing staff, your supervisor or the facility's Privacy Officer before making such a report or releasing information to any person who is not a health care provider. Such disclosures must follow the minimum necessary rule. Additionally, the facility must track or account for such disclosures. Therefore, it is important that you know and follow the appropriate procedures before you release any information to a government official.
Slide 28: Patient Requested Restrictions on Use/Disclosure of PHI
- The facility may have agreed to patient-requested restrictions on uses/disclosures of PHI for treatment, payment or health care operations
- YOU must be aware of each facility's practice in this regard and where such restrictions would be documented

Under HIPAA, a patient has the right to request restrictions on the facility's use or disclosure of PHI for treatment, payment or health care operations. The facility is not required to agree to the patient's request. For example, a patient may not want students to be involved in his/her care or to access his/her health information. The facility will determine whether or not it will honor the patient's request. Review the Matrix to familiarize yourself with each facility's procedures with regard to such requests. Be aware that when a facility has agreed to a patient's restriction request, as a student, you are obligated to honor the request.
Slide 29: Use of PHI for educational purposes
- Allowed without patient consent or authorization
Parameters of use/disclosure of PHI for educational purposes:
- Appropriate access
- Minimum necessary for the purpose
- Protect/safeguard PHI
- Appropriate disposal upon completion

Use or disclosure of PHI for educational purposes is considered one of the facility's health care operations. Therefore, PHI can be used by and disclosed to health care students without the patient's consent, agreement or authorization. However, HIPAA does place certain limitations on the use of PHI for educational purposes.
1. The facility must establish appropriate controls on the student's access to PHI.
2. PHI disclosed should be limited to the minimum necessary for the particular educational use or purpose.
3. The student who accesses PHI is responsible for protecting and safeguarding that information and for properly disposing of any notes or class documents that contain PHI upon completion of the use or purpose.
4. The student must be aware of and honor any agreed-upon restriction.
Slide 30: Facially de-identified information
- Policy permits use of PHI that is "facially de-identified" for educational purposes.
- Remove the same identifiers as in de-identified information, except the following may be left in: patient medical record number; dates of service; zip codes
- This information is still identifiable under HIPAA and remains under federal privacy protections.

The collaborative facilities permit a student to use PHI that has been "facially de-identified" for his/her educational purposes. The only difference between de-identified information and "facially de-identified" information is that "facially de-identified" information can include the patient's medical record number, dates of service and zip code. All other individual identifiers (see slide 5) must be removed from the information. Under HIPAA, "facially de-identified" information is still considered PHI. You must protect "facially de-identified" information in compliance with the Privacy Rule.
Slide 31: "Facially de-identified" means removing:
- Name
- Address
- Phone & fax number
- E-mail address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier

This slide lists the identifiers which must be removed from the PHI in order for the information to be considered "facially de-identified".
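The two identifier sets described on slides 5, 30 and 31 (full de-identification versus "facially de-identified") can be applied mechanically to a structured record. The following is an added example, not code from the training program or the collaborative facilities; the field names, the sample record and the free-text patterns in it are constructed for illustration and would need to be mapped onto a real system's schema. It removes the slide 5 identifiers, reduces remaining dates to the year, optionally retains the medical record number, dates of service and zip code for the "facial" form, and scrubs common identifier patterns that leak into free-text notes. It also includes a check that reports any listed identifier field still present, which is the control a reviewer would want before class material leaves the facility.

```python
import re
from copy import deepcopy

# Constructed field names that map onto the slide 5 / slide 31 identifier
# categories. Removed in both the de-identified and facially de-identified forms.
ALWAYS_REMOVE = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Slide 30: these may stay in facially de-identified information only.
FACIAL_KEEPS = {"medical_record_number", "zip"}

# Slide 5: all dates are identifiers except the year; slide 30 lets the
# facially de-identified form keep dates of service (but not other dates).
DATE_FIELDS = {"date_of_service", "date_of_birth", "admission_date"}
SERVICE_DATE_FIELDS = {"date_of_service", "admission_date"}

# Illustrative patterns for identifiers that tend to appear inside free text.
# Run in this order so the SSN pattern is matched before the phone pattern.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def year_only(value: str) -> str:
    """Reduce an ISO date string (YYYY-MM-DD) to its year."""
    return value[:4]


def scrub_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with labels."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, facial: bool = False) -> dict:
    """Return a copy of record in de-identified (default) or facially
    de-identified form (facial=True). The input record is not modified."""
    out = deepcopy(record)
    for field in list(out):
        value = out[field]
        if field in ALWAYS_REMOVE:
            del out[field]
        elif field in FACIAL_KEEPS:
            if not facial:
                del out[field]
        elif field in DATE_FIELDS:
            if not (facial and field in SERVICE_DATE_FIELDS):
                out[field] = year_only(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
    return out


def leaked_identifiers(record: dict) -> list:
    """Check used before material leaves the facility: list identifier fields
    that are still present, plus text fields that still match a pattern."""
    leaks = [f for f in record if f in ALWAYS_REMOVE]
    for field, value in record.items():
        if isinstance(value, str) and field not in FACIAL_KEEPS:
            if any(p.search(value) for p, _ in TEXT_PATTERNS):
                leaks.append(field)
    return leaks


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Honolulu",
    "state": "HI",
    "zip": "96813",
    "phone": "808-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001234",
    "date_of_birth": "1950-04-12",
    "date_of_service": "2003-06-02",
    "diagnosis": "near drowning",
    "note": "Contact daughter at 808-555-0199 or kid@example.org re discharge.",
}

if __name__ == "__main__":
    for mode in (False, True):
        cleaned = deidentify(SAMPLE_RECORD, facial=mode)
        print("facial" if mode else "full", cleaned, leaked_identifiers(cleaned))
```

The pattern list is deliberately conservative: it will over-scrub a ten-digit number in a note that is not a phone number, which is the safer failure for material that is about to be shown in class. Slide 30's point survives in the output: the facial form still carries a medical record number, dates of service and a zip code, so it is still PHI and must be protected as such.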
Slide 32: Allowable educational access/use
- Treatment
- Observation
- Teaching Rounds
- Retrospective Record/Data Reviews
- Research (with IRB approval)
- Case Presentations
- Patient Logs

This slide lists the types of educational uses or activities for which a student may access PHI. Access to PHI, or an attempt to access PHI, by a student for a use or activity other than what is listed above would be considered a violation of the facility's policies and could result in sanctions against the student.
Slide 33: Is this okay? Scenario #3
Q: I heard about a very unusual case in the OR. As a medical student I am here to learn. I need to know more about the details so that I may gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?
A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patients' records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.

In this scenario, access may seem to fit under one of the allowable educational uses or activities. What do you think? The bottom line is that the case may indeed have educational value to you. But such review must be organized and approved by the appropriate individuals. Do not access patient information just because you personally believe it might be educational. Work through your instructors and the facility.
Slide 34: Some Do's and Don'ts: Treatment and Observation
Can Do:
- Access medical records of the patients you are treating/caring for
- Prepare class work with patient identifiers removed
- Observe patient care with approval from the department manager/supervising faculty
Cannot Do:
- Obtain medical records of patients you are not treating/caring for
- Use data obtained from your cases with patient identifiers such as name, address, birth date left in
- Observe patient care without appropriate approval or where the patient objects

Here are some do's and don'ts relating to appropriate use/access of PHI for treatment and observation. This is not a complete list but will provide you with some general guidelines.
Slide 35: Some Do's and Don'ts: Teaching Rounds
Can Do:
- Share patient information during teaching rounds
- Prepare class work using data from your cases with patient identifiers removed
Cannot Do:
- Discuss patients in public areas with no consideration of surroundings
- Include family members in rounds, unless the patient has agreed or a determination has been made by the physician that inclusion is in the patient's best interest

Here are some do's and don'ts for participation in teaching rounds. One important point must be emphasized. Always use discretion and common sense when discussing cases in public areas. Do not verbalize details that would inappropriately disclose patient information.
Slide 36: Some Do's and Don'ts: Retrospective Reviews
Can Do:
- Access medical records with written approval of the supervising faculty member
- Prepare class work using collected data with patient identifiers removed
- Use aggregate or de-identified patient information
Cannot Do:
- Use information collected for research without IRB approval
- Publish or publicly present findings without IRB approval or waiver of authorization
- Contact the patient or the patient's physician
- Abstract patient identifiers

Here are some do's and don'ts for retrospective reviews. If you are thinking of publishing your findings or making a public presentation, you must obtain the approval of the facility's Institutional Review Board (IRB) before accessing or collecting patient information from medical records. See the Matrix for information about each facility's procedures.
Slide 37: Some Do's and Don'ts: Research
Can Do (with IRB approval):
- Build a database of patient information
- Access and use patient-identifiable information as approved by the IRB
- Do a public presentation or publish findings using aggregate or de-identified information
Cannot Do:
- Any research without IRB approval or waiver
- Publish or publicly present findings that identify the patient without patient authorization
- Access and collect patient data in preparation for a research project without IRB waiver or approval

There are a number of regulatory requirements for research, and the requirements are quite complex. As a student, the key points to remember are:
1. Under the HIPAA Privacy Rule, the creation of a database or repository of patient information may be considered research.
2. You should contact the facility's Institutional Review Board (IRB) if you intend to review and collect patient information for research purposes.
It is prudent to seek guidance from the IRB if you consider publication or public presentation to be future possibilities.
38 What should I do? Scenario #4:
Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?
A: Maybe. If the intent is purely for quality improvement without intent to publish findings, and you will destroy the database upon completion, then you do not need IRB approval or a waiver. But if you intend to publicize, publish or use the data you collected for any other purpose and do not get a patient authorization or an IRB approval or waiver, you would be violating the patient’s rights.
It is sometimes difficult to distinguish between quality improvement activities and research. If the patient information you are collecting might be considered for use in a future research project, it is best to obtain IRB approval. See the facility’s IRB for information about its application, review and approval procedures.
39 Some Do’s and Don’ts: Case Presentations/Grand Rounds
Can Do:
Access medical records with written approval of the supervising faculty member
Prepare for the presentation using facially de-identified, aggregate or de-identified information
Limit the audience to healthcare students/professionals if the presentation might inadvertently reveal the patient’s identity
Cannot Do:
Leave/show the following in your presentation: patient name, medical record number
Openly present a high-profile or unusual case where the patient’s privacy may be compromised without the patient’s written authorization for disclosure
Here are some do’s and don’ts for case presentations or grand rounds. Although you are permitted to retain the patient’s medical record number for certain educational purposes, this information should not be displayed or revealed during your presentation. If the case you plan to present is high-profile or extremely rare, obtain the patient’s authorization before you use his/her PHI in the presentation or, at minimum, ensure that the audience is limited to healthcare students or professionals.
40 Patient Logs
Information collected and submitted on a patient log of your educational activities must be facially de-identified.
Your educational program may require you to keep a Patient Log, a list of patients to whom you have been assigned, and to conduct follow-up reviews. As you keep your Patient Log, please follow the rules for “facially de-identifying” patient information.
41 Some Do’s and Don’ts: “Facially De-identifying” Patient Data
Can Do:
Use generic terms to describe a patient, for example: 36 year old white male living in Arizona; admitted in October 2002; construction worker
Black out/delete/cut out patient identifiers on hard copy
Cannot Do:
Leave patient identifiers in information used/removed: patient’s/relatives’ name, birth dates, address, employer
Take copies of dictated reports home with you (unless facially de-identified)
Here are some examples of how to “facially de-identify” patient information. Remember that you are only permitted to retain the patient’s medical record number, dates of service, and zip code for certain educational purposes.
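The rules on this slide, applied to a structured chart entry, as an added example that is not part of the original training material: the record, field names and values below are constructed for illustration, and the routine keeps only the generic descriptors plus the three fields the slide says may be retained (medical record number, dates of service, zip code).

```python
import json
from datetime import date

# Constructed sample chart entry (not a real patient); identifiers present.
SAMPLE_RECORD = {
    "name": "John Q. Sample",
    "relatives": ["Jane Sample (spouse)"],
    "birth_date": date(1966, 3, 14),
    "address": "123 Main St, Phoenix, AZ 85001",
    "state": "Arizona",
    "zip": "85001",
    "employer": "Acme Builders",
    "occupation": "Construction worker",
    "sex": "male",
    "race": "white",
    "admit_date": date(2002, 10, 5),
    "mrn": "MRN-0001",
}

# Identifiers the slide says may never be left in material you keep.
PROHIBITED_FIELDS = ("name", "relatives", "birth_date", "address", "employer")


def facially_deidentify(rec):
    """Build a Patient Log entry: generic terms (age, sex, race, state, month of
    admission, occupation) plus the retainable fields. Age is derived from the
    birth date so the birth date itself is not carried forward."""
    admit, born = rec["admit_date"], rec["birth_date"]
    age = admit.year - born.year - ((admit.month, admit.day) < (born.month, born.day))
    return {
        "description": f"{age} year old {rec['race']} {rec['sex']} living in {rec['state']}",
        "admitted": admit.strftime("%B %Y"),          # "October 2002", not the full date
        "occupation": rec["occupation"],               # generic term, not the employer
        "mrn": rec["mrn"],                             # retainable for educational use
        "dates_of_service": [admit.isoformat()],       # retainable for educational use
        "zip": rec["zip"],                             # retainable for educational use
    }


def contains_identifiers(entry, rec):
    """Simple leak check: does any prohibited value from the source record
    appear verbatim (case-insensitive) anywhere in the log entry?"""
    text = json.dumps(entry, default=str).lower()
    for field in PROHIBITED_FIELDS:
        values = rec[field] if isinstance(rec[field], list) else [rec[field]]
        if any(str(v).lower() in text for v in values):
            return True
    return False
```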
42 Some Do’s and Don’ts: Accessing PHI
Can Do:
Request access to PHI through appropriate channels
Request access to medical records through Medical Records
Submit the completed appropriate data request form for data reports
Cannot Do:
Remove medical records from the facility
Leave patient records/data in the break room or other areas where they are unattended
Out of curiosity, access the records of the celebrity who was admitted last week or the records of a patient with an unusual medical condition
Each facility has established procedures for obtaining access to PHI. See the Matrix for more information. If you are assigned to a facility that has implemented an electronic medical record, you will probably be able to access information about patients with whom you do not have a treatment relationship. Keep in mind that simply because you are able to access the information does not mean you have permission to do so. Each facility has implemented audit trails to monitor users who have accessed a patient’s electronic medical records. If a facility discovered that you accessed a patient’s record and you had no legitimate reason for doing so, you could be subject to sanctions.
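How the audit trail mentioned above can be turned into a review, as an added example that is not part of the original training material or any facility’s actual system: the access log format, user names, patient numbers and assignment roster are constructed, and the check flags chart access by a user with no treatment relationship to the patient, plus any access to records the facility has marked as restricted (for instance a high-profile admission).

```python
import csv
from io import StringIO

# Constructed roster: which patients each user is assigned to (care team).
ASSIGNMENTS = {
    "student01": {"P1001", "P1002"},
    "nurse07": {"P1003"},
}

# Constructed list of records flagged by the facility for extra scrutiny.
RESTRICTED_PATIENTS = {"P1004"}

# Constructed EMR audit trail (timestamp,user,patient,action); not real data.
ACCESS_LOG = """\
timestamp,user,patient,action
2024-05-01T08:02:00,student01,P1001,view_chart
2024-05-01T08:10:00,student01,P1003,view_chart
2024-05-01T09:15:00,nurse07,P1003,view_chart
2024-05-01T12:40:00,student01,P1002,view_labs
2024-05-01T13:00:00,nurse07,P1004,view_chart
"""


def flag_suspicious_access(log_text, assignments, restricted):
    """Return the audit rows that need follow-up, each with the reason(s).

    A row is flagged when the user is not on the patient's care team
    (no treatment relationship) or the patient is on the restricted list.
    """
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        if row["patient"] not in assignments.get(row["user"], set()):
            reasons.append("no treatment relationship")
        if row["patient"] in restricted:
            reasons.append("restricted patient record")
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_access(ACCESS_LOG, ASSIGNMENTS, RESTRICTED_PATIENTS):
        print(hit["timestamp"], hit["user"], hit["patient"], "; ".join(hit["reasons"]))
```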
43 Is it okay? Scenario #5:
Q: My friend was admitted yesterday after collapsing during a bike ride. I am very concerned about her progress and would like to visit her, but I don’t know which room she is in. Is it okay if I look up the information in the computer system?
A: No. Using your access privileges to look up any information for any patient when there is no need to know based on your responsibilities in the hospital is a violation of patient confidentiality. Unless you are directly involved in providing health care for your friend, it is not appropriate for you to access her electronic medical record. Your friend is entitled to privacy, as are all patients.
As discussed on the Facility Directory slides, please ask for your friend by name at the nurses’ station or information desk. As long as your friend has not requested “No Information” status, staff will be able to tell you her room number and you will be able to visit.
44 Some Do’s and Don’ts: Safeguarding Information
Must Do:
Password-protect laptops/PDAs
Shred facially de-identified papers when you are done with them
Ensure the memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
Encrypt any PHI sent over the Internet
Cannot Do:
Leave information in open or other public areas
Discuss patients in the elevator, hallways or the cafeteria
Dispose of facially de-identified information in your trash can (it is still identifiable under HIPAA!)
Share your access codes/cards
Remember that under HIPAA, “facially de-identified” information is still Protected Health Information (PHI). You are responsible for keeping the information confidential and secure. Here are some examples of safeguards you should follow:
1. Maintain control over your PDA, class work and other documents that contain patient information. Know where they are at all times.
2. Do not let a friend borrow or share your access codes (log-in) or cards for any reason. You are responsible for inappropriate access to data or secured areas that occurs under your identification.
3. When you no longer need health information you have collected, dispose of it appropriately. Do not throw it away in your trash can!
4. Do not send PHI over an open network unless the information is encrypted.
5. Always use discretion and common sense. Consider how you would want others to protect your personal health information.
45 Questions? For further information or questions, please contact the facility’s privacy officer.