Presentation on theme: "NCPD#1/jab 0803 1 Health Insurance Portability & Accountability Act."— Presentation transcript:
NCPD#1/jab Health Insurance Portability & Accountability Act
What I will learn from this program What is HIPAA Who is covered by HIPAA Goals of HIPPA Definitions What is “Protected Health Information (PHI)”, “Use”, and “Disclosure” What are “Security Rules” How does this affect you Why comply
What is HIPAA HIPAA – Health Insurance Portability and Accountability Act of 1996 Original Intent was to ensure portability of Insurance when employment changes.. Administrative Simplification Standardization of formats, codes and identifiers Increased security of electronic health data Increased protection of protected health information Simplify health care administration
Who is covered by HIPAA Covered entities include Health care providers Health plans Health care clearinghouses
Goals of HIPAA For Patients Control over their information The right to see their records and correct any mistakes in them. The right to know who has seen their information
Goals of HIPAA For Institutions Protect patient information Limit use of patient information Penalize those who misuse information
Definitions Protected Health Information = Individually identifiable health information in any form or media. Only authorized people will look at or use it for treatment, payment or health care operations (TPO) Privacy = Right of each person to keep certain personal information to him or herself, confident that only authorized people will look at or use it.
More Definitions Security = Protection of information, data and systems from accidental or intentional access by unauthorized users. TPO = Treatment, Payment and Operations Minimum Necessary = Minimum amount of information you “need to know” to do your job.
What is Protected Health Information Information that identifies a person A person who is living or deceased Past, present or future health information Electronic or paper form, or spoken in conversation Examples: Patient charts, lab reports, x- rays, billing systems, nursing notes, phone calls, and conversations about patients
What Makes Information Identifiable Name Address Phone or fax number address Social Security or medical record numbers Photos Names of relatives Voice, finger, retinal prints Date of Birth Employer Insurance account numbers
Who can access this information The privacy rules of HIPAA limit both the “Use” (how the information is used in the institution), and “Disclosure” (how the information is given out to other institutions for use). Patients typically give permission for use or disclosure of their information by signing a written form. Some disclosures are required by law, such as reporting of gunshot wounds, child abuse, infectious diseases and do not require patient permission
Internal Use Routine access will be limited by job functions “Need to know”, or minimum necessary needed for each task Example EKG: EKG technicians only need the information relating to the EKG, would not need to see patient progress notes or insurance information Non-routine access will be limited by policies and procedures of each institution
Disclosure Providing information to those outside of the institution Types Mandatory: dog bites, gunshot wounds Incidental: I accidentally faxed your records to the wrong department Malicious: I steal a list of consumer names and addresses to sell as a mailing list. Reasonable efforts should be made to give out only the least amount of information needed to meet the request Example: Transportation Service: a service that drives patients to and from appointments would only need certain information such as patient name, appointment details time/address, contact phone number, should not have details on other protected health information. GHC User: You may want to use this slide to show there are different types of disclosure: Mandatory: ie: dog bites, gunshot wounds etc Incidental: I accidentally faxed your records to the wrong department. Malishes ?spelling?: When I steal a list of consumer names and addresses to sell as a mailing list. All of these must be accounted for. GHC User: You may want to use this slide to show there are different types of disclosure: Mandatory: ie: dog bites, gunshot wounds etc Incidental: I accidentally faxed your records to the wrong department. Malishes ?spelling?: When I steal a list of consumer names and addresses to sell as a mailing list. All of these must be accounted for.
Security Rules Protect the systems that store protected Health information – The hardware and software Systems must be protected so that unauthorized people cannot get to the information. Ex: Computer systems will require you to change your password every so often to protect against someone else gaining access to the system using your password.
Security Rules (Continued) Protect Information itself from unauthorized use and misuse by those allowed to view the PHI Ex: a famous person, co-worker, or family member is a patient, can you check to see how he or she is doing? No! If you are not involved in the patient’s care you cannot view the information.
Summary of Privacy and Security Rules Patients have the right to control their information Institutions will limit the use and disclosure of information Institutions will protect information on the computer
So What’s New About This Law Sounds like what we have been doing all along, Privacy has always been a priority. Now the government has decided what the basic requirements are for protection of patient information and Institutions are being held accountable Patients can be more confident that their information will be kept private
Privacy…. Why? A Tampa Florida man stole a list of 4,000 HIV-positive patients from a state health worker and sent the list to the Tampa Tribune, which did not publish it. The man was found guilty and sentenced to jail New York congressional candidate's past suicide attempt was made public during a campaign. She won the election and sued the hospital for failing to maintain the confidentiality of her medical records An employee of a large Blue Cross/Blue Shield plan obtained unauthorized access to the medical records of the ex-wife of a friend and sent them to his friend.
How Does HIPAA Affect You Faculty and Students are held to the same obligations and accountability as employees, they are seen as part of the workforce under affiliation agreements Whether you work directly with patients or not, you may find yourself in situations involving patient information. What do you do?
Protecting Spoken Information What do you do? You’ve just made it through a long line in the cafeteria and scored an empty table. As you settle in to enjoy your lunch, you can hear 2 co- workers discussing a patient
Response Remind them that confidentiality is important, public areas may be convenient but when it comes to PHI they are not good choices. Find a private space if your job requires you to talk about patient information. Do Not Discuss Patient Information in Public Areas!
What do you do? One day you walk by a room and see someone you know. She is not looking well and she seems to be by herself. You want to express your concern and see if you can help.
Response Respecting privacy doesn’t mean you have to ignore someone you know. But don’t ask for Personal Health Information She can tell you about her illness, but you can’t ask, and if told you cannot repeat the information you hear. Unless you are involved in the patients care you do not have the right to ask for information or even tell others people who the patients are. Don’t Ask For Information Even If You Know The Person!
What do you do? Lets say you entered a patient’s room to explain a procedure. The patient has several visitors in the room who may or may not be family.
Response Before entering the patient’s room, you should first knock and ask permission to enter. If other people are in the room ask permission from the patient to talk about his or her care with visitors present. Ask Permission From Patient
What do you do? You are walking down the hall and are stopped by a visitor to get directions
Response If you can give a visitor directions without asking for personal health information you are being courteous and respectful of patient privacy If it is not clear where the visitor is supposed to go or if asked about a patients condition direct them to the information desk. Be Courteous and Direct Visitors to the Information Desk
Protecting Spoken Information Around Patient Rooms Knock first and ask to enter Close doors or curtains when talking about treatments or doing procedures Speak softly in semi-private rooms In Public Areas Don’t talk about patients Direct Visitors to the information desk Don’t leave messages on answering machines about patient conditions
Protecting Written Information What do you do? Suppose you enter a conference room and find papers with patient information left on the table
Response Papers that have Protected Health Information should be returned to the person who left them. If you can’t find the owner of the papers, give them to your supervisor for shredding. Find The Owner Of Lost Papers Or Give Them to Your Supervisor
What do you do? Suppose you work in an area where several people share a fax machine in a lounge. While you are in the lounge a fax including PHI arrives but no one comes to get it. Later that afternoon you notice the fax is still there.
Response Tell your supervisor about the fax If you are someone who shares a fax or printer, it is your duty to pick up papers right away. Fax machines and printers are best located in a private area, away from public view. Don’t Leave Papers With Medical Information Unattended
Protecting Written Information Find the owner of “lost” papers Shred Information no longer needed Don’t leave papers unattended Keep information away from public view
Protecting Electronic Information Keep computer screens pointed away from public Never leave patient information in public areas unattended Log-off workstations when leaving the area You Are Responsible For Any Activity On The Computer That Is Made With Your User Name
Protecting Electronic Information Protect Your Password Don’t share it with anyone Never write it down Don’t say it out loud Don’t it Report any misuse or problems with your password
Protecting Electronic Information Handhelds and Laptops Prevent loss or theft of equipment-never leave this equipment unattended Use Passwords to protect information Close programs when not in use
Why Should We Comply It is the right thing to do. Patients have rights to privacy It improves the quality of care It is good business Disciplinary Action Can range from counseling to final written warning to termination Repeated offenses can result in more severe discipline Penalties Civil and Criminal Penalties Against both the individual and the institution
Consequences for Noncompliance Violations Wrongful disclosures Gaining access by false pretenses Intent to sell, transfer or use Penalties Up to $50,000 + up to 1 year in prison Up to $50,000 + up to 1 year in prison Up to $100,000 + up to 5 years in prison Up to $250,000 + up to 10 years in prison
Enforcement of HIPAA The Office for Civil Rights has been charged with enforcing HIPAA privacy regulation
Questions About Privacy In some situations it is not clear whether privacy rules apply or what the best way to handle the situation HIPAA was never meant to interfere with patient care If questions come up or you don’t know what to do ask your supervisor When in Doubt Ask!
A Parting Thought If your loved one was a patient wouldn’t you want your family’s privacy to be protected by the people caring for him or her ?
Resources Federal Register August 14 th, 2002 Notice s.cfm s.cfm s.cfm Federal Register February 20th, 2003 Notice s.cfm s.cfm s.cfm HHS Office of Civil Rights – HIPAA Page