Confidentiality HIPAA.

Presentation on theme: "Confidentiality HIPAA."— Presentation transcript:

1 Confidentiality HIPAA

2 Confidentiality
To put it simply, everything regarding patients is confidential, especially if it is in the patient’s chart. The rule of confidentiality is extended to everyone who has access to the chart. The patient’s record is a legal document and is not the place for stories, complaints or jokes.

3 Confidentiality
Willfully entering incorrect information into a patient’s record legally constitutes fraud and is a complete breach of professional ethics. Information therein should never be discussed in public. Failure to follow these rules can lead to legal action for breach of confidence.

4 AS YOU LEAVE WORK OR YOUR CLINIC…….
Follow this rule! What you see here, what you say here, what you learn here: LET IT STAY HERE WHEN YOU LEAVE HERE.

5 Health Insurance Portability and Accountability Act
HIPAA Health Insurance Portability and Accountability Act

6 What is HIPAA?
A federal law designed to protect health information. Went into effect April 14, 2003. Everyone who has access to a patient’s health information is required to follow rules related to sharing of that information. Non-compliance with the law can result in fines or criminal penalties.

7 Privacy Rule: Cause for Concern
1 in 5 American adults believes their personal medical information has been disclosed improperly. Half of these people believe that it resulted in personal embarrassment or harm. (California HealthCare Foundation Survey conducted by Princeton Survey Research Associates, January 1999.) Why did Congress find we needed this law? Why is it clear that we need this law?

8 Privacy Rule: Cause for Concern
1 in 7 Americans has tried to keep their medical information confidential: withhold information; provide inaccurate information; doctor-hop; pay out-of-pocket for care; avoid care altogether. (California HealthCare Foundation Survey conducted by Princeton Survey Research Associates, January 1999.)

9 Cause for Concern
A hospital in Montana posted the psychiatric records of dozens of children on its public web site, where they remained until discovered by a newspaper reporter. In Jacksonville, FL, a woman brought her teenage daughter to work and left her unattended at a logged-in computer. The girl looked up patient phone numbers, and phoned to tell them that they’d tested positive for HIV. One patient attempted suicide. In Miami, Florida, several hundred hospital workers browsed through the records of a famous patient who had recently come to the facility.

10 Civil/Criminal Penalties
$25,000 for multiple violations of same standard in a calendar year. $250,000 and/or imprisonment up to ten (10) years for use of PHI for commercial advantage, personal gain, or material harm. These penalties apply both to institutions and to the individuals who breach the privacy regulations. We haven’t seen any use of these yet, since the regulations just came into effect, but I’m sure none of you, nor do I, want to be involved.

11 Permitted Disclosures
Patient. Personal Representative. Examples: legal guardian; power of attorney; family, relative, next of kin. Let’s talk about who you may disclose PHI to without getting an authorization from the patient. Patient themselves: this has not changed; still send to HIM, or staff must sit with the patient as they read through their record. Personal representative of patient: examples include legal guardian; power of attorney; family, relative or next of kin of a patient who does not have a legally appointed personal representative. They are treated as the patient, but should only be given information that is relevant to the matters for which they represent the patient. For abuse or neglect, you may elect not to recognize the legal personal representative as the personal representative if, using professional judgment, you believe: the patient has been or may be subject to abuse; treating such person as personal representative would endanger the patient; and, using professional judgment, you decide it’s not in the best interest of the patient to treat that person as their personal representative.

12 Permitted Uses and Disclosures of PHI
Treatment; Payment; Health Care Operations. You can use PHI for treatment, payment and health care operations without needing to get an authorization from the patient in most cases.

13 Treatment
Provision of health care by provider. Coordination of health care among providers. Referral of patient from one provider to another. Coordination of health care or other services with 3rd parties if authorized by patient. You may use a patient’s information without needing to get their authorization for treatment: providing care; coordinating care; getting a medical record from another provider. HIPAA doesn’t require an authorization; however, many entities require some sort of release of information signed or filled out. You may need to take a look at your consent to release information and make sure it contains all of the mandatory elements required by the law. Sec so that you can easily obtain records from other providers. But the law does not require this.

14 Payment
Determining coverage of health benefit claims. Billing, claims management and medical data processing. Review of health care services with respect to medical necessity, coverage, appropriateness. Utilization review activities. Minimum necessary applies.

15 Health Care Operations
Quality assessment and improvement. Legal services. Evaluating performance of health care professionals. Training future health care professionals. General administrative functions. Minimum necessary applies.

16 Patient Authorization
Must get authorization for all other uses such as: marketing; clinical research; mental health; substance abuse; HIV; any others.

17 Patient Rights
Confidentiality of PHI; Privacy Notice; Request Restrictions; Confidential Communications; Access to Medical Record; Accounting of Disclosures; Amend/Correct Medical Record; File a Complaint. We’ll now look at the rights that the Privacy Rule gives all patients. All of these rights are now spelled out in our own UIHC policies, but not all of them mean that new procedures are in place. In many instances we have been providing these rights to patients and our procedures will not change; in other instances, some procedures will change. In all cases you are responsible for knowing the rights of patients, and when a patient asks about a right, you should know where to direct the patient so that they may access their right.

18 What is Protected Health Information (PHI)?
Individually identifiable information: health information; demographics. ANY form or medium: oral; written; electronic. Name; photograph; Social Security #; fingerprints; health status; admission date; diagnosis; medical record #; address; birth date; telephone #; fax #. So let’s take a look at the basics of the Privacy Rule: what it covers and requires. The Privacy Rule protects all health information of a patient, and specifically what it calls PHI. The term “PHI” is used frequently in the Privacy Rule (HIPAA) and is a term that you should become familiar with. As a rule of thumb, private information that you see, hear, or say must be kept confidential and can only be used or disclosed for specific purposes related to an individual’s treatment, related to payment for the services they received, or related to the operations of the healthcare organization. Information is individually identifiable if there is any reason to believe it can be used to identify an individual.

19 Suggestions
If you are unsure whether disclosure of health information is permitted, it is best to get authorization from the patient first. Become familiar with your employer’s standard operating procedure related to HIPAA. Become familiar with your employer’s privacy forms.

20 Patient Rights: Confidentiality
Confidentiality of PHI. Never share PHI unless job related. You may never share this PHI with others unless that disclosure is required in the performance of your job duties and responsibilities. This means not sharing health information that you learned at work with other co-workers at lunch or while walking through the hallways.

21 Internet Social Networking Sites such as MySpace or Facebook etc.
Be careful not to mention any patient information on those sites. Do not ask a patient to join your friends list.

22 Patient Rights: Confidentiality
Confidentiality of PHI. Access PHI on a need-to-know basis. Dispose of PHI confidentially. Once confidential information has been retrieved, it is your responsibility to properly dispose of the PHI by: distributing it to appropriate people; filing it securely; or disposing of it confidentially or destroying the document (shredding).

23 Patient Rights: Confidentiality
Telephone, calls to patients: appointment reminders; voice message; leaving information with family; check to see patient preference. Telephone conversations involving PHI should be conducted where they cannot be overheard whenever possible. Verify who you are talking to and their authority to receive the information. Appointment reminders are OK over the phone. Whoever answers the phone in the household can be left with a simple message: “This is Dr. Brown’s office, Patty has an appointment tomorrow.” BUT do not leave a message with too much specific information; stick to the minimum necessary. For example, do not say, “This is Dr. Brown’s office, Patty has an appointment to talk about her HIV status tomorrow.” If a patient requests to be contacted at a different address or phone number for appointment reminders, lab test results, bills, etc., the physician’s office must comply with their wishes.

24 Patient Rights: Confidentiality
Telephone, calls from family/friends: what can be shared; professional judgment; use Privacy Rule when uncomfortable. Telephone conversations involving PHI should be conducted where they cannot be overheard whenever possible. Verify who you are talking to and their authority to receive the information.

25 Patient Rights: Confidentiality
Security: walk through with critical eye; patient schedules; simple changes; “reasonable”; increased awareness. Security: patient information that is no longer needed is discarded in an appropriate secure container (for shredding). Patient info is not left on unattended photocopiers, computer printers or fax machines; these devices should be kept in a secure area if at all possible. Computers: passwords kept secure, not shared, changed regularly. Computer screens not in plain view. Patient files never left in plain view, e.g. if on a door rack, turn the chart around. Patient schedules not left in public areas.

26 Patient Rights: Confidentiality
Faxing: pre-call; cover sheet; call if error occurs; disposal. Faxing: patient info sent only to fax machines in known locations. You need to verify the number you are sending the fax to. There should always be a confidentiality statement on the fax.

27 Patient Rights: Confidentiality
Non-secure; patient consent; subject line; security regulations. When used, it is only with the patient’s permission, where the patient understands the insecurity of its use.

28 Patient Rights: Confidentiality
Incidental disclosures: calling out patient’s name; sign-in sheet; reasonable; limit where possible. Incidental disclosures are allowed. The Privacy Rule does not require that all risk of protected health disclosure be eliminated. For example, clinics often call out a patient’s name in the waiting area for their appointment. That said, we also must take reasonable steps to minimize these incidental disclosures. We are encouraging staff to lower their voices, to print off information for the patient to confirm, to ask individuals to step back when encroaching on a conversation with a patient or family member and to begin to look at common sense approaches to minimizing disclosures. We will not be able to completely eliminate an individual’s ability to overhear conversations they should not, but with an increased awareness we hope to be able to decrease this occurrence.

29 Patient Opportunity to Object or Agree
Disclosing PHI to family, friends, others assisting in patient’s care. Patient present/conscious: verbal agreement; opportunity to object; use professional judgment. Patient not present/unconscious: best interest of patient; relevant to person’s involvement. When disclosing PHI to family, friends and others assisting in the patient’s care (if they are not personal representatives), the patient must be given the opportunity to object or agree to the disclosure. The process has not changed. If the patient is present, or otherwise available prior to a disclosure, and has the capacity to make health care decisions, you may disclose health information (PHI) about the patient to those involved in the patient’s care if you: obtain the patient’s verbal agreement; provide the patient an opportunity to object and the patient does not object; OR reasonably infer from the circumstances, using professional judgment, that the patient does not object to the disclosure. If the patient is not present or is incapacitated and unable to make health care decisions, you may disclose PHI to people involved in the patient’s care if you: using professional judgment, determine that disclosure is in the best interest of the patient; AND disclose only the PHI that is directly relevant to the person’s involvement with the patient’s health care. Use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person to act on behalf of the patient to pick up prescriptions, medical supplies, x-rays or other forms of PHI.

30 Disclosure of PHI
Must verify identity and authority before disclosing. If not known to you, require: ID/badge; verbal affirmations; legal documentation. Use professional judgment. When making any disclosure, you must verify the identity or authority of the person/entity to whom you are disclosing PHI. This applies to any type of disclosure. YOU are responsible for making sure you are giving PHI to a person with the authority to receive it. If you have suspicion or do not know the person, you must get identification or some sort of documentation or verbal affirmation of who the person is and their authority to receive PHI.

31 Patient Rights: Privacy Notice
Patient has the right to receive a notice of privacy practices. Given to every patient at first encounter. One time: document. Acknowledgment form: to be filed.

32 Patient Rights: Privacy Notice
Notice describes: how medical information is used and disclosed by covered entity; summary of patient rights; who to contact; how to file a complaint and ask questions.

33 Patient Rights: Request Restrictions
Informal: ask caregiver to restrict what is told to others; caregiver uses professional judgment; inform patient of their decision; applies to current episode of care. Formal: refer to Privacy Officer; in writing; 30 days.

34 Patient Rights: Confidential Communications
Receive communication at alternate address. No reason given. Administratively reasonable. Patients have the right to request that they receive communications from the hospitals and clinics at an address different than their current permanent address. For example: they don’t want an abusive husband to know about their treatment here, and ask that all communication be sent to their mother’s house.

35 Patient Rights: Access to PHI
Access or inspect their medical record. View with staff present. Obtain copies. 30 days. Patients have the right to have access to the information in their medical record.

36 Disclosures Permitted with no need for authorization from patient
Required by law; public health activities; health oversight agencies; victim of abuse, neglect; law enforcement purposes; organ donation; to avert serious threat to health or safety; specialized government functions; workers compensation. Areas in which we currently disclose and are still able to disclose include those on this list. I’ll draw your attention to a couple. Public health: FDA, disease control, communicable disease, cancer registry. Health oversight agencies: audits, investigations, JCAHO licensure, Medicaid investigation. For all other disclosures, we need to get patient authorizations.

37 Patient Rights: Corrections/Amendments
Informal process: correct medical record; for inaccurate information; use professional judgment. Formal process: amend medical record; in writing; determination based on circumstances. Patients have the right to correct or amend the information in their medical record if the information is inaccurate or incomplete. Corrections follow an informal process. Example: a patient sees, while she’s with her care provider, that her record shows she has a latex allergy; she does not. She asks for this information to be changed. You may correct it if you are comfortable doing so. Use professional judgment in corrections. Example: a patient sees her record states she has a history of obesity. She states it’s incorrect and wants it changed. You don’t feel comfortable changing the record. Inform the patient of the formal process to amend the medical record. When you don’t feel comfortable correcting a record, the formal process is to refer the patient to Health Information Management (HIM) for medical issues and Patient and Fiscal Registration Service for billing issues. UIHC will respond to the request and agree to the amendment or deny it. The patient may then write a statement of disagreement about the denial, and this will be attached to their medical record.

38 Patient Rights: File a Complaint
Privacy Officer; Secretary of Health and Human Services. The final right of patients is the right to file a complaint. Patients with complaints should be referred to the Patient Representatives. If they have a specific question or concern about HIPAA, refer them to the Privacy Officer. Patients also have the right to file a complaint with the Secretary of Health and Human Services and will be given contact information if necessary.

39 Patient Rights: Confidentiality
Big Daddy, super sports star, was injured during a game and comes to your practice wanting to get some emergency dental work. All your friends are begging you to find out more information about what happened to Big Daddy. Your position gives you access to patient records and it would be easy to find out everything everyone is curious to know. Big Daddy won’t know or care. He might even be pleased to know that everyone is so concerned about him. Plus, some of the information will come out in the press in a few days anyway. What do you do?

40 Patient Rights: Confidentiality
A. Sneak a peek at the chart but refuse to share any information with friends.
B. Sneak a peek at the chart on your own personal time and share only information that will become public anyway.
C. Explain to friends that a professional in any health care institution cannot look at patient records without a good reason to know the information for health care or billing purposes.
D. Explain to friends that the institution has an audit system that will track anyone who looks at the patient’s record and that you will lose your job unless you had a good reason to look at the chart.

A. Not allowed; you have no reason to be looking at the chart. This is a breach of patient confidentiality that will be disciplined.
B. Same as A.
D. True, but not the reason to refuse to take a look at the patient’s information. The question to be asked is whether you have consent to look, not whether you’ll get into trouble for doing so.
C. The best answer. The issue is that you cannot look at PHI unless it is necessary to do your job. It’s good to let the public know this.

42 Patient Rights: Confidentiality
You are a health care professional caring for Mr. Linn, a patient. Dr. Herra approaches you and asks to see Mr. Linn’s chart. She is not his physician but is his next door neighbor. “I just want to know what he has so I can help,” she explains. What do you do?
A. Hand over the chart so she can help manage his care. She’s a doctor and knows what she’s doing.
B. Smile and ask, “Do you have his permission?”
C. Hand over the chart and tell your supervisor what happened.
D. Ask Dr. Herra to complete an acknowledgment releasing the medical record to her.

A. Good intentions do not create patient consent. The patient has the final word, not well-meaning neighbors.
C. Don’t put the responsibility on your supervisor; you are responsible for handing the chart to Dr. Herra, who has no authority to receive that information. Not the best answer. This does not accomplish the hospital’s goal of making sure everyone understands the patient’s right to privacy.
D. There is no such acknowledgment to sign. It’s the patient who must give their authorization, not Dr. Herra in this situation.
B. The best answer. The issue is whether Dr. Herra has the patient’s consent. If she does not, she cannot see the chart.

44 Patient Rights: Confidentiality
You attend a weekly meeting where a list of patient names, medical record numbers and diagnoses are distributed for purposes of discussion. After everyone else leaves the meeting you notice that several copies of the patient list are still on the table. What do you do?

45 Patient Rights: Confidentiality
A. Toss them in the wastebasket to make sure the next group using the room doesn’t see them.
B. Alert the person who distributed the list to make sure the problem doesn’t happen again.
C. Pick up all the copies and dispose of them confidentially to make sure the information does not become public.
D. Pick up all the copies, dispose of them confidentially, and raise the issue of privacy practices at the next meeting.

A. Throwing the confidential lists in the wastebasket is not good enough; they need to be disposed of confidentially, either in a locked container for shredding or shredded immediately.
B. You have the responsibility yourself to take action. While alerting the person who passed them out is a reminder to that person, you should take the responsibility on yourself to dispose of the copies confidentially.
C. Your action may prevent a problem today, but what about next time? Consider option D, raising the issue at the next meeting, even if it may not be easy.
D. The BEST answer. Although it may seem difficult to bring it up, we all must do our part to bring privacy issues up so that our patients’ privacy is maintained.

47 Dr. Good is discussing a patient’s care with a nurse just outside the patient’s door. Another patient wandering in the halls hears what is being said. Dr. Good later discusses the case in the elevator with Dr. Timely. Everyone in the elevator hears the conversation. Has Dr. Good violated the privacy regulations?

48 A. No, because the privacy regulations only cover written or electronic information.
B. No, because the regulations allow health care providers to discuss anything they want, anywhere they want.
C. Yes, conversations about a patient should occur only where there is no possibility of being overheard.
D. Maybe. It depends on whether Dr. Good could reasonably have found more private times and places to discuss the case.

A. Incorrect; the Privacy Rule covers all communications of PHI: written, electronic, and oral.
B. Incorrect; while the regulations do not place many limits on clinicians’ use of PHI for treatment, they are still expected to take reasonable steps to protect privacy.
C. Incorrect; only reasonable measures are required to protect privacy. Sometimes it will not be possible to find a totally private place to exchange information about a patient.
D. This is the correct answer; the regulations only require reasonable efforts, not an absolute guarantee of privacy. In the first instance there may have been no alternate location to communicate important patient care needs to the patient. In the second situation, Dr. Good may have been in the process of responding to an emergent situation and the only place to discuss the care of the patient was while en route via the elevator. Certainly care providers need to become cognizant of alternate venues to discuss patient care or simply lowering one’s voice. But ultimately, communicating to the health care team takes priority over location.

50 Helpful Websites
http://www.hhs.gov/ocr/newfaq
OCR frequently asked questions

51 QUESTIONS?

