NAU HIPAA Awareness Training (presentation transcript)
Slide 1: NAU HIPAA Awareness Training

Welcome! Hello, my name is ________________________ and I will be talking to you today about protecting patients' privacy and how it is everyone's responsibility.

Today more than ever, patients and consumers are both concerned and aware that their private information can be used or released without their knowledge. Recently a new federal law was passed that protects a patient's private medical information and also gives patients new rights in managing their health information. In this session, we will talk about patient concerns, the new patient rights, and your responsibilities in protecting patient privacy.

(Information only: references used to prepare this presentation include HIPAA 101 and 102, Allen Hospital System; Health Information Management, An Applied Technology, AHIMA, Merida Johns; and Oregon Dept. of Human Services.)
Slide 2: Health Insurance Portability and Accountability Act of 1996

What is HIPAA? A federal law dealing with the privacy and security of health information. HIPAA stands for Health Insurance Portability and Accountability Act of 1996.

A Gallup survey commissioned by MedicAlert in November 2000 on how important privacy is to patients, and how concerned they are about it, showed:
- 77% of Americans feel that privacy about their personal health information is important;
- 84% said they were very/somewhat concerned that personal health information might be made available to others without their consent;
- Only 7% said they are willing to store or transmit personal health information on the Internet, and 8% felt a website could be trusted with such information.

IF PATIENTS ARE CONCERNED THAT THEIR HEALTHCARE INFORMATION ISN'T KEPT CONFIDENTIAL, QUALITY OF CARE IS COMPROMISED. CONDITIONS MAY BE LEFT UNTREATED AND THE PATIENT'S MEDICAL RECORD IS INCOMPLETE OR INACCURATE. HIPAA IS THE REGULATION THAT PROMOTES PRIVACY AND SECURITY.
Slide 3: How HIPAA applies to Health Care Systems

- HIPAA applies to all management, employees, volunteers, temporary employees, students, residents, and trainees (the workforce) employed in health care systems.
- NAU is committed to providing students seeking careers in health occupations with HIPAA awareness training.
- Complying with HIPAA is MANDATORY!

Federal Privacy Regulations (April 2001): This federal regulation establishes standards for most health care providers and payers for the protection of health information, and establishes new patient rights related to accessing their health information.

Although HIPAA was officially passed by Congress in 1996, the privacy rules became effective in April 2001 and healthcare providers implemented these new rules in April. Since April 2001, healthcare providers have been busy reviewing the HIPAA regulations, assessing and writing privacy and security standards for their facilities, and training employees on the regulations.

Today, we will provide you with an overview of the HIPAA regulations that relate to privacy and security issues. We want to be clear up front that we are not going to train you line by line on the HIPAA regulations. We also won't be telling you specifically how an office, clinic or hospital will implement the law; each facility will handle HIPAA differently. What you are going to receive today is a foundation to familiarize yourself with HIPAA.
Slide 4: How HIPAA applies to Health Care Systems, cont'd

- There are fines and even criminal penalties if we do not take reasonable steps to comply.
- Every member of an organization has a role to play, even students!

It is important to know that there are penalties for failing to meet the requirements of the privacy regulations or for inappropriately disclosing or receiving confidential health information. Penalties can be either criminal or civil. An example of a criminal case would be the use of a person's health information for malicious harm. An example of a civil case would be the inadvertent disposal of a PC with patient information stored on the hard drive.

Monetary penalties can range from $100 to $100,00 depending on the severity of the violation. Penalties can also include imprisonment of up to 10 years depending on the severity of the incident. Penalties will be more severe when information is obtained under false pretences, or when it is obtained with the intent to sell or transfer it, or to use it for commercial gain, personal gain, or malicious harm.

Both the institution and individuals can be held liable for breaches of privacy; the penalties do not apply only to the organization.
Slide 5: What is Privacy?

- Privacy refers to your duty to prevent others from seeing or using protected health information (PHI) about patients.
- Under HIPAA, a facility can only use and disclose PHI for certain permitted purposes.
- You SHOULD NOT see or obtain PHI unless you need it to do your job.
- You SHOULD NOT disclose PHI to others unless that is part of your job.

PHI means protected health information under HIPAA. It is an important HIPAA term.

Privacy is a concern to patients, and breaches of patient privacy have consequences:
- There have been cases where persons lost their jobs when bosses learned that they had sought treatment for drinking problems.
- In North Carolina, a woman was fired from her job after being diagnosed with a genetic disorder that required expensive treatment. Three weeks prior she had received a positive evaluation and a raise.
- A drug store made prescription records available to a marketing firm that sells pharmaceuticals.
- Thousands of patient records have been found in unlocked dumpsters and on the Web.

Optional dialogue:
- 90% trusted their doctors to keep their information private and secure
- 66% said they would trust a hospital
- 42% said they would trust an insurance company
- 35% said they would trust a managed care company
Slide 6: How Privacy Works

- Patients rely on their healthcare providers to keep their information private.
- Because health care systems promise patient privacy, patients are willing to provide the personal details of their health so that providers can diagnose and treat them.
- If patients are not willing to provide information because of privacy concerns, care is compromised.
Slide 7: What is Protected Health Information?

Any information about past, present or future physical or mental health, healthcare, or payment for healthcare that identifies a patient.

Examples: name, address, date of birth, date of death, date of admission, date of discharge, telephone number, social security number, health record number, account number, and facial photographs.
Slide 8: What forms of records are covered?

All protected health information (PHI) about patients, in any form:
- Written
- Video
- Electronic
- Oral

Under the HIPAA privacy provisions, any individually identifiable health information that is transmitted by electronic media, maintained in either paper or electronic form, or transmitted or maintained in any other form is considered PHI. If you think about this, any information that can identify a patient can give rise to a HIPAA violation.
Slide 9: What is Security?

- Security refers to our duty to keep health information secure and available.
- Facility privacy practices prohibit members of the workforce from obtaining PHI unless they need it to do their job.
- Security safeguards limit access to PHI.
- Privacy and security go hand-in-hand.

In other words, privacy determines who gets what information and when they get it. Security states who has access to the information.
Slide 10: How HIPAA affects a health care facility

- HIPAA regulates how health care providers use and disclose protected health information.
- Health care providers are committed to complying with HIPAA regulations.
- Health care providers have developed compliance plans.
Slide 11: What is a compliance plan?

- A policy explaining the privacy rules
- Identifies risks and adopts safeguards to protect PHI
- Classifies all members of the workforce
- Trains all members of the workforce
- Establishes a Privacy Officer: the person identified in a facility as the contact for any questions, concerns, or complaints

Compliance plans assist in the development of internal controls that promote adherence to applicable federal and state guidelines. Facilities must be able to prove they are in compliance with regulations. Requiring employees to attend HIPAA orientation training is one example of maintaining compliance.
Slide 12: What is a compliance plan? cont'd

Mandatory reporting:
- If you have first-hand knowledge of a breach of privacy policies or of improper use or disclosure of protected health information, you report it to your supervisor and/or the Compliance (Privacy) Officer.
- Patients are given information on admission on how to report privacy rights violations to the identified Compliance (Privacy) Officer within the organization.
- Patients can also file a complaint with the Secretary of the Department of Health and Human Services.
- Persons reporting to Compliance Officers are protected from retaliation.

All health care facilities covered under HIPAA are expected to develop a compliance plan for the reporting of violations. Guidelines generally identify a reporting hierarchy within an organization for employees and patients. A feature of the compliance plan is PERMISSIVE reporting. All health care facilities need to know whether their compliance efforts are effective; by addressing concerns, a facility can determine how its compliance plan is working.

Compliance plans do provide protection for reporting and compliance activities. Policies will include protection from retaliation for filing a mandatory or permissive report, or for participating in good faith in compliance activities such as a government investigation. Most compliance plans require discipline if you do not comply with mandatory reporting or if you are responsible for a security breach. All facilities must have a written procedure in place that allows individuals to file a complaint concerning the facility's privacy and information security policies and procedures.
Slide 13: Notice of Privacy Practices

The HIPAA privacy standard requires that individuals have the right to receive a notice that outlines:
- How medical information is used and disclosed by the organization
- How to access and obtain a copy of their medical records
- A summary of patient rights under HIPAA
- How to file a complaint, and contact information

By this time, many of you may have received a Notice of Privacy Practices from a covered entity. This may have been at the physician's office, a hospital, a rehab center, or even the dentist. The Notice is very important because it tells the individual of his/her rights regarding PHI and states how the record may be used in a health care facility (such as for fundraising, research, and for treatment, payment, and operations).

Usually the Notice of Privacy Practices is given at the first point of contact: admissions and/or the reception desk. It is also posted in a prominent place in the facility. Usually the notice is given once. Health care facilities will make every effort to obtain a person's written acknowledgement that the notice was received.
Slide 14: Disclosure of Protected Health Information

Authority: the patient. Every use and disclosure of protected health information must be authorized by the patient or by state or federal law.

Examples:
- Patients can authorize release of information to a third party.
- State laws require reporting of child abuse.

We cannot assume every use or disclosure is okay. Facilities have developed policies and assigned procedures to deal with this.
Slide 15: Sharing of PHI

You may share protected health information ONLY if you need to in order to do your job, for example:
- Nurse-to-nurse communication related to assigned clients
- Health staff to the physician in charge of patient care
- Allied health professionals (respiratory, therapists, etc.) to those in charge of patient care
- Chart reviewers for in-house projects

NEVER access patient information that is not needed in the performance of your job.
Slide 16: Incidental Disclosures are a reality

An incidental disclosure is an unintended or unavoidable disclosure of protected health information that occurs as part of a permitted disclosure.

Examples:
- A quality review committee forgets to delete a patient's name from the quarterly hospital infection report.
- A nurse speaking to a patient on the phone is heard by another person walking by the nurses' station.
- Two patients share the same room.

You must use reasonable safeguards to protect privacy. Incidental disclosures are permitted under HIPAA; some disclosure is unavoidable, such as being overheard when someone walks by the nurses' station. However, HIPAA does require a facility to apply reasonable safeguards. For example, in a room occupied by two patients, the curtain should be drawn and voices lowered to protect the patient's confidentiality. If the patient has visitors, always ask the patient's permission about visitors hearing the information before discussing his/her medical condition.
Slide 17: Safeguards for PHI

All covered entities must have in place reasonable administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI and to prevent unauthorized or inappropriate access, use or disclosure of PHI. It's the law!
Slide 18: Doing your part

- Only access confidential information (PHI) if you have a need to know it to do your job.
- Take reasonable steps to verify the identity of persons to whom you disclose PHI (if someone asks for PHI and you don't know whether they have a right to the information, you can ask for identification).
- Use or disclose PHI only in the performance of your responsibilities and duties (you cannot access patient information that is not a component of your assigned work duties).
- Understand the law and the organization's policy.
- Attend training and education programs.
- Treat patient information the way you would want your personal information treated.

Also, when working on the floor, don't leave patient records unattended. At the nurses' station, close patient records if you need to leave the area.

OPTIONAL SECTION (may not pertain to all students): At NAU, some courses require the use of medical records. These records are de-identified. De-identification is the process of eliminating all data that could identify the patient. This can include information such as name, birthdate, address, phone number, next of kin, religion, race, SSN, and employer.
Slide 19: Use Technology Wisely

- ONLY access patient information if you have a need to know it to do your job.
- Protect your password; never share it with anyone.
- Log off the computer when you leave the area.
- Make sure computer screens are not visible to the public.
- Take steps to ensure the privacy of faxed PHI.
- Audit trails: facilities can monitor where you have been and what you have looked at!

Technology will play a role in the work setting. Use precautions and protect access to electronically stored PHI. Many facilities can perform random audit trail reviews of an employee's login history and what they may have accessed. Protect yourself by only accessing what you need to know.
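The audit-trail point above is what a facility's review actually does in practice: compare who looked at which record against who was assigned to that patient, and hand the mismatches to the Privacy Officer. The following is an added example, not part of the NAU deck or any facility's real system; the log format, the roster, and every user and patient id in it are constructed for illustration.

```python
"""Need-to-know review of an EHR access audit trail (added example, not from the NAU deck).

Assumptions (all constructed for this example):
- The audit trail is a comma-separated text with: timestamp,user,action,patient_id
- An assignment roster maps each user to the patient ids they are assigned to
  (their "need to know"); any other access is flagged for the Privacy Officer.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit trail (not real data; ids are made up).
AUDIT_TRAIL = """\
2011-10-03T08:02:11,nurse_a,view,MRN1001
2011-10-03T08:05:40,nurse_a,view,MRN1002
2011-10-03T08:09:03,nurse_a,view,MRN2044
2011-10-03T09:15:22,nurse_b,view,MRN2044
2011-10-03T09:16:01,nurse_b,print,MRN2044
2011-10-03T12:40:19,student_c,view,MRN1001
2011-10-03T12:41:55,student_c,view,MRN3100
2011-10-03T12:42:30,student_c,view,MRN3101
"""

# Constructed roster: user -> patient ids that user is assigned to today.
ROSTER = {
    "nurse_a": {"MRN1001", "MRN1002"},
    "nurse_b": {"MRN2044"},
    "student_c": {"MRN1001"},
}


@dataclass(frozen=True)
class Access:
    timestamp: str
    user: str
    action: str
    patient_id: str


def parse_audit_trail(text: str) -> list[Access]:
    """Parse the constructed audit-trail format; malformed or blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not all(parts):
            continue
        records.append(Access(*parts))
    return records


def flag_unassigned_access(records: list[Access], roster: dict) -> list[Access]:
    """Return every access to a patient the user is not assigned to.

    A user missing from the roster has no assignments at all, so all of that
    user's accesses are flagged: the check fails closed rather than assuming
    a need to know.
    """
    findings = []
    for rec in records:
        allowed = roster.get(rec.user, set())
        if rec.patient_id not in allowed:
            findings.append(rec)
    return findings


def summarize_by_user(findings: list[Access]) -> dict:
    """Count flagged accesses per user, to rank who to follow up with first."""
    counts = defaultdict(int)
    for rec in findings:
        counts[rec.user] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_audit_trail(AUDIT_TRAIL)
    flagged = flag_unassigned_access(recs, ROSTER)
    for f in flagged:
        print(f"{f.timestamp} {f.user} {f.action} {f.patient_id}: not on assignment list")
    print(summarize_by_user(flagged))
```

Run as a script, the review flags nurse_a's look at MRN2044 and student_c's two records outside the assignment (MRN3100, MRN3101), while nurse_b's view and print of an assigned patient pass. A real review would also need to handle legitimate exceptions such as emergency access, which is why the output is a list for a person to follow up on rather than an automatic verdict.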
Slide 20: Protect Confidential Information

- Providing patients with quality healthcare includes protecting their information.
- Everyone is required to do their part!

Oct 2011 Rev