Confidentiality in… Hospitals, Skilled Nursing Facilities, Doctor’s Offices, Employers, Schools. Anyone who holds your health information must keep it confidential and abide by HIPAA. It applies to ALL covered health care providers.
HIPAA is… Related to all medical records, whether ▫Written ▫Computerized ▫In use or stored.
What is Protected Health Information (PHI)? According to HIPAA, all of the following can be used to identify a patient: ▫Addresses ▫Dates ▫Telephone or fax numbers ▫SSN ▫Medical Record Numbers ▫Patient Account Numbers ▫Insurance Plan Numbers ▫Vehicle Information ▫License Number ▫Photographs ▫Fingerprints ▫Email & Internet addresses
Protected Health Information (PHI) PHI is individually identifiable health information: health information that identifies a person, or that can be combined with other data to identify one. Removing a person’s name is no longer a sufficient way to de-identify a patient. ANY health information that identifies someone, or can be used to identify someone, MUST BE PROTECTED.
Why HIPAA? Health information continues to grow and become more sophisticated, and it requires more protection than ever. Identity theft is a growing risk. HIPAA put in place penalties for violations of the law.
When HIPAA? Mandated to be in place by April 2003. ▫Although the actual law was on the books much earlier, in 1996.
So tell me what you know… Who has to obey HIPAA laws? What does HIPAA stand for? Where does HIPAA apply? When was HIPAA mandated to be in place?
HIPAA Compliance Read only the charts and information you need to do your job or assignment. Ensure any questions you ask of others to enhance your learning are asked when others are not within hearing range.
HIPAA Compliance When discussing patient conditions in the classroom, do not use names or anything that would allow others to pick the patient out of a room. Good: A male in his mid-forties had… Bad: The male in room 224. Good: A teenage girl… Bad: The 16 year old girl, with brown hair wearing a plaid skirt…
HIPAA Compliance Discuss patient information or condition only with those who need to know as part of their job. Do not discuss patient information in the halls or in public areas. You never know who may be listening.
So tell me what you know… Explain what HIPAA Compliance means to you. What can you do to protect patient privacy? Describe someone in this room in a way where we may not know who they are. Now describe someone in a way we will be able to guess.
Consents Patients (only) may request that their records be released to others, for any number of reasons. All consents must be in writing and must be kept with the medical record.
Consents Common reasons: ▫Life insurance ▫Family records ▫Family physician
Consents Some releases or authorizations require a non-staff member to sign as a witness. Students may not fulfill this request.
What is TPO? Treatment: providing care to patients. Payment: getting paid for caring for patients. Operations: normal business activities, such as quality improvement, training, auditing, customer service, and resolution of grievances.
So tell me what you know… Why are consents important? Who can give consent? Where should consents be stored? What are a few examples of why a patient may want their medical records.
Covered Entities If a facility bills its sources of payment (insurance companies, Medicare, etc.) electronically, it becomes a covered entity. Covered entities may share information as needed for treatment, payment, and operations (TPO) without the consent of the individual.
Covered Entity – Example of sharing information appropriately. For example, the hospital bills Medicare for a patient’s stay. Medicare requests additional medical records to support the reason for the length of stay at the hospital. The hospital may send the information to Medicare without consent.
So tell me what you know… Who is a Covered Entity? When can a facility share information with them? Does the patient need to consent when records are sent to a Covered Entity? Does the patient need to consent when records are given to a marketing firm?
Why a Business Agreement? A healthcare provider may do business with another party who is not a covered entity. If that non-covered entity requires information about patients in the healthcare facility to do its job properly, the healthcare provider may enter into a Business Agreement with it.
What is a Business Agreement? A contract between a non-covered entity and a healthcare provider (formally, a Business Associate Agreement, or BAA). The non-covered entity agrees to use patient information strictly as part of its job (i.e. billing, providing home health services, etc.). The non-covered entity will not use information inappropriately (sell it to a marketing company, use it to solicit patients, etc.). The non-covered entity will protect the information, destroy it properly, and abide by HIPAA rules and laws.
What is a Business Agreement? The Agreement must be reviewed and approved by the appropriate Officer within the organization, often the Privacy Officer or Compliance Officer. An example would be a DME company that provides custom wheelchairs to rehabilitated patients. DME → Durable Medical Equipment
So tell me what you know… Who needs a Business Agreement? What is a Business Agreement? Why is a Business Agreement necessary? Can any staff member approve a Business Agreement?