1. HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1

2. HIPAA and Its Purpose What is HIPAA?  Health Insurance Portability and Accountability Act of 1996  Title II – Administrative Simplification  It’s a federal law  HIPAA is mandatory, penalties for failure to comply Purpose:  Protect health insurance coverage, improve access to healthcare  Reduce fraud and abuse  Improve quality of healthcare in general  Reduce healthcare administrative costs (electronic transactions) HIPAA Job Specific Education2

3. HITECH and Its Purpose What is HITECH?  Health Information Technology for Economic and Clinical Health Act  Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)  It’s a federal law Purpose:  Makes massive changes to privacy and security laws  Applies to covered entities and business associates  Creates a nationwide electronic health record  Increases penalties for privacy and security violations HIPAA Job Specific Education3

4. Key HITECH Changes ◦Breach Notification requirements ◦AOD for treatment, payment, and healthcare operations in electronic health record (EHR) environment ◦Business Associate Agreements ◦Restrictions ◦Right to access ◦Criminal provisions ◦Penalties ◦OCR Privacy Audits ◦Copy charges for providing copies from EHR ◦HIPAA preemption applies to new provisions ◦Private cause of action ◦Sharing of civil monetary penalties with harmed individuals HIPAA Job Specific Education4

5. Civil Penalties for Non-compliance* HIPAA Job Specific Education5 Violation CategoryEach ViolationAll such violations of an identical provision in a calendar year Did Not Know$100 - $50,000$1,500,000 Reasonable Cause$1,000 – $50,000$1,500,000 Willful Neglect – Corrected$10,000 - $50,000$1,500,000 Willful Neglect – Not Corrected $50,000$1,500,000 *As of 2/17/10

6. Criminal Penalties for Non-compliance For health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. These penalties can apply to any “person”.  Penalties higher for actions designed to generate monetary gain  up to $50,000 and one year in prison for obtaining or disclosing protected health information  up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"  up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm HIPAA Job Specific Education6

7. Facility Privacy Official (FPO) Your FPO is: Susan Armstrong, HIM Director Responsible for: ◦Implementation of Privacy and Information Security Program ◦Privacy Rights of patients ◦Requests for Privacy Restrictions ◦Facilitating the training and education of workforce members HIPAA Job Specific Education7

8. HIPAA Terminology HITECH: Health Information Technology for Economic and Clinical Health Act HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information CE: Covered Entity (Hospital) OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement) DRS: Designated Record Set (medical record and billing record) Directory: Hospital census list used by volunteers and operators with name and room TPO: Treatment, Payment and Healthcare Operations HIPAA Job Specific Education8

9. What is Protected by HIPAA (PHI)? Name Address including street, city, county, zip code and equivalent geocodes Names of relatives Name of employers Birth date Telephone numbers Fax Numbers Electronic e-mail addresses Social Security Number Medical record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Web Universal Resource Locator (URL) Internet Protocol (IP) address number Finger or voice prints Photographic images Any other unique identifying number, characteristic, code HIPAA Job Specific Education9

10. How will HIPAA affect you? Coversheets with confidential statement need to be used on all external faxes. Patient charts will need to be placed in secure area PHI will need to be placed in Cintas Shred containers for disposal Unless specifically authorized by the patient, patient family members should only be told the basic condition and location Patient information should only be accessed if there is a need to know Never discuss patient care in front of visitors– politely ask the visitors to step out for a moment – if the patient states they can stay be sure to document this in the chart. HIPAA Job Specific Education10

11. How will HIPAA affect you? Do not write down any names or identifiable patient information in your student notes – if in doubt check with your instructor Patient charts need to be placed in secure areas PHI will need to be placed in Cintas Shred containers for disposal – NOT IN TRASH CANS Patient information should only be accessed if there is a need to know Patients have a right to a copy of their medical record but they must go to medical records and sign a release and only after the chart is completed after discharge HIPAA Job Specific Education11

12. Patient Privacy Complaints FPO must maintain complaint log in accordance with the complaint process ALL privacy complaints must be routed to the FPO Responses cannot be accompanied by retaliatory actions by the hospital Disposition of complaint must be consistent with the facility’s Sanctions for Privacy Violations HIPAA Job Specific Education12

13. Notice of Privacy Practices Patient will receive a Notice upon each registration The Notice outlines patient’s privacy rights as: ◦Right to access your PHI ◦Right to amend (append or add to) your PHI – if you disagree with the information ◦Confidential Communication-alternative means or to an alternative location ◦Right to Privacy Restriction-use or disclosures of your PHI ◦Right to Opt out of Directory-no disclosure of patient’s name, location, condition of patient, or religious affiliation ◦Right to an accounting for disclosures – where your information went without your authorization HIPAA Job Specific Education13

14. Breach Notification HITECH provisions require the following notifications when breaches (as defined in the regulations) occur: ◦To the patient ◦To the Department of Health and Human Services ◦To the media when the breach involves more than 500 individuals in the same state or jurisdiction HIPAA Job Specific Education14

15. Ensuring Security Compliance Ensure users log off computer systems and medical devices when not in use. PC’s should have screen savers whenever possible. Computer screens should be positioned so information (PHI) is not readable by the public or other unauthorized viewers Printers should be positioned in protected locations so that printed information is not accessible or viewable by an unauthorized person. PHI must be properly disposed. HIPAA Job Specific Education15

16. Common Exposures Discussions of patient information in public places such as hallways and cafeterias Printed or electronic information left in public view (e.g., charts left on counters) Discussing patient information on social networking sites (e.g., Facebook, Twitter) PHI in regular trash Records that are accessed without need to know in order to perform job duties Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment HIPAA Job Specific Education16