HIPAA Office of Experiential Education Health Insurance Portability and Accountability Act
What is HIPAA? Health Insurance Portability and Accountability Act. Enacted on April 14, 2003. A Federal Law written to: enhance data exchange (more effective and efficient for administrative and financial transactions); improve healthcare information security and privacy.
HIPAA Principles 1. Protect the privacy of protected patient information 2. Use and disclose the minimum necessary amount of protected information 3. Establish the rights of patients to approve who has access and use of their medical information.
Health Information Disclosure. Covered entities have specific obligations toward protected health information (PHI), which includes information transmitted or maintained in any medium, including ORAL COMMUNICATIONS. Providers and plans may NOT use or disclose an individual’s health information except for: treatment; payment; regular health care operations. Any additional disclosure requires a signed authorization from the patient.
What is Protected Health Information (PHI)? Information resulting from demographic information being paired with physical or mental health or health insurance/prescription information.
Protected Health Information. Health information in any form is considered protected health information (PHI) if it: (1) is created or received by a covered entity; (2) relates to a patient’s past, present or future physical or mental health condition; (3) identifies the individual or creates a basis to believe that the information can be used to identify the individual.
Specific PHI Elements (This information must be de-identified or removed from patient information unless it is being used in the treatment of the patient.): Name; All geographic info (City, County, State, Precinct, Zip Codes, Street Address); Elements of Dates (Birth Dates, Admission, Discharge, Date of Death, and Ages >89 years old); Telephone/Fax numbers; Email address; Social Security #; Medical Record #; Health Plan #; Account #; Certificate/license #; Vehicle/serial #; License plate #; Device/serial #; URLs; IP Address; Biometric Identifiers (finger/voice prints); Full face photo.
Protected Health Information. Records kept in a pharmacy that would meet the definition of PHI: Prescription records; Billing records; Patient profiles; Insurance Cards; May include certain phone calls from patients; Verbal patient counseling.
Where would a pharmacy student find PHI? Medical or Clinical Charts; Medication Administration Records (MAR); Billing Records; Rounding Lists; Electronic Databases; Rounding Conversation; Faxes; Emails.
Use and Disclosure Rule. Must take reasonable efforts to use and disclose only the “Minimum Necessary” amount of PHI appropriate to the situation. Limit disclosure for payment and operations. Understand WHY the information is necessary. Question if information seems unnecessary. Casual conversation: don’t discuss patients with health care professionals not directly involved in their care. Providers should limit access to patient information on a need-to-know basis. Remember, do not use HIPAA as an excuse not to report adverse drug events.
For a pharmacy student, what is the “Minimum Necessary”? Access ONLY the PHI you need to provide medication therapy management. This would include: patient name, date of birth, height, weight, past medical history, physical exam, lab values, diagnoses, tests performed and the results, and the medications.
Can PHI be disclosed without authorization? Yes. Public health activities; Law enforcement, judicial proceedings; Reports of abuse or neglect; Health oversight activities; Coroners, funeral directors; Organ and tissue donation; Certain research activities; Threat to public safety; Military functions; Inmates; Workers’ compensation; Sale, transfer, merger or consolidation of all or part of covered entity.
What should be done when an employee makes an unauthorized disclosure of PHI? Sanction the employee. Attempt to contain the damage caused by the disclosure. Document the event: description of what was disclosed; statement of the reason the PHI is disclosed; date; the name and address (if known) of the person or entity that you disclosed to. Must also make an accounting of the events to the affected patient(s). Stiff penalties, including fines and prison terms, are associated with noncompliance.
What do I do if I need to speak to a patient in an institutional setting? Create a space that is private. Speak in the patient’s room. Pull the curtain closed if it is a shared room. If family members are in the room, explain to the patient that you will be discussing private information about their health and ask if they would like their family members to listen also. If not, and if it is an appropriate time to speak to the patient, ask the family members to step out of the room for a moment while you speak to the patient.
As a student, can you keep written records about your patients? Yes, BUT you must safeguard this information. Don’t use your phone to take a picture of information in the patient’s chart. Don’t photocopy information from the patient’s chart. Don’t access information for patients you aren’t directly following, even if they are relatives and/or friends.
As a student, can you keep written records about your patients? Do not leave any written materials, PDAs or laptops with patient information on tables or in lab coats that you are not wearing. Always put paper with patient information in locked containers to be shredded. Remember to keep PDAs and laptops password protected when they contain patient information and to delete information that is not needed.
Helpful TIPS Keep conversations about patients as private as possible. Use discretion when calling out names in waiting rooms or pharmacies. Keep patient lists and schedules out of public view. When discussing cases with fellow students, strip identifiers from the case.
Helpful TIPS Never leave the patient’s medical record unattended or open. Respect patient’s privacy when requesting medical information over the phone. Do not repeat names, numbers, etc. so that these can be overheard. Verify the identity of the individual requesting patient information.
Helpful TIPS Use passwords on computers that only you know. Do not share passwords. Log off any computer if you get up and leave. Protect the security of laptops and PDAs with password protection. Remove/destroy PHI when it is no longer needed.
Rights of Individuals to PHI Patients have the right to access their health information. Requests for information must be honored within 30 days. Patients can “amend” their health record. Requests must be acted on within 60 days. You may deny a request if it is not appropriate. Patients have the right to request that health care providers restrict disclosure of information to health plans in situations in which a patient has paid for an item or service in full.
Privacy Official To ensure that any covered entity (including pharmacies) is committed to developing and implementing the HIPAA guidelines, an individual must be named as a “privacy official”. This individual is responsible for developing and implementing HIPAA-related policies and procedures.
Security Rule. Requires entities to: protect ePHI against unauthorized access and improper alteration or destruction; protect against threats or hazards to the security or integrity of ePHI; protect against unauthorized uses or disclosure of ePHI; make ePHI readily available to authorized personnel when needed; institute security measures that must be followed by all members of the workforce, including students, management, and vendors or contractors.
Security Rule. Applies only to electronic protected health information. Computer systems should be up to date, but it is your responsibility to ensure the safety of the ePHI.
Conclusions May use protected health information when speaking with other health care professionals involved in the treatment of the patient. Use common sense when dealing with health care information. Questions about the use of PHI should be directed to your supervisor.
Common Questions Q. Can I allow customers to see the signature of others (such as in a log documenting an offer to counsel)?
Common Questions Q. Can I call a customer to the pharmacy over a loud speaker?
Common Questions Q. Do I have to remodel the pharmacy to provide a private counseling area?
Common Questions Q. If a pharmacist calls a patient’s home to talk to them about an issue and the patient is not home, can a message be left with another person?
Common Questions Q. Does a pharmacy have to comply with a patient’s request to further restrict uses and disclosures for treatment, payment or operations?
Common Questions Q. Can a pharmacy specify in its Notice of Privacy Practices that a spouse provide a signature of acknowledgement on their own behalf and on behalf of their spouse and minor children?
Common Questions Q. Can PHI be faxed to another practitioner?
Common Questions Q. Can a patient have a family member or a friend pick up a prescription?
Common Questions Q. Can a pharmacist disclose information about a patient to another individual who is picking up that prescription?