HIPAA Privacy Training
Health Insurance Portability & Accountability Act of 1996
Standards for Privacy of Individually Identifiable Health Information
45 CFR Parts 160 and 164
The Privacy Rule
- Creates a national foundation of privacy
- Does not preempt more stringent state laws
- Extends:
  - certain individual rights to privacy
  - protection of an individual’s medical records and health information
Who’s affected?
- Direct impact: health plans; health care clearinghouses; health care providers (who transmit health information electronically)
- Indirect impact: business associates (vendors, consultants, contractors)
What’s protected?
Protected health information (PHI) is individually identifiable health information relating to:
- the person’s past, present or future health or condition;
- the provision of health services to the person;
- past, present or future payment for health services to the person.
This covers information transmitted or maintained in any form, and includes data considered individually identifiable.
What’s individually identifiable? [(b)(2)]
- Name
- Geographic divisions smaller than State (with exceptions)
- All dates (except year)
- Phone & fax numbers
- Email address
- SSN
- Medical record #
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (including finger and voice prints)
- Full face photo and other images
- Any other unique identifier
Rules for Use or Disclosure of PHI
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (exceptions)
- Authorization
Permitted Uses of PHI
Use or disclosure is permitted for:
- Treatment (some facilities may still require patient authorization for release of PHI)
- Payment
- Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)
Opportunity to Object
- Facility directories
- To clergy
- To persons involved in the individual’s care
- Notification purposes
- Disaster relief purposes
Agreement or Authorization Not Required (Exceptions)
- Required by law
- Public health activities
- Victims of abuse/neglect/domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners & funeral directors
- Organ/tissue donations
- Research purposes
- Serious threat to self/others
- Specialized government functions
- Workers’ comp
Authorizations
- For all other uses or disclosures of PHI
Notice of Privacy Practices
- Describes to the patient how his/her protected health information may be used or disclosed
- Details the patient’s legal rights with regard to his/her own PHI and how to exercise those rights
- Details the legal obligations of the Covered Entity to protect PHI
Individual’s Rights
- To receive the Notice of Privacy Practices
- To inspect and/or obtain a copy of PHI
- To request to amend PHI
- To request limits on certain uses or disclosures of PHI
- To receive an accounting of disclosures
- To receive confidential communications
- To file a complaint
Other Requirements
- De-identification of PHI
- Minimum necessary
- Workforce training
- Verification process
- Business Associate Contract
Other Restrictions
- Marketing
- Fundraising
- Specially Protected Health Information: additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records
Consequences of Non-compliance
Penalties:
- Civil: $100 per violation, up to $25,000 per year
- Criminal: up to $250,000 and/or 10 years in prison
Sanctions
- A facility is required to sanction members of its workforce (including “students”) who violate policies and procedures relating to the privacy and security of health information
- Student sanctions may include suspension or termination of access privileges to PHI and/or of participation in educational programs at the facility
What You Need to Know About Each Facility
- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for Treatment
- Requests/Disclosures to Govt. Agencies
- Patient’s Request to Restrict Use or Disclosure
What is a Facility Directory?
- The information about a patient that a hospital releases to callers, visitors or the media
- This information is limited to: location; condition
- Directory information may only be released to people who ask for the patient BY NAME
Facility Directory
- A patient may ask that NO INFORMATION be released to callers, visitors or media
- Each hospital has procedures for patients with NO INFORMATION status
- You must be aware of the hospital’s procedures
- Do NOT release information in violation of the patient’s information status
Facility Directory: NO INFORMATION Status
- The patient’s location/condition WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY OR FRIENDS
- Anyone asking for the patient will be told, “We have no information regarding the individual.”
What should I do? Scenario #1
Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient’s name on the unit I just left. What should I do?
A: Refer the person to the nurses’ station, information desk, or hospital operator. You do not know whether the patient has requested NO INFORMATION status or other restrictions.
Family Involvement
A patient’s health information may be disclosed to family, friends or others if:
- the patient gives verbal agreement,
- the patient has the opportunity to object and does not, or
- you can infer from the circumstances that the patient does not object.
Emergency/incompetent patient: release information using professional judgement about the best interests of the patient.
Family Involvement
- Information released must be directly relevant to that person’s involvement in the patient’s care or payment for that care
- A patient has the right to request that you not release information to family or others
- If a patient asks that you not talk with family or others, inform nursing staff of the patient’s request
What should I do? Scenario #2
Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?
A: A patient has a right to not involve family members or others in his/her care. You should not share any information with the spouse, per the patient’s request, and you should alert the nursing staff about the patient’s request.
Minimum Necessary (Need-to-Know Rule)
Access to information is a privilege. Individuals who are granted access have an obligation to limit their access and use to the minimum necessary to perform their duties and responsibilities.
Request/Disclose PHI for Treatment Purposes
PHI may be requested/disclosed for treatment when:
- the request is from a provider to whom you referred the patient for treatment, or the provider’s involvement in the patient’s treatment is documented in the medical record, or
- the patient has signed an authorization or release for the disclosure to the provider, or
- the provider has requested, in writing, the PHI for treatment purposes.
Request/Disclosure of PHI to/from Government Agencies
- Refer to nursing staff, the attending physician or the Privacy Officer
- Only the minimum necessary may be released
- An accounting of the disclosure must be completed
Patient’s Request to Restrict Use or Disclosure of PHI
- The facility may agree to a patient’s request to restrict use or disclosure of PHI for treatment, payment or health care operations
- You must be aware of the facility’s procedures and where such restrictions would be documented
Use of PHI for Educational Purposes
- Allowed without patient consent or authorization
- Parameters of use or disclosure of PHI for educational purposes:
  - appropriate access
  - minimum necessary for the purpose
  - protect and safeguard PHI
  - appropriate disposal upon completion
“Facially De-identified” Information
- Use of “facially de-identified” PHI is permitted for educational purposes
- Remove all individual identifiers, except:
  - patient’s medical record number
  - dates of service
  - zip code
- This information is still considered PHI, and remains under federal privacy protections
“Facially de-identified” means removing:
- Name
- Address
- Phone & fax numbers
- Email address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger and voice prints)
- Full face photo and other images
- Any other unique identifier
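To make the distinction concrete, here is an added example (not from this training or any facility system) that applies the “facial” rule to a constructed record and contrasts it with stripping every identifier in the “What’s individually identifiable?” list; the field names and the sample record are assumptions for the illustration.

```python
import re

# Field names are assumptions for this example, not a real EHR schema.
# Identifiers that "facial" de-identification removes (the list on the slide above).
FACIAL_STRIP = frozenset({
    "name", "address", "phone", "fax", "email", "ssn", "health_plan_id",
    "account_number", "license_number", "url", "vehicle_id", "device_id",
    "ip_address", "biometric", "photo", "other_unique_id",
})
# The three identifiers the facial method keeps; their presence is why the
# output is still PHI and must be handled as such.
FACIAL_KEEP = frozenset({"mrn", "dates_of_service", "zip"})
ALL_IDENTIFIERS = FACIAL_STRIP | FACIAL_KEEP


def facially_deidentify(record: dict) -> dict:
    """Drop every listed identifier except MRN, dates of service and zip code."""
    return {k: v for k, v in record.items() if k not in FACIAL_STRIP}


def fully_deidentify(record: dict) -> dict:
    """Drop all identifiers from the 'individually identifiable' list:
    MRN and zip go (zip is geography smaller than a State) and dates are
    reduced to the year, which the list allows."""
    out = {k: v for k, v in record.items() if k not in ALL_IDENTIFIERS}
    dates = record.get("dates_of_service", [])
    years = sorted({d[:4] for d in dates if re.fullmatch(r"\d{4}-\d{2}-\d{2}", d)})
    if years:
        out["service_years"] = years
    return out


def is_phi(record: dict) -> bool:
    """True if any listed identifier remains, i.e. HIPAA handling still applies."""
    return any(k in record for k in ALL_IDENTIFIERS)


# Constructed sample record for the demonstration (not real patient data).
SAMPLE = {
    "mrn": "MRN-000123", "name": "Jane Q. Sample", "ssn": "000-00-0000",
    "phone": "808-555-0100", "email": "jane@example.invalid", "zip": "96813",
    "dates_of_service": ["2002-10-03", "2002-10-07"], "age": 36, "sex": "F",
    "diagnosis": "syncope after exertion", "state": "HI",
}

if __name__ == "__main__":
    facial, full = facially_deidentify(SAMPLE), fully_deidentify(SAMPLE)
    print("facial:", facial, "-> still PHI:", is_phi(facial))
    print("full:  ", full, "-> still PHI:", is_phi(full))
```

The facial output keeps the MRN, both service dates and the zip code and is therefore flagged as PHI; the full version keeps only the state and the year, so the flag clears.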
Allowable Educational Access/Use
- Treatment
- Observation
- Teaching Rounds
- Retrospective Record or Data Reviews
- Research (with IRB approval)
- Case Presentations
- Patient Logs
Is this okay? Scenario #3
Q: I heard about a very unusual case in the OR. As a medical student, I am here to learn. I need to know more about the details so I can gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?
A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patient records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.
Some Do’s and Don’ts: Treatment and Observation
Can Do:
- Access medical records of the patients you are treating/caring for
- Prepare class work with patient identifiers removed
- Observe patient care with approval from the department manager/supervising faculty
Cannot Do:
- Obtain medical records of patients you are not treating/caring for
- Use data (obtained from your cases) that include patient identifiers such as name, address, birth date
- Observe patient care without appropriate approval or when the patient has objected
Some Do’s and Don’ts: Teaching Rounds
Can Do:
- Share patient information during teaching rounds
- Prepare class work using data from your cases with patient identifiers removed
Cannot Do:
- Discuss patients in public areas with no consideration of surroundings
- Include family members in rounds unless the patient has agreed, or the physician has determined that inclusion is in the patient’s best interest
Some Do’s and Don’ts: Retrospective Reviews
Can Do:
- Access medical records with written approval of the supervising faculty member
- Prepare class work using collected data with patient identifiers removed
- Use aggregate or de-identified patient information
Cannot Do:
- Use information collected for research without IRB approval
- Publish or publicly present findings without IRB approval or a waiver of authorization
- Contact the patient or the patient’s physician
- Abstract patient identifiers
Some Do’s and Don’ts: Research
Can Do (with IRB approval):
- Build a database of patient information
- Access and use patient-identifiable information as approved by the IRB
- Make a public presentation or publish findings using aggregate or de-identified information
Cannot Do:
- Any research without IRB approval or waiver
- Publish or publicly present findings that identify the patient without patient authorization
- Access and collect patient data in preparation for a research project without IRB approval or waiver
What should I do? Scenario #4
Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?
A: Maybe. If the intent is purely for quality improvement without intent to publish findings, and you will destroy the database upon completion, then you do not need an IRB approval or waiver. But if you intend to publish, present or use the data you collected for any other purpose and do not have the patient’s authorization or an IRB approval or waiver, you would be violating the patient’s rights.
Some Do’s and Don’ts: Case Presentations or Grand Rounds
Can Do:
- Access medical records with written approval of the supervising faculty member
- Prepare for the presentation using “facially de-identified”, aggregate or de-identified information
- Limit the audience to healthcare students or professionals if the patient’s identity might be inadvertently revealed
Cannot Do:
- Display or reveal the patient’s name or medical record number in your presentation
- Present a high-profile or unusual case that may compromise the patient’s privacy without the patient’s written authorization for disclosure
Patient Logs
- You must “facially de-identify” all information collected and submitted on a Patient Log
Some Do’s and Don’ts: “Facially De-identifying” Patient Data
Can Do:
- Use general terms to describe a patient, e.g.: 36 year old White male; living in Arizona; admitted in October 2002; construction worker
- Black out, delete or cut out patient identifiers on hard copy
Cannot Do:
- Leave patient identifiers in information used/removed: patient’s or relatives’ names; birth dates; address; employer
- Take copies of dictated reports home with you (unless the reports are “facially de-identified”)
Some Do’s and Don’ts: Accessing PHI
Can Do:
- Request access to PHI through appropriate channels
- Request access to medical records through Medical Records
- Submit the completed appropriate data request form for data reports
Cannot Do:
- Remove medical records from the facility
- Leave patient records or data in the break room or other areas that are not secure
- Out of curiosity, access the records of a celebrity patient or the records of a patient with an unusual medical condition
Is it okay? Scenario #5
Q: My friend was admitted yesterday after she collapsed during a bike ride. I am very concerned about her progress and would like to visit, but I don’t know which room she is in. Is it okay if I look up the information in the computer system?
A: No. Using your access privileges to look up information about a patient when there is no need-to-know (based upon your responsibilities in the hospital) is a violation of patient confidentiality.
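As an added illustration of the monitoring that scenarios #3 and #5 refer to (not any facility’s actual audit system), here is a check over constructed access-log lines that flags record lookups by users without a documented care relationship and escalates those on restricted patients; the log format, roster, user names and MRNs are assumptions.

```python
from collections import namedtuple

# Constructed audit record: timestamp, user, patient MRN, action (assumed format).
Access = namedtuple("Access", "ts user mrn action")

# Constructed care-team roster: who has a documented treatment relationship
# (the need-to-know) with which patient. MRNs and user names are placeholders.
CARE_TEAM = {
    "MRN-000123": {"rn.lee", "dr.ahmed", "ms.chen"},
    "MRN-000456": {"rn.lee", "dr.ahmed"},
    "MRN-000789": {"dr.patel"},
}
# Patients under NO INFORMATION status or with an unusual case: any access
# from outside the care team is escalated rather than merely queued for review.
RESTRICTED = {"MRN-000789"}

# Constructed log lines (not real audit data).
LOG = """\
2002-10-03T08:12:04 rn.lee MRN-000123 view_chart
2002-10-03T08:15:30 ms.chen MRN-000123 view_chart
2002-10-03T12:40:11 ms.chen MRN-000456 locate_patient
2002-10-03T17:02:45 ms.chen MRN-000789 view_chart
2002-10-03T17:05:00 dr.patel MRN-000789 view_chart
"""


def parse_log(text: str) -> list:
    """Split whitespace-separated audit lines into Access records."""
    return [Access(*line.split()) for line in text.splitlines() if line.strip()]


def audit(entries, care_team=CARE_TEAM, restricted=RESTRICTED) -> list:
    """Return (severity, entry) for each access with no care relationship.
    Severity is 'escalate' for restricted patients, otherwise 'review'."""
    findings = []
    for entry in entries:
        if entry.user in care_team.get(entry.mrn, set()):
            continue  # documented need-to-know: allowed
        severity = "escalate" if entry.mrn in restricted else "review"
        findings.append((severity, entry))
    return findings


if __name__ == "__main__":
    for severity, entry in audit(parse_log(LOG)):
        print(f"{severity:8} {entry.ts} {entry.user} -> {entry.mrn} ({entry.action})")
```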
Some Do’s and Don’ts: Safeguarding Information
Must Do:
- Password-protect laptops or PDAs
- Shred “facially de-identified” papers when no longer needed
- Ensure the memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
- Encrypt PHI sent over the Internet
Cannot Do:
- Leave information unsecured or in public areas
- Discuss patients in the elevator, hallways or cafeteria
- Dispose of “facially de-identified” information in a trash can (it is still PHI under HIPAA!)
- Share your access codes or cards
Questions?
For further information or questions, please contact the facility’s Privacy Officer.