
(The Health Insurance Portability and Accountability Act of 1996)


1 WHAT IS HIPAA? (The Health Insurance Portability and Accountability Act of 1996)

2 HIPAA is a Federal law that:
• Creates uniform standards for certain payment-related transactions (e.g., claims submissions and eligibility verification); and
• Creates minimum standards for the privacy and security of patient information.

3 TRAINING REQUIREMENT Compliance with the HIPAA regulations is the responsibility of the entire staff, including employees, medical staff, volunteers, residents, and students.
• Everyone must take steps to protect the confidentiality and privacy of patient information; and
• Everyone is required to receive HIPAA training.
At the end of this presentation, you will be asked to sign a certification which says you have received this training and agree to abide by the Hospital’s HIPAA policies.

4 HIPAA PRIVACY BASICS GENERAL PRIVACY RULE
You may not USE or DISCLOSE Protected Health Information (“PHI”) except as permitted by the privacy regulations.

5 WHAT IS PROTECTED HEALTH INFORMATION OR “PHI?”
PHI is any information relating to a person’s health status, treatment or payment for health services which is created or received by the Hospital and which may identify the individual. Includes: Oral, written and electronic records and communications.

6 QUESTION Which of the following is PHI?
• A patient’s name
• A patient’s address
• A patient’s Medicaid number
• A patient’s date of birth
• All of the above

7 Answer: Each of those items is considered PHI, or Protected Health Information.

8 EXAMPLES OF WHERE YOU MIGHT ENCOUNTER PHI:
• A sign-in sheet that includes the patient’s name and reason for her visit
• A code that documents a specific health procedure or test
• A patient identification bracelet or band, or an insurance card
• A conversation about a patient’s health over lunch with a colleague
• An appointment reminder message left on an answering machine

9 MORE EXAMPLES OF PHI:
• Physician dictation that is yet to be transcribed
• Patient status boards
• A telephone call to verify health insurance coverage
• The OR schedule
PAY CLOSE ATTENTION TO AREAS WHICH LEND THEMSELVES TO PRIVACY VIOLATIONS – DO A WALK-THROUGH OF YOUR FLOOR/DEPARTMENT

10 PRIVACY NOTICE Prior to providing services (except in an emergency or if the patient lacks capacity), the Hospital must provide each patient with a privacy notice and make a good faith effort to obtain a written acknowledgment from the patient that he/she has received the Hospital’s privacy notice. If the Hospital is unable to obtain the acknowledgment, it must document the attempt that was made, and the reasons why such attempt was not successful. The acknowledgement should be kept for at least six years.

11 PRIVACY NOTICE The Hospital’s privacy notice describes:
• How the Hospital uses and discloses PHI
• The patients’ rights concerning their PHI
• How the patient can make complaints (both to the Hospital and to the Office for Civil Rights) concerning privacy or security issues
The Hospital’s notice is a “joint notice,” and it covers the Hospital and its medical staff with regard to services rendered at the Hospital.

12 PERMITTED DISCLOSURES FOR THE HOSPITAL’S USE
The Hospital may use and disclose PHI without obtaining a HIPAA-compliant authorization form for the Hospital’s Treatment, Payment and Health Care Operations purposes. Note: You must still comply with other more stringent laws (e.g., NYS law, HIV law, mental health law, and drug and alcohol laws).

13 TREATMENT The provision, coordination and/or management of health care and related services, including consultations and referrals. Examples:
• If a patient receives care at the Hospital, the Hospital may send the patient’s blood to a reference laboratory for analysis.
• One physician may consult with another physician concerning the care of a particular patient.
• Hospital discharge personnel may provide information to nursing homes/home health agencies who may subsequently treat the patient.

14 PAYMENT The activities undertaken by a provider to obtain reimbursement for services provided. Examples:
• The Admitting Office is permitted to contact an insurance company to determine if a patient has insurance coverage.
• The Billing Department is permitted to send a bill to the patient or the patient’s third party payor.

15 HEALTH CARE OPERATIONS
The Hospital’s routine activities such as quality assurance, case management, credentialing, accreditation, education of staff, business planning and customer service. Examples:
• Presenting case studies at a performance improvement meeting
• Sending incident reports to malpractice carriers
• Training of staff, residents and interns
• Participating in JCAHO accreditation

16 PERMITTED DISCLOSURES FOR THE USE OF OTHERS
In addition, the Hospital may disclose PHI without an authorization:
• For other providers’ Treatment and Payment purposes and certain Health Care Operations;
• To DHHS;
• To a patient’s family and personal representatives;
• In a facility directory; and
• In all other situations authorized by HIPAA.

17 AUTHORIZATIONS If the Hospital wants to use PHI for purposes other than treatment, payment or health care operations, it must obtain a HIPAA-compliant authorization form. Examples:
• Research
• Marketing
• Photographing patients (for other than treatment purposes)
The authorization form must be signed by the patient or his/her legal representative. The authorization form must be detailed and specific to the use or disclosure.

18 QUESTION A patient comes to a hospital. Which of the following can be performed without written authorization from the patient or his/her legal representative?
• Doctors reviewing the treatment plan for elective surgery
• Billing for elective surgery
• Sending laboratory results to an outside lab
• Discussing the patient’s care at a quality assurance meeting
• All of the above

19 Answer: Each of those actions can be performed without written authorization from the patient or his/her legal representative.

20 MINIMUM NECESSARY RULE
You must limit the PHI which you use, disclose or request to the minimum necessary to accomplish your job responsibilities.

21 MINIMUM NECESSARY RULE EXAMPLES
Example 1: When PHI is disclosed in response to a request from a health plan, only the information requested should be sent rather than the entire medical record.
Example 2: When PHI is used by a health care provider, such as a Physical Therapist, to treat a patient, the therapist limits his or her use of the medical record to those portions that are essential to the treatment of the patient.

22 MINIMUM NECESSARY RULE: EXCEPTIONS
The minimum necessary rule does not apply when PHI is disclosed to or requested by the patient himself, or by a provider in order to treat an individual.

23 MINIMUM NECESSARY RULE (Cont’d)
If you regularly receive reports containing PHI which you do not need to receive, or if you have greater access to PHI than you need to perform your job, please contact your Department Manager or Terry Lillis, our Privacy Officer.

24 INDIRECT PROVIDERS
• Deliver care based upon the orders of another health care provider;
• Transmit the results of these services directly to the provider who ordered the service (not to the patient);
• Are not required to obtain a privacy notice acknowledgment prior to providing services; and
• Are not Business Associates.
EXAMPLES: Laboratories, pathologists, radiologists

25 HIPAA HOT SPOT HIPAA AND OTHER LAWS
As the Hospital implements HIPAA, it must continue to follow current Hospital policy (which may be based upon other Federal and State law) unless the policy directly conflicts with HIPAA.
• If HIPAA and State law address the same topic, HIPAA applies, unless the State law is more stringent (i.e., offers the patient greater privacy protection or rights), in which case the State law must be followed.

26 HIPAA HOT SPOT HIPAA AND OTHER LAWS
EXAMPLES: The Hospital must still follow New York State law relating to patient authorization for release of HIV records, even though these rules may be more strict than HIPAA. Although HIPAA does not require a HIPAA specific consent for permitted disclosures of PHI, the Hospital is still required to obtain other types of consents for health care purposes if required by law or Hospital policy (i.e., informed consents and consents for treatment).

27 PRIVACY OFFICER Terry Lillis, at , is the Hospital’s Privacy Officer and is responsible for ensuring compliance with the HIPAA Privacy Standards. If you have any questions or are aware of any HIPAA violations, contact her immediately. Nick Casabona, at , as the Hospital's HIPAA Security Officer, is responsible for overseeing the technical aspects of the security of electronic information.

28 COMPLAINTS Jean Zebroski, Director of Patient Relations at is responsible for responding to complaints regarding HIPAA violations. Please refer any complaint relating to HIPAA directly to Jean.

29 HIPAA HOT SPOT PATIENT DIRECTORY INFORMATION
HIPAA allows Hospitals to provide directory information to the public, but patients may request to opt out of being included in such directory. If they opt out, our Secured Patient Policy will be used to safeguard all of their information.

30 PATIENT RIGHTS Under HIPAA, patients have the following rights:
• To request that the Hospital limit its use and disclosure of their PHI;
• To receive communications by alternative means (e.g., e-mail or fax) or at alternative locations (the Hospital must accommodate all “reasonable” requests);
• To access their PHI;
• To request amendments to their PHI; and
• To receive an accounting of certain disclosures of their PHI.

31 IMPLEMENTING PATIENTS’ RIGHTS
Example: A patient requests that PHI not be disclosed to any person other than his son. The Hospital is not required to agree to such a request, but if it does, it must modify the uses and disclosures it and its staff typically make.

32 ACCOUNTINGS HIPAA requires the Hospital to provide patients, upon request, with an accounting of certain disclosures of their PHI. The following disclosures do not need to be included in the accounting if performed in accordance with the HIPAA regulations:
• Disclosures of PHI that were made for purposes of Treatment, Payment or Health Care Operations;
• Disclosures to the patient requesting the accounting;
• Disclosures that are incidental to a permitted or required use of PHI;

33 ACCOUNTINGS (Cont’d)
• Disclosures pursuant to a valid HIPAA authorization;
• Disclosures to the Hospital’s patient directory;
• Disclosures to persons involved in the patient’s care and notices to family members or friends regarding the patient’s location, general condition and/or death;
• Disclosures for national security or intelligence purposes;
• Disclosures to correctional institutions or law enforcement officials, if involving criminal conduct that occurred on the Hospital’s premises;
• Disclosures of a limited data set; and
• Disclosures made prior to April 14, 2003.

34 ACCOUNTINGS (Cont’d) The following are examples of disclosures that are required to be included in an accounting:
• Disclosures in response to a subpoena, without a HIPAA authorization;
• Infection control disclosures; and
• Disclosures to regulatory agencies such as the Department of Health.

35 DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS
In general, the Hospital may disclose to a family member, relative, or close personal friend of the patient, or any other person designated by the patient, patient information directly relevant to the person’s involvement with or payment for the person’s care (except HIV-related information, alcohol and/or substance abuse or mental health treatment).

36 DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS (Cont’d)
If the patient is present, PHI may be disclosed with patient’s agreement. If the patient is given the opportunity to object and does not object or if the Hospital reasonably infers from the circumstances that the patient does not object to the disclosure, then Hospital may disclose the information to the family member or friend. If the patient is not present, or the opportunity to agree or object cannot practically be provided (incapacity or emergency), the Hospital may determine disclosure is in the patient’s best interest. Disclose only the information directly relevant to the person’s involvement with the patient’s health care.

37 HIPAA HOT SPOT THE MEDIA
Unless a patient requests otherwise, if a caller asks for information on a particular patient, HIPAA permits the Hospital to release one-word condition information and location information without obtaining prior authorization. At Winthrop, ALL communication with the Media is to be directed to the Vice President of External Affairs. REMEMBER: Other laws may be more stringent (e.g., laws regarding HIV, mental hygiene, and substance abuse).

38 THE MEDIA (Cont’d) The media should not contact patients directly – they should request an interview through the External Affairs Department at ext During off-hours, the operator will contact the Vice President of External Affairs for you. The Hospital may deny the media access to the patient if it would aggravate the patient’s condition or interfere with patient care.

39 FINAL MEDIA TIPS The following activities require written authorization from the patient:
• Drafting a detailed statement (i.e., anything beyond one-word condition) for approval by the patient’s legal representative
• Taking photographs of patients
• Interviewing patients
In general, if the patient is a minor, permission for any of these activities must be obtained from a parent or legally authorized representative.

40 HIPAA HOT SPOT FAXING If you are faxing documents that contain PHI, be sure to take the following steps:
• Include a fax cover sheet with the approved HIPAA confidentiality statement on it.
• Perform random audits of sent faxes to ensure receipt by the correct party.
• Pre-program fax numbers.
• Routinely update fax number listings.
• Maintain the fax machine in a secure location.

41 HIPAA HOT SPOT PUBLIC CONVERSATIONS
Avoid holding conversations about PHI in public areas such as lobbies, elevators, cafeterias and hallways. If you must do so, keep your voice low and be aware of people who may overhear your conversation. Note: Conversations between providers, and between providers and patients, are permissible, even if incidentally overheard, as long as reasonable precautions were taken.

42 HIPAA HOT SPOTS REASONABLE SAFEGUARDS
Do not leave PHI in public view (e.g., lying around on desks or nurses stations or unattended on a fax machine), and take care when disposing of PHI (e.g., shred paper when feasible or place paper in locked confidential waste baskets). Never place PHI in an unsecured waste basket, including the BLUE recycling bin.

43 MARKETING/FUNDRAISING
HIPAA allows the Hospital to use PHI for certain limited marketing and fundraising, provided that specific requirements are met. If you wish to use PHI for marketing or fundraising contact John Broder,Vice President of External Affairs at for guidance.

44 RESEARCH There are several rules related to the use or disclosure of PHI for research purposes. These rules include: Creation of a Privacy Review Board (which can be the current IRB) to review all use or disclosure of PHI for research purposes Use of HIPAA authorizations Use of Limited Data Set/Data Use Agreements De-identification of PHI If you participate in research activities, contact the Director of IRB, at for a detailed description of HIPAA research requirements.

45 REMEMBER: When you: Limit your own use and disclosure of or requests for information to the minimum necessary to perform the assigned task and Verify that information is being properly provided to an authorized person, You will: Avoid the harmful effects of HIPAA violations.

46 HIPAA SECURITY BASICS Security of PHI must be an ongoing and comprehensive process, not an event.

47 SECURITY RISKS
• Human error
• Nature (fire, earthquake, flood)
• Technology failures
• Deliberate security breaches (internal and external threats)

48 MANAGE YOUR PASSWORD
• Use letters and numbers to create passwords (e.g., axw49). Note that a five-character password such as this example is quickly guessed by automated attacks; use the longest password or passphrase the system allows.
• Avoid common selections (e.g., your name, pet’s name, child’s name, etc.).
• Do not post your password on your computer or near your work area.
• Do not share passwords.
• If you forget your password, call the HELP Desk ( ).

49 PROTECT YOUR WORK AREA
• Avoid having PHI in public view.
• Do not leave unattended PHI on your computer screen or work station.
• Sign off when you are finished using a computer.
• Turn your computer screen away from public view.

50 BEWARE OF VIRUSES AND OTHER HARMFUL SOFTWARE
Viruses and other malicious software are a serious threat to the Hospital. To protect against them:
• Do not load outside files or software onto your computer without authorization.
• Do not download information from the Internet without the express authorization of your Department Manager.
• Do not open e-mails from unknown senders.
The Hospital will send you routine alerts when threats of new viruses become known.

51 FOLLOW HOSPITAL POLICY REGARDING REMOVAL AND INSTALLATION OF HARDWARE AND SOFTWARE
You may not install new hardware/software on the Hospital systems or remove hardware/software from the Hospital premises unless expressly authorized to do so by the Director of MIS or his designee.

52 REPORT INCIDENTS It is your responsibility to report:
• Unauthorized successful or unsuccessful log-in to the system
• Any breaches in the security of PHI of which you become aware
• Sharing of passwords
Incidents can be reported to Nick Casabona, our Security Officer, at

53 QUESTION Are any of the following HIPAA violations?
• A social worker posts her password on the side of her computer.
• Jane has a friend who forgot her password and wants Jane to “lend” her Jane’s password.
• A physician is sitting at a computer terminal and reviewing a patient’s information. The physician then gets an emergency call to assist with a patient. The physician leaves the computer terminal on, showing the information.

54 Answer: Each of those actions would be a violation of HIPAA.

55 AUDIT TRAILS The Hospital is required to maintain records and review its employees’ use and access to information on the Hospital computer network.
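
The review of an access audit trail that this slide requires, as an added example that is not part of the original presentation. It parses a constructed EHR access log and flags the events a Privacy or Security Officer would want to look at: treatment-purpose lookups by users with no treatment relationship to the patient, actions beyond what the user’s role needs (the minimum necessary rule from slide 20), and after-hours access by non-clinical roles. The log format, the care-team roster, the role-to-action table and the business-hours window are assumptions made for the example, not Hospital systems or policy.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access log (not real data). One event per line:
# timestamp  user  role  patient-MRN  action  stated-purpose
SAMPLE_LOG = """\
2003-04-14T09:02:11 jdoe RN 100234 VIEW treatment
2003-04-14T09:05:40 jdoe RN 100234 VIEW treatment
2003-04-14T12:31:05 jdoe RN 100777 VIEW treatment
2003-04-14T13:10:00 mlee BILLING 100234 VIEW payment
2003-04-14T13:12:00 mlee BILLING 100234 VIEW_FULL_CHART payment
2003-04-14T23:45:19 rkim MD 100777 VIEW treatment
2003-04-14T23:47:03 rkim MD 100555 VIEW treatment
2003-04-15T02:15:00 tsmith VOLUNTEER 100234 VIEW treatment
"""

# Constructed care-team roster (assumption): users with a treatment
# relationship to each patient, as an admitting/scheduling system would record it.
CARE_TEAM = {
    "100234": {"jdoe", "rkim"},
    "100777": {"jdoe", "rkim"},
}

# Minimum-necessary rule expressed as the actions each role needs (assumption).
ROLE_ALLOWED_ACTIONS = {
    "MD": {"VIEW", "VIEW_FULL_CHART"},
    "RN": {"VIEW"},
    "BILLING": {"VIEW"},      # demographics and charges, not the full chart
    "VOLUNTEER": set(),       # no direct record access in this role
}
CLINICAL_ROLES = {"MD", "RN"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 (assumption)


def parse_log(text):
    """Parse the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action, purpose = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "mrn": mrn, "action": action, "purpose": purpose,
        })
    return events


def review_access(events, care_team=CARE_TEAM, role_actions=ROLE_ALLOWED_ACTIONS):
    """Return (user, mrn, reason) findings for events that warrant follow-up."""
    findings = []
    for e in events:
        # Rule 1: a treatment-purpose lookup needs a treatment relationship.
        if e["purpose"] == "treatment" and e["user"] not in care_team.get(e["mrn"], set()):
            findings.append((e["user"], e["mrn"], "no treatment relationship"))
        # Rule 2: the action must be within what the role needs (minimum necessary).
        if e["action"] not in role_actions.get(e["role"], set()):
            findings.append((e["user"], e["mrn"], f"{e['action']} exceeds role {e['role']}"))
        # Rule 3: non-clinical roles reading PHI outside business hours.
        if e["role"] not in CLINICAL_ROLES and e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], e["mrn"], "after-hours access by non-clinical role"))
    return findings


def patients_per_user(events):
    """Count distinct patients touched by each user, to spot record browsing."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["mrn"])
    return {user: len(mrns) for user, mrns in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, mrn, reason in review_access(evs):
        print(f"REVIEW {user} -> patient {mrn}: {reason}")
    print("distinct patients per user:", patients_per_user(evs))
```

On the sample log the review flags the billing clerk who opened a full chart, the physician who looked up a patient not on any roster, and the volunteer who viewed a record at 02:15; the nurse’s accesses, all on her own patients during the day, produce no findings. A real review would pull the roster from the scheduling system rather than a literal, and would keep the findings themselves as records, since slide 55 says the Hospital must retain evidence of the review, not just perform it.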

56 OTHER SUGGESTED SECURITY PRACTICES
• ALWAYS wear your name tag.
• Ensure that all vendors are properly supervised and log in and out of the Hospital.
• Shred or discard PHI in secure trash bins.

57 HIPAA HOT SPOT Communications sent over an open network (which includes the Internet) must have certain safeguards, which might include encryption. Review the Hospital’s security policies to determine the steps that must be taken in relation to e-mail and the Hospital's policy on sending/receiving PHI by e-mail.

58 SUMMARY Protection of PHI is everyone’s responsibility. Here is a summary of a few topics that were discussed in this presentation:
• Do not discuss patient information in public areas of the Hospital (e.g., cafeteria, lobby).
• Do not discuss patient information at home or at social gatherings.
• Do not share your password.
• Do not leave PHI lying around unattended.
• Do not send PHI over the Internet unless authorized to do so.
• Do inform the Privacy or Security Officer about any concerns you may have about release of PHI.

59 ELECTRONIC TRANSACTION STANDARDS GENERAL RULE
If a provider (either itself or through an agent, e.g., a billing company) conducts a payment-related transaction electronically, the transaction must be conducted using the HIPAA standard format. Note: If a payor still accepts covered transactions in paper format (e.g., paper claims), then such paper transactions do not necessarily have to conform to the new HIPAA formats. Those involved in Electronic Transaction Standards will be contacted directly and trained as appropriate.

60 WHAT DOES IT MEAN TO STANDARDIZE A TRANSACTION?
• Standardized Formats
• Standard Data Content: A new Federal definition of “clean claim.”
• Standard Codes: ICD-9-CM, CPT-4, HCPCS, CDT-3, and HCPCS “J” codes.

61 HOW DOES HIPAA AFFECT YOUR RELATIONSHIP WITH THE HOSPITAL
If you are an employee, student or volunteer:
• You are part of the Hospital’s workforce
• You must comply with the Hospital’s HIPAA compliance program
• Failure to comply will result in disciplinary action
• Failure to comply could trigger individual liability with penalties

62 INTERNAL SANCTIONS The Hospital is required to have policies regarding the disciplinary actions which may be taken if an employee fails to comply with these HIPAA policies. An employee who violates the Hospital’s HIPAA policies may be subject to various sanctions including written censure, suspension or termination. Medical Staff Members who violate these HIPAA policies may be subject to disciplinary action under the Medical Staff Bylaws.

63 FEDERAL SANCTIONS Under HIPAA, violations may result in the Hospital and the employee being subject to civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation.

64 CIVIL FINES Civil fines of no more than $100 per violation, with a maximum of $25,000 in each calendar year for violations of an identical requirement. Enforcer: Office for Civil Rights

65 CRIMINAL PENALTIES FOR “KNOWING MISUSE” OF PHI: - THREE DEGREES
• Simple violations – up to $50,000 plus up to 1 year in prison.
• Violation committed under false pretenses – up to $100,000 plus up to 5 years in prison.
• Violation committed for gain or harm – up to $250,000 plus up to 10 years in prison.
Enforcer: OIG/Department of Justice

66 DISCUSSION/QUESTIONS

67 REVIEW CODE OF CONDUCT AND SIGN YOUR TRAINING ACKNOWLEDGEMENT FORM!

