New Hire HIPAA Orientation

HIPAA Overview HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of HIPAA governs the use and release of a patient's directly identifiable health information. HIPAA limits the health information workforce members can disclose regarding patients. HIPAA also creates new standards for administrative transactions and the electronic security of individual health information.

WHY HIPAA? Patients’ concern about use or disclosure of personal health information without their knowledge Media coverage for high profile breaches Electronic transmission of information Secondary uses of information, e.g., employment decisions, marketing, etc Patients’ demand to control how their personal health information is used or disclosed

WHO MUST COMPLY WITH HIPAA? All Georgia Health Sciences University workforce (staff, faculty, researchers, students, volunteers and contracted employees, including MCG Health System employees) who have a work-related need to access, use or disclose health information are subject to the requirements of HIPAA.

WHAT INFORMATION IS PROTECTED UNDER HIPAA? All individually identifiable health records maintained by Georgia Health Sciences University or the MCG Health System In any format – verbal, paper, or electronic Usually located in: Medical Records, Human Research Records Paper or Electronic Records Photographs, Videos, Audiotapes, Radiographs, Scans Smart Phones, iPODs, Digital Cameras, Thumb drives s …..even in Conversation

WHAT IS OUR COMMITMENT TO PRIVACY? Georgia Health Sciences University supports a patient’s right to have his or her health information kept private. Georgia Health Sciences University balances protecting health information with ensuring our workforce have the information needed to properly care for patients, instruct students, and conduct research. Every November, we require HIPAA Refresher training be completed by all our workforce, including students.

New Employee HIPAA Training Within the first month of employment, Georgia Health Science University workforce (those with campus accounts) will receive ed instructions for accessing web-based HIPAA training. Upon receipt of this , new employees have 30 days to complete the training. Employees without computer access are provided paper-based HIPAA training supplied by their supervisors.

NOTICE OF PRIVACY PRACTICES HIPAA regulations requires covered entities, such as Georgia Health Sciences University and the MCG Health System, to provide all new patients with a notice detailing their privacy rights, how their health information will be used and disclosed, and for what purpose. Notices of Privacy Practices are posted throughout Georgia Health Sciences University clinics as well as the MCG Health System.

PATIENT PRIVACY RIGHTS  Right to Receive a Notice of Privacy Practices  Right to Request Restrictions on Uses & Disclosures of Protected Health Information  Right to Receive Confidential Communications

MORE PATIENT PRIVACY RIGHTS  Right to Access, Inspect, and Copy Protected Health Information  Right to Request Amendment of Protected Health Information  Right to Request Accounting of Disclosures of Protected Health Information

DISCLOSING PATIENT INFORMATION Unless a patient objects, the following information is made available in the MCG Health System’s hospital directory: Patient’s Name Patient’s Location in the Facility Patient’s Condition (general information only) Patient’s Religious Affiliation (for clergy use only)

SHARING INFORMATION FOR INTERNAL PURPOSES: Georgia Health Science University’s clinics and the MCG Health System are allowed to share health information for the following purposes: Treatment Payment Healthcare Operations, such as instruction, human research (with prior approval by the IRB), accreditation, compliance, etc.

DISCLOSING HEALTH INFORMATION IS SOMETIMES REQUIRED Here are some examples of required disclosures: Public Health Requirements Health Oversight Activities Judicial & Administrative Proceedings Organ Donation Public Safety Government Proceedings Workers Compensation

CHANGING OR AMENDING PATIENT HEALTH RECORDS If a patient believes that the health information in his health record is incomplete or inaccurate, the patient may request a revision or addition by: Contacting the provider who made the entry and pointing out the inaccuracy or by Contacting the Privacy Officer or the Health Information Management Services (HIMS) department to request an amendment

ACCESSING PATIENT HEALTH RECORDS Reasons why a patient may request access to health information: To provide past medical information to new healthcare providers who are caring for the patient To ensure the accuracy of the information contained in the records To verify charges for care

HIPAA Policies Georgia Health Sciences University’s adopted the MCG Health System’s set of HIPAA privacy and security policies: MCG Health System’s HIPAA Privacy and Security policies:

HIPAA RESOURCES Georgia Health Sciences University / MCG Health System Privacy Officer (706) Georgia Health Science University Security Officer(706) MCGHealth Hospitals and Clinics Security Officer (706) Physician Practice Group Security Officer(706)

WEB-BASED HIPAA TRAINING After Human Resources has completed processing your new employee status, you will be enrolled into the web-based HIPAA training. (This orientation does not constitute training) You will receive ed instructions for accessing this assignment within the first month of your employment. HIPAA regulations require all employees at Georgia Health Sciences University to complete this training. Please direct any questions about this training to the Privacy Officer at (706)

This concludes HIPAA Orientation