
TRIAGE LOGIC 2013

The Health Insurance Portability and Accountability Act of 1996 was part of the Clinton healthcare reform agenda. Its original intention was to provide for "portability" of insurance for the insured. This means that those persons with chronic conditions who changed employers would not lose coverage. However, this bill grew as it moved through Congress and contains five "Titles." Title II is entitled, "Preventing Healthcare Fraud and Abuse." Under Title II is subsection "F" which is entitled, "Administrative Simplification." This subsection is what is currently known as HIPAA. This law applies to all providers, payers, and clearinghouses. These are considered "covered entities."

 The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

 The Privacy Rule gives patients more control over their Protected Health Information (PHI).

- To standardize the electronic transaction formats of the healthcare claim or encounter, claim payment and remittance advice, health plan enrollment and disenrollment, premium payments, health plan eligibility, healthcare claim status, referral certification and authorization, healthcare claim attachment, and first report of injury.
- To provide for privacy of patient information.
- To provide for security of electronic information.

- Information sent or stored in any form.
- Information that identifies the patient or can be used to identify the patient.
- Information that is created or received by a covered entity that generally is about a patient’s past, present and/or future treatment and payment of services.

A patient’s address is not HIPAA-protected information?

- Names
- Address Including Zip Codes
- All Dates
- Telephone & Fax Numbers
- Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Numbers
- License Numbers
- Vehicle Identification Numbers
- Account Numbers
- Biometric Identifiers
- Full Face Photos
- Any Other Unique Identifying Number, Characteristic or Code

The Privacy Rule gives patients the right to:
- have their PHI protected.
- inspect and copy their records.
- request that PHI in their records be corrected or changed.
- ask for limits on how their PHI is used or shared.
- ask that they be contacted in a specific way, such as at work and not at home.
- get a list of disclosures made of their PHI.

Patients can decide (written permission is not needed) if they want some or all of their PHI to be used or shared, such as:
- for patient directories.
- to friends and family members involved in patient care or payment.

- As required by law, such as reporting abuse or neglect.
- For law enforcement.
- For organ donation organizations.
- To medical examiners and funeral directors.
- To avoid threats to health and safety.
- For certain research activities if the IRB has granted a waiver.

A. Keeping your computer screen tilted away from public areas
B. Locking up laptops and other portable devices when not in use
C. Leaving a shared computer logged on, so your coworker doesn’t have to log on all over again
D. Selecting secure passwords
E. Making sure doors and desks are locked as appropriate

- Turn your computer off when not working.
- Minimize your screen when others walk into view.
- Do not share your passwords with anyone in your household.
- Do not allow others to utilize your work computer.
- Work in a quiet environment with a door so as to block out “home noise”.

Incidental Disclosure: generally refers to a sharing of PHI that occurs related to an allowable disclosure of PHI. An “incidental disclosure” is allowed if steps are taken to limit such disclosures. For example, visitors may hear a patient’s name as it’s called out in a waiting room or overhear a clinical discussion as they are walking down a hallway on the unit.

Take steps or reasonable safeguards to secure and protect PHI. For example:
- Speak in soft tones when discussing PHI;
- Do not discuss PHI in public hallways or in elevators;
- Use (but do not share) computer passwords; and
- Lock cabinets that store PHI.

- You can talk with other providers or patients, even if you may be overheard.
- You can orally arrange services at nursing stations.
- You can discuss a patient’s condition with the patient, other providers or family members over the phone or in a patient’s semi-private room.

- You can talk about patient conditions in our education programs.
- Prescriptions can be discussed with the patient by phone.
- Messages can be left on answering machines or with those who answer the phone, but the message should be limited to minimum necessary and sensitive information should not be used.

- You must try to honor patient requests about how and where to reach them, such as at work instead of at home.
- Patients’ names can be called in waiting rooms or over speakers.

A. a one-year prison sentence and a $50,000 fine
B. a 10-year prison sentence and $250,000 fine
C. a five-year prison sentence and a $100,000 fine
D. a $100 fine
E. none of the above

 HIPAA details civil and criminal penalties for non-compliance. The civil monetary penalty is $100 per violation with a maximum of $25,000 per violation of the same standard per year. The criminal penalties include up to 10 years imprisonment and fines up to $250,000.  CHKD policies include disciplinary action up to and including discharge.

 On February 14, 2011, HHS entered into a Resolution Agreement with The General Hospital Corporation and Massachusetts General Physicians Organization, Inc., (Mass General) to settle potential violations of the HIPAA Privacy and Security Rules. In the agreement, Mass General agrees to pay $1,000,000 and enter into a Corrective Action Plan (CAP) to implement policies and procedures to safeguard the privacy of its patients.

The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. The Office for Civil Rights (OCR) opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.

 The HHS Office for Civil Rights (OCR) has issued a Notice of Final Determination finding that a covered entity, Cignet Health of Prince George’s County, MD (Cignet), violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for violations of the HIPAA Privacy Rule. The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The civil money penalty (CMP) for these violations is $1.3 million.

 OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

 Rite Aid Corporation and its 40 affiliated entities have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

 OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

 All healthcare workers are legally and ethically responsible and accountable for maintaining the privacy and confidentiality of protected health information (PHI).