HIPAA Health Insurance Portability & Accountability Act.


Program Objectives: Define HIPAA Who is covered by HIPAA? Goals of HIPAA How does HIPAA affect you? Why comply? Definitions Protected Health Information (PHI), “Use”, and “Disclosure” What are “Security Rules”

What is HIPAA? HIPAA-Health Insurance Portability and Accountability Act of 1996 Original intent was to ensure portability of Insurance when employment changes Administrative Simplification Standardization of formats, codes and identifiers Increased security of electronic health data Increased protection of protected health information Simplify health care administration

Definitions: PHI=Individually identifiable health information in any form or media. Only authorized people will look at or use it for treatment, payment or health care operations (TPO) Privacy=Right of individual to keep certain personal information to themselves with confidence that only authorized people will look at or use it. Security=Protection of PHI, data and systems from accidental or intentional access by unauthorized users.

Definitions Use=How information is used in an institution Disclosure=How information is given out to other institutions for use TPO=Treatment, Payment, and Operations Minimum Necessary=Minimum amount of information you “need to know to do your job”

Who is covered by HIPAA? Health care providers Health Plans Health care clearinghouses

Goals of HIPAA For Patients Control over their information (PHI) Right to see their records and correct mistakes Right to know who has seen their PHI For Institutions Protect patient PHI Limit use of PHI Penalize those who misuse PHI

What is protected health information? Information that identifies a person, living or deceased Past, present, or future health information Electronic, paper, verbal form Give examples?

What are Identifiers? Name; Names of relatives; Address; Voice, finger, retinal prints; Phone or fax number; Date of Birth; address; Employer; Social security or medical record numbers; Insurance account numbers; Photos; Facility name/Room no.

Who can access this information? HIPAA privacy rules limit both “Use” and “Disclosure” Patients typically give permission for use or disclosure of their information by signing a written form. Some disclosures are required by law, such as reporting of gunshot wounds, child abuse, infectious diseases and do not require patient permission.

Internal use of PHI Non-routine access will be limited by policies and procedures of each institution Routine access will be limited by job function “Need to know”, or minimum necessary needed for each task Example: EKG technicians only need the information relating to the EKG. They would not need to see patient progress notes or insurance information

Disclosing information to those outside the institution

Security Rules Protect Information itself from unauthorized use and misuse by those allowed to view the PHI Protect the systems that store PHI – The hardware and software Systems must be protected so that unauthorized people cannot get the information.

Privacy and Security Rules Patients have the right to control their information Institutions will limit the use and disclosure of information Institutions will protect information on the computer

What makes HIPAA new? The Government has decided what the basic requirements are for protection of patient information Institutions are being held accountable Increased health care consumer confidence

Why Privacy? A Tampa Florida man stole a list of patient names New York congressional candidate’s suicide attempt made public Employee of large Insurance plan company views PHI of friend’s ex-wife

How does HIPAA affect you? Faculty and Students are held to the same obligations and accountability as employees. You may find yourself in situations involving patient information.

Protecting Verbal PHI You just made it through the long cafeteria line and sit down to eat. As you eat your lunch you can hear two co-workers discussing a patient. What do you do?

Protect confidentiality DO NOT DISCUSS PATIENT INFORMATION IN PUBLIC AREAS

Response Respect privacy. This does not mean you have to ignore someone you know. Just do not ask for personal health information. Do not repeat information to others “Need to know” Do not ask for information even if you know the person.

What do you do? You entered a patient’s room to explain a procedure. The patient has several visitors in the room who may or may not be family.

ASK PERMISSION FROM THE PATIENT

What do you do? You are walking down the hallway in the health care facility where you work. You are stopped by a visitor who asks for directions.

Be courteous and Direct Visitors to the Information Desk

Protecting Spoken Information Around Patient Rooms Knock first and ask permission to enter Close doors or curtains Speak softly in semi-private rooms In Public Areas Do not talk about patients Direct visitors to the information desk Do not leave messages containing PHI on answering machines

What do you do? Suppose you work in an area where several people share a fax machine in a lounge. While you are in the lounge a fax including PHI arrives but no one comes to get it. Later that afternoon you notice the fax is still there.

DO NOT LEAVE MEDICAL INFORMATION UNATTENDED

What do you do? You enter a conference room and find papers with patient information left on the table.

Protecting Written Information Find the owner of “lost” papers Shred information no longer needed Do not leave papers unattended Keep information away from public view

Protecting Electronic Information Keep computer screens pointed away from the public Never leave patient information in public areas unattended Log off workstations when leaving the area Do not share your password verbally, in writing, or by with anyone Report any misuse of or problems with your password

You are responsible Any activity on the computer that is made with your user name is your responsibility Prevent loss or theft of handheld and laptop computers Use passwords to protect information Close programs when not in use

Why Comply? It is the right thing to do You will face disciplinary action There may be penalties

Consequences for Noncompliance Wrongful disclosures: Up to $50, year in prison. Gaining access by false pretenses: Up to $100,000 + up to 5 years in prison. Intent to sell, transfer or use: Up to $250,000 + up to 10 years in prison.

Enforcement of HIPAA The Office for Civil Rights has been charged with enforcing HIPAA privacy regulation

Questions About Privacy? Some situations are not clear HIPAA was not meant to interfere with patient care When in doubt ask!

A parting thought If your loved one was a patient, wouldn’t you want your family’s privacy to be protected by the people caring for him or her?

Resources Federal Register February 20th, 2003 Notice downloads.cfm HHS Office of Civil Rights – HIPAA Page Federal Register August 14, 2002 Notice downloads.cfm