CVTE 113 HIPAA

Question 1

What does HIPAA stand for?

Answer 1

Health Insurance Portability and Accountability Act
1996

Question 2

Two (2) parts of HIPAA covered
in this presentation:

Answer 2

• HIPAA Privacy
• HIPAA Security

Question 3

What is HIPAA Privacy?

Answer 3

•HIPAA Privacy –

Protection for the privacy of Protected Health Information (PHI) effective April 14, 2003 (including Standardization of electronic data interchange in health care transactions, effective October 2003)

Question 4

What is the difference between Privacy and Security?

Answer 4

• The Privacy Rule sets the standards for how covered entities and business associates are to maintain the privacy of Protected Health Information (PHI)
• The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information(e-PHI)

Question 5

What is HIPAA?

Answer 5

• Protects the privacy and security of a patient’s health information.
• Provides for electronic and physical security of a patient’s health information.
• Prevents health care fraud and abuse

.•Simplifies billing and other transactions, reducing health care administrative costs.

Question 6

What is HIPAA?

Answer 6

• HIPAA is the Health Insurance Portability and Accountability Act of 1996, with guidelines implemented in 2003.
• HIPAA is a Federal Law.
• HIPAA is a response, by Congress, to healthcare reform.
• HIPAA affects the health care industry.
• HIPAA is mandatory.

Question 7

Who has to follow the HIPAA law?

Answer 7

• Admitting clerks
• Caregivers from the ED to the morgue
• Physical therapists
• Nutritionists
• Lab personnel
• Receptionists in MD offices
• Transport techs
• Respiratory therapists
• Billing clerks
• Insurance agents/clerks
• School teachers/nurses
• Home health personnel
• Medical records clerks
• Website managers

Question 8

Examples of Covered Entities

Answer 8

• Providers
• Health Plans
• Clearinghouses for Electronic Billing
• Business Associates (through contracts)

Question 9

When is the HIPAA implementation date?

Answer 9

2003

Question 10

Where does HIPAA apply to us?

Answer 10

HIPAA applies to us all—

in all settings.

That means at school, at home,

on the shuttle buses,

as well as the hospitals and clinics.

Question 11

Why is HIPAA important?

Answer 11

To protect our personal information from being misused in situations such as these:

Question 12

What does PHI stand for and what does it mean?

Answer 12

Protected Health Information (PHI) or Protected Medical Information (PMI)

This is any data about the patient that would tend to identify the individual:

name, hospital #, SSN, diagnosis, lab results, past or current photos, etc, etc.

Question 13

What does PO stand for and what does it mean?

Answer 13

Privacy Officer (PO)

Each facility will have an employee who is responsible for implementing and enforcing this law. Some may have one over a multi-facility network (Seton) others one at each site (St. David’s Partnership). As a nursing student this individual (after your instructor or preceptor) could be your point of information regarding HIPAA.

Question 14

What does CE stand for and what does it mean?

Answer 14

Covered Entity (CE)

This includes any health plan, healthcare provider, agency that processes claims, and any company that subcontracts with them are covered by this law.

Question 15

7 patient rights
regarding privacy of PHI

Individuals have the right to:

Answer 15

1. Receive notice of an agency’s privacy practices.
2. Know that an agency will use its PHI ONLY for treatment, payment, operations (TPO), certain other permitted uses and uses as required by law
3. Consent to and control the use and disclosure of their PHI.
4. Access their protected health information (PHI), except for psychotherapy notes (they might be charged for copies)
5. Request amendment or addendum to their PHI (not always granted)
6. Receive accountings of disclosures
7. File privacy complaints to agency officer

Question 16

What is the “Need to know” principle?

Answer 16

PHI should be shared with as few individuals as needed to ensure patient care and then only to the extent demanded by the individual’s role.

For example, the nursing assistant “needs to know” only the facts concerning the patient’s current admission.

As a student, you will discuss PHI only as it applies to your education or your patient’s care.

Question 17

How do we help to Protect PHI?

Answer 17

• Take all reasonable steps to make sure that individuals without the ‘need to know’ do not overhear conversations about PHI.
• DO NOT conduct discussion about PHI in elevators or cafeterias.
• Do not let others see your computer screen while you are working. Be sure to log out when done with any computer file.

Question 18

As a student, how do you protect PHI?

As an employee, what must you use to protect PHI?

Answer 18

In the student role, you are NOT to photo duplicate or fax patient documents in the process of working with your patient’s PHI.

As an employee of an agency you must use the agency’s security procedures to transmit PHI.

Question 19

What Patient Information
Must We Protect?

Answer 19

Protected Health Information (PHI)

1. Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual.
2. Is transmitted or maintained in any form (electronic, paper, or oral representation).
3. Identifies, or can be used to identify the individual.

Question 20

Examples of PHI:

Answer 20

PHI = Health Information with Identifiers

• Name
• Address (including street, city, parish, zip code and equivalent geocodes)
• Name of employer
• Any date (birth, admit date, discharge date)
• Telephone and Fax numbers
• Electronic (email) addresses
• Social Security Number
• Medical Records

Question 21

What is the law regarding PHI?

Answer 21

You may not use or disclose an individual’s protected health information,

except as otherwise permitted, or required, by law.

•

Question 22

How MAY we Use and Share a Patient’s PHI?

Answer 22

• Treatment of the patient, including appointment reminders
• Payment of health care bills
• Business and management operations
• Disclosures required by law
• Public Health and other governmental reporting

Question 23

What does “Treatment” Include?

Answer 23

• Direct patient care
• Coordination of care
• Consultations
• Referrals to other health care providers

Question 24

What does “Payment” inculde?

Answer 24

“Payment” includes any activities required to bill

and collect for health care services provided to patients.

Question 25

What does "Health Care Operations" include?

Answer 25

“Health Care Operations” include business management and administrative activities, quality improvement, compliance, competency, and training.

Question 26

When can you use PHI?

Answer 26

Only to do your job! As part of your job, you must protect the privacy of the patient’s PHI.

Question 27

What are practices you can implement to protect PHI from being compromised?

Answer 27

* Look at a patient’s PHI only if you need it to perform your job. * Use a patient’s PHI only if you need it to perform your job. * Give a patient’s PHI to others only when it’s necessary for them to perform their jobs. * Talk to others about a patient’s PHI only if it’s necessary to perform your job, and do it discreetly. At all times…Protect a patient’s information as if it were your own!

Question 28

For Example… 1. You are a physician whose friend’s wife is in a coma in the hospital after an accident. He asks you to review the admitting physician’s orders and see if you concur. What can you legally do under HIPAA? A.You can look at her chart so you can answer your friend’s questions about his wife’s condition. B.You can ask the charge nurse on the floor to look into her records for you. C.You can tell your friend that you can only look at his wife’s medical records if her physician, the patient, or in this case, the patient’s representative, allows you to do so. Suggest that your friend ask to discuss her treatment and progress with the attending physician.

Answer 28

C. ## Footnote Under HIPAA, you are only allowed to use information required to do your job. Since you are neither the attending physician nor part of the patient’s care team, it is against the law to access the patient record or ask someone to access it on your behalf—even though you may know the person and just want to be helpful. Remember that, if you were in a similar situation, you might not want your colleagues going through your own medical records, or those of your spouse or close friend.

Question 29

How can we protect PHI from Public Viewing / Hearing?

Answer 29

* Refrain from discussing PHI in public areas, such as elevators and reception areas, unless doing so is necessary to provide treatment to one or more patients. * Medical and support staff should take care when sharing PHI with family members, relatives, or personal representatives of patients. Information cannot be disclosed unless the patient has had an opportunity to agree with or object to the disclosure. * Personal representatives are those individuals who, under Louisiana law, are able to make healthcare decisions on behalf of the patient.

Question 30

For Example: Dr. Fortissimo was eating breakfast in the Med School Cafeteria one Monday morning, and talking on his cell phone to another doctor. During the conversation, he referred to the patient by name, and described her diagnosis. The cafeteria worker at the next table heard the call. What could have been done differently to protect the patient’s privacy? A.The patient’s privacy was protected; nothing was done wrong, since no PHI was mentioned. B.It is important to be aware of your surroundings when you discuss patient information (PHI). The patient’s case should have been discussed in a more private location, or, at least, in a low voice that could not be overheard. C.Other customers should not be allowed to eat in that section of the cafeteria so as to avoid such situations.

Answer 30

**B.** ## Footnote Although HIPAA allows incidental uses and disclosures, this type of disclosure is not allowed. PHI includes oral communications. The patient’s case should only have been discussed in a location that provided for the privacy of the information discussed.

Question 31

What if there is a breach of confidentiality?

Answer 31

Breaches of the policies and procedures or of a patient’s confidentiality must be reported to the appropriate officer at the institution.

Question 32

What are the possible Disciplinary actions for breach of patient privacy?

Answer 32

There may be internal disciplinary action or civil penalties (fines and/or prison). An employee who does not protect a patient’s privacy could lose his or her job!

Question 33

What is the policy about Downloading/Copying/Removing PHI? If an employee is terminated, what must they return?

Answer 33

* Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs. * Upon termination of employment, or upon termination of authorization to access PHI, the employee must return to the University all copies of PHI in his or her possession.

Question 34

What must faxes include to protect PHI?

Answer 34

Faxing is permitted. Always include, with the faxed information, a cover sheet containing a Confidentiality Statement: ## Footnote 1. The documents accompanying the transmission contain confidential privileged information. The information is the property of the [facility name] and intended only for use by the individual or entity named above. The recipient of this information is prohibited from disclosing the contents of the information to another party. 2. If you are neither the intended recipient, or the employee or agent responsible for delivery to the intended recipient, you are hereby notified that disclosure of contents in any manner is strictly prohibited. Please notify [name of sender] at [facility name] by calling [phone #] immediately if you received this information in error.

Question 35

Is faxing permitted?

Answer 35

yes

Question 36

What should we limit manual faxing too?

Answer 36

Limit manual faxing to urgent transmittals: •Medical emergencies Faxing PHI is appropriate when the information is needed immediately for patient care •Other situations considered urgent (e.g., results from lab to physician)

Question 37

Information that SHOULD NOT be faxed (except in an emergency):

Answer 37

* Drug dependency * Alcohol dependency * Mental illness or psychological information * Sexually-transmitted disease (STD) information * HIV status

Question 38

Where should PHI not be left?

Answer 38

PHI should not be left in conference rooms, out on desks, or on counters where the information may be accessible to the public, or to other employees or individuals who do not have a need to know the protected health information.

Question 39

What is e-PHI?

Answer 39

•e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted using any type of electronic information resource. •Information is an electronic medical record, patient billing information transmitted to a payer, digital images and print outs, information when it is being sent to another provider, a payer or a researcher.

Question 40

How do we protect e-PHI?

Answer 40

* Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security) * Ensure that the information will not be disclosed to unauthorized individuals or processes (Confidentiality) * Ensure that the condition of information has not been altered or destroyed in an unauthorized manner, and data is accurately transferred from one system to another (Integrity) * Ensure that information is accessible and usable upon demand by an authorized person (Availability)

Question 41

What security measures do we use to protect e-PHI?

Answer 41

* Password for access to computers/workstations * Email encryption * Workstation security measures * Malware controls to guard against bad software * Control of memory devices (e.g., flash drives)