CONFIDENTIALITY GUIDELINES FOR PA STAFF Based on HIPAA Regulations & General Confidentiality...

Post on 26-Dec-2015


CONFIDENTIALITY GUIDELINES FOR PA STAFF

Based on HIPAA Regulations & General Confidentiality Protocols

What is HIPAA?

• A federal law
• Geared to improve the health insurance system
• Defines rules for protection of patient information
• More on that later

Does the PA Have to Comply w/ HIPAA?

• Yes, it’s recommended
• HIPAA guidelines cover three basic groups: health plans, health care providers, and health care clearinghouses.
• The expansive regulatory definition of health plan above includes: employee benefit plans

But We’re Not A Health Plan!

• True, but we are: an organization that routinely handles protected health information from a health plan, in any capacity, is in all probability a covered entity.
• “Routinely handles” includes: “administration”
• The PA is likely considered the plan administrator
• However, this hasn’t been officially determined
• In the meantime, better to err on the side of caution

We Contract w/ A Health Plan

• Business associate contracts are required by HIPAA
• Organizations performing functions involving PHI on behalf of “covered entities” would be reached.
• The PA is considered a business associate of the AAH, Delta & EyeMed
• How does that business association affect all PA staff? All PA staff are supposed to comply
• Behavior of individuals in the business associates' workforces would be covered by HIPAA rules.

What Does the PA Have to Do to Comply?

Generic requirements for covered entities:

• Training workforce members so that they understand the privacy procedures
• Designating a privacy office/officer
• Adopting adequate security policies and procedures for records containing individually identifiable health information

What Am I Protecting?

• Patient information
• PHI
• Individually identifiable health information

What is Patient Information?

Patient information, a.k.a. “patient health information,” is:

• “Any information, whether oral or recorded in any form or medium that is…”
• “Created or received by an employer...” and
• “Relates to the provision of health care to an individual…” or
• “…the past, present, or future payment for the provision of health care to an individual.”

What is PHI? (Protected Health Information)

• Protected health information includes any individually-identifiable health information.
• Health information with data items which reasonably could be expected to allow individual identification.
• Individually-identifiable health information should not be interpreted narrowly
• Beyond a patient's name and social security number, other information (spouse's name, emergency contact individual and number) could be used to individually identify a patient.

HIPAA Privacy Rule

• Mandates the protection and privacy of all protected health information.
• Specifically defines the disclosures of “individually-identifiable” health info.

What If I Don’t Handle Medical Information?

You should still abide by general confidentiality protocols for sensitive information.

Let’s learn:

• What confidentiality means
• What’s considered confidential
• How to handle confidential data

Confidentiality

• Confidentiality as defined by the International Organization for Standardization (ISO): “Ensuring that information is accessible only to those authorized to have access”
• Adaptation of the military's “need-to-know” principle
• Forms the cornerstone of information security today

Sensitive Data: What is It? Why Keep It Confidential?

• Data required to hire, pay, and manage employees is by nature sensitive.
• Information could be misused to commit fraud, discrimination, and other violations.
• Job discrimination based on a breach of medical data or DOB
• Identity theft
• If data is misused, the employer could face costly lawsuits.
• The employer may lose employee trust and confidence

How Do Other Employers Handle Sensitive Information?

• Most employers voluntarily protect employees’ personal information; they follow the laws willingly
• Abide by current laws. Laws passed to protect employee confidentiality include:
  • ADA (federal)
  • HIPAA (federal)
  • State laws that limit how an employee's SSN can be used or transmitted
  • Information Practices Act of 1977 (on PA M:/ drive)

Protocols for Handling Sensitive Information

• Develop policies that address workplace confidentiality
• Train managers and supervisors about confidentiality issues and legal requirements
• Guard against indiscreet behavior, even seemingly minor incidents:
  • Tossing sensitive info. in the trash
  • Speaking too loudly where others can overhear
  • Leaving employee data displayed on a visible monitor
• Coordinate with external employee services: benefit providers, payroll services (HRM), outsourced HR service centers (HRM)

More Protocols (General) for Handling Sensitive Information

• Store confidential information securely
  • Traditional “lock & key” for hard copies
  • Electronic methods for electronic data: firewalls, encryption, password protection
  • Secure disposal
• Stay current on legal requirements and best practices
  • Professional HR associations are a good source of updates
  • You also can attend seminars sponsored by consulting, outsourcing, and law firms

Confidentiality “How To”: Begin with Mindfulness

• Develop your confidentiality “higher consciousness”
• Keep confidentiality in the forefront of your mind
• Continually ask yourself, “Am I dealing with something considered sensitive or confidential?”
• Hone your “Spidey” confidentiality sense
• Make peace with confidentiality protocols: don’t fight them, adopt them

Confidentiality “How To”

• Best: exchange sensitive files via secure FTP
• Good: zip & encrypt files (WinZip or other software); send via email
• OK: password protect docs w/out zipping; send via email
• Turn the monitor off if displaying sensitive info.
• Monitor off & lock computer (Ctrl+Alt+Del) if away from desk for more than a minute or two

More Confidentiality “How To”

• Keep your voice down
• Don’t discuss/share sensitive info. where others can hear you; just close the door
• Keep hard copies in a locked file cabinet; restrict access to the locked cabinet
• Use file folders to keep hard copy docs from public view when working with them

Even More Confidentiality “How To”

• Tell callers that you are bound by State & Federal laws that limit what you can discuss
• Steer callers away from disclosing personal medical information/sensitive info. if not necessary
• The less you know, the less you may potentially misuse