Alliance for Clinical Education (ACE) Student HIPAA Training

July 2008

Objectives

Describe the HIPAA Privacy rules and regulations

Identify patients’ rights and your role in protecting them

Discuss your responsibilities under HIPAA-related policies and procedures

Explain the penalties for non-compliance

Protecting Patient Privacy IS EVERYONE’S RESPONSIBILITY

Your Responsibilities

Respect the patient’s right to privacy

Know the facility’s privacy policies

Be sensitive

Definitions

HIPAA – the Health Insurance Portability and Accountability Act of 1996. A federal law that specifies the types of measures required to protect the security and privacy of personally identifiable health information.

Patient Confidentiality – keeping information about a patient’s health care private. The information is shared only with those who need to know in order to perform their duties on behalf of the patient.

Definitions continued…

Protected Health Information (PHI) – medical information that can be traced to, or identified with, a particular patient. PHI is information created or received by a health care organization that relates to the past, present, or future health or condition of an individual.

Transaction – the exchange of information between two parties to carry out financial or administrative activities related to health care.

HIPAA

What is it?

“Patients have the right to have health information kept private and secure”

HIPAA is mandatory; there are penalties for failure to comply

Covered Information

Confidentiality and Privacy: All protected, identifiable health information (PHI) must be considered and treated as confidential, and all patients have the right to request restrictions on who will see their PHI.

Security: Establishes the requirements for ensuring the confidentiality, availability and integrity of PHI

Patients have the Right to:

Expect privacy and freedom from intrusions or disturbances regarding his/her personal affairs.

Expect that all communications and records concerning his/her care will be treated as confidential. Information will be shared only with those who need to know the information to perform their duties on behalf of the patient.

Review the records pertaining to his/her medical care.

What must be Kept CONFIDENTIAL?

Confidential? How do I know?

Did you learn the information through caring for your patient?

If yes, then consider it confidential

Understanding PHI (Protected Health Information)

Protected Health Information

Is created by a health care provider

Is information that there is a reasonable basis to believe it could be used to identify the patient

Relates to past, present or future physical or mental condition of an individual; provision of healthcare or for payment of care provided to an individual

Is transmitted or maintained in any form (electronic, paper or oral representation)

Privacy Protected Elements

Health information is considered individually identifiable if any of the following are present:

Name

Full address

Names of relatives

Name of employers

Birth date

Telephone numbers

Fax numbers

Electronic e-mail addresses

Social security number

Medical record number

Health plan beneficiary number

Account number

Certificate/license number

Any vehicle or other device serial number

Web Universal Resource Locator (URL)

Internet Protocol (IP) address number

Finger or voice prints

Photographic images

Any other unique identifying number, characteristic, code that could be used to identify the patient

Patients’ Right to Receive Notice of Privacy Practices

Items required to be included in the Notice:

How medical information is used and disclosed by an organization

How to access and obtain a copy of their medical records

A summary of patient rights and facility responsibilities under HIPAA

How to file a complaint and contact information for filing a complaint

Facilities Notice of Privacy Practices

The patient has the right to receive a Notice of Privacy Practices:

Must provide the notice at the first encounter with the patient

Must attempt to obtain written acknowledgement of receipt of the Notice of Privacy Practices

Minimum Necessary

HIPAA Requirement:

Identify members of the work group who need access to confidential information

Identify what information can be accessed

Limit access

WHAT GROUP DO YOU BELONG TO?

Complete Access:
• Clinical departments
• Health Information Management
• Students: limited to assigned patient only

Limited Access:
• Admissions/Business Office

No Access:
• Departments or individuals whose job does not require any handling of PHI (Food Services, Environmental Services/Housekeeping)

Discussions of PHI

Staff will discuss patient information to share information and the treatment plan. Every effort should be made to protect the privacy of the patient by minimizing risk that others can overhear the conversation.

The discussion of PHI should never occur in public areas such as the cafeteria or elevators.

Discussions can occur at the nursing station and with a patient in a treatment area.

Minimum Necessary

What can I access as a student?

Only the information you “NEED TO KNOW” to care for assigned patient

DO NOT access information when you are not caring for that patient any longer or for any patients you are not assigned to care for

Patient Right to Access

Patients have the right to:

Access or inspect their health record

Obtain a copy of their health record from the healthcare provider

Reasonable fees may be charged for copying

Access and copying for as long as the information is retained

Facility must act on request for access no later than 10 days after receipt (Colo. Law)

Students: Refer requests for access to the facility staff

Patients’ Right to Request Privacy Restrictions

The patient has the right to request an organization restrict the use and disclosure (release) of their protected health information

Can request restriction in use of information for treatment, payment or healthcare operation purposes (TPO)

Organization is not required to agree with the request for restrictions

Requests must be made in writing

No staff level individual should accept any requested restrictions

Students: Refer requests for restrictions to the facility staff

Patients’ Right to Amend

Patients have the right to request an amendment to their PHI

Amend is defined as the right to add/revise information with which s/he disagrees. The original information is not removed from the record but the amended/corrected information is added to the record.

Students: Refer requests for amendments to the facility staff

As a Student How do I Handle….

An individual asking for access to their record?

Students: Refer requests for access to the facility staff

The staff will follow up per specific facility policy

Disclosure ??? What is it???

The release, transfer, access or divulging of PHI (protected health information) to an outside person or entity

Students do not participate in this process

Disclosure can occur without the patient’s consent under the following conditions:

When required by law

For public health activities to control disease, injury or disability

For disaster relief

In cases of abuse and neglect

For coroners, funeral directors and organ donation

For legal proceedings

For worker’s compensation

In cases of communicable diseases

Student Responsibilities

In a patient room or exam room

Knock before entering room

Identify yourself as a student

Close door after entering the room

Ask visitors to leave the room unless patient requests otherwise

Speak softly if roommate present

In a clinic or office setting

Sign in sheets should contain minimal amount of PHI

Street address or reason for visit should not be on sign in sheets

Student Responsibilities cont…

At the Nurses’ Station

Do not leave patient information, e.g. flow sheets, charts, sticky notes, lab reports or x-rays out in the open where others may view. When finished working on it, put it back where it belongs

Shred all documents with PHI, do not put in garbage, do not take them home

When at the nurses’ station, speak softly when discussing PHI. It is best to use a private area to discuss the patient

Student Responsibilities cont…

At the Computer

Have screen facing away from the public so it is not visible to patients, visitors and other unauthorized persons

Always log off when leaving the computer

Change the password on your computer if required by clinical facility

Do not share your log-in information or password with anyone else. You are responsible for what is done under your log-in

Student Responsibilities cont…

Using E-mail

Always use protected, encrypted email to communicate with your faculty and clinical instructors

Never use PHI in e-mail attachments or in the email itself for the following reasons:

E-mail can easily be sent to the wrong person, either on purpose or by accident

E-mail does not ensure privacy of information transmitted

Student Responsibilities cont…

Do not post PHI or discuss patients you have met on web-based chat rooms (My Space, Facebook)

Do not take photos of patients

Do not photocopy medical records

At the Fax

Students do not use the fax machine during the clinical experience

Student Responsibilities cont…

Using an Interpreter

When interpreter services are needed, follow clinical agency practice

In Public

Never mention a patient’s PHI in public; people are often watching and listening, and you never know who knows the patient

Never carry, review, discuss or disclose a patient’s chart or PHI in a public place

Scenarios

Following are scenarios to help you think through privacy related situations in the clinical facilities

After reading each scenario, think how you would answer the question before going to the next slide

Scenario answers follow each scenario

Scenario #1

One of your fellow students, who had lab work done recently, called you from home and asked you to look up her lab results on the computer and give her the results.

Do you look up your fellow student’s lab results?

Scenario #1 Answer

No. Since you are not providing treatment to your fellow student, you are not permitted to look up her lab results and provide them to her. She needs to get this information from her doctor

This applies to your own records as well

Scenario #2

You see your fellow student reading through a patient's medical record. She is not providing treatment for this patient.

What do you do?

Scenario #2 Answer

Tell your clinical instructor. He/she will follow up with the student.

The clinical instructor then needs to notify the facility privacy officer of this action

Scenario #3

Your sister’s close friend is having surgery at the organization where you are doing a clinical rotation. She asks you to find out what you can about the friend’s condition. Should you call and ask around to the nurses you know? Should you look up the friend’s medical record?

Scenario #3 Answer

No. Even if you and your sister have the best intentions, you have no right to look at private information about her friend’s health. Suggest to your sister that she call the facility or visit the information desk. If the patient has agreed to have her information available, hospital staff will assist her in obtaining information on her friend.

Do not seek out confidential patient information unless you need it to do your job. When you happen to hear confidential information, do not repeat it to anyone.

Looking at patient records for any non-business reason is cause for disciplinary action and can have possible legal consequences.

Scenario #4

You are called to work in a patient's room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication.

What should you do?

Scenario #4 Answer

If you must do the job immediately to properly care for the patient, ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15-20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard.

Some patients may say that it is acceptable for you to stay in the room during the conversation. But remember that a patient may not feel comfortable sharing everything about his/her symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave. It would be best for you to come back later.

Scenario #5

You are working the ER when you see that a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the hospital.

Should you notify her that her husband is in the ER?

Scenario #5 Answer

No. Tell the nursing staff that you know the patient and his wife. Tell them that if they need to locate her, you can help. When patients are in the hospital, they have the right to decide who should know that they are there. Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the ER staff will allow him to decide whom to notify that he is there.

If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife. Leave the decision up to the ER staff. They will let you know whether they need your help to find the patient’s wife.

Scenario #6

You are in the nurses’ station where the patients’ medical records are located in the chart rack. You spot the name of a close friend.

Should you stop by her room?

Scenario #6 Answer

No. If you learned of your friend’s stay only by seeing the name on a medical record on the chart rack, you should not go to her room.

You should inform your clinical instructor of your relationship with her so that you are not assigned to care for her.

If you find out from the patient or her family member that she is a patient there, feel free to visit her after your shift.

Scenario #7

You are walking by a trashcan and notice a pile of photocopied records has been laid on top of the trash.

How should you handle this?

Scenario #7 Answer

Don’t just take the records to a shredder or locked disposal container yourself. Gather the records and take them to your clinical instructor. He or she will report it to the Manager of the unit who will investigate the incident and report it to the organization’s privacy officer.

Scenario #8

A woman provides the name of a patient and asks for information.

What can you tell her?

Scenario #8 Answer

Refer the woman to the information desk

Check the facility directory. If the patient is listed in the directory, you can tell the woman the patient’s location.

If the patient has requested that his name not be included in the directory, you cannot give out any information about them to anyone or even acknowledge that they are here, regardless of the person’s relationship to the patient.

Scenario #9

At the nursing station, you are approached by someone asking to see a patient record.

What do you do?

Scenario #9 Answer

Refer to agency staff for clarification of identification and appropriateness of request.

What Happens If….

A privacy policy is violated?

Patients have the right to file a complaint and

Civil and criminal penalties could occur

Patient’s Right to File a Complaint

The patient has the right to file a complaint if s/he believes privacy rights have been violated*

*Organization must provide contact information for filing a complaint

Doing Your Part

Access confidential information ONLY if you need it to care for your patient.

Protect your computer passwords

Understand the facility’s privacy policies

Report problems to the facility staff

As a Student

Patient identification

Cannot use patient’s initials

Need to assign a number to the patient for identification

Care plans

Any notes with PHI gathered must be shredded after the assigned shift

The use of PDAs or pocket PCs to RECORD patient information is not allowed

Penalties…….

Both criminal and civil penalties for:

Failure to comply with HIPAA requirements

Knowingly or wrongfully disclosing or receiving individually identifiable health information

Obtaining information under false pretenses

Obtaining information with intent to:

Sell or transfer it

Use it for commercial advantage

Use it for personal gain

Use it for malicious harm

Fines as high as $250,000 and prison sentence of up to 10 years

References

HIPAA Programs from:

ACC

Craig Hospital

Centura

HCA-HealthONE

Denver Health

P/SL

Regis University