HIPAA Privacy Keys to Success

HIPAA PrivacyHIPAA PrivacyKeys to SuccessKeys to Success

Education for Nursing and all other Clinical Students

Effective January 2010

HIPAA Job Specific Education 1

HIPAA and Its PurposeHIPAA and Its Purpose

What is HIPAA? Health Insurance

Portability and Accountability Act of 1996

Title II – Administrative Simplification

It’s a federal law HIPAA is mandatory,

penalties for failure to comply

Purpose: Protect health

insurance coverage, improve access to healthcare

Reduce fraud and abuse

Improve quality of healthcare in general

Reduce healthcare administrative costs (electronic transactions)


HITECH and Its PurposeHITECH and Its Purpose

What is HITECH? Health Information

Technology for Economic and Clinical Health Act

Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)

It’s a federal law

Purpose: Makes massive changes

to privacy and security laws

Applies to covered entities and business associates

Creates a nationwide electronic health record

Increases penalties for privacy and security violations


Key HITECH ChangesKey HITECH Changes

◦ Breach Notification requirements

◦ AOD for treatment, payment, and healthcare operations in electronic health record (EHR) environment

◦ Business Associate Agreements

◦ Restrictions◦ Right to access

◦ Criminal provisions◦ Penalties◦ OCR Privacy Audits◦ Copy charges for

providing copies from EHR

◦ HIPAA preemption applies to new provisions

◦ Private cause of action◦ Sharing of civil

monetary penalties with harmed individuals


Civil Penalties for Non-compliance*Civil Penalties for Non-compliance*


Violation Category Each Violation All such violations of an identical provision in a calendar year

Did Not Know $100 - $50,000 $1,500,000

Reasonable Cause $1,000 – $50,000 $1,500,000

Willful Neglect – Corrected $10,000 - $50,000 $1,500,000

Willful Neglect – Not Corrected

$50,000 $1,500,000

*As of 2/17/10

Criminal Penalties for Criminal Penalties for Non-complianceNon-compliance

For health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. These penalties can apply to any “person”.

Penalties higher for actions designed to generate monetary gain up to $50,000 and one year in prison for obtaining or disclosing

protected health information

up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"

up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm


Facility Privacy Official (FPO)Facility Privacy Official (FPO)

Your FPO is: Susan Armstrong, HIM Director

Responsible for:◦Implementation of Privacy and Information

Security Program ◦Privacy Rights of patients◦Requests for Privacy Restrictions◦Facilitating the training and education of

workforce members


HIPAA TerminologyHIPAA Terminology

HITECH: Health Information Technology for Economic and Clinical Health Act

HIPAA: Health Insurance Portability and Accountability Act

PHI: Protected Health InformationCE: Covered Entity (Hospital)OHCA: Organized Health Care Arrangement (The

hospital and medical staff will be considered an Organized Health Care Arrangement)

DRS: Designated Record Set (medical record and billing record)

Directory: Hospital census list used by volunteers and operators with name and room

TPO: Treatment, Payment and Healthcare Operations


What is Protected by HIPAA What is Protected by HIPAA (PHI)?(PHI)?

NameAddress including street, city,

county, zip code and equivalent geocodes

Names of relativesName of employersBirth dateTelephone numbersFax NumbersElectronic e-mail addressesSocial Security NumberMedical record number

Health plan beneficiary number

Account numberCertificate/license numberAny vehicle or other device

serial numberWeb Universal Resource

Locator (URL)Internet Protocol (IP) address

numberFinger or voice printsPhotographic imagesAny other unique identifying

number, characteristic, code


How will HIPAA affect you?How will HIPAA affect you? Coversheets with confidential statement need to be used

on all external faxes. Patient charts will need to be placed in secure area PHI will need to be placed in Cintas Shred containers for

disposal Unless specifically authorized by the patient, patient

family members should only be told the basic condition and location

Patient information should only be accessed if there is a need to know

Never discuss patient care in front of visitors– politely ask the visitors to step out for a moment – if the patient states they can stay be sure to document this in the chart.


How will HIPAA affect you?How will HIPAA affect you?Do not write down any names or identifiable

patient information in your student notes – if in doubt check with your instructor

Patient charts need to be placed in secure areasPHI will need to be placed in Cintas Shred

containers for disposal – NOT IN TRASH CANSPatient information should only be accessed if

there is a need to knowPatients have a right to a copy of their medical

record but they must go to medical records and sign a release and only after the chart is completed after discharge


Patient Privacy ComplaintsPatient Privacy Complaints

FPO must maintain complaint log in accordance with the complaint process

ALL privacy complaints must be routed to the FPO

Responses cannot be accompanied by retaliatory actions by the hospital

Disposition of complaint must be consistent with the facility’s Sanctions for Privacy Violations


Notice of Privacy PracticesNotice of Privacy Practices Patient will receive a Notice upon each registration The Notice outlines patient’s privacy rights as:

◦ Right to access your PHI◦ Right to amend (append or add to) your PHI – if you

disagree with the information◦ Confidential Communication-alternative means or to

an alternative location◦ Right to Privacy Restriction-use or disclosures of your

PHI◦ Right to Opt out of Directory-no disclosure of patient’s

name, location, condition of patient, or religious affiliation

◦ Right to an accounting for disclosures – where your information went without your authorization


Breach NotificationBreach NotificationHITECH provisions require the following

notifications when breaches (as defined in the regulations) occur:◦To the patient◦To the Department of Health and Human

Services◦To the media when the breach involves more

than 500 individuals in the same state or jurisdiction


Ensuring Security Ensuring Security ComplianceCompliance

Ensure users log off computer systems and medical devices when not in use.

PC’s should have screen savers whenever possible.

Computer screens should be positioned so information (PHI) is not readable by the public or other unauthorized viewers

Printers should be positioned in protected locations so that printed information is not accessible or viewable by an unauthorized person.

PHI must be properly disposed.


Common ExposuresCommon Exposures

Discussions of patient information in public places such as hallways and cafeterias

Printed or electronic information left in public view (e.g., charts left on counters)

Discussing patient information on social networking sites (e.g., Facebook, Twitter)

PHI in regular trashRecords that are accessed without need to know

in order to perform job dutiesUnauthorized individuals hearing patient

sensitive information such as diagnosis or treatment


HIPAA Privacy Keys to Success

Documents

Transcript of HIPAA Privacy Keys to Success