HIPAA Privacy Training


Transcript of HIPAA Privacy Training

Page 1: HIPAA Privacy Training

SullyMed Informatics 2003 1

HIPAA Privacy Training

Staff

Page 2: HIPAA What?

Page 3: What is HIPAA

Health Insurance Portability and Accountability Act

Page 4: What is HIPAA

A Federal law intended to:
Improve portability and continuity of health insurance coverage
Combat waste, fraud and abuse in health insurance and health care delivery
Promote use of medical savings accounts
Improve access to long-term care services
Simplify administration

Page 5: HIPAA

TITLE I--HEALTH CARE ACCESS, PORTABILITY, AND RENEWABILITY
TITLE II--PREVENTING HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE SIMPLIFICATION; MEDICAL LIABILITY REFORM
TITLE III--TAX-RELATED HEALTH PROVISIONS
TITLE IV--APPLICATION AND ENFORCEMENT OF GROUP HEALTH PLAN REQUIREMENTS
TITLE V--REVENUE OFFSETS
(The Privacy Rule, the Security Rule and the transaction standards all come from the Administrative Simplification provisions of Title II.)


Page 7: Immediate Impact

Transaction and Code Sets
Security Rule
Privacy Rule

Page 8: Focus Today

Transaction and Code Sets
Security Rule
Privacy Rule (the subject of this training)

Page 9: Scene 1

Monday morning, 10 A.M.
Waiting room full, phones ringing, conversations going on all over
Receptionist sitting at the window
Phone on shoulder, caller on hold
Monitor in view of patient
"Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist's records?"

Page 10: Scene 2

MA comes to get Mrs. Jones
Says hello to another patient she knows
Inquires about her daughter
Asks how her husband's lab test came back
Patient surprised he had any test
Brings Mrs. Jones back to exam room

Page 11: Scene 3

Records room, clerks all working and talking
Clerk filing labs asks a coworker if they saw the results on Mr. Smith
Notices duplicate copies of results and throws one in the trash can

Page 12: Scene 4

Billing rep on phone:
"Mrs. Jones, we cannot send the bill to a work address"
"You want to change the diagnosis in your chart? We cannot do that!"

Page 13: Scene 5

End of day
Charts all over countertops, desks, etc.
Wastebaskets full of duplicate copies of reports, letters, etc.
Filing cabinets open
Computer screens remain on, open to the practice management system

Page 14: Do We Need a Privacy Regulation?

No Federal law or national standard
State laws inadequate and inconsistent
False sense of privacy with paper charts
Now the sharing of health information with millions is only a mouse click away

Page 15: Harm from Inappropriate Disclosure of PHI

Mental anguish
Personal discrimination
Economic harm
Patients withholding important medical information that physicians need
Confidentiality is the core of health care today
Harms the patient-physician relationship
Harms quality of care

Page 16: Who does it apply to?

Health Plans
Health Care Clearinghouses
Health Care Providers
No distinction between a small office and a large tertiary care hospital
Same rules apply, only implementation differs

Page 17: Definitions

Page 18: Health Information

Any information, in any form, which:
Is created or received by the practice
Relates to the past, present or future physical or mental health or condition of an individual
Relates to past, present or future payment for providing health care
Includes oral, written and electronic information

Page 19: I I H I

Individually Identifiable Health Information
Information that is a subset of health information, collected from an individual, and that:
Is created or received by a provider
Relates to the past, present or future physical or mental health of the individual, the provision of health care to the individual, or payment for providing that health care
AND
Identifies the individual, OR there is a reasonable basis to believe it can be used to identify the individual

Page 20: Protected Health Information (PHI)

Individually Identifiable Health Information that is transmitted or maintained in any form
Excludes IIHI in:
Educational records covered by the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g
Employment records held by the office in its role as employer

Page 21: T P O

Treatment
Payment
Operations (Health Care Operations)

Page 22: Use and Disclosure

Use: sharing, analysis, utilization or examination of IIHI within the office
Disclosure: release, transfer, providing access to or divulging IIHI outside the office holding the information

Page 23: Confidentiality

Carried out or revealed in the expectation that anything done or revealed will be kept private
Entrusted with somebody's personal or private matters

Page 24: Privacy

Freedom from observation, intrusion or attention of others
The state of being kept secret
About controlling access to information

Page 25: So far……..

What HIPAA is
Who it applies to
Some important definitions

Page 26: Now……..

How does it apply to us
What we can and cannot do
Office's privacy practices
Patient rights
When do we have to do all this
What are the penalties if we don't do this

Page 27: Privacy Rule Intent

To protect IIHI from being wrongfully used or disclosed
To protect IIHI from being used or disclosed without an individual's knowledge

Page 28: Uses and Disclosures

Required
Permitted
Minimum Necessary
Special Circumstances

Page 29: Required Disclosures

To the individual when they request access to their information or they request an accounting of disclosures
When requested by the Secretary (of Health and Human Services) to investigate compliance with the Privacy Rule

Page 30: Permitted Uses-Disclosures

To the individual
For TPO
Incident to another permitted use or disclosure
Pursuant to a valid authorization
As permitted under special circumstances

Page 31: Minimum Necessary Standard

Page 32: Minimum Necessary

Must make a reasonable effort to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure

Page 33: Minimum Necessary

Must use, disclose and request only the smallest amount of PHI needed to accomplish the purpose
Access only the information you need
Follow office policies and procedures for disclosures
Be careful about disclosing entire medical records

Page 34: When Minimum Necessary Does Not Apply

Treatment: a provider requests PHI for treatment purposes
Individual: disclosures made to the individual
Authorization: disclosures pursuant to a valid authorization
Secretary: when the Secretary requests the information
Law: when required by law
Compliance: when required for compliance with these requirements

Page 35: Special Circumstances

Need to take additional steps

Page 36: Special Circumstances: Use and Disclosure of PHI

Personal representatives
Deceased individuals
Whistleblowers
Victims of a crime

Page 37: Personal Representatives

Must treat a personal representative as the individual, except:
Unemancipated minors (in the cases below)
Abuse or neglect

Page 38: Adults and Emancipated Minors

If a person has authority to act on behalf of an adult or emancipated minor in making decisions related to health care, must treat that person as the individual with respect to PHI
Examples: durable power of attorney; adult with dementia

Page 39: Unemancipated Minors

If a parent or guardian has authority to act on behalf of an unemancipated minor in making decisions about health care, must treat that person as the individual

Page 40: Unemancipated Minors

The minor may be able to act as the individual when:
The minor consents to the health care, no law requires other consent, and the minor has not requested that another person act as a personal representative
The personal representative agrees to confidentiality between the minor and the provider
The minor may lawfully obtain the health care services and consents to them, e.g. birth control, STD treatment

Page 41: Deceased Individuals

Must comply with all requirements regarding PHI of a deceased individual
Same rules apply to uses and disclosures
Personal representatives become important

Page 42: Deceased Individuals

If an executor, administrator, or other person has the authority to act on behalf of a deceased individual, must treat that person as the personal representative of the deceased individual.

Page 43: Abuse - Neglect - Endangerment

May elect not to treat a person as a personal representative if you believe:
The individual is or may be subject to domestic violence, abuse or neglect by the person, OR
Treating the person as a personal representative would endanger the individual,
AND, exercising professional judgment, you decide it is not in the best interest of the individual to treat the person as the personal representative

Page 44: Whistleblowers

The organization is not in violation if a member of its workforce or a business associate discloses PHI, provided that:
The workforce member or business associate believes in good faith that the organization is in violation of the rule, AND
The disclosure is to either a health oversight agency or public health authority, OR an attorney retained by the workforce member or business associate

Page 45: Victims of a Crime

The organization is not in violation if a member of its workforce who is the victim of a crime discloses PHI to a law enforcement official, provided that:
The PHI is about the suspected perpetrator, AND
The PHI disclosed is limited to:
Name, address, DOB, SSN, blood type
Date and time of treatment or death
Description of identifying characteristics: height, weight, gender, race, eye and hair color, scars, tattoos

Page 46: Authorizations

Page 47: Authorization

Must obtain an authorization from the individual for any use or disclosure of PHI other than the following:
TPO
When required by law
As listed in the Privacy Notice

Page 48: Valid Authorization

Must include specific elements: core elements and required statements
Use the office Authorization Form
Previously used authorization forms will not be valid under the new rules, as they lack the necessary specific elements

Page 49: Authorizations

The individual has the right to revoke at any time, in writing, using the office revocation form
Must document and retain signed authorization forms
Must give a copy of the signed authorization form to the individual

Page 50: Allowed uses and disclosures outside of TPO

Without authorization

Page 51: Uses-Disclosures Allowed outside of TPO

Required by law
Public health activities
Victims of abuse, neglect, domestic violence
Health oversight activities
Administrative proceedings
Law enforcement
Funeral homes and coroners
Organ donations
Specialized government functions

Page 52: Prior to ANY Disclosure

What you must do

Page 53: Prior to any disclosure you must

Verify the identity of the person receiving the PHI and their authority to receive it
Ask for verification when on the phone, e.g. if a lab is calling for information, ask them for your tax ID #
A tax ID is printed on claims and invoices, so treat it as a weak check; for anything beyond a routine request, call the lab back on a number you already have on file
Obtain any document, statement or representation from the person requesting the information when such a statement is a condition of the disclosure, e.g. a subpoena

Page 54: Privacy Practices

Notice of Privacy Practices

Page 55: Notice of Privacy Practices

Every employee must read the office's Notice of Privacy Practices
Must make a good faith effort to give the Notice once to every patient and document that effort
Must be prominently displayed in the office

Page 56: Good Faith Effort

Must make a good faith effort to give the Notice to every patient
Get a written receipt from the individual acknowledging the Notice
Retain that receipt
If the individual refuses, simply document your efforts and why they failed
E.g. 'patient refused to take the Notice'

Page 57: Patient Rights

Page 58: Six Patient Rights

To request restrictions
To receive confidential communications
To inspect and copy PHI
To amend PHI
To receive an accounting of disclosures
To obtain a paper copy of the Notice

Page 59: Patient Rights

Must know them all
Must know how to implement them
Each has a specific office policy and a procedure on how to implement it
If ever in doubt, ask your Privacy Officer

Page 60: Right to Request Restriction

Page 61: Right to Request Restriction

Must allow the individual to request a restriction on:
Uses and disclosures for TPO
Uses and disclosures for involvement in the individual's care and notification purposes
Other uses and disclosures in the Privacy Notice
Not required to agree to the restriction request
Must document agreed-upon restrictions

Page 62: Right to Request Restriction

If you agree to a restriction, you must abide by it
May use or disclose PHI during emergency treatment when necessary, but must request that the provider receiving the information not use or disclose it any further
An agreed-upon restriction is not effective to prevent uses and disclosures permitted or required without authorization

Page 63: Terminating a Restriction

May terminate agreement to a restriction if:
The individual agrees to or requests the termination in writing
The individual orally agrees and this is documented
You inform the individual that you are terminating the restriction, effective only for PHI created or received after the notification

Page 64: How to Request a Restriction

Follow policies and procedures
Must be done in writing using the form provided by the office
Staff cannot agree to or deny the request; only the Privacy Officer can do so.

Page 65: Right to Confidential Communications

Page 66: Confidential Communications

Must permit individuals to request to receive PHI by alternative means or at alternative locations
Must accommodate the request if reasonable
Follow office policy and procedures
Use the proper form to obtain the request in writing
Only the Privacy Officer can determine whether the request will be approved or rejected

Page 67: Right to Access

Page 68: Right to Access PHI

Right to inspect and/or obtain a copy of PHI

Page 69: Requests for Access

Follow office policy and procedure
Must be made in writing
Staff members may not approve or reject the request; only the Privacy Officer can do so

Page 70: Fees for Providing a Copy of PHI

If the individual requests a copy or agrees to a summary of the PHI, the office can charge reasonable, cost-based fees
This is described in the form the individual completes to request access

Page 71: Denial of Access

To the extent possible, must give access to PHI other than the PHI to which there is a ground for denial
Must provide a written denial in plain language, containing:
The basis for the denial
A statement of the right to review, if applicable
A description of how to complain

Page 72: Right to Amend PHI

Page 73: Right to Amend

Follow office policy and procedure
Use the proper form
May deny the request if the PHI:
Was not created by the organization
Is not part of a designated record set
Is excluded from the right to access
Is accurate and complete

Page 74: Accounting of Disclosures

Right to Request

Page 75: Right to Accounting of Disclosures

The individual has the right to receive an accounting of disclosures made in the 6 years prior to the date on which the accounting is requested
Can be for a shorter time period if requested

Page 76: Concept of Disclosure Accounting

Every patient should be aware of disclosures of their PHI
If they are already aware of the disclosure, you need not keep track of it, e.g. disclosures made under an authorization they signed
If they are not aware of the disclosure, you need to keep track of it so you can tell them if they ever ask, e.g. disclosures in response to a subpoena

Page 77: Accounting of Disclosures

Must keep track of disclosures as they are done
Follow office policy and procedures
Use the proper form to document the disclosures as they occur
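The disclosure log described on pages 75 to 77, as an added example that is not from the SullyMed deck: every disclosure is written down at the time it is made, and the accounting query returns, oldest first, the disclosures of one patient's PHI in the requested period (at most the 6 years before the request) whose basis the patient would not already know about. The record layout, the `mrn` patient identifier, the basis labels, the exemption set (the deck's authorization example plus treatment, payment, operations and disclosures to the patient, which 45 CFR 164.528(a)(1) also exempts) and the sample entries are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date

# Disclosures the patient already knows about do not need to appear in an
# accounting. The slide's example is a signed authorization; treatment,
# payment, operations and disclosures to the patient are exempt as well
# under 45 CFR 164.528(a)(1). Everything else (subpoenas, public health
# reports, law enforcement requests ...) must be accounted for.
EXEMPT_BASES = {"authorization", "treatment", "payment", "operations", "to_individual"}
MAX_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    mrn: str          # patient identifier (assumed field name)
    when: date
    recipient: str
    description: str  # what PHI went out
    purpose: str
    basis: str        # why it was allowed, e.g. "subpoena"


def years_before(d, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self):
        self._entries = []

    def record(self, disclosure):
        """Record every disclosure when it is made, exempt or not. The
        exemption is applied when the accounting is produced, so a later
        change to the exemption list does not leave gaps in the history."""
        self._entries.append(disclosure)

    def accounting(self, mrn, requested_on, years=MAX_YEARS):
        """Disclosures of this patient's PHI in the `years` before the
        request that the patient may not know about, oldest first."""
        if not 0 < years <= MAX_YEARS:
            raise ValueError(f"accounting period must be 1..{MAX_YEARS} years")
        start = years_before(requested_on, years)
        hits = [
            d for d in self._entries
            if d.mrn == mrn
            and start <= d.when <= requested_on
            and d.basis not in EXEMPT_BASES
        ]
        return sorted(hits, key=lambda d: d.when)


SAMPLE_REQUEST_DATE = date(2003, 4, 14)


def build_sample_log():
    """Constructed entries for one office; not real disclosures."""
    log = DisclosureLog()
    for d in (
        Disclosure("000123", date(1996, 5, 1), "County health dept", "TB test result", "public health", "public_health"),
        Disclosure("000123", date(2002, 11, 3), "Superior Court", "visit notes 2002", "litigation", "subpoena"),
        Disclosure("000123", date(2003, 1, 10), "Life insurer", "full chart", "underwriting", "authorization"),
        Disclosure("000123", date(2003, 2, 1), "Police Dept", "date and time of treatment", "investigation", "law_enforcement"),
        Disclosure("000123", date(2003, 3, 5), "Referring oncologist", "referral letter", "treatment", "treatment"),
        Disclosure("000456", date(2003, 3, 9), "Superior Court", "lab results", "litigation", "subpoena"),
    ):
        log.record(d)
    return log


if __name__ == "__main__":
    # Mrs. Jones (mrn 000123) asks for her accounting on the compliance date.
    for d in build_sample_log().accounting("000123", SAMPLE_REQUEST_DATE):
        print(d.when, d.recipient, d.description, d.basis)
```

The 1996 public health report falls outside the 6-year window, the authorization and treatment disclosures are exempt, and the other patient's subpoena belongs to a different chart, so only the 2002 subpoena and the 2003 law enforcement disclosure are reported.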

Page 78: Complaints

Page 79: Complaints

Must provide a way patients can file a complaint:
Concerning policies and procedures
Concerning compliance
Must document all complaints
Follow office policy and procedures

Page 80: Safeguards

Physical
Technical
Administrative

Page 81: Physical Safeguards

Shred all documents with PHI prior to disposal
Non-employees are not allowed in the medical records area unless escorted
Non-employees are not allowed in the patient care areas unless escorted
All printers and fax machines will be located in non-public areas of the office

Page 82: Technical Safeguards

Password-based log-in procedure for the computer system
Limiting PHI access to the minimum necessary to perform job functions (role-based access control)
Automatic logoff after inactivity
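Minimum necessary (pages 32 and 33) and the two technical safeguards above, as an added example that is not the deck's or the office's code: a role-to-fields table stands in for role-based access control, `read_record` returns only the fields the role needs and logs which chart was opened, and `Session.touch` implements the automatic logoff by refusing any request after the idle threshold and closing the session. The roles, field names, 15-minute threshold, user names and chart contents are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fields each role needs for its job (assumed; a real office derives these
# from its written minimum-necessary policy). "mrn" is never in a view; it
# is used only to log which chart was opened.
ROLE_FIELDS = {
    "receptionist": {"name", "phone", "appointment"},
    "medical_assistant": {"name", "appointment", "vitals", "allergies"},
    "billing": {"name", "address", "insurance", "diagnosis_code"},
    "physician": {"name", "appointment", "vitals", "allergies",
                  "diagnosis_code", "lab_results", "notes"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    active: bool = True
    access_log: list = field(default_factory=list)  # (time, user, mrn, fields)

    def touch(self, now):
        """Automatic logoff: a session idle longer than IDLE_TIMEOUT is
        closed and stays closed; the user has to log in again."""
        if not self.active or now - self.last_activity > IDLE_TIMEOUT:
            self.active = False
            raise AccessDenied(f"{self.user}: session expired, log in again")
        self.last_activity = now


def read_record(session, record, now):
    """Return only the fields the session's role may see, and log the access."""
    session.touch(now)
    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:
        raise AccessDenied(f"{session.user}: unknown role {session.role!r}")
    view = {k: v for k, v in record.items() if k in allowed}
    session.access_log.append((now, session.user, record["mrn"], sorted(view)))
    return view


# Constructed chart for the deck's Mrs. Jones; no real patient data.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Mrs. Jones",
    "phone": "555-0100",
    "address": "1 Main St",
    "appointment": "2003-04-14 10:00 colonoscopy",
    "insurance": "Plan X, member 42",
    "diagnosis_code": "CODE-1",
    "vitals": "BP 120/80",
    "allergies": "penicillin",
    "lab_results": "CBC normal",
    "notes": "oncologist records received",
}


def run_demo():
    """Walk the deck's front-desk scene through the controls; returns the outcomes."""
    t0 = datetime(2003, 4, 14, 10, 0)
    desk = Session("receptionist1", "receptionist", t0)
    doc = Session("dr_sully", "physician", t0)
    desk_view = read_record(desk, SAMPLE_RECORD, t0)
    doc_view = read_record(doc, SAMPLE_RECORD, t0 + timedelta(minutes=5))
    # Screen left unattended: the next touch at 10:45 is refused.
    try:
        read_record(desk, SAMPLE_RECORD, t0 + timedelta(minutes=45))
        expired = False
    except AccessDenied:
        expired = True
    return {
        "desk_fields": sorted(desk_view),
        "doc_sees_labs": "lab_results" in doc_view,
        "desk_logged_off": expired and not desk.active,
        "log_entries": len(desk.access_log) + len(doc.access_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The receptionist's view contains the appointment, name and phone number only, so the oncologist's records and lab results never reach the front-desk monitor that the waiting room can see; the access log is what a Privacy Officer would review when a complaint comes in.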

Page 83: Administrative Safeguards

Remind employees to protect patient confidentiality
Enforce use of strong passwords to access the computer system
No sharing of passwords
Limit information left on answering machines or with family members

Page 84: Administrative Safeguards

Have the sender of a fax verify the number is correct for the intended recipient before sending the fax
Sanctions have been developed for employees violating the office's privacy policy and procedures

Page 85: Sanctions

Page 86: Sanctions

Sanctions have been developed for employees who fail to comply with the office's Privacy Policies and Procedures
All sanctions applied will be documented and retained for 6 years

Page 87: Violations

Level 1: inadvertent or accidental unauthorized use or disclosure of PHI
Level 2: purposeful or intentional unauthorized use or disclosure of PHI, or more than two Level 1 violations
Level 3: malicious unauthorized use or disclosure of PHI, or more than two Level 2 violations

Page 88: Sanctions

Level 1 violation: verbal warning
Level 2 violation: written warning in employee file
Level 3 violation: immediate termination of employment

Page 89: Sanctions

Will not apply:
To whistleblowers
For filing a complaint
For participating in an investigation

Page 90: No Retaliatory Acts

Page 91: Refraining from Intimidating or Retaliatory Acts

May not intimidate, threaten, coerce, discriminate against or take retaliatory action against an individual for:
Filing a complaint
Testifying, assisting or participating in an investigation, compliance review or hearing
Opposing any practice that the individual believes is unlawful, provided the opposition does not involve disclosing PHI

Page 92: Penalties

Page 93: Civil Penalties

(penalty amounts as in effect in 2003)
Up to $100 per person per violation
Up to $25,000 per person per violation of a single standard in a calendar year

Page 94: Criminal Penalties

Up to $50,000 and/or imprisonment for 1 year
If the offense is committed under false pretenses, up to $100,000 and/or 5 years in prison
If the offense is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm, up to $250,000 and/or 10 years in prison

Page 95: Compliance

Page 96: Compliance Date for Initial Implementation of the Privacy Rule

Health Care Providers: April 14, 2003
Health Plans: April 14, 2003
Small Health Plans: April 14, 2004
Health Care Clearinghouses: April 14, 2003

Page 97: Revisit Scenarios

Put your HIPAA hat on

Page 98: HIPAA Scene 1

Monday morning, 10 A.M.
Waiting room full, phones ringing, conversations going on all over
Receptionist sitting at the window
Phone on shoulder, caller on hold (put the caller on hold)
Monitor in view of patient (the monitor should face a direction so only the employee can see it)
"Good morning Mrs. Jones, you are here for your colonoscopy, did you bring the oncologist's records?" (can ask if she brought records, but not be specific)

Page 99: HIPAA Scene 2

MA comes to get Mrs. Jones
Says hello to another patient she knows
Inquires about her daughter (OK if done in general terms)
Asks how her husband's lab test came back (cannot share PHI unless there is an authorization from the husband; if she inquires about results, simply say you cannot share that information without written permission from him)
Brings Mrs. Jones back to exam room

Page 100: HIPAA Scene 3

Records room, clerks all working and talking
Clerk filing labs asks a coworker if they saw the results on Mr. Smith (should not be looking at PHI unless necessary to do the job)
Notices duplicate copies of results and throws one in the trash can (must shred all documents with PHI before disposing)

Page 101: HIPAA Scene 4

Billing rep on phone: "Mrs. Jones, we cannot send the bill to a work address" (must first have verified that the person you are talking to is the correct person; if the patient is requesting this, accommodate it but get the request in writing from the patient)
"You want to change the diagnosis in your chart? We cannot do that!" (you are right, you cannot change the information yourself, but you need to inform the patient of their right to request an amendment to their PHI)

Page 102: HIPAA Scene 5

End of day
Charts all over countertops, desks, etc. (charts need to be filed properly)
Wastebaskets full of duplicate copies of reports, letters, etc. (these should all have been shredded)
Filing cabinets open (if possible, they should all be closed)
Computer screens remain on, open to the practice management system (computers should all be logged off from the system)
