HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a...
Transcript of HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a...
![Page 1: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/1.jpg)
HIPAA
EJ Jung11/17/2010
![Page 2: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/2.jpg)
National Institute of Standards andTechnology, Computer Security Divisionhttp://csrc.nist.gov/index.html
Federal Information Security Management Actof 2002 http://csrc.nist.gov/groups/SMA/fisma/
HIPAA – Health Insurance Portability &Accountability Act of 1999
FERPA – Family Education Rights & Privacy Actof 2004
Federal laws
![Page 3: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/3.jpg)
1. Stolen laptop2. Virus or hack3. Inadvertent posting of information on the Web4. Stolen hard copies
Causes of data leak
![Page 4: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/4.jpg)
HIPAA, The Real World
April 29, 2010
Debbie ThomanAssistant Vice President for Compliance and Accreditation
University of Iowa Privacy Officer
![Page 5: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/5.jpg)
HIPAA Privacy Rule:HIPAA Privacy Rule:Protecting PatientProtecting Patient
PrivacyPrivacy……ItIt’’s Everyones Everyone’’ssResponsibilityResponsibility
![Page 6: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/6.jpg)
Why is patient privacy soimportant?
• Patient Privacy Breaches are still in theheadlines:– Nurse in Arkansas fired and faces 10 yrs in prison/$250,000
fines for Wrongful Disclosure of PHI for personalgain/malicious harm
– 27 hospital workers suspended without pay for 1 month forsneaking a peek at George Clooney’s records
– Confidential patient data sent to wrong company -- for 15months
– More than 300,000 patients' records stolen– 'Human error' exposes patients' Social Security numbers in
N.C.– US Dept of Veterans Affairs loses 26 Million patients’
records– Clerk at medical clinic in Florida left daughter unattended at
workstation while signed on to system
![Page 7: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/7.jpg)
Protected Health Information (PHI)Protected Health Information (PHI)
•• PHIPHI is defined by the Privacy Rule as is defined by the Privacy Rule as““individually identifiable health informationindividually identifiable health information””(1) (1) individually identifiableindividually identifiable means means
““information that could reasonably identifyinformation that could reasonably identifyan individual receiving healthcarean individual receiving healthcareservicesservices””
(2) (2) health informationhealth information means means ““informationinformationrelated to the physical or mental health,related to the physical or mental health,healthcare or healthcare paymenthealthcare or healthcare payment””
![Page 8: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/8.jpg)
PHI ElementsIndividually Identifiable• Name• Address• Phone Number/Fax
Number• Medical Record
Number• Social Security Number• Photograph• Billing and other
account numbers• Date of Birth• Date of Visit• Fingerprints
Health Information• Medical Charts• Billing Information• Lab Test Results• X-Ray and Films• Diagnosis and Treatment
Records• Flow Sheets
![Page 9: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/9.jpg)
Patient RightsThe Privacy Rule grants patients the following rights with
respect to their PHI*1. Right to Access PHI2. Right to a UIHC Privacy Notice3. Right to Correct or Amend PHI4. Right to an Accounting of Disclosures (Important)5. Right to Opt Out of the UIHC Facility Directory6. Right to Opt Out of Fundraising7. Right to Request Restrictions to PHI8. Right to Confidential Communications9. Right to File a Complaint*Prison inmates are excluded from these rights
![Page 10: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/10.jpg)
The Privacy Rule• The Privacy Rule requires that UIHC staff
safeguard the privacy of health information by:1) Limiting access to PHI to those involved intreatment, payment, or healthcare operations2) Restricting access and disclosure insituations other than those listed above unless aspecific exception exists as defined by thePrivacy Rule or if specific consent is obtainedfrom the patient3) Accessing health information on a “Need toKnow” basis only – viewing only the minimalamount of PHI necessary to perform assignedfunctions
![Page 11: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/11.jpg)
Minimum Necessary
What can staff access?• Info you “need to know” to do their job
Does Minimum Necessary apply inevery situation?
• Treatment – No, not for cliniciansinvolved in care of patient
• Patients – No, they can access their PHI
![Page 12: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/12.jpg)
How does the HIPAA Privacy Ruleimpact jobs?
Computer Security• System passwords (IDX, INFORMM, IPR, CERNER)
must be:– Kept secure,– Not shared, and– Changed regularly
• If possible, computer screens should not be kept in plainview
• Always, always, always…log off or close computerprograms containing patient information when not in use– staff are responsible for all activity under their user
name
![Page 13: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/13.jpg)
How does the HIPAA Privacy Ruleimpact jobs?
Key Question:• Prior to accessing, using, or disclosing any
Protected Health Information (PHI), alwaysask this question:
• Do I need to access, use, or disclose thisPHI to do my job?
• If not, then do not access, use, or disclose
![Page 14: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/14.jpg)
ScenariosThe names and facts in the following
scenarios have been altered to protectthe innocent (and the not soinnocent). The scenarios are intendedto provoke discussion of the basicprinciples that guide our evaluation ofpotential Privacy Rule violations.
![Page 15: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/15.jpg)
Dining OutYou and your family are at a restaurant andyou notice someone staring at you whoseems very familiar. You approach theperson and ask “Don’t I know you fromsomewhere?” The person becomes visiblyuncomfortable and simultaneously yourealize the person was a recent patient forwhom you cared. What should you do?
![Page 16: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/16.jpg)
A. Remind the patient that you met at thehospital while you were caring for him andask him how he’s doing.
B. Ask the person if he comes here often andwhat he recommends from the menu.
C. Politely say, “I must be mistaken, have a nicemeal.”
![Page 17: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/17.jpg)
Big Dude Sports StarBig Daddy, super sports star, is a patient in the hospital
before he dies of injuries sustained in a car accident.Your friends are begging you to find out moreinformation about what happened to Big Daddy.Your position gives you access to patient records inthe computer and it would be easy to find outeverything everyone is curious to know. Big Daddywon't know or care. He might even have beenpleased to know that everyone is so concerned abouthim. Plus, some of the information will come out inthe press in a few days anyway. What do you do?
![Page 18: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/18.jpg)
AnswerA. Sneak a peek at the chart but refuse to share any
information with friends.B. Sneak a peek at the chart on your own personal time and
share only information that will become public anyway.C. Explain to friends that health care professionals cannot
look at patient records without a good reason to know theinformation for health care or billing purposes.
D. Explain to friends that the institution has an audit systemthat will track anyone who looks at the patient’s recordand that you will lose your job unless you had a goodreason to look at the chart.
![Page 19: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/19.jpg)
Ross and RachelRoss and Rachel work together and are friends.
They are such good friends that Ross oftenleaves his terminal without logging off of thesystem. Rachel has noticed this habit. On aparticularly busy day Ross frequently needsleave his terminal. On one of these occasions,Rachel uses Ross’s terminal to access her ex-husband Chandler’s health information.Chandler runs an INFORMM “Show StaffInvolved in My Care” report and sees Ross’sname. He requests a full investigation. Thetracking log confirms that Ross (or someoneusing his user ID) accessed Chandler’s records.Ross is disciplined for inappropriate access. Isthis fair?
![Page 20: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/20.jpg)
Answer
• Yes; every employee is responsible for theaccess and activity that occurs under their username and password in the electronic medicalrecord systems. That is why you must nevershare your passwords and why you must alwayslog off the systems or lock your personalworkstation when not in use.
![Page 21: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/21.jpg)
Concerned Ex-HusbandYour ex-wife receives her care at UIHC. She has a
chronic heart problem and has hinted at refusingongoing treatment. You have joint custody overthree young children and are concerned that shemight experience a heart attack while transportingthe children to and from their activities. You haveasked her about this issue several times and sherefuses to discuss this with you. You just read anarticle in Reader’s Digest about a man who had aheart attack on a Los Angeles freeway while hisdaughter was in the car. You are now veryconcerned and you consider looking at herappointment information just to make sure thatshe is keeping appointments with her cardiologist.Is this permissible?
![Page 22: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/22.jpg)
Answer
• No; even though you may have good intentionsof ensuring the safety of your children, this doesnot give you the right to access the records ofyour ex-spouse.
![Page 23: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/23.jpg)
You had a very difficult day in the operating roomand are deeply troubled that one of your patientsalmost died due to an unanticipated situation. Youare concerned that you may not have recognizedthe signs of trouble soon enough and you need todiscuss the case with someone you trust. At theend of the day you go home and share your difficultday with your partner. Have you violated the HIPAARule?
Patient Rights: Confidentiality
![Page 24: HIPAA - USF Computer Scienceejung/courses/686/lectures/18HIPAA.pdflook at patient records without a good reason to know the information for health care or billing purposes. D.Explain](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5cbbe16433ff40f21bd37c/html5/thumbnails/24.jpg)
A. Yes. HIPAA prohibits the sharing of any patient informationexcept for treatment, payment, or health care operations.
B. No. Clinicians must be able to vent to loved ones at the end ofthe day to preserve their mental health.
C. Maybe. It depends on the level of detailed information that wasshared with the partner. No information that could identify thepatient clinically, physically, or socially should have beenshared. All individuals need to be able to vent and sharetroubles at the end of a difficult day. Perhaps sharing the detailswith a colleague involved in the case is a better option. If noinformation of sufficient detail to identify the patient was sharedthis would not be a violation.
Patient Rights: Confidentiality