Privacy and Security Training

WELCOME: Privacy And Security Training. Melissa Michael, MHA690 Healthcare Capstone, Dr. Hwang-Ji Lu, June 16, 2016

Transcript of Privacy and Security Training

Page 1: Privacy and Security Training

WELCOME

Privacy And Security Training

Melissa Michael

MHA690 Healthcare Capstone

Dr. Hwang-Ji Lu

June 16, 2016

Page 2: Privacy and Security Training

What is HIPAA?

• Health Insurance Portability & Accountability Act 1996

• Is the nationwide framework for the protection of patient confidentiality, the security of electronic systems, and the standards and requirements for electronic transmission of health information (HHS.gov, 2016).

Page 3: Privacy and Security Training

What is HIPAA?

The main role of the Privacy Rule is to make sure that patients’ health information is protected while still allowing the flow of information needed to provide and promote high-quality health care and to protect the public’s health and well-being (HHS.gov, 2016).

Page 4: Privacy and Security Training

Privacy Rule

• The Privacy Rule went into effect April 14, 2003.

• Privacy is the protection of an individual’s health care data.

• Defined as how patient information is used and disclosed.

• Patients have more control over their own health information and privacy rights.

• Outlines ways to safeguard Protected Health Information (PHI) (HHS.gov, 2016).

Page 5: Privacy and Security Training

Security Rule

• Security (IT) regulations went into effect April 21, 2005.

• Security means controlling:

  – Confidentiality of electronic protected health information (ePHI)

  – Storage of electronic protected health information (ePHI)

  – Access to electronic information (HHS.gov, 2016)

Page 6: Privacy and Security Training

Electronic Data Exchange (EDI)

• Defines the transfer format of electronic information between providers and payers to carry out financial or administrative activities related to health care.

• Information includes coding, billing and insurance verification.

• The goal of using the same formats is ultimately to make the billing process more efficient (HHS.gov, 2016).

Page 7: Privacy and Security Training

Why Comply With HIPAA?

• Showing our organization is committed to protecting privacy.

• As employees of our organization, you are obligated to comply with our privacy and security policies and procedures.

• Our patients/members are placing their trust in us to preserve the privacy of their most sensitive and personal information.

• Compliance is not an option; it is required.

• If you choose not to follow the rules:

  – You could be put at risk, including personal penalties and sanctions.

  – You could put the organization at risk, including financial and reputational harm (HHS.gov, 2016).

Page 8: Privacy and Security Training

HIPAA Regulations

HIPAA regulations require our organization to protect our patients’ PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media:

• Verbal discussions (e.g., in person or on the phone)

• Written on paper (e.g., chart, progress notes, prescriptions, orders, and explanation of benefits (EOB) forms)

• Computer applications and systems (e.g., the electronic health record (EHR) and all applications used that contain patient information)

• Computer hardware/equipment (e.g., PCs, laptops, fax machines, servers and cell phones) (HHS.gov, 2016)

Page 9: Privacy and Security Training

Why is HIPAA Privacy Training Important?

Shows ways to prevent accidental and intentional misuse of PHI.

Makes PHI secure with minimal impact to staff and business processes.

It’s not just about HIPAA – it’s about doing the right thing!

Commitment to managing electronic protected health information (ePHI) with the same care and respect as we expect of our own private information (HHS.gov, 2016)

Page 10: Privacy and Security Training

Why is HIPAA Privacy Training Important?

It is everyone’s responsibility to take the confidentiality of patient information seriously.

Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations.

The law requires us to train you, to ensure your understanding of the Privacy and Security Rules as they relate to your job (HHS.gov, 2016).

Page 11: Privacy and Security Training

How Do Privacy Violations Happen?

Lauren, a billing department employee, saw her son’s girlfriend, Megan, in the hospital. Lauren was concerned, so she looked at Megan’s medical record to make sure she was OK. Lauren was upset when she saw Megan’s diagnosis. Lauren texted her son and told him about Megan. When Lauren returned home, she learned that Megan had read her text message and called the hospital to file a privacy complaint.

Discussion points:

• Does it matter that Lauren meant well?

• What is the policy for accessing medical records?

• What is the policy for role-based access control?

• What is the policy for snooping discipline?

Page 12: Privacy and Security Training

How Do Privacy Violations Happen?

Assuming the auto lock would activate soon, the nurse did not lock her computer when she left the patient in an exam room. While waiting, the patient got bored with the old magazines in the room and looked at her electronic record. Not only did the patient see her prescription for Prozac and diagnosis of depression, but she also read her psychotherapy notes.

Discussion points:

• What is the policy on locking computers?

• Why are psychotherapy notes included in this patient’s EMR?

• What is the policy on workforce members accessing sensitive information?

• What is the policy for patients to request copies of their records?

Page 13: Privacy and Security Training

No Harm, No Foul?

The Labor & Delivery Department is crazy busy this morning. As a nurse you’re running from one crisis to another. Around 11:00 am you are finally able to get a break and you leave for a cup of coffee. While you’re usually diligent about securing your computer when you walk away, this time you were so distracted you forgot. You leave up two patient records, one of whom is the wife of the hospital administrator, who had a miscarriage. When you come back from your break, a unit clerk is sitting at your desk intently reading the screen.

• Will you confront her?

• Self-report the incident to the Privacy Officer?

• Ignore her and walk away until she leaves?

• Make a deal with her: you won’t tell if she doesn’t?

Consider this: Who is subject to disciplinary action in this case? You? The unit clerk? Or both of you?

Page 14: Privacy and Security Training

I Have a Right to Know!

Mr. Richardson has called your organization. He tells you that his wife was in the clinic yesterday for lab work and he wants to know the results of her urinalysis immediately. You explain that his wife has individual privacy rights and such information can be disclosed only to her. You suggest he talk directly to her. He is very angry! “I have a right to know since I pay the bills. I’m going to report you for a HIPAA violation.” Should you cave and tell him?

Consider this: Upon review of Mrs. Albertson’s record, you see a signed authorization permitting the clinic to exchange PHI with Mr. Albertson regarding her care and treatment. Does this change your response?

Page 15: Privacy and Security Training

Conclusion

• You should only access records that are necessary for you to access because of your job.

• You should never access records for personal reasons.

• HIPAA violations can have expensive consequences for you and the organization.

• HIPAA is a federal law that protects patient privacy.

Page 16: Privacy and Security Training

References

U.S. Department of Health and Human Services. (2016). Health Information Privacy. Retrieved from http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/