What Not To Toss and Other HIPAA Basics

Bill Dobbins

UAMS HIPAA Office

2

Why HIPAA Matters

• HIPAA is the law, but in the end protecting patient confidentiality is how we show we care.

• 99.2% of our patients - “It is important to me that members of my health team respect my privacy when I am at the hospital or clinic”

Guard PHI!

3.1.31 De-identification of PHI• It isn’t just a patient’s name or social security number that has to be protected. Any of the

items below can identify a patient and shouldn’t be included on paper that goes in the regular trash. To be considered de-identified the following identifiers of the patient or of relatives, employers or household members must be removed:

1. Name2. Geographic subdivisions smaller than a state3. All elements of dates except year4. Telephone and Fax numbers5. E-Mail, IP, and URL addresses6. Social Security Number7. Medical Record Number8. Health Plan Beneficiary Number9. Account Numbers10. Certificate/license Numbers11. Vehicle Identifiers and Serial Numbers12. Device Identifiers & Serial Numbers13. Biometric Identifiers, including finger and voice prints14. Full Face or other comparable photographic images15. Any other unique identifying number, characteristic, or code.

What Am I Looking For?

• Patient Labels and Stickers

• Documentation from our patient computer systems

• Handwritten Notes

• IV bags

• Sample tubes which are printed with patient labels

3.1.38 Safeguarding Policy

• If you find PHI on the floor, ask the nurse or clinic manager if it is needed before discarding in the shred bin.

• If you find PHI in wastebaskets or in trash bags, notify the HIPAA Office immediately.

• Double check that you don’t pick up feeder containers destined for the shred bin by mistake.

• Notify the HIPAA Office immediately if you see a broken Shred bin.

• Our number is 603-1379• Also, keep an eye out for handouts that include patient

information that might have been left in conference rooms or break rooms.

• Add slides here for Honey, how was your day? Picture of couple at dinner.

3.1.15 Confidentiality Policy

• Confidential information must be protected. For example, you cannot tell a friend or co-worker about someone being a patient in our hospital or clinic.

3.1.25 Minimum Necessary Policy

• Employees may not access patient information except to meet needs specific to their job/position.

• For example, you shouldn’t read any patient information you might encounter while cleaning a clinic or working on one of the nursing units. If the nurses and doctors are discussing a patient, “move on” and don’t try to overhear. Never repeat any patient information you do happen to hear.

3.1.20 Release of Patient Directory Information

• If a visitor asks you for a location of a specific patient, do not automatically tell them even if you know. For example, if you are working on 6C and someone asks if you know what room John Doe is in, you would not tell them because that patient may not want that information shared.

• Instead you should take them to the nurses station or the patient information desk or direct them there in a courteous and friendly manner. Of course, it is always fine to assist with general directions such as “where is E5 or “can you tell me where the Dermatology Clinic is?”

3.1.17 Mobile Device Safeguards

• A mobile computing device can contain PHI. If you find any mobile computing device like a Blackberry, Palm Pilot, Thumb Drive or laptop that has been left behind by mistake, call the UAMS Police Department at 686-7777.

• You can then take the device to the clinic manager or unit nurse manager’s office for safekeeping until it is retrieved by the police.

2011 HIPAA Annual Update Reminder

• 5-10 minute computer based update module with no quiz

• Can be accessed from both on campus and home • http://www.uams.edu/cctc/Online_Training/HIPA

A/2011HIPAAAnnualUpdate/2011HIPAAAnnualUpdate_fs.htm

• The are open labs on campus where it can be completed

• Must be completed by July 1st, 2011

Your HIPAA Team • Vera Chenault, UAMS HIPAA Campus Coordinator (501-

603-1379)• Anita Westbrook, Medical Center Privacy Officer (501-

526-6502)• Jennifer Sharp, Research Privacy Officer (501-526-

7559)• Steve Cochran, Security Officer (501-603-1336)• Bill Dobbins, Informatics Manager & Auditor (501-526-

7436)• Yolanda Hill, HIPAA Compliance Manager (501-614-

2098)• Evelyn Churchville, HR and Training Coordinator (501-

603-1379)• http://www.hipaa.uams.edu