Post on 15-Dec-2015

HIPAA Privacy Training

Health Insurance Portability & Accountability Act of 1996

Standards for Privacy of Individually Identifiable Health Information

45 CFR Parts 160 and 164

The Privacy Rule
- Creates a national foundation of privacy
- Does not preempt more stringent state laws
- Extends:
  - Certain individual rights to privacy
  - Protection of an individual’s medical records and health information

Who’s affected?
Direct impact:
- Health plans
- Health care clearinghouses
- Health care providers (who transmit health information electronically)
Indirect impact:
- Business associates (vendors, consultants, contractors)

What’s protected?
Protected health information (PHI) refers to individually identifiable health information relating to:
- The person’s past, present and future health or condition;
- Provision of health services to the person;
- Past, present and future payment for health services to the person.
PHI covers information transmitted or maintained in any form, and includes data considered individually identifiable.

What’s individually identifiable? [164.514(b)(2)]
- Name
- Geographic divisions smaller than State (with exceptions)
- All dates (except year)
- Phone & fax number
- E-mail address
- SSN
- Medical record #
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier

Rules for Use or Disclosure of PHI
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (Exceptions)
- Authorization

Permitted Uses of PHI
Use or disclosure permitted for:
- Treatment (some facilities may still require patient authorization for release of PHI)
- Payment
- Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)

Opportunity to Object
- Facility directories
- To clergy
- To persons involved in individual’s care
- Notification purposes
- Disaster relief purposes

Agreement or Authorization Not Required (Exceptions)
- Required by law
- Public health activities
- Victims of abuse/neglect/domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners & funeral directors
- Organ/tissue donations
- Research purposes
- Serious threat to self/others
- Specialized government functions
- Workers’ comp

Authorizations

For all other uses or disclosures of PHI

Notice of Privacy Practices
- Describes to patient how his/her protected health information may be used or disclosed
- Details patient’s legal rights with regard to own PHI and how to exercise those rights
- Details legal obligations of Covered Entity to protect PHI

Individual’s Rights
- To receive Notice of Privacy Practices
- To inspect and/or obtain copy of PHI
- To request to amend PHI
- To request limits on certain uses or disclosures of PHI
- To receive accounting of disclosures
- To receive confidential communications
- To file a complaint

Other Requirements
- De-identification of PHI
- Minimum necessary
- Workforce training
- Verification process
- Business Associate Contract

Other Restrictions
- Marketing
- Fundraising
- Specially Protected Health Information: additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records

Consequences of Non-compliance
Penalties:
- Civil: $100 per violation; up to $25,000 per year
- Criminal: Up to $250,000 and/or 10 years in prison

Sanctions

A facility is required to sanction members of workforce (including “students”) who violate policies and procedures relating to privacy and security of health information

Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at facility

What You Need to Know About Each Facility
- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for Treatment
- Request/Disclosures to Govt. Agencies
- Patient’s Request to Restrict Use or Disclosure

What is a Facility Directory?
- The information about a patient that a hospital releases to callers, visitors or the media
- This information is limited to: Location; Condition
- May only release directory information to people who ask for the patient BY NAME

Facility Directory
- Patient may ask that NO INFORMATION be released to callers, visitors or media
- Each hospital has procedures for patients with NO INFORMATION status
- You must be aware of the hospital’s procedures
- Do NOT release information in violation of patient’s information status

Facility Directory: NO INFORMATION Status
- PATIENT’S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY OR FRIENDS
- Anyone asking for patient will be told, “We have no information regarding the individual.”

What should I do? Scenario #1
Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient’s name on the unit I just left. What should I do?

A: Refer the person to the nurses’ station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.

Family Involvement
A patient’s health information may be disclosed to family, friends or others if:
- Patient gives verbal agreement,
- Patient has opportunity to object and does not, or
- You can infer from circumstances that patient does not object
Emergency/incompetent patient: release information using professional judgement about best interests of patient

Family Involvement (continued)
- Information released must be directly relevant to that person’s involvement in the patient’s care or payment for that care
- A patient has the right to request that you not release information to family or others
- If a patient asks that you not talk with family or others, inform nursing staff of the patient’s request

What should I do? Scenario #2
Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?

A: A patient has a right to not involve family members or others in his/her care. You should not share any information with the spouse per the patient’s request and you should alert the nursing staff about the patient’s request.

Minimum Necessary: Need-to-Know Rule
- Access to information is a privilege.
- Individuals who are granted access have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.

Request/Disclose PHI for Treatment Purposes
May request/disclose PHI for treatment when:
- Request is from a provider to whom you referred patient for treatment, or provider’s involvement in patient’s treatment is documented in medical record, or
- Patient has signed an authorization or release for the disclosure to the provider, or
- Provider has requested, in writing, the PHI for treatment purposes

Request/Disclosure of PHI to/from Government Agencies
- Refer to nursing staff, attending physician or Privacy Officer
- Only minimum necessary may be released
- Must complete an accounting for the disclosure

Patient’s Request to Restrict Use or Disclosure of PHI
- Facility may agree to patient’s request to restrict use or disclosure of PHI for treatment, payment or health care operations
- You must be aware of facility’s procedures and where such restrictions would be documented

Use of PHI for Educational Purposes
Allowed without patient consent or authorization.
Parameters of use or disclosure of PHI for educational purposes:
- Appropriate access
- Minimum necessary for the purpose
- Protect and safeguard PHI
- Appropriate disposal upon completion

“Facially De-identified” Information
- Use of “facially de-identified” PHI is permitted for educational purposes
- Remove all individual identifiers, except: Patient’s medical record number; Dates of service; Zip code
- This information is still considered PHI, and remains under federal privacy protections

“Facially de-identified” means removing:
- Name
- Address
- Phone & fax number
- E-mail address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier
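The two identifier-removal rule sets above (the full 164.514(b)(2) list versus the “facially de-identified” form that keeps MRN, dates of service and zip code) applied to a constructed patient record, as an added example that is not part of the training deck; the record field names are assumptions made for this example.

```python
"""Added example (not from the training deck): de-identify a constructed
patient record under the full identifier list or the deck's "facially
de-identified" rule, and check a Patient Log entry for leftover identifiers.
Field names are assumptions for this example."""

# Identifier fields, following the 164.514(b)(2) list as the deck presents it.
IDENTIFIER_FIELDS = {
    "name", "address", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates are identifiers except for the year; ISO "YYYY-MM-DD" strings assumed.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}
# "Facially de-identified" keeps MRN, dates of service and zip code.
FACIAL_KEEP = {"mrn", "admit_date", "discharge_date", "zip"}

RECORD = {  # constructed sample, not a real patient
    "name": "J. Doe", "address": "12 Main St", "zip": "96813",
    "phone": "808-555-0100", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "birth_date": "1966-05-02", "admit_date": "2002-10-14",
    "age": 36, "sex": "male", "occupation": "construction worker",
}


def deidentify(record, mode):
    """mode 'safe_harbor' drops every listed identifier and keeps only the year
    of each date; mode 'facial' additionally keeps the three fields the deck
    allows.  Returns (new_record, still_phi)."""
    if mode not in ("safe_harbor", "facial"):
        raise ValueError("mode must be 'safe_harbor' or 'facial'")
    out = {}
    for key, value in record.items():
        if mode == "facial" and key in FACIAL_KEEP:
            out[key] = value            # retained, which is why it is still PHI
        elif key in IDENTIFIER_FIELDS:
            continue                    # removed outright
        elif key in DATE_FIELDS:
            out[key] = str(value)[:4]   # "2002-10-14" -> "2002"
        else:
            out[key] = value            # general terms (age, sex, occupation) stay
    return out, mode == "facial"        # facially de-identified data remains PHI


def patient_log_violations(entry):
    """Identifier fields a Patient Log entry should not contain, in sorted order."""
    bad = [k for k in entry if k in IDENTIFIER_FIELDS and k not in FACIAL_KEEP]
    bad += [k for k in entry if k in DATE_FIELDS and k not in FACIAL_KEEP
            and len(str(entry[k])) > 4]   # a full birth date, not just the year
    return sorted(bad)
```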

Allowable Educational Access/Use
- Treatment Observation
- Teaching Rounds
- Retrospective Record or Data Reviews
- Research (with IRB approval)
- Case Presentations
- Patient Logs

Is this okay? Scenario #3
Q: I heard about a very unusual case in the OR. As a medical student, I am here to learn. I need to know more about the details so I can gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?

A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patient records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.

Some Do’s and Don’ts: Treatment and Observation
Can Do:
- Access medical records of the patients you are treating/caring for
- Prepare class work with patient identifiers removed
- Observe patient care with approval from department manager/supervising faculty
Cannot Do:
- Obtain medical records of patients you are not treating/caring for
- Use data (obtained from your cases) that include patient identifiers such as name, address, birth date
- Observe patient care without appropriate approval or when the patient has objected

Some Do’s and Don’ts: Teaching Rounds
Can Do:
- Share patient information during teaching rounds
- Prepare class work using data from your cases with patient identifiers removed
Cannot Do:
- Discuss patients in public areas with no consideration of surroundings
- Include family members in rounds unless patient has agreed, or physician has determined that inclusion is in patient’s best interest

Some Do’s and Don’ts: Retrospective Reviews
Can Do:
- Access medical records with written approval of supervising faculty member
- Prepare class work using collected data with patient identifiers removed
- Use aggregate or de-identified patient information
Cannot Do:
- Use information collected for research without IRB approval
- Publish or publicly present findings without IRB approval or waiver of authorization
- Contact the patient or the patient’s physician
- Abstract patient identifiers

Some Do’s and Don’ts: Research
Can Do (with IRB approval):
- Build database of patient information
- Access and use patient identifiable information as approved by IRB
- Make a public presentation or publish findings using aggregate or de-identified information
Cannot Do:
- Any research without IRB approval or waiver
- Publish or publicly present findings that identify the patient without patient authorization
- Access and collect patient data in preparation for a research project without IRB approval or waiver

What should I do? Scenario #4
Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?

A: Maybe. If the intent is purely for quality improvement without intent to publish findings and you will destroy the database upon completion, then you do not need an IRB approval or waiver. But if you intend to publish, present or use the data you collected for any other purpose and do not have the patient’s authorization or an IRB approval or waiver, you would be violating the patient’s rights.

Some Do’s and Don’ts: Case Presentations or Grand Rounds
Can Do:
- Access medical records with written approval of supervising faculty member
- Prepare for presentation using “facially de-identified”, aggregate or de-identified information
- Limit audience to healthcare students or professionals if patient’s identity might be inadvertently revealed
Cannot Do:
- Display or reveal patient’s name or medical record number in your presentation
- Present a high-profile or unusual case that may compromise patient’s privacy without patient’s written authorization for disclosure

Patient Logs

You must “facially de-identify” all information collected and submitted on a Patient Log

Some Do’s and Don’ts: “Facially De-identifying” Patient Data
Can Do:
- Use general terms to describe a patient (36 year old White male; living in Arizona; admitted in October 2002; construction worker)
- Black-out, delete or cut-out patient identifiers on hard copy
Cannot Do:
- Leave patient identifiers in information used/removed (patient’s or relatives’ names, birth dates, address, employer)
- Take copies of dictated reports home with you (unless reports are “facially de-identified”)

Some Do’s and Don’ts: Accessing PHI
Can Do:
- Request access to PHI through appropriate channels
- Request access to medical records through Medical Records
- Submit completed appropriate data request form for data reports
Cannot Do:
- Remove medical records from facility
- Leave patient records or data in break room or other areas that are not secure
- Out of curiosity, access the records of a celebrity patient or the records of a patient with an unusual medical condition

Is it okay? Scenario #5
Q: My friend was admitted yesterday after she collapsed during a bike ride. I am very concerned about her progress and would like to visit, but I don’t know which room she is in. Is it okay if I look up the information in the computer system?

A: No. Using your access privileges to look up information about a patient when there is no need-to-know (based upon your responsibilities in the hospital) is a violation of patient confidentiality.

Some Do’s and Don’ts: Safeguarding Information
Must Do:
- Password-protect laptops or PDAs
- Shred “facially de-identified” papers when no longer needed
- Ensure memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
- Encrypt PHI sent over Internet
Cannot Do:
- Leave information unsecured or in public areas
- Discuss patients in elevator, hallways or cafeteria
- Dispose of “facially de-identified” information in trash can (it is still PHI under HIPAA!)
- Share your access codes or cards

Questions?

For further information or questions, please contact the facility’s Privacy Officer