Post on 27-Feb-2018
Self-Directed HIPAA Training Instructions
1. Review the following presentation
2. Review the FAQs near the end to learn HIPAA’s impact on your daily work practices.
3. Print out and answer the QUIZ (2 pages) at the very end of this presentation
4. Turn in QUIZ to your Department Head /Administrative Assistant for compliance tracking.
5. Print out the certificate and keep it in your own files as the record of the approved one (1) Level-1 Risk Management CME hour
July, 2002
Core Training in Privacy and Confidentiality
HIPAA: Health Insurance Portability and Accountability Act of 1996
Caring for patients while protecting their privacy has always been important to everyone at Massachusetts General Hospital.
HIPAA now makes it a legal responsibility.
Content of Session
What is HIPAA and why is it important?
Examples of Breaches
What rights do patients have under HIPAA?
Safe Information Practices
Privacy and Security Compliance
How do you report a breach?
Resources
What is HIPAA?
Health Insurance Portability and Accountability Act
Signed into Law August 21, 1996 (Public Law 104-191)
Significant impact on health care industry
Goals: “To improve the efficiency and the effectiveness of the health care system”
Establish standards and requirements for the electronic transmission of certain health information (eligibility, referrals, and claims); and
Create the first national legislation to give every patient across the nation protection of their health information
What Do You Have To Know?
Stronger Massachusetts privacy laws are followed over HIPAA rules in certain situations (like those covering Mental Health, HIV, AIDS, Alcohol and Drug Abuse, Domestic Violence, Sexual Assault, Genetic Testing)
Patients have the right to file a complaint if they believe their privacy rights have been violated
What is confidential?
“Protected Health Information” or “PHI”
any information that identifies who you are (as little as name, address and Social Security number is PHI)
past, present or future physical or mental health or condition
type of treatment or services provided
past, present, or future payment for care provided
Patients will have the right to file a grievance or complaint if they believe their privacy rights have been violated
Why is HIPAA important to Massachusetts General Hospital?
Maintaining patients’ trust in their caregivers is critical to obtaining a complete history, medical record, and carrying out an effective treatment plan
It supports our mission
It’s the right thing to do
Protecting Patient Privacy
As healthcare workers we see and hear confidential information every day on the job.
We get so accustomed to being around this kind of information that it’s easy to forget how important it is to keep it private
Privacy and confidentiality are basic rights in our society.
Safeguarding that right is your ethical and legal obligation
Failure to Protect Patient Privacy Can Have Dire Consequences
It has been documented that failure to protect patient privacy has caused patients to:
Lose Jobs
Be Victims of False Rumors
Lose Insurance Coverage
Become Estranged from Friends and Family
Lose Custody Battles
Be harassed by the Media
Some examples…
Examples of Breaches: “Big” breaches in the news
An error in a University of Minnesota database failed to suppress the names of deceased organ donors on computer- generated letters to the 410 patients who received their kidneys (Report on Patient Privacy, 3/02)
Examples of Breaches: “Small”, seemingly innocent breaches, or activities that could lead to breaches
An employee “checking” the record of a friend or family member, in order to see how they are doing
Leaving patient identifiable information on the computer screen when you bring the next patient into the exam room
Neglecting to confirm accuracy of fax number before sending identifiable health information
A colleague is in the hospital, so you access the system to get a discharge date in order to send flowers
A high profile patient comes in for tests and you say to your colleague, guess who I just took care of? …Joe Celebrity
Leaving work at the end of the day and leaving patient information out on your desk rather than in a folder
Discussing patient information on your cell phone in the Treadwell Library, cafeteria or on the shuttle bus.
Not closing the exam room door or privacy curtain when discussing patient information
Walking up to a computer and using it while logged in under a co-worker’s password or not logging off computer when you leave the area
Enforcement of HIPAA: Office of Civil Rights
HIPAA calls for severe civil and criminal penalties for noncompliance
fines up to $25K for multiple violations of the same standard in a calendar year
fines up to $250K and/or imprisonment up to 10 years for deliberate misuses of individually identifiable health information
Healthcare organizations must have sanctions in place for their workforce and business associates who violate their privacy policies
PRIVACY: It’s the LAW!
Patient Rights in regard to their health information
The right to receive a written notice of how their health information will be used and disclosed; this is called the Privacy Notice
The Privacy notice must:
Contain patient’s rights and the covered entities’ legal duties
Be made available to patients in print
Be displayed at the site of service and posted on our web site
Patients must receive a copy of our Privacy Notice concerning the use/disclosure of their PHI on the first date of service delivery, or as soon as possible after an emergency
Receipt of Privacy Notice
All new and established patients must receive a MGH/Partners Privacy Notice one time only at their initial visit following implementation.
We must ask patients to sign an Acknowledgement form of having received the Privacy Notice or document reasons why the acknowledgement was not signed
The Acknowledgement form will be sent to Health Information Services to be maintained in patient’s medical record and recorded in the electronic record
The right to access their own record, and to request that their record be amended if it contains incorrect or incomplete information
The right to request a limitation on information used and disclosed
such as having their information blocked from the hospital directories and unavailable to people who call the information desk asking for them,
or having their religious preference withheld from clergy,
or requesting that you limit what information you may share with their family or friends
The right to receive a list of disclosures
we must track anyone we disclose information to without a signed authorization from the patient
patients have the right to receive a list of these disclosures
The right to sign an authorization
prior to most non-routine uses or disclosures of their health information:
with employers for employment decisions,
with life, disability, or other insurers,
for marketing activities, and
for targeted fundraising activities
When is an Authorization to Release PHI Required?
General Rule:
If the use or disclosure is for something other than treatment, payment or hospital operations
Exceptions:
Specific authorization is required for use and disclosure of specifically protected or privileged information, such as HIV testing, Genetic testing, Alcohol and Drug Abuse records (Federal Confidentiality Rules, 42 CFR Part 2), Domestic Violence Counseling, Sexual Assault Counseling, and Psychotherapy Notes
Disclosures required by law
Key Definitions under HIPAA: You may use or disclose PHI if it is for...
Treatment: providing, managing and coordinating care; consulting with other care providers; and referring a patient to other providers.
Payment: provider’s request for reimbursement, eligibility and medical necessity determinations, claims management and related activities
Health Care Operations: quality assessment and improvement, evaluation of providers, training, legal services, auditing, compliance, limited marketing and fundraising activities and other business and administrative operations.
Reasons for Releasing Confidential PHI
Providers are required to report certain communicable diseases to state health agencies.
The Food and Drug Administration (FDA) requires that certain information about medical devices that break or malfunction be reported.
To inform appropriate agencies during disaster relief.
To inform family members or other identified persons involved in the patient's care, or notify them on patient location, condition or death
Providers are required to report suspected child abuse
Police have the right to request certain information about patients to determine whether they are suspects in a criminal investigation; MGH Police can verify the need
The courts have the right to order providers to release PHI
Providers must report cases of suspicious deaths or certain suspected crime victims, such as people with gunshot wounds.
Safe Information Practices
Rule number one
Any person to whom information is communicated must:
Be authorized to receive the information
Have a legitimate “need to know”
What can I do to protect “need to know”?
Verify people’s identity and employee badge when they come to the unit, pull a medical record or ask for information
Remember that access to a system on the computer does not imply that it is appropriate to search any patient information that may be stored within the system at will, simply to satisfy curiosity
Confidential subjects are discussed only in a private setting (not in the Treadwell Library, cafeteria, elevator, locker rooms, etc.)
Cautious use of cellular phones, PDAs, e-mail and faxes for confidential information
Hard copy documents are secured (kept out of sight of unauthorized persons)
No dictating in the hallway outside the exam room
Following MGH policies and procedures for release and disclosure of health information
Write your medical note as if the patient were reading it over your shoulder
Do not discuss care issues such as test results with the exam room door open
Computer Security
Never share passwords
Click on the yellow lock at the bottom right corner of your screen when leaving a workstation
Make sure there is no prior patient information left on the computer screen before you place the next patient in the exam room
Personal databases containing patient information are prohibited unless: they contain “de-identified” information (as per the HIPAA definition), or you have received an IRB waiver or other IRB approval
Diskettes with patient information are never thrown out without first being erased
Safe Information Practices: Electronic Mail
E-mail containing patient identifiable information should not be transmitted over the internet, as its security cannot be guaranteed; however, when it is used:
Follow best practice for confidentiality
Explain this to patients before you agree to communicate with them this way
Do not put patient name or identifier in subject heading
Keep information to a minimum necessary
Create a second auto-signature in your Outlook e-mail with a confidentiality statement
E-mail sent over the intranet between Partners entities is secure
For example: the Outlook system we use daily for e-mailing colleagues at the Brigham or Newton Wellesley Hospital is secure
Patient Gateway is secure
E-mail guidelines on the MGH web site clinical policy http://healthcare.partners.org/mgh/policies/default.htm
Safe Information Practices: Faxing
Faxes are the least controllable type of communication
ALWAYS use a cover sheet with a confidentiality statement and your location and phone number even on internal faxes
Never leave faxes sitting on fax machines unattended
It is critically important when faxing information:
to verify the sender has the correct fax number, and
that the fax machine is in a secure location, and/or the receiver is available immediately to receive the fax
What can you do? Be on your guard
Your responsibility for protecting patient privacy and confidentiality does not end with your work shift
Don’t divulge any patient information when in an informal atmosphere or social setting
If asked about a patient, simply reply “I’m sorry, that information is confidential”
Respect everyone as if they were your family member!
How to Report a Privacy Concern or Breach
Contact the Compliance Hotline to report a breach anonymously: (617) 726-1446
or Health Information Services: (617) 726-2465
Privacy Complaints/Breaches: What you should tell a Patient or Family Member
A patient or family member can contact the Office Manager (in the office practice) or the MGH Patient Advocacy Office at (617) 726-3370
Privacy Resources: To learn more…
Intranet sites where privacy/HIPAA information is available:
HIPAA Central on Partners Web Site (all employees) http://healthcare.partners.org/phsirb/hrchipaa.htm
Policies and Procedures/Forms
FAQs/Training Resources
MGH Policy Manuals
Administrative Policy Manual
Clinical Policy Manual
Human Resource Manual
Patient Gateway (patients)
Policies and Procedures/Forms
Internet Sites
Dept. of Health and Human Services
http://aspe.hhs.gov/admnsimp/Index.htm
http://www.hhs.gov/ocr/hipaa/whatsnew.html
Mass Health Data Consortium
http://mahealthdata.org
Workgroup for Electronic Data Interchange (WEDI)
http://www.wedi.org
MGH Contact Persons:
Deborah Adair, Director of HIS, Privacy Officer
Maryanne Spicer, MGH Compliance Officer
Eileen Bryan, HIPAA Manager, Privacy Office
embryan@partners.org
(617) 726-6360
Q&A: Privacy
What are examples of the “minimum necessary” rule in your daily work; do changes in practice need to be made?
Patient Sign in sheets
Appointment reminder calls
Answer --> YES and YES
Sign-in sheets are permitted, although they should be kept to minimum information; some examples:
First name and last initial, or the last three digits of the medical record number;
Have a blank sheet covering the list;
Place stickers over patients already taken care of to remove the name;
Use small single sheets that are then deposited in a hanging folder on the reception desk
Calls are permitted as long as patients are notified through our MGH Privacy Notice and patients agree to give primary phone contact
Remember minimum necessary information to get the job done
Use professional judgement around privileged/protected PHI
HIPAA allows identifiable health information to be shared among Partners-owned (or “controlled”) entities on a need-to-know basis for certain purposes (without obtaining a signed authorization).
What are these reasons?
Example: patient is brought by ambulance to the Faulkner Hospital. The nurse in the ED calls and asks for patient’s last discharge note.
Answer
Identifiable health information may be shared among health care providers for TPO:
Treatment
Payment
Healthcare Operations (QA/QI, Utilization Review, Disease Management, Credentialing, Auditing, Accreditation, etc.)
Since the information was needed by Faulkner Hospital for treatment purposes this is allowed without written authorization.
Q&A: Privacy in Inpatient Floors
Mary is transported by Medflight to MGH for specialized care. She is admitted to White 7 and is being treated by a specialist. An employee from Medflight calls the Nursing station on White 7 the following day and asks for follow-up information on Mary.
Can the nurse give Medflight the information they are asking for?
Answer -- Absolutely YES!
This is considered a “business associate” who assists MGH in treatment and hospital operations.
MedFlight needs the follow up information for billing purposes and also to meet their own requirement to report patient information to DPH.
Have a procedure in place for verifying the identity of the caller, that is, that the caller actually is a Medflight employee
Q&A: Privacy in Job Roles
Olivia is a Nurse in the O.R. She has completed her evening shift and is changing in the locker room. Another nurse coming on for the day says she heard there was a bad accident and that the patient was in surgery all night. She asks Olivia what the blood alcohol level of the patient was.
How should Olivia respond?
What are the risks here?
Answer
Olivia should ask herself whether this meets the need-to-know criteria. If the nurse coming on was not going to be treating this patient, then Olivia should state that she can’t discuss the case because of confidentiality.
Employees should limit the amount of PHI discussed in open work areas such as the locker room, cafeteria or nursing station.
Next Steps – Recommendations
Appoint a Compliance Privacy and Security Official for your practice/department (Office Manager)
Review current practices for how your department uses or discloses protected health information
Do you get a valid written authorization when required?
How do patients amend their records?
Do you follow the minimum necessary policy?
What guidelines do you have in place for communicating health information over the telephone?
How do you send health information (fax, e-mail, etc.)?
Make a list of all “Business Associates”. If you outsource a certain service, such as transcription, follow the guidance below:
HIPAA Definition: a person or organization that performs or assists in the performance of a function that involves the use or disclosure of individually identifiable health information
Review business associate contract for privacy and security policies and procedures; also what sanctions will be taken if these policies are breached
MGH Legal has drafted contract language for new and amended business associate contracts; see the Partners Intranet Web site HIPAA Central to use these templates and for further guidance
Materials Management has created a log of all hospital business associates and will be reviewing and updating these contracts; compare your list with Materials Management
Next Steps -- Recommendations: Review “high risk” areas identified in the survey
Location of computer monitors
move to a non-public area
order a privacy filter from Staples
Are charts/patient information in or near public areas (door racks, reception desk, fax or copy machine, etc.)?
place so the patient name is not visible if possible
do not leave papers unattended and close and lock doors as feasible
Photocopying patient health information
play it safe and get written authorization from the patient
Taking health information off-site
only take information off site if absolutely necessary
maintain the same level of privacy and security standards off site; don’t leave it out in a viewable location
Additional “high risk” areas
Discussions regarding patients; scheduling patient procedures/tests near a public area
limit details, keep voices down
place white noise machines near the public waiting area
Disposing of health information
request more blue recycle bins for white paper and gray recycle bins for colored paper from Environmental Services
we shred all paper products put in these recycle bins
Discussing patient information in open areas
do not discuss in the health club, library, cafeteria, waiting room, locker room, or shuttle bus; be aware of your surroundings
Massachusetts General Hospital Privacy and Confidentiality
Guiding Principles
A practical interpretation of the HIPAA regulation
A commonsense approach to this endeavor;
A positive change that does not impede quality patient care; and
Unquestionable concern for safeguarding our patients’ protected health information
HIPAA
Key Points: Keep your actions reasonable
Most importantly -- do not let HIPAA impede our quality care and patient’s trust -- that is not the goal of HIPAA
We already do a really good job at protecting health information -- what’s different -- we now have a legal obligation
Patients will be more knowledgeable in regard to accessing, copying, amending and tracking disclosures of their own health information -- so we must be knowledgeable too -- both as employees and health consumers ourselves
Key Points: Keep your actions reasonable
All health information is protected whether it is spoken, written in a record or written and stored electronically
View every decision about use and disclosure of health information through the lens of:
Treatment
Payment
Hospital Operations and
the Minimum Necessary information to get the job done.
If it meets these criteria, HIPAA does not require a change in our everyday work practices.
Take pride and ownership in the fact that Massachusetts General Hospital is concerned about privacy and recognizes its importance in providing quality healthcare.
Above all, honor our patients’ trust
Thank you !
Eileen Bryan, MGH HIPAA Privacy Manager, Health Information Services
HIPAA QUIZ
1. HIPAA’s privacy rule protects a patient’s fundamental right to privacy and confidentiality of:
a) Patient information in electronic form
b) Patient information in paper form
c) Patient information communicated orally
d) all of the above
2. Now that there is a federal law protecting patient privacy, all individual health information shares the same level of protection, including psychotherapy notes, HIV test results, genetic testing, sexual assault, domestic violence, etc.
a) True
b) False
3. Patients have the right to amend inaccurate or incomplete information contained in their individual health record
a) True
b) False
4. Health information is considered confidential if it identifies the patient and relates to:
a) A person’s past, present, or future physical or mental health condition
b) A person’s present health condition only
c) A person’s past and present condition only
Massachusetts General Hospital Training in Privacy and Confidentiality
HIPAA: Health Insurance Portability and Accountability Act of 1996
This is to certify that
_______________________________
has attended the Training in HIPAA Privacy and Security Regulations
Approved for One (1) level one Risk Management CME Hour
[ ] PowerPoint Presentation
[ ] PowerPoint Presentation and Quiz
[ ] Self Learning Materials and Quiz
[ ] Video and Quiz
Granted: ____________, 2003
Marilyn A. McMahon, J.D., Risk Manager, Office of the General Counsel
Caring for patients while respecting their Privacy