HIPAA
Office of Experiential Education
Kelli L. Coover, PharmD, CGP
Health Insurance Portability and Accountability Act
What is HIPAA?
Health Insurance Portability and Accountability Act
Enacted on April 14, 2003
A Federal Law written to:
Enhance data exchange: more effective and efficient for administrative and financial transactions
Improve healthcare information security and privacy
HIPAA Principles
1. Protect the privacy of protected patient information
2. Use and disclose the minimum necessary amount of protected information
3. Establish the rights of patients to approve who has access and use of their medical information.
Who is covered by HIPAA
Health care providers that transmit claims electronically
Health plans
Healthcare clearinghouses
Health Information Disclosure
As a pharmacy student/intern you are a covered entity
Covered entities have specific obligations toward protected health information (PHI), which includes information transmitted or maintained in any medium, including oral communications
Providers and plans may NOT use or disclose an individual’s health information except for:
  Treatment
  Payment
  Regular health care operations
Any additional disclosures require a signed authorization from the patient
What is Protected Health Information (PHI)?
Information resulting from demographic information being paired with physical or mental health or health insurance/prescription information.
Protected Health Information
Health information in any form is considered Protected health information (PHI) if it relates to:
The individual’s past, present or future physical or mental health or condition
The provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual
The information identifies the individual or creates a basis to believe that the information can be used to identify the individual
Specific PHI Elements
Name
All geographic info: City, County, State, Precinct, Zip Codes, Street Address
Elements of Dates: Birth Dates, Admission, Discharge, Date of Death, and Ages >89 years old
Telephone/Fax numbers
Email address
Social Security #
Medical Record #
Health Plan #
Account #
Certificate/license #
Vehicle/serial #
License plate #
Device/serial #
URLs
IP Address
Biometric Identifiers: Finger/voice prints
Full face photo
Protected Health Information
Records kept in a pharmacy that would meet the definition of PHI:
  Prescription records
  Billing records
  Patient profiles
  Insurance Cards
  May include certain phone calls from patients
  Verbal patient counseling
Where would a pharmacy student find PHI?
  Medical or Clinical Charts
  Medication Administration Records (MAR)
  Billing Records
  Rounding Lists
  Electronic Databases
  Rounding Conversation
  Faxes
  Emails
Use and Disclosure Rule
Must take reasonable efforts to use and disclose only the “Minimum Necessary” amount of PHI appropriate to the situation.
Limit disclosure for payment and operations
Understand WHY the information is necessary
Question if information seems unnecessary
Casual conversation
Don’t discuss patients with health care professionals not directly involved in their care
Providers should limit access to patient information on a need to know basis.
Remember, do not use HIPAA as an excuse to report adverse drug events.
For a pharmacy student, what is the “Minimum Necessary”?
Access ONLY the PHI you need to provide medication therapy management.
This information will vary based upon the individual patient.
Can PHI be disclosed without authorization? Yes.
Public health activities
Law enforcement, judicial proceedings
Reports of abuse or neglect
Health oversight activities
Coroners, funeral directors
Organ and tissue donation
Certain research activities
Threat to public safety
Military functions
Inmates
Worker’s compensation
Sale, transfer, merger or consolidation of all or part of covered entity
What should be done when an employee makes an unauthorized disclosure of PHI?
Sanction the employee
Attempt to contain the damage caused by the disclosure
Document the event:
  Description of what was disclosed
  Statement of the reason the PHI is disclosed
  Date
  The name and address (if known) of the person or entity that you disclosed to
Must also make an accounting of the events to the affected patient(s)
Stiff penalties including fines and prison terms associated with noncompliance.
5 Tips for Staying Compliant
1. Never access a patient’s records unless you are managing that patient and need to access the record for those purposes.
Violations have taken place when healthcare practitioners accessed records of relatives, friends or persons of interest.
Even if you are the healthcare proxy for that person it’s not acceptable to access records in that way.
2. Use discretion when talking about a patient.
HIPAA violations can arise when healthcare practitioners discuss a patient’s health status in a public area such as a waiting room or cafeteria in front of other people.
HIPAA violations can occur when patient information is shared on social media platforms.
3. Ensure that protected health information is safeguarded.
The Office of Civil Rights (OCR) has held that even insurance cards, presented at a pharmacy, are considered PHI and must be treated as such.
Patient medical records, test results and diagnostic information are all PHI.
4. Do provide health information where it is authorized.
HIPAA violations can occur when a practitioner withholds PHI from those who are entitled to such information.
Example: Doctor’s office violated HIPAA by refusing to provide a minor child’s medical information to the patient’s mother.
5. Use care in labeling files.
One practitioner’s office was fined for using large red stickers with the word “AIDS” on the outside of the files of patients who were HIV positive.
Recent Case – July 2013
Woman awarded $1.44 million after finding Walgreens and pharmacist violated privacy.
Pharmacist violated privacy by looking up and sharing prescription history.
Pharmacist admitted she was aware of strict privacy policy and knew she was violating it.
Walgreens contends this is a misapplication of the law to hold an employer liable for the actions of one employee. Currently under appeal.
Walgreens must pay woman $1.44 million over HIPAA violation, Jul. 26, 2013, written by Tim Evans, indystar.com.
Recent Case - 2009
CVS fined $2.25 million after local media discovered that the pharmacy’s trash violated HIPAA regulations.
Pharmacy employees were disposing of old prescription drug bottles with labels containing PHI still intact.
https://www.pbahealth.com/5-hipaa-violations-you-might-not-know-about/
As a student, can you keep written records about your patients?
Yes, BUT you must safeguard this information.
Don’t use your phone to take a picture of information in the patient’s chart
Don’t photocopy information from the patient’s chart
Don’t access information for patients you aren’t directly following even if they are relatives and/or friends.
Do not leave any written materials, smart phones or laptops with patient information on tables or in lab coats that you are not wearing.
Always put paper with patient information in locked containers to be shredded.
Remember to keep smart phones and laptops password protected when they contain patient information and delete information when it’s no longer needed.
Helpful TIPS
Keep conversations about patients as private as possible.
Use discretion when calling out names in waiting rooms or pharmacies.
Keep patient lists and schedules out of public view.
When discussing cases with fellow students, strip identifiers from the case.
Never leave the patient’s medical record unattended or open.
Respect patient’s privacy when requesting medical information over the phone. Do not repeat names, numbers, etc. so that these can be overheard.
Verify the identity of the individual requesting patient information.
Use passwords on computers that only you know.
Do not share passwords.
Log off any computer if you get up and leave.
Protect the security of laptops and smart phones with a password.
Remove/destroy PHI when it is no longer needed.
Rights of Individuals to PHI
Patients have the right to access their health information.
Requests for information must be honored within 30 days.
Patients can “amend” their health record.
Requests must be acted on within 60 days.
You may deny a request if it is not appropriate.
Patients have the right to request that health care providers restrict disclosure of information to health plans in situations in which a patient has paid for an item or service in full.
Privacy Official
To ensure that any covered entity (including pharmacies) is committed to developing and implementing the HIPAA guidelines, an individual must be named as a “privacy official”.
This individual is responsible for developing and implementing HIPAA-related policies and procedures
Security Rule
Requires entities to:
  Protect ePHI against unauthorized access and improper alteration or destruction
  Protect against threats or hazards to the security or integrity of ePHI
  Protect against unauthorized uses or disclosure of ePHI
  Make ePHI readily available to authorized personnel when needed
  Institute security measures that must be followed by all members of the workforce including students, management, and vendors or contractors
Applies only to electronic protected health information
Computer systems should be up to date, but it is your responsibility to ensure the safety of the ePHI
Conclusions
PHI must be treated with great care in all its forms, whether paper records, faxes, computer records, pharmacy logbooks or oral discussions.
You may use protected health information when speaking with other health care professionals involved in the treatment of the patient.
If you have questions about the use of PHI, ask your preceptor or supervisor.