HIPAA Basics: Privacy

The History of HIPAA

As health care providers, we have always been called upon to maintain the privacy and confidentiality of a patient’s health information.

This is an ethical and legal obligation that we hold as nurses and as nursing students.

Until recently, a patient’s medical record was recorded and maintained primarily on paper and stored in the offices of physicians, hospitals, and other health care professionals.

These records were kept safe in locked cabinets or closets.

With the advent of computers and other electronic technology, we are now able to maintain electronic files that allow us more flexibility in communicating information between offices, hospitals, and clinics, as well as cutting down on the space requirements for storage. In addition, we are better able to track and analyze data that helps us to be more effective in providing care as well as in controlling costs.

According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization. There are, however, concerns that the increase in electronic information results in a loss of privacy and confidentiality.

Because so many people potentially have access to patient medical information now, we need to do more to ensure that the only people who do access the medical information are those who need to have access in order to provide care.

The Federal government passed a law in 1996 that creates national standards to protect patients’ medical records as well as other personal health information.

This Federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA became effective on April 14, 2003. It sets forth minimum standards that facilities must follow to protect patients’ health information. The key term associated with the privacy rules is Protected Health Information or PHI. It covers information that can be found in:

  • Information used within the facility
  • Verbal or written information
  • Information stored in computer files
  • Information stored in paper patient files
  • Information shared with other health care providers, payers or third parties

Failure to Comply

Every health care organization is expected to develop policies and procedures to guide practices within their facility. Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations.

Each team member’s work is important for patient care. At the same time, it is essential that all patients’ health information be kept confidential.

Organizations or individuals that violate the Privacy rules are subject to monetary fines (up to $250,000!) and / or civil or criminal charges (up to 10 years in jail!).

Failure to comply may also hurt the reputation of the facility, put accreditation at risk, and result in costly lawsuits.

HIPAA Goal

The goal of the privacy program is to protect confidential information from improper use or disclosure.

What does this mean to you?

Administrative Requirements

Every agency must:

  • Appoint a Privacy Officer.
  • Develop policies and procedures that guide HIPAA implementation, evaluation and revision. These should include actions taken for people who do not follow the directives.
  • Provide education on HIPAA and organizational policies and procedures.
  • Develop a process for handling privacy related complaints.
  • Ensure no retaliation occurs against someone who reports potential violations in good faith.
  • Take appropriate action to minimize any harm that may result from breach of privacy.
  • Ensure processes are in place to demonstrate compliance with documentation and record keeping.

YOUR Responsibility

You must respect confidential information about patients and use information only to perform your role as a student nurse in that agency.

It is your responsibility to be sure patient information is only given or disclosed to others who have a legal right to it.

What information needs to be kept private?

All information that identifies an individual is considered confidential.

This includes, but is not limited to, name, address, date of birth, phone/fax numbers, social security number, medical record number, and photographs.

It also includes nursing and physician notes, as well as billing and other treatment records used during a patient’s visit in a hospital or office.

HIPAA Patient Rights

HIPAA guarantees several rights to patients:

  • Right to privacy
  • Right to confidential use of their health information for their treatment, billing process, and other health care operations (such as quality improvement)
  • Right to access and amend their health information upon request
  • Right to provide specific authorization for use of their health information other than for treatment, billing and other health care operations
  • Right to have their name withheld from our patient directories
  • Right to request that information is not given out concerning their care to specific individuals including the right to ‘opt out’ of our patient directory (name not listed as being present in our facility other than for treatment, billing, and other health care operations)
  • Right to request that individuals are not told of their presence in our facilities

Every patient should receive a document called a Notice and be asked to sign an Authorization.

This Notice gives patients:

  • Information about their rights.
  • A description of how their PHI may be used by the facility.
  • A comprehensive list of others to whom their health information may be disclosed.

The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation.

An Authorization is a form signed by the patient for the use and disclosure of specific PHI that are not related to treatment, payment, or health care operations.

There are some uses and disclosures where an authorization is not required.

When in doubt about what information is required to have a signed authorization for release, ask!

What do you need to know?

Patients have the right to register complaints with Federal agencies and with the facility if they feel their rights have been violated.

Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation.

If you are uncertain about what information may be given out, talk to your instructor or one of the nurses on the unit where you are assigned, or contact the Privacy Officer.

Review Question

HIPAA’s goal is to catch staff sharing patients’ health information with those who do not need the information.

True or False?

Answer

ANSWER: FALSE

The goal of HIPAA is to protect confidential patient information from improper use or disclosure.

If you see an apparent violation, you should report it to your instructor who will immediately assist you in contacting the Privacy Officer.

Unauthorized Disclosures

Some of the biggest threats to patient privacy are unintentional disclosures of information:

  • Discussing a case where other patients or visitors may overhear, such as in elevators, hallways or the cafeteria.
  • Leaving sensitive information out where patients or visitors can see it.

Another threat to patient privacy is when a workforce member intentionally uses or discloses information in an unauthorized way:

  • Copying information and taking it home.
  • Removing medical records from the health facility and giving them to others who have no legal right to them.
  • Deliberately sharing information with unauthorized persons (family members, friends, or news reporters).
  • Using confidential information in gossiping about patients.
  • Leaving a computer unattended after logging in to an application.
  • Sharing passwords with others or leaving passwords around a computer.

It is essential that everyone who provides care and services to patients be aware of what is going on in their surroundings to ensure that confidential information is only shared with those who need to know, and at the minimum level necessary to enable them to carry out duties and responsibilities safely, effectively, and efficiently.

Always be aware of where you are, who is around you, and what information can be seen or heard. It may not be possible to ensure absolute privacy, but reasonable measures need to be taken to “minimize the chance of incidental disclosure to others.”

Don’t browse through a patient’s chart or other files out of curiosity. Access only the portions of the medical record you need to perform your specific role as a student nurse.

Review Question

One of the privileges of working in health care is that we have access to our family and friends’ health information so we can find out when they have an illness.

True or False?

Answer

ANSWER: FALSE

We do not have a right to access anyone’s health information including family members unless it is directly needed for the completion of our job responsibilities for a patient.

If you accidentally see patient information that is not directly needed for you to perform your job, you cannot share that information with anyone else.

Verify Identity

Before you can release information about a patient, you must first confirm the identity of the person requesting information about the patient, whether in person, by phone, or in writing.

What methods can be used to verify identity?

  • A photo ID
  • Information that only the patient would know, and which you can confirm, such as the patient’s middle name

Security Rules

Privacy rules identify what information is protected and define when and how that information may be used or disclosed.

Security rules apply to PHI that is sent electronically from one location to another. Security rules identify steps to take to secure PHI that is in electronic format. They also apply to PHI that may be used or stored by the facility.

There are four key parts which work together to protect PHI. These are:

1. Physical Security: hands-on access to computer hardware, systems, areas, and buildings.

2. Technical Security: the process to identify the access and type of information individuals may access and view on a computer.

3. Technical Security Mechanisms: processes that automatically monitor systems activity and report suspicious activity.

4. Administrative Procedures: policies and procedures that define steps the facility will take to address the above.

These define the basic level of security that must be in place to comply with HIPAA.

Electronic Communication

Part of upholding the privacy rules is understanding how information is stored, transmitted, and accessed by staff.

Faxes, e-mails, and computer printouts may contain patient information. Take precautions to ensure that these types of communications get to their intended destination.

As students, you will likely not be in a position to fax or email patient information to others. If you are placed in a situation where this becomes necessary, talk with your instructor about the proper procedure.

Case Scenario

Dr. Williams asks Sue, a nurse, to bring up his patient’s lab results on the computer screen. Dr. Williams looks around and does not see any other staff or visitors in the area. He asks Sue to turn the monitor so he can see the chart. There is no other person around the desk when the screen is turned towards him. When Dr. Williams is finished, Sue turns the screen back around facing away from public view.

Dr. Williams and Sue violated the patient’s privacy by turning the screen and viewing the lab results.

True or False?

Case Answer

ANSWER: False

They took the time to examine their surroundings and made certain that no unauthorized individuals were near. Turning the screen and then returning it to a secure position is an acceptable practice.

If visitors or others were present, the doctor would need to go behind the desk and view the screen.

Paper Communication

You will find during your clinical experiences that there is a lot of paper that contains confidential patient information. Make sure you keep this paper out of the public view.

Do not leave documents where the public can easily access them, even accidentally. Many of you may use visitors’ lounges for conferences. Do not leave your papers or any medical record information where it can be seen by others.

When documents containing patient information are no longer needed, shred them or dispose of them in designated containers.

Case Question

Julie is a nurse entering notes into a patient chart at the nurse’s station where visitors come to ask questions. Jeff, another nurse, steps out of a patient’s room and asks Julie for help. Julie leaves the chart open on the desk, then goes to assist Jeff in the patient’s room.

Q: Leaving the chart open on the desk when the nurse leaves the area is OK because she will be right back and trying to find her place would take too much time.

True or False?

Case Answer

ANSWER: False

The best way to maintain patient confidentiality is to never leave records unattended in public places. Closing the chart is a good first step. In a non-emergency situation, return the chart to its designated location before leaving the area. In an emergency situation, secure the chart using your professional judgment, then proceed to assist with the emergency.

Verbal Communication

Nursing is never practiced in isolation. It is a collaborative team operation. As a result, there are many times when you will need to discuss patient information with colleagues.

In doing so, remember you must:

  • Only discuss information relevant to the patient’s care.
  • Only include those involved in the patient’s care.
  • Select an area that is as private as possible, and check the surroundings to ensure no one will overhear confidential information who shouldn’t.

Case Scenario

Jennifer, a nurse, and Tom, a physical therapist, are eating lunch together in the cafeteria. They begin discussing a patient that they are both treating. The cafeteria is crowded and others around them can hear them referring to the patient’s name and other confidential information.

Q: They are violating the patient’s privacy in this situation.

True or False?

Case Answer

ANSWER: True

Never discuss a patient’s health information in areas where there are others that don’t need to know about it. If you need to discuss a patient’s care with a co-worker, speak softly in an area away from the public.

Case and Question

An adult daughter of an elderly patient is present in the room when his doctor enters to speak with the patient about test results. The patient introduces his daughter to the doctor, and then asks the doctor if the test results are back. The doctor begins to explain the results to the patient.

Q: The doctor violated the patient’s privacy by talking about the test results with the daughter present in the room.

True or False?

Case Answer

ANSWER: False

Since the patient asked about the results with his daughter in the room, the doctor can assume that it is appropriate to share the results at that time.

Case Question

In a Radiology waiting room, an x-ray technologist calls the next patient by name saying “Jane Smith, we are ready for you to get your sonogram now.”

Q: The x-ray technologist violated the patient’s privacy by calling out her name and test to be performed.

True or False?

Case Answer

ANSWER: True

Employees in doctor’s offices and waiting rooms are allowed to publicly call a patient’s name. However, care should be taken to limit any other information communicated.

The x-ray technologist should not have mentioned the test to be performed. Stating that the patient is having a sonogram is unacceptable. “Jane Smith, we are ready for you now.” is acceptable.

Non-Retaliation Policy

There should also be a policy in place to safeguard the rights of a person who, in good faith, reports a privacy violation.

Action should not be taken against anyone who, in good faith:

  • Exercises her or his rights, including filing a complaint.
  • Contacts or sends a complaint to the Department of Health and Human Services.
  • Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing.
  • Believes that an act or practice is against the law.

The person reporting the violation must have a reason to believe that there is a problem and may not use or disclose PHI to address her or his concern.

Complaints

If you feel there has been a privacy violation, inform your instructor who will immediately assist you in contacting the Privacy Officer.

Refer patients who have a privacy concern or complaint to the nurse in charge of the unit.

Summary

  • All health information that specifically identifies an individual is considered confidential.
  • Protecting the privacy of patient information is everyone’s responsibility.
  • Even though you are a student nurse, you are an active part of this program. Use patient information only to perform your responsibilities as assigned.
  • Be aware! Don’t intentionally or unintentionally disclose patient information. Help others to do the same.
  • If you suspect any privacy violations or concerns, notify your instructor who will immediately assist you in contacting the Privacy Office.

Thank You!

We are HIPAA compliant...

Are You?