HIPAA Job Specific Education
HIPAA Privacy: Keys to Success
Updated January 2010

Page 2: HIPAA and Its Purpose

What is HIPAA?

• Health Insurance Portability and Accountability Act of 1996
• Title II – Administrative Simplification
• It’s a federal law
• HIPAA is mandatory; there are penalties for failure to comply

Purpose:

• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Improve quality of healthcare in general
• Reduce healthcare administrative costs (electronic transactions)

Page 3: HITECH and Its Purpose

What is HITECH?

• Health Information Technology for Economic and Clinical Health Act
• Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA)
• It’s a federal law

Purpose:

• Makes massive changes to privacy and security laws
• Applies to covered entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations

Page 4: Key HITECH Changes

– Breach Notification requirements
– AOD for treatment, payment, and healthcare operations in an electronic health record (EHR) environment
– Business Associate Agreements
– Restrictions
– Right to access
– Criminal provisions
– Penalties
– OCR Privacy Audits
– Copy charges for providing copies from EHR
– HIPAA preemption applies to new provisions
– Private cause of action
– Sharing of civil monetary penalties with harmed individuals

Page 5: Civil Penalties for Non-compliance*

Violation Category               Each Violation      All such violations of an identical provision in a calendar year
Did Not Know                     $100 - $50,000      $1,500,000
Reasonable Cause                 $1,000 - $50,000    $1,500,000
Willful Neglect – Corrected      $10,000 - $50,000   $1,500,000
Willful Neglect – Not Corrected  $50,000             $1,500,000

*As of 2/17/09

Page 6: Criminal Penalties for Non-compliance

• For health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. These penalties can apply to any “person”.
• Penalties are higher for actions designed to generate monetary gain:
  – up to $50,000 and one year in prison for obtaining or disclosing protected health information
  – up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
  – up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm

Page 7: Facility Privacy Official

• Your FPO is Cynthia Kean, HIM Director
• Responsible for:
  – Privacy Program
  – Privacy Rights of patients
  – Requests for Privacy Restrictions
  – Facilitating the training and education of staff

Page 8: HIPAA Terminology

• HIPAA: Health Insurance Portability and Accountability Act
• HITECH: Health Information Technology for Economic and Clinical Health Act
• PHI: Protected Health Information
• CE: Covered Entity (Hospital)
• ACE: Affiliated Covered Entity (Common ownership)
• OHCA: Organized Health Care Arrangement (The hospital and medical staff will be considered an Organized Health Care Arrangement)
• DRS: Designated Record Set (medical record and billing record)
• AOD: Accounting of Disclosures (patient’s right to receive)
• Directory: Hospital census list used by volunteers and operators, with name and room

Page 9: How will HIPAA affect you?

• Coversheets with a confidentiality statement need to be used on all external faxes.
• Screens will need to be placed out of public view when possible
• Patient charts will need to be placed in a secure area
• PHI will need to be placed in Cintas containers for disposal
• Patient family members will give a passcode for releases other than directory releases
• Patient information should only be accessed if there is a need to know

Page 10: How will HIPAA affect you?

• Registration will be giving out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy.
• Patients will be given the option to “opt out” of our directory.
• Patients have a right to a copy of their medical record
• Authorizations need to be obtained from the patient to release information for reasons other than treatment, payment or healthcare operations (TPO)

Page 11: What is Protected by HIPAA (PHI)?

• Name
• Address including street, city, county, zip code and equivalent geocodes
• Names of relatives
• Name of employers
• All elements of dates except year (e.g. DOB, Admission, Discharge, Expiration, etc.)
• Telephone numbers
• Fax numbers
• Electronic e-mail addresses
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, code

Page 12: What is a Covered Entity (CE)?

• Health plans, health care clearinghouses, and health care providers that transmit electronically for billing
  – Examples
    • Hospitals
    • Physician Practices
    • Insurance companies
    • Ambulance Transportation Services
    • Hospice
    • Home Health

Page 13: What does that mean to me?

• You can share information without patient authorization as it relates to TPO
• Other covered entities will request only the minimum necessary to perform their job
• You may request the minimum information necessary from them for reasons of TPO without patient authorization
• You may need to verify the requestor according to policy

Page 14: Disclosing PHI to Family Members and Friends Who Call the Unit

• Patient will be assigned a four-digit passcode. Knowledge of this passcode will allow information (PHI) to be shared with the family member or friend
• Distribution of the passcode will be the responsibility of the patient
• Passcode may be changed during treatment – a Revocation and password change form must be routed to the FPO
• Passcode will be the last 4 digits of the patient account number

Page 15: Verification of Requestors

• Requestors via phone will need:
  – Patient SS#, DOB and one of the following:
  – Account number, street address, MR#, birth certificate, insurance card or policy number
• Scenarios
  – Unknown physician calling from cell phone
  – Family member or friend calling without passcode

Page 16: External Faxing Guidelines

• Limit when possible
• Verify fax number
• Utilize preset numbers when applicable
• Fax machine located in secure location
• ALWAYS use cover sheet with confidentiality statement for transmittals
• Highly sensitive information should not be faxed (HIV status, abuse records, etc.)

Page 17: Patient’s Right to Access

• Forward to HIM for processing
• Must be able to provide access and/or hard copy of record
• If patient is in-house, HIM will manage access process

Page 18: Patient’s Right to Amend

• Forward request to HIM for processing
• Right of patient to request amendment to records. Request must be in writing
• Cannot change or omit documentation already in the medical record
• If patient is in-house, HIM will manage amendment process

Page 19: Patient’s Right to Opt out of Directory

• Patient can opt out of directory at any time, but this will probably happen during the admission process
• You may not acknowledge the patient is in the facility or give information about the patient to friends, family or others who may inquire
• Can still release information to family and friends with the 4-digit passcode as defined in the Directory policy.
• Forward any request for opt out to Registration for processing
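An added example, not code from the training deck or the facility: the phone-release rules from the passcode slide (page 14), the Verification of Requestors slide (page 15) and the opt-out slide above, written as one decision function so the branches can be checked against each other. The record fields, caller categories, sample values and action names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import hmac

@dataclass
class Patient:
    """Constructed record; the passcode is the last four digits of the account number (page 14)."""
    account_number: str
    ssn: str
    dob: str
    mrn: str
    street_address: str
    opted_out_of_directory: bool = False

@dataclass
class Request:
    """A phone request; caller_type is one of "patient", "family" or "provider" (assumed labels)."""
    caller_type: str
    passcode: Optional[str] = None
    ssn: Optional[str] = None
    dob: Optional[str] = None
    extra_identifier: Optional[str] = None  # account number, street address or MR# (page 15)
    purpose: str = "other"                   # "tpo" for treatment, payment or operations

def passcode_matches(patient: Patient, supplied: Optional[str]) -> bool:
    """Compare the caller's four digits with the account-number suffix in constant time."""
    if supplied is None:
        return False
    return hmac.compare_digest(patient.account_number[-4:], supplied)

def verified_by_identity(patient: Patient, req: Request) -> bool:
    """Page 15 check: SS# and DOB plus one further identifier the hospital already holds."""
    if req.ssn != patient.ssn or req.dob != patient.dob:
        return False
    return req.extra_identifier in {patient.account_number, patient.street_address, patient.mrn}

def decide(patient: Patient, req: Request) -> str:
    """Map a request to the action the slides prescribe (action names are assumed)."""
    if req.caller_type == "patient":
        return "refer_to_him"             # right to access is processed by HIM (page 17)
    if req.caller_type == "family":
        if passcode_matches(patient, req.passcode):
            return "release"              # passcode holder may receive PHI (pages 14 and 19)
        if patient.opted_out_of_directory:
            return "deny_no_acknowledge"  # may not even confirm the patient is here (page 19)
        return "directory_only"           # name and room only, per the directory definition (page 8)
    if req.caller_type == "provider" and req.purpose == "tpo" and verified_by_identity(patient, req):
        return "release"                  # TPO sharing after verification (pages 13 and 25)
    return "needs_authorization"          # anything else needs patient authorization (page 10)
```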

Page 20: Right to Privacy Restrictions

• Patients have the right to request a privacy restriction of their PHI
• NEVER agree to a restriction that a patient may request
• All requests must be made in writing and given to the FPO to make a decision on
• NO request is so small that it should not be routed to the FPO

Page 21: Patient Privacy Complaints

• FPO must maintain a complaint log in accordance with the complaint process
• ALL privacy complaints must be routed to the FPO
• Responses cannot be accompanied by retaliatory actions by the hospital
• Disposition of complaint must be consistent with the facility’s Sanctions for Privacy Violations
• Risk Management module of Meditech may be used for complaint tracking

Page 22: Accounting of Disclosures (AOD)

• Right to an accounting of disclosures of protected health information
• An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
  – For TPO
  – To the patient
  – For directory purposes
  – To law enforcement or correctional institutions
  – For national security

Additional requirements forthcoming as a result of HITECH regulations

Page 23: How will Accounting of Disclosures (AOD) affect me?

• You must enter information into the AOD for:
  – State mandated reporting
    • Suspected Abuse Victims
    • Certain Disease reporting such as STDs
    • Brain Injury
  – Organ and Tissue Donations
  – Health Oversight Activities (JCAHO)

Page 24: Notice of Privacy Practices

• Patient will receive Notice upon each registration
• Outlines patient rights
  – Right to access
  – Right to amend
  – Confidential Communication
  – Right to Privacy Restriction
  – Right to Opt out of Directory

Page 25: Sharing Information with Other Treatment Providers

• We can share information with physicians and office staff, hospitals, or other treatment facilities just as we do today
• Need to verify the requestor according to policy
• Patient information (PHI) can be released for reasons of treatment, payment or health care operations

Page 26: Confidential Communications

• Request for use of an alternate address or phone number for future contact
• Route any request for Confidential Communications to Admissions
• Should communicate only with the alternate address given

Page 27: Breach Notification

• HITECH provisions require the following notifications when breaches (as defined in the regulations) occur:
  – To the patient
  – To the Department of Health and Human Services
  – To the media when the breach involves more than 500 individuals in the same state or jurisdiction

Page 28: Ensuring Security Compliance

• Ensure users log off terminals when not in use.
• PCs should have screen savers whenever possible.
• Computer screens should be positioned so information (PHI) is not readable by the public or other unauthorized viewers
• Printers should be positioned in protected locations so that printed information is not accessible or viewable by an unauthorized person.
• PHI must be properly disposed of.

Page 29: Common Exposures on Nursing Units

• Discussions of patient information in public places such as elevators, hallways and cafeterias
• Printed or electronic information left in public view (e.g., charts left on counters)
• Discussing patient information on social networking sites (e.g., Facebook, Twitter)
• PHI in regular trash
• Records that are accessed without a need to know in order to perform job duties
• Unauthorized individuals hearing patient-sensitive information such as diagnosis or treatment

Page 30: Sanctions

• 3 levels of violations that require disciplinary action
  – Accidental and/or due to lack of proper education
  – Purposeful violation of privacy policy or an unacceptable number of previous violations
  – Purposeful violation of privacy policy with associated potential for patient harm
• FPO to review facility sanctions policy examples

Page 31: Test Your Knowledge

1. The FPO at JFK Medical Center is:
   a) Gina Melby, CEO
   b) The President of the Medical Staff
   c) Cynthia Kean, HIM Director
   d) Jim Leamon, CFO

2. Does the patient have the right to access or obtain a copy of their medical record?
   a) Yes
   b) No

3. Can a patient amend their record?
   a) Yes
   b) No

4. What is protected by HIPAA (PHI, Protected Health Information)?
   a) Telephone number
   b) Names of relatives
   c) Photos
   d) All the above

Where do you dispose of patient information?

Page 32: Test Your Knowledge

5. What right is NOT provided under HIPAA?
   a) Right to Opt out of the dictionary
   b) Right to not pay the bill
   c) Right to amend
   d) Right to request Confidential Communication

6. Under HITECH, when a breach occurs the following must be notified, EXCEPT:
   a) The Department of Health and Human Services
   b) The media when more than 500 individuals reside in the same state or jurisdiction
   c) The patient’s next of kin
   d) The patient

7. One of the purposes of HITECH is to create an electronic health record
   a) True
   b) False

Page 33: Test Your Knowledge

8. Patients have the right to request a privacy restriction of their PHI. This request must always be forwarded to the:
   a) Admitting Physician
   b) The FPO
   c) The Chief Nursing Officer
   d) The Quality Director

9. Criminal penalties for non-compliance can apply to any person
   a) True
   b) False

10. Examples of exposure would be
   a) discussions of a patient’s diagnosis in the elevator
   b) PHI in the trashcan
   c) sharing PHI without an authorization when one is required
   d) sharing of passwords
   e) All of the above