Faculty Profile. PART I Privacy Training for Health Professionals. Disclaimer. Always Be Prepared 7/11/2013. Why should you care about Privacy?

Transcription:

T-shirts & Taglines: PART I Privacy Training for Health Professionals
Denise Hill, JD, MPA, Des Moines University, Des Moines, Iowa

Faculty Profile
Denise is an Assistant Professor at Des Moines University teaching courses on health law and ethics. She has a joint appointment with the College of Health Sciences, College of Medicine and College of Podiatric Medicine. She is also an adjunct health law professor at Drake Law School. Denise Hill joined the Whitfield and Eddy law firm in the fall of 2006, where she currently serves as an of counsel attorney engaged in general practice including health law, mediation and administrative law. Previously she worked at Davis Brown law firm, the Iowa Medical Society, and the Iowa Department of Public Health. Denise is a highly regarded speaker and writer on health law and ethics issues. In addition, her scholarship agenda focuses on using simulation to promote interprofessional relationships between law students, MHA students and other members of health care teams. She is a co-author of the book Powerful Learning Communities, published by Stylus in February 2013. Denise graduated with honors from Drake Law School and received her Master's in Public Administration from the Drake School of Business and Public Administration.

Disclaimer
A presentation can neither promise nor provide a complete review of the myriad of facts, issues, concerns, and considerations that impact upon a particular topic. This presentation is general in scope, seeks to provide relevant background, and hopes to assist in the identification of pertinent issues and concerns. This presentation does not constitute and is not meant to provide legal advice. Participants with legal questions are encouraged to seek the advice of legal counsel of their own choosing.

Always Be Prepared
1. Read assigned readings
2. Access and bring policies, procedures & other guidelines you are subject to
3. Remember that you must also be familiar with the privacy laws and licensing regulations in the state where you practice.

Where are we going? Training Objectives
To meet privacy training requirements and ensure you understand:
1. Your responsibilities to safeguard protected health information (PHI) in oral, written and electronic formats
2. The role and function of your organization's privacy policies and procedures
3. What you should do if PHI is disclosed without authorization
4. The ramifications for you and the organization for inappropriate disclosure

Learning Objectives
After this session, you should be able to:
1. Communicate the importance of privacy in health care
2. List the major components of HIPAA
3. Define protected health information
4. Describe the HIPAA minimum necessary requirement
5. Determine when PHI can be disclosed
6. Identify penalties for unauthorized disclosure
7. Apply lessons learned and institutional policies to case scenarios

Why should you care about Privacy?
Patient impact: stigma & discrimination, embarrassment, loss of trust, lack of compliance, financial disadvantage
Ethics
Your license is at stake
Liability
It's the law: HIPAA and state law

Privacy Duties in Healthcare
Codes of ethics, Hippocrates, common law, contracts, ethics, state law, licensing board, federal law

Codes of Ethics Examples
American Pharmaceutical Association Code of Ethics: "With a caring attitude and a compassionate spirit, a pharmacist focuses on serving the patient in a private and confidential manner." (emphasis added)
The American Medical Association Code of Ethics: "A physician shall safeguard patient confidences and privacy within the constraints of the law."
WHAT DOES THE CODE OF ETHICS FOR YOUR PROFESSION SAY?

State Licensing Boards
Know the laws & Board regulations for your profession AND in your state of practice!

Licensing Board Examples
Iowa Board of Pharmacy Rules, 657 I.A.C. 8.16(1), Definition: "Confidential information" means information accessed or maintained by the pharmacy in the patient's records which contains personally identifiable information that could be used to identify the patient.
Iowa Board of Physical Therapy, 645 I.A.C. 201.2(5), Confidentiality and Transfer of Records: Physical therapists and physical therapist assistants shall preserve the confidentiality of patient records. Upon receipt of a written release or authorization signed by the patient, the licensee shall furnish such physical therapy records, or copies of the records, as will be beneficial for the future treatment of that patient.

HIPAA: Health Insurance Portability and Accountability Act of 1996
Several components: privacy, security, transactions and code sets, uniform identifiers
GOAL was to ensure that providers and plans NOT use or disclose an individual's health information except for Treatment, Payment, or Regular Health Care Operations

PRIVACY PRE-EMPTION: Who rules, State or Federal Government?
If state privacy laws are contrary to the HIPAA Privacy Rule, HIPAA preempts the state law.
IF your state law is STRICTER than HIPAA, follow STATE LAW!

Permitted Uses of PHI
TPO: treatment, payment and operations
Patient authorization
Agreements
Laws
When in doubt, find out! Ask your supervisor or request patient authorization.

Health Insurance Portability and Accountability Act of 1996
Who? Covered entities & health care providers
What? Protected health information (PHI)
When? Always, unless the patient consents or an exception applies
Where? In custody: setting and storage considerations
Why? To honor patients' expectation of privacy, promote trust, & avoid misuse of information/stigma
How? Take steps to safeguard & protect PHI
For Education, Not Legal Advice

Who is covered?
Health Plans
Health Care Clearinghouses
Health Care Providers: every healthcare provider, regardless of size, who electronically transmits health information in connection with certain transactions. That's you!
Business Associates (HITECH)

Students in the Practice Setting
Considered Health Care Providers
Approved under TPO provisions
Must adhere to HIPAA standards & privacy policies of the organization

What is protected?
Protected Health Information (PHI): information that is electronic, spoken or written and can only be disclosed with a patient's written consent. Identifiers:
- Account numbers
- Address
- All parts of dates except year
- Any other unique code, number or characteristic that can be linked to the individual
- Biometric identifiers (fingerprints/voiceprints)
- Device identifiers
- Email address
- Fax number
- Full face photos or images
- Health plan beneficiary number
- Health care record number
- IP address, URL address
- License number
- Patient name
- Social security number
- Telephone number
- Vehicle identifier number

Not All PHI is Equal: Special Records
Mental Health
Substance Abuse
HIV/AIDS
*NEW*: Genetic information (added in 2008) can't be used for determination of eligibility, premiums or pre-existing conditions

Common PHI Students and Pharmacists may Encounter
Clinical charts
Rx records
Billing records
Patient profiles
Emails/faxes
Some phone calls from patients
Verbal patient counseling
Rounding lists

Common Exceptions
Refill reminders (constitute "treatment activity")
Drug recommendations
Therapeutic substitutions
Product recommendations (e.g. smoking cessation)
Coverage and formularies
Counseling and DURs
Disease State Management: ongoing education and counseling

Basic Tenets: HIPAA Privacy
Secure & protect PHI:
1. Protect the privacy of PHI
2. Use & disclose PHI only when authorized, and only the minimum necessary
3. Establish patient rights to approve who has access to & use of their medical information

How is PHI Stored & Accessed?
Verbal communication
Hard copy
Electronic data
Your duties to protect PHI will depend on this!

What must health organizations do?
Develop and implement written policies and procedures (Privacy Practice Notice)
Designate an official responsible for implementation
Document any non-routine disclosures
Train the workforce: employees, volunteers, trainees. YOU!

Who has to comply & be trained?
Providers and those in direct contact with patients' PHI/medical records
Hybrids? Those who work in a hospital or pharmacy who do NOT have anything to do with patient privacy do NOT need HIPAA training and are not required to be compliant. For example: hospital gift shop staff, cleaning staff, photo cashier at a chain pharmacy

Electronic Security Tips
Computers
Mobile devices
Protected Health Information
CAUTION: Be careful what you discard!

Tips for Students and Practitioners
Do not discuss patients in a public area
Don't speak re: PHI too loudly
Remove PHI when presenting patients
Charts and computers should not be left open
Follow institutional policies & procedures
Protect portable devices, encrypt, etc.

2. Use & Disclosure of PHI
Use v. Disclosure of PHI
USE: "sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information."
DISCLOSURE: "release, transfer, provision of access to, or divulging in any other manner PHI outside the entity holding the information."

Permitted Uses of PHI
TPO: treatment, payment and operations
Patient authorization
Agreements
Laws
When in doubt, find out! Ask your supervisor or request patient authorization.

Disclosure: Rule of Thumb
Authorized
Limited to necessary information
Protect from others

Permitted Disclosures
Legal representative
Family & friends involved in care (unless the patient says no)
Other providers
Business associates

Business Associates (BA)
Outside entity/person with which sharing of PHI is necessary:
- Have BA agreements re: privacy practices
- They are responsible to comply with HIPAA
- Have safeguards and procedures to limit to the minimum necessary for the purpose

Other Permitted Disclosures (that do not require patient authorization)
UNAUTHORIZED disclosures of PHI are allowed for the following defined law enforcement & public health purposes:
- Public health activities
- Victims of abuse, neglect, or domestic violence
- Law enforcement purposes
- Legal (subpoena/court order)
- To comply with workers' compensation
- To avoid serious threat to health or safety
- To DEA or state pharmacy board inspectors
- To report adverse events to the DEA

EMERGENCY! It IS acceptable to release PHI in emergency situations without authorization. Remember: use your best judgment and keep the patient's best interest in mind!

More Permitted Uses & Disclosures
Discussing treatment plan with a patient's other providers (except psychotherapy, HIV test results & substance abuse)
Transferring medical records during new ownership of a business

Minimum Necessary Rule
Limit PHI to the minimum required to accomplish the purpose. For example: when submitting a claim for a patient, there is no need to provide the diagnosis unless the payer NEEDS that info.
Company policies should identify what information is needed by whom in order to perform their job duties.
It is NOT appropriate to access your own information; you must follow the process/procedures in place.
AGAIN, use your PROFESSIONAL JUDGMENT and keep the patient's best interest in mind!

Designated Record Set (HIPAA)
Formal requests re: designated record set: This set includes any records containing "medical... case or medical management... billing... enrollment, payment, [or] claims adjudication" information, used "in whole or in part, by or for the covered entity to make decisions about individuals." 45 CFR 160.103

Disclosure Tips
Check correct email, phone number, fax
Use confidential fax cover sheet
Review chart and ensure minimum necessary
Follow tracking procedure

Incidental Disclosures
Overheard by another person when counseling a patient or talking to another health care professional
Piece of paper may be seen by somebody who should not see it
Family or friends picking up prescriptions
Not penalized under HIPAA if policies to protect information are in place. Violations do NOT occur when the disclosure:
- could not reasonably be prevented
- is limited in nature
- is a byproduct of permitted disclosures

Incidental Use: Examples
The rule specifically states that no violation occurs by calling out a patient name in an MD office or pharmacy
Pharmacies are not required to go to extraordinary means to provide soundproof counseling areas

De-identified Information
De-identified information is NOT protected; stringent requirements apply (45 CFR 164.514(b)).
CAUTION: do not include data that could reasonably lead to individual identification.
Not protected DOES NOT mean info can be disclosed freely without care. USE YOUR PROFESSIONAL JUDGMENT!

There are SERIOUS Consequences!
Audits
Civil penalties (OCR): minimum fine is $100, maximum is $1.5 million
Criminal penalties (DOJ): KNOWINGLY violated HIPAA laws; fines up to $250,000, imprisonment up to 10 years

Consequences for Employees
Employees placed on immediate leave pending investigation
Disciplinary action: fired, suspension, reprimand & document in employee record, probation, peer review, further training on HIPAA privacy
Student consequences?

3. HIPAA Patient Rights
Patient right to:
- Notice of Privacy Practices
- Review & get copies of medical & financial records
- Request corrections

Notice of Privacy Practices
Content (in plain language):
- How the covered entity may use & disclose their PHI
- The individual's PHI rights & how to exercise rights
- The covered entity's legal duties re: PHI
- Contact information for more information: privacy officer
Must include this language: THIS NOTICE DESCRIBES HOW MEDICAL INFO ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFO. PLEASE REVIEW IT CAREFULLY
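De-identification starts with finding the identifier classes the deck lists. The scanner below is an added example written for this page (not the presentation's or Des Moines University's code); it flags those classes in a record and masks them in free text, using constructed sample records and illustrative regular expressions that are assumptions, not a complete 45 CFR 164.514(b) implementation.

```python
"""Identifier scan for de-identification review.

Added example, not part of the training deck. It checks a record for the
identifier classes the deck lists (dates other than year, SSN, phone/fax,
email, IP address, URL, record/account numbers, plus direct-identifier
fields such as name or address) before the record is treated as
de-identified. Patterns are illustrative assumptions, not exhaustive.
"""
import re

# (tag, pattern) for identifier classes that appear in free text.
# Order matters for redaction: dates are masked before phone numbers.
PHI_PATTERNS = [
    ("DATE", re.compile(r"\b(0?[1-9]|1[0-2])[/-](0?[1-9]|[12]\d|3[01])[/-](\d{4}|\d{2})\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.I)),
    ("RECORD_NUMBER", re.compile(r"\b(?:MRN|ACCT|Account)[ #:]*\d{4,}\b", re.I)),
]

# Structured fields that are direct identifiers. A year-only birth field
# ("birth_year") is deliberately absent: the deck allows the year alone.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "ssn", "mrn", "account", "email",
    "phone", "fax", "dob", "ip", "license", "vehicle",
}

def find_identifiers(text):
    """Return [(tag, matched_text), ...] for every listed identifier in text."""
    hits = []
    for tag, pattern in PHI_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((tag, match.group(0)))
    return hits

def check_record(record):
    """Return findings for one record; an empty list means no listed
    identifier was seen. Direct-identifier fields report as ("FIELD", key)."""
    findings = []
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIER_FIELDS:
            if value not in (None, ""):
                findings.append(("FIELD", key))
        elif isinstance(value, str):
            findings.extend(find_identifiers(value))
    return findings

def redact(text):
    """Mask each listed identifier in free text with its tag, e.g. [DATE]."""
    for tag, pattern in PHI_PATTERNS:
        text = pattern.sub("[" + tag + "]", text)
    return text

# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "birth_year": "1985",
     "note": "Seen 03/14/2013, call back at (515) 555-0123 re: refill."},
    {"birth_year": "1985", "state": "IA",
     "note": "Refill counseling completed; smoking cessation product recommended."},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(check_record(record) or "no listed identifiers")
        print(redact(record["note"]))
```

An empty finding list is a gate for human review, not a certificate of de-identification: indirect identifiers such as rare diagnoses or small-area geography still need professional judgment.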

Distribution & Acknowledgement
Distribution:
- No later than the first date of service
- In the case of emergency, as soon as reasonably practicable
- Anyone who asks for it
- Prominently posted in the facility & on any website that contains information about its customer services/benefits
Acknowledgement:
- Good faith effort to obtain an acknowledgement of notice
- Must receive written acknowledgement
- Acknowledgements kept 6 years from the date they were created

Patient Access to Records
Patients may request and are entitled to:
- Copy of their medical record; the covered entity has up to 30 days to comply. May charge a reasonable fee for actual costs.
- Accounting of non-routine disclosures: description of what was disclosed, why it was disclosed, the date, name of the individual receiving the information and their address if available

Expensive Denial of Patients' Access
Cignet denied 41 patients access to their medical records requested between September 2008 and October 2009, and did not cooperate with the investigation. Government imposed a $1.3 million penalty for violation of the HIPAA rule requiring Cignet to provide patients with their medical records within 30 (and no later than 60) days. Also a $3 million fine for failing to cooperate with HHS investigations.

Privacy Officer
Must designate:
- A "privacy official" responsible for the "development and implementation" of the policies/procedures for HIPAA compliance.
- A "contact person or office" responsible for providing information, receiving complaints and handling the administration of patients' records and rights. 45 CFR 164.530(a)

Handling Breaches: HITECH Act
If the covered entity discovers a breach of unsecured PHI, it must notify patients. If more than 500 are affected, it also has to notify the media and HHS.
Three-step procedure to decide whether or not to disclose a HIPAA breach:
1) Was there an impermissible use or disclosure of PHI under the privacy rule?
2) Does the impermissible use or disclosure pose a significant risk of financial, reputational, or other harm to the individual?
3) Are the exceptions to the definition of breach or the notification requirement inapplicable to the impermissible use or disclosure?
If the answer is no, you likely do not have to report perceived problems. The burden is on you to decide whether it is reasonable not to report under the circumstances. The compliance program must include detailed record keeping procedures to justify why you did or did not think reporting would be required.

Reporting Privacy & Security Violations
If YOU are aware of or suspect a violation, YOU are REQUIRED to report it to:
- Supervisor
- Privacy Office
- Information Security Office
- Compliance Hotline
Also institutional requirements

Conclusion
Advocate for your patient: protect their privacy. There are significant consequences for failing.
Review the policies/procedures & be prepared for areas where you are vulnerable.
Know:
- Patient rights
- What PHI is, how you can use & protect it
- How to disclose PHI & safeguards
Use common sense & seek help! You can do it!

CPE Instructions
Return to MY PORTFOLIO within the CEI website, www.gotocei.org
Scroll down to My Activities and complete the Exam and Evaluation associated with this activity
Your CPE is successfully recorded when you can access your STATEMENT via the hyperlink.
Upon completion of the exam and evaluation, be sure to click the SUBMIT button associated with this activity within your CEI profile to transmit the completion data to CPE Monitor.
Questions? csmith@gotocei.org, 515.270.8118