HIPAA Privacy Rule Best PHI Privacy Practices
Learning Objectives
- Define the acronym HIPAA.
- Understand your role and responsibilities under the privacy regulations.
- Know what patients' rights are in terms of protected health information (PHI).
- Identify safe practices in handling PHI.
- Responsibly handle PHI.
The HIPAA Privacy Rule is part of the Health Insurance Portability and Accountability Act of 1996. This facet of the legislation establishes the first comprehensive federal protections for health care information. The rule does the following:
- Imposes new restrictions on the use and disclosure of personal health information.
- Gives patients greater access to their medical records.
- Gives patients greater protection of their medical records.
- Sets penalties for confidentiality violations.
- Requires all health care personnel to be trained on the Privacy Rule and to comply with it.
Why are privacy protections needed?
- Increasing public concern about loss of privacy.
- Broad availability of information stored and exchanged in electronic format.
- Concerns about genetic information.
- A conflicting patchwork of state laws.
HIPAA Terminology
- Covered entities
- Protected Health Information (PHI)
- Use and disclosure
- Minimum necessary
- TPO: Treatment, Payment, and Healthcare Operations
Covered Entities are groups or individuals who have to comply with the law. They are:
- Health Plans: individuals or group health care plans that provide or pay for medical care.
- Health Care Clearinghouses: private or public agencies involved in processing health information, e.g. billing services and vendors.
- Health Care Providers
Protected Health Information (PHI)
PHI is any information that is created or received, on paper or electronically, by a covered entity. This information relates to past, present, or future physical or mental health conditions of individuals, the provision of health care to those individuals, and payments for their health care. PHI is anything that could be used to identify an individual, including HIPAA's 18 identifiers:
- Name
- Date of birth
- Telephone number
- Medical record numbers
- E-mail address
- Certificate/license number
- Account numbers
- Web locators (URLs or website)
- Finger/voice prints
- Social security number
- Contact information
- Fax number
- Mailing address
- Health plan beneficiary numbers
- Vehicle identifiers
- Device identifiers/serial numbers
- Internet Protocol (IP) address
- Photographic images
Use and Disclosure of PHI
Use of PHI occurs when medical information is exchanged within an organization that maintains the PHI and provides patient care. Disclosure of PHI occurs when medical information is released to parties outside the organization. Remember that the disclosure restrictions do not pertain to medical information used for treatment, payment, or health care operations.
Release of Protected Health Information
Written patient authorization must be obtained before releasing Protected Health Information for purposes other than Treatment, Payment, and Health Care Operations.
Minimum Necessary
According to federal regulations, organizations must identify in a policy which persons need access to PHI to fulfill their job duties. The organization must limit the PHI used or disclosed to the minimum necessary to achieve job responsibilities.

Minimum Necessary Standard

Person/class of persons who need access to PHI | Permitted PHI access | Need for access
Medical Director | Entire chart | Treatment
Director of Public Health | Entire chart | Health care operations
Director of Patient Services | Entire chart | Health care operations, treatment, payment
Supervising Nurses and Staff Nurses | Entire chart | Treatment, payment, health care operations
Therapists (MSW, OT, PT, ST, RT, Aud., PTAs) and Nutritionist | Entire chart | Treatment, payment, health care operations
Inservice Educator | Appropriate section of chart to fulfill job functions | Health care operations, treatment
Clerical Staff | Appropriate section of chart to fulfill job functions | Data entry, filing, mail, telephone duties, copying records
Billing Staff | Billing information; entire chart for private insurance | Billing and payment activities, copying records
Nursing Instructor and Nursing Students | Entire chart | Treatment
Board of Health, UR, PAC, and QA Committee members | Specific chart information to fulfill committee duties | Health care operations

Note: the Minimum Necessary standard is not applicable to disclosures to or uses by a health care provider for treatment, payment, and health care operations, to disclosures to the patient, or to disclosures pursuant to a valid authorization.
TPO: Treatment, Payment, Healthcare Operations
A health care facility is permitted to use and disclose PHI without specific patient authorization when providing treatment, obtaining payment, or conducting health care operations. Health care operations include a number of processes, such as quality-related activities; financial and business activities; state and federal audits; and investigation of complaints.
The Privacy Rule governs a provider's use and disclosure of health information and grants individuals new rights of access and control. The regulation also establishes civil and criminal penalties, and violations will result in corrective action, which may include suspension or termination of employment, fines, and/or jail terms. Violations include:
- Failure to comply with federal regulations and HIPAA policies and procedures.
- Wrongful access, use, and disclosure of PHI.
- Failure to safeguard a patient's PHI.
Health Care Provider's Responsibilities
Health care providers understand that information about patients and their health is confidential. Our responsibility is:
- To effectively manage and safeguard patients' personal health information.
- To follow established policies and best practices for the management of PHI.
- To support and encourage patients' rights regarding their PHI.
- To obtain authorizations for disclosures.
- To report suspected privacy violations.
Proper Disposal of Paper Containing PHI
- Never dispose of paper containing patient information in the regular trash.
- Ask yourself: "Does this include any patient information?" If the answer is yes, then it doesn't go in the regular trash.
- Dispose of such paper items in the unit shredding containers.
- Non-PHI paper items may be put in the regular trash or brown paper bags for disposal.
- Never leave medical records or reports unattended or out in the open.
Sending Faxes
When faxing information:
- Pre-program frequently used fax numbers.
- Use the standard cover sheet with confidentiality statement.
- Designate a secure area for the fax machine.
- If information has been sent to the wrong number, send another fax to that number and ask the recipient to destroy the information.

A quick, three-check system:
1. CHECK the number before you dial.
2. CHECK the number on the fax machine display.
3. RE-CHECK the number before you press the SEND button.
Receiving Faxes
When receiving faxes:
- Immediately remove the fax from the machine and deliver it to the recipient.
- If information has been received in error, notify the sender by return fax or phone call, and destroy/shred the information.
- Faxes are covered by the Privacy Rule, not the Security Rule.
Under the Privacy Rule, patients have the following rights:
- Receive a Notice of Privacy Practices from their provider.
- Access, inspect, and copy their medical records.
- Request amendments or corrections to their medical record.
- Request alternative communication of PHI.
- Request restrictions on PHI use and disclosure.
- Request an accounting of disclosures of PHI.
- Request an opt-out from inclusion in a patient directory.
- File a complaint with the institution and/or with the Secretary of the Department of Health and Human Services.
Notice of Privacy Practices
The Notice of Privacy Practices explains:
1. To patients, how PHI is used and disclosed
2. Patients' rights regarding their PHI
3. Our legal responsibilities with respect to PHI

The notice must be provided to patients on the first day of the provision of homecare services. All patients will be asked to sign a written acknowledgement that they received the Notice of Privacy Practices; it must be filed in the patient's medical record.
Right to Access, Inspect, and Copy
Patients have a right to access, inspect, and receive a copy of their medical record. The request must be put in writing. A patient cannot be denied a copy of their records based on their inability to pay. There are a few exceptions where a patient's request may be denied, but they have the right to have denials reviewed. The person who denied the first request cannot be the person who reviews the denial.
Right to Request Amendment
Patients have a right to request corrections or amendments to their medical record if they believe the information is inaccurate or incomplete. The request must be submitted in writing. The regulation stipulates that any facility or agency must respond within 30 days of a request.
Right to Request Alternative Communication
Patients may request an alternate means of receiving their healthcare information. For example, a patient may request that information be sent to an alternate fax number, alternate address, or alternate phone number.
Right to Request Restriction
Patients have a right to request restrictions on disclosures of their PHI to others. This request must be put in writing. A restriction request is decided on a case-by-case basis and does not have to be granted. A granted request must be documented and kept on file for 6 years.
Right to an Accounting of Disclosures
Patients have a right to request an accounting of certain disclosures of their PHI made outside of the agency. This accounting would include disclosures that the patient may not be aware of. Disclosures made for treatment, payment, or healthcare operations do not have to be listed.
The following are disclosures which may be made without a patient's authorization. These are exceptions to the confidentiality regulations:
1. Disclosures made in accordance with statutory reporting requirements, including all instances of criminal wounds such as gunshots and poisoning.
2. Disclosures to public health authorities, such as reporting communicable diseases.
3. Disclosures to social services or protective service agencies, such as child and adult abuse cases.
4. Disclosures to health oversight agencies, such as audits and record reviews.
5. Disclosures in response to a subpoena, discovery request, or other lawful process.
6. Disclosures to law enforcement officials in response to a court order, a warrant, or a summons.
7. Disclosures to coroners, medical examiners, and funeral directors, for example, to identify a deceased person or determine the cause of death.
8. Disclosures to organ procurement organizations.
9. Disclosures for research purposes.
10. Disclosures to Workers' Compensation.
11. Disclosures to military and government agencies to help prevent a serious threat to the public or an individual.
Patient Directory
If an agency maintains a patient directory, by law, patients must be asked if they want their name and general condition to be provided. If agreed to, this information may be disclosed to family members or friends who ask for the patient by name but are not listed as someone directly involved in the patient's care. It is a violation of federal law to reveal or even confirm the identity of a patient in any psychiatric setting or any drug or alcohol rehab program.
Patient Complaints
Patient complaints or concerns regarding the handling of their PHI may be made by submitting a written complaint to one of the County's Privacy Officers or to the Secretary of Health and Human Services. This information is on the Notice of Privacy Practices, and no one will be retaliated against for filing a complaint.
Clinton County Must Meet Three Major Areas for HIPAA Compliance:
- Clinical requirements
- Computer security requirements
- Administrative requirements
Clinical Requirements
- Deliver the Notice of Privacy Practices to our patients.
- Limit uses and disclosures in accordance with legal requirements.
- Accommodate privacy requests from patients.
- Maintain an accounting system to track nonroutine disclosures.
- Manage PHI as set forth by the HIPAA regulations.
Computer Security Requirements
- Install firewalls for data integrity.
- Encrypt internet transmissions of PHI.
- Maintain password protections on files containing PHI.
- Limit access to patient files located on computer systems, based on job descriptions.
Administrative Requirements
- Designate a Privacy Official.
- Establish policies and procedures regarding PHI.
- Train all workforce members.
- Establish a complaint mechanism.
- Enforce sanctions (civil and criminal penalties).
The Privacy Message
Remember the adage "see no evil, hear no evil, and speak no evil"; apply this proverb to PHI. Our commitment to patient care includes maximizing patients' rights regarding PHI.
References:
- HIPAA: Privacy in Home Healthcare Handbook. Coastal Training Technologies Corp., Virginia Beach, VA, c. 2003.
- Marland, Sandra, Inservice Educator, Homecare Unit, CCHD. HIPAA Privacy Rule, 2009 (PowerPoint).
- HIPAA Training Handbook for the Nursing/Clinical Staff. OPUS Communications, P.O. Box 1168, Marblehead, MA, c. 2001.
- HIPAA: Security Compliance Handbook. Coastal Training Technologies Corp., Virginia Beach, VA, c. 2004.
- HIPAA Security Training Handbook for the Healthcare Staff. HCPro Inc., P.O. Box 1168, Marblehead, MA, c. 2003.
- www.hhs.gov/ocr/privacysummary.pdf
- www.hipaa.org/
- www.dhhs.gov/ocr/hipaa/
- www.kumc.edu
- http://www.chsd.org/documents/hipaa%20documents/self_training_module_062603.doc