HIPAA & PRIVACY TRAINING FOR HEALTH PROFESSIONALS: Part 1 Denise M. Hill, JD, MPA


© 2016 Denise M. Hill & CEI. Photos used under Creative Commons.

Disclosure & Disclaimer

DISCLOSURE: Denise Hill reports no actual or potential conflicts of interest associated with this presentation.

DISCLAIMER: Due to the limitations and nature of this program, please understand that the printed material, oral presentations and other data presented are not intended to be a definitive analysis of the subjects discussed. Users are cautioned that situations involving healthcare law questions are unique to each individual circumstance, and the facts of each situation will dictate a different set of considerations and varying results. Material contained on this site or listed as a reference is a general review of the issues and must not be considered a substitute for advice from your attorney on your own independent situation.

Always Be Prepared

1. Read the assigned readings.
2. Access and bring the policies, procedures and other guidelines you are subject to.
3. Remember that you must also be familiar with the privacy laws and licensing regulations of the state in which you practice.
(Photo by IPKat, licensed CC BY 2.0 UK)

Training Objectives

To meet privacy training requirements and ensure that you understand:
1. Your responsibilities to safeguard protected health information ("PHI") in oral, written and electronic formats
2. The role and function of your organization's privacy policies and procedures
3. What you should do if PHI is disclosed without authorization
4. The ramifications for you and for the organization of an inappropriate disclosure

Learning Objectives

Upon successful completion of this activity, participants should be able to:
1. List the major components of HIPAA
2. Define protected health information
3. Describe the HIPAA minimum necessary requirement
4. Determine when PHI can be disclosed
5. Apply lessons learned and institutional policies to case scenarios

PART I: HIPAA Training for Health Professionals
Denise Hill, JD, MPA, Health Law Program Director, Drake Law School
(Photo by The Art of Not Being Governed, licensed CC BY-NC-SA 4.0)

Why should you care about Privacy?

- Patient impact: stigma and discrimination, embarrassment, loss of trust, non-compliance with treatment, financial disadvantage
- Ethics: your license is at stake
- Essential job skill
- Liability: it's the law (HIPAA and state law)
(Photo by Cato Institute, licensed CC BY-NC 3.0)

Privacy Duties in Healthcare

Hippocrates, common law, contracts, ethics, state law, licensing boards, federal law.

Codes of Ethics: Examples

American Pharmaceutical Association Code of Ethics: "With a caring attitude and a compassionate spirit, a pharmacist focuses on serving the patient in a private and confidential manner." (emphasis added)

American Medical Association Code of Ethics: "A physician shall safeguard patient confidences and privacy within the constraints of the law." (emphasis added)

WHAT DOES THE CODE OF ETHICS FOR YOUR PROFESSION SAY?

State Licensing Boards: know the laws and Board regulations for your profession AND in your state of practice!

Licensing Board Examples

Iowa Board of Pharmacy Rules, 657 I.A.C. 8.11(4), Nonconformance with law: "A pharmacist, technician, support person, or pharmacist intern shall not knowingly serve in a pharmacy which is not operated in conformance with law, or which engages in any practice which if engaged in by a pharmacist would be unethical conduct."

657 I.A.C. 8.11(8), Unprofessional conduct or behavior: "A pharmacist shall not exhibit unprofessional behavior in connection with the practice of pharmacy or refuse to provide reasonable information or answer reasonable questions for the benefit of the patient."

HIPAA: Health Insurance Portability and Accountability Act of 1996 (compliance with the Privacy Rule was required from April 2003)

Several components: privacy, security, transactions and code sets, uniform identifiers.

The GOAL was to ensure that providers and plans do NOT use or disclose an individual's health information except for treatment, payment or regular health care operations (TPO), with the patient's authorization, or under a specific exception.

HIPAA/HITECH Omnibus Rule (January 25, 2013)

- New terms
- Makes the HIPAA rules apply directly to business associates (BAs)
- Complaints can now be filed directly with HHS or with the State Attorney General
- Marketing and fundraising restrictions
- Breach notification: shift in the burden of proof (an impermissible use or disclosure is presumed to be a breach unless the entity demonstrates a low probability that the PHI was compromised)

PRIVACY PREEMPTION: Who rules, state or federal government?
If a state privacy law is contrary to the HIPAA Privacy Rule, HIPAA preempts the state law, UNLESS the state law is more stringent (more protective of the patient). If your state law is STRICTER than HIPAA, follow STATE LAW!
(Photo by First Concepts Consultants, licensed CC BY-ND 3.0)

Health Insurance Portability and Accountability Act of 1996: Privacy

PRIVACY BASICS
- Who? Covered entities (health plans, health care clearinghouses, health care providers) and their business associates
- What? Protected health information (PHI)
- When? Always, unless the patient consents or an exception applies
- Where? Wherever PHI is in your custody, including how it is stored
- Why? To honor patients' expectation of privacy, promote trust, and avoid misuse of information and stigma
- How? Take steps to safeguard and protect PHI
(For education, not legal advice)

Who is covered?
- Health plans
- Health care clearinghouses
- Health care providers: every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions. That's you!
- Business associates (BAs), under HITECH

Students in the Practice Setting
- Considered health care providers
- Approved under the TPO provisions
- Must adhere to HIPAA standards and the privacy policies of the organization

What is protected?
Protected Health Information (PHI): individually identifiable health information, whether electronic, spoken or written. It may be used or disclosed only with the patient's written authorization or under a permitted exception (such as TPO). Identifiers include:
- Account numbers
- Address
- All parts of dates except the year
- Any other unique code, number or characteristic that can be linked to the individual
- Biometric identifiers (fingerprints, voiceprints)
- Device identifiers
- Email address
- Fax number
- Genetic information
- Full-face photos or comparable images
- Health plan beneficiary number
- Health care (medical) record number
- IP address, URL
- License number
- Patient name
- Social Security number
- Telephone number
- Vehicle identification number

Not All PHI is Equal: Special Records
Mental health, substance abuse, HIV/AIDS and genetic information records carry additional protections.
(Photo by Dr. Scott Morris, licensed CC BY-NC 4.0)

PHI Students Will Likely Encounter
- Clinical charts
- Rx records
- Billing records
- Patient profiles
- Emails and faxes
- Some phone calls from patients
- Verbal patient counseling
- Rounding lists
(Photo from Wikimedia Commons)

Common Exceptions (pharmacy activities that constitute treatment and need no separate authorization)
- Refill reminders
- Drug recommendations
- Therapeutic substitutions
- Product recommendations (e.g. smoking cessation)
- Coverage and formularies
- Counseling and DURs (drug utilization reviews)
- Disease state management: ongoing education and counseling

Basic Tenets: HIPAA Privacy
1. Protect the privacy of PHI
2. Use and disclose PHI only when authorized, and only the minimum necessary
3. Establish patients' rights to approve who has access to and use of their medical information

1. Secure & Protect PHI
(Photo by Ignasi Alcalde, licensed CC BY-NC-SA 4.0)

How is PHI stored and accessed?
- Verbal communication
- Hard copy
- Electronic data
Your duties to protect PHI will depend on this!

What must health organizations do?
- Develop and implement written policies and procedures (including a Notice of Privacy Practices)
- Designate an official responsible for implementation
- Document any non-routine disclosures
- Train the workforce: employees, volunteers, trainees. YOU!

Who has to comply and be trained?
Providers and anyone in direct contact with patients' PHI or medical records.
Hybrid entities: workforce members in a hospital or pharmacy whose jobs have nothing to do with patient PHI or privacy may fall outside the covered component and not need HIPAA training. Examples: hospital gift shop staff, cleaning staff, the photo cashier at a chain pharmacy.

Tips for Students
- Do not discuss patients in a public area
- Don't speak about PHI too loudly
- Remove PHI when presenting patients
- Charts and computers should not be left open
- Follow institutional policies and procedures
- Protect portable devices (encrypt them, etc.)
CAUTION: Be careful what you discard! Protected health information in the trash is still PHI.
(Photo by Sea Turtle, licensed CC BY-NC-ND 2.0)

Electronic Security Tips: Computers and Mobile Devices

Major cyber security risks:
- Unintended access, change or deletion of electronic information
- Curious employees snooping
- Viruses, malware, worms or hacking
- Emailing PHI offsite
- Carelessness with, or lending of, passwords
- Disabling screen-timeout and lock functions, or jailbreaking devices

CAUTION: Cell Phones
(Photo by Suranga, licensed CC BY-NC-ND 3.0)

Can You Access Your Own Records?
It is not a HIPAA violation to view your own medical record, but it is not a good idea: using your workforce system access to do so may violate your organization's policies and procedures. Contact the Privacy Officer or the other person designated in policy and follow the process.

Social Media
(Photo by Gianfranco Chicco, licensed CC BY-NC-SA 3.0)

HIPAA & Social Media Myths
- Myth #1: It is okay to discuss patients as long as their name is not used.
- Myth #2: Pictures at work are okay as long as they are not of patients.
- Myth #3: Public figures don't have the same protections.

Well-Intentioned Social Media Risks
1. A terminated employee posts a notice on Facebook about a new job, naming a prior patient.
2. An employee helps a patient or family to post or blog (e.g. CaringBridge).
3. Communal laptops and flash drives are not wiped after use.
4. A client/patient misses an appointment, and the provider reaches out on Facebook to ask why.
5. An employee "friends" a client/patient: boundary issues.
6. Mailing home encrypted data or disabling security.
7. Patient photos and geo-tags.
8. Inadvertent social sharing of PHI.

2. Use & Disclosure of PHI

Use v. Disclosure of PHI
USE: "sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information."
DISCLOSURE: "release, transfer, provision of access to, or divulging in any other manner PHI outside the entity holding the information."

Permitted Uses of PHI
- Patient authorization
- Agreements
- Laws
- TPO: treatment, payment and (health care) operations
When in doubt, find out! Ask your supervisor or request patient authorization.

Permitted Uses of PHI (continued): Treatment, Payment, Operations
(Photos by LawyersandSettlements.com, CC BY-ND 3.0; Edublog, CC BY-NC-SA 3.0; enfermeriauva.blogspot.com, CC BY-NC-SA 3.0)

Disclosure: Rule of Thumb
- Authorized
- Limited to the necessary information
- Protected from others
- When in doubt, find out!!!

Permitted Disclosures
- Legal representative
- Family and friends involved in care (unless the patient says no)
- Other providers
- Business associates

Family or Friends: Yes or No?
- May a doctor give information about a patient's mobility limitations to a friend driving the patient home from the hospital?
- May a hospital administrator discuss a patient's payment options with her adult daughter?
- May a hospital pharmacist instruct a patient's roommate about proper medicine dosage when she comes to pick up the patient's medication before the patient is discharged?
- May a physician discuss a patient's treatment with the patient in the presence of a friend, when the patient asks if the friend can come into the treatment room?

YES, in each case. The HIPAA Privacy Rule permits sharing information directly relevant to a person's involvement in the patient's care or payment for care with a spouse, family member, friend or other person when:
- the person is identified by the patient as someone to whom PHI can be released, or is involved in the patient's care or payment for care;
- the patient is present and has the capacity to make health care decisions, and agrees or does not object when given the opportunity; or
- it can reasonably be inferred, based on professional judgment, that the patient does not object.

Patient Right to Restrict Disclosure to Insurance
Patients who pay in full out of pocket for an item or service can direct that their health plan not be informed of the treatment and can deny the plan access to those records; the provider must honor that restriction.

Business Associates (BAs)
Outside entities or persons with which sharing of PHI is necessary:
- Have BA agreements regarding privacy practices
- They are directly responsible for complying with HIPAA
- Have safeguards and procedures to limit PHI to the minimum necessary for the purpose

Other Permitted Disclosures (that do not require patient authorization)
Disclosures of PHI without patient authorization are allowed for the following defined law enforcement and public health purposes:
- Public health activities
- Victims of abuse, neglect or domestic violence
- Law enforcement purposes
- Legal process (subpoena, court order)
- To comply with workers' compensation laws
- To avoid a serious threat to health or safety
- To DEA or state pharmacy board inspectors
- To report adverse events to the DEA

EMERGENCY! It IS acceptable to release PHI in emergency situations without authorization. Remember: use your best judgment and keep the patient's best interest in mind!

More Permitted Uses & Disclosures
- Discussing a treatment plan with a patient's other providers (except psychotherapy notes, HIV test results and substance abuse treatment records, which carry extra protection)
- Transferring medical records when a practice changes ownership

Minimum Necessary Rule

Minimum Necessary
Limit PHI to the minimum required to accomplish the purpose. For example: when submitting a claim for a patient, there is no need to provide the diagnosis unless the payer NEEDS that information.
- Organization policies should identify what information is needed by whom in order to perform their job duties.
- It is NOT appropriate to access your own information through your work access; you must follow the process and procedures in place.
AGAIN, use your PROFESSIONAL JUDGMENT and keep the patient's best interest in mind!

Designated Record Set (HIPAA)
Formal access requests apply to the designated record set. This set includes any records containing "medical ... case or medical management ... billing ... enrollment, payment, [or] claims adjudication" information, used "in whole or in part, by or for the covered entity to make decisions about individuals." (45 CFR 164.501)

Disclosure Tips
- Check that the email address, phone number or fax number is correct
- Use a confidential fax cover sheet
- Review the chart and ensure the minimum necessary
- Follow the tracking procedure

Incidental Disclosures
- Overheard by another person when counseling a patient or talking to another health care professional
- A piece of paper seen by a person who is not authorized
- Family or friends picking up prescriptions
These are not penalized under HIPAA if reasonable policies and safeguards to protect the information are in place. A violation does NOT occur when the disclosure:
- could not reasonably be prevented,
- is limited in nature, and
- is a by-product of a permitted use or disclosure.

Incidental Use: Examples
- The Privacy Rule guidance specifically states that no violation occurs by calling a patient's name in an office or pharmacy.
- Pharmacies are not required to use extraordinary means (such as soundproofing) for counseling areas.

De-identified Information
De-identified information is NOT protected as PHI, but de-identification must meet the stringent requirements of 45 CFR 164.514(b): either removal of the listed identifiers (the "safe harbor" method) or a documented expert determination that the risk of re-identification is very small.
CAUTION: do not include data that could reasonably lead to identification of the individual. "Not protected" DOES NOT mean the information can be disclosed freely without care. USE YOUR PROFESSIONAL JUDGMENT!
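The identifier list from the "What is protected?" slide and the safe-harbor de-identification requirement of 45 CFR 164.514(b) above, shown as an added worked example in Python (this is not part of the original slides). The field names, the regular expressions and the sample record are constructed for illustration only; the "age over 89" rule goes slightly beyond the slide but is part of the safe-harbor method. The second function is the check a practitioner would want: an independent scan of the scrubbed output for anything that still looks identifying.

```python
"""Safe-harbor de-identification of a patient record (added example).

Field names, patterns and SAMPLE_RECORD are constructed assumptions for
illustration; they are not from the training slides or any real system.
"""
import re
from typing import Any

# Direct identifiers from the slide's PHI list, keyed by assumed field names.
DIRECT_IDENTIFIERS = frozenset({
    "patient_name", "address", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_identifier",
    "device_identifier", "url", "ip_address", "biometric", "full_face_photo",
})
# Date fields: every element except the year must be removed.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})

# Patterns that leak identifiers inside free text such as clinical notes.
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")          # 2016-02-09
US_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")        # 2/9/2016
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TEXT_PATTERNS = (("date", ISO_DATE), ("date", US_DATE), ("ssn", SSN),
                 ("phone", PHONE), ("email", EMAIL), ("ip", IPV4))


def year_only(value: str) -> str:
    """Reduce an ISO (YYYY-MM-DD) or US (M/D/YYYY) date string to its year."""
    match = ISO_DATE.fullmatch(value) or US_DATE.fullmatch(value)
    if match is None:
        raise ValueError(f"unrecognised date format: {value!r}")
    return match.group(1)


def scrub_text(text: str) -> str:
    """Rewrite free text: dates keep only the year, other identifiers are masked."""
    text = ISO_DATE.sub(r"\1", text)
    text = US_DATE.sub(r"\1", text)
    for _, pattern in TEXT_PATTERNS[2:]:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a new record with the safe-harbor identifiers removed.

    Ages over 89 are collapsed into a single "90+" category, as the
    safe-harbor method also requires (a small step beyond the slide).
    """
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # drop outright
        if key in DATE_FIELDS:
            clean[key] = year_only(value)             # keep the year only
        elif key == "age" and isinstance(value, int) and value > 89:
            clean[key] = "90+"
        elif isinstance(value, str):
            clean[key] = scrub_text(value)            # notes, comments, etc.
        else:
            clean[key] = value
    return clean


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Independent check after scrubbing: report anything still identifying."""
    findings: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            findings.append(f"{key}: direct identifier present")
        elif isinstance(value, str):
            for name, pattern in TEXT_PATTERNS:
                if pattern.search(value):
                    findings.append(f"{key}: {name} pattern found")
    return findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Jane Q. Example",
    "date_of_birth": "1975-03-14",
    "admission_date": "2016-02-09",
    "age": 40,
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Pt seen 2016-02-09; call 515-555-0100 or jane@example.org "
              "with results. Follow-up 3/1/2016."),
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned) or "none")
```

The scrub and the check are deliberately separate code paths: the check is what catches an identifier that arrived in a field the scrubber did not expect (a phone number typed into a comments field, for instance). Pattern-based scrubbing of free text is never complete, which is the slide's own caveat: de-identified output still needs professional judgment before release.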

There are SERIOUS Consequences!
- Audits
- Civil penalties (enforced by OCR): minimum fine $100 per violation, maximum $1.5 million per year for violations of the same provision (amounts are adjusted for inflation)
- Criminal penalties (enforced by DOJ) for KNOWINGLY violating HIPAA: fines up to $250,000 and imprisonment up to 10 years

Consequences for Employees
- Placed on immediate leave pending investigation
- Disciplinary action: firing, suspension, reprimand documented in the employee record, probation, peer review, further HIPAA training
Student consequences?

3. HIPAA Patient Rights
Patients have the right to:
- A Notice of Privacy Practices
- Review and get copies of their medical and financial records
- Request corrections

Notice of Privacy Practices: Content (in plain language)
- How the covered entity may use and disclose their PHI
- The individual's rights regarding PHI and how to exercise them
- The covered entity's legal duties regarding PHI
- Contact information (the privacy officer) for more information
Must include this language: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

Distribution & Acknowledgement
Distribution:
- No later than the first date of service
- In an emergency, as soon as reasonably practicable
- To anyone who asks for it
- Prominently posted in the facility and on any website that contains information about its customer services or benefits
Acknowledgement:
- Make a good-faith effort to obtain a written acknowledgement of receipt of the notice (and document the attempt if the patient declines)
- Keep acknowledgements for 6 years from the date they were created

Patient Access to Records
Patients may request, and are entitled to:
- A copy of their medical record. The covered entity has up to 30 days to comply and may charge a reasonable, cost-based fee.
- An accounting of non-routine disclosures: a description of what was disclosed, why it was disclosed, the date, and the name of the individual or entity receiving the information and their address, if available.
See your organization's Medical Records, HIPAA and/or Release of Health Care Information policies and procedures!
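The minimum-necessary rule, the patient's right to restrict disclosures to a health plan after paying out of pocket, and the accounting of non-routine disclosures described above, combined in one added Python example (not from the original slides). The purpose-to-field policy table, the class and method names and the sample record are assumptions for illustration; a real policy would come from the organization's own procedures. Note that TPO disclosures are routine and are not written to the accounting, while the public-health disclosure is.

```python
"""Minimum-necessary disclosure with an accounting of disclosures (added example).

The policy table, class names and SAMPLE_RECORD are constructed assumptions
for illustration, not the slides' or any organisation's real policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Optional

# Assumed policy: the fields each purpose may receive (minimum necessary).
MINIMUM_NECESSARY: dict[str, frozenset[str]] = {
    "treatment": frozenset({"mrn", "patient_name", "diagnosis", "medications", "allergies"}),
    "payment": frozenset({"mrn", "patient_name", "service_date", "procedure_code", "charge"}),
    "operations": frozenset({"mrn", "service_date", "procedure_code"}),
    "public_health": frozenset({"diagnosis", "service_date"}),  # permitted without authorization
}
TPO = frozenset({"treatment", "payment", "operations"})  # routine; not in the accounting


class DisclosureError(PermissionError):
    """The requested disclosure is not permitted under policy."""


@dataclass(frozen=True)
class Disclosure:
    """One entry in the accounting of non-routine disclosures."""
    mrn: str
    on: date
    recipient: str
    recipient_address: Optional[str]
    purpose: str                      # why it was disclosed
    description: tuple[str, ...]      # what was disclosed (field names)


class PhiDisclosureService:
    def __init__(self) -> None:
        self.accounting: list[Disclosure] = []

    def can_disclose(self, record: dict[str, Any], purpose: str) -> bool:
        """Policy check without releasing anything."""
        if purpose not in MINIMUM_NECESSARY:
            return False                       # needs patient authorization instead
        if purpose == "payment" and record.get("self_pay_restriction"):
            return False                       # patient paid in full and restricted the plan
        return True

    def disclose(self, record: dict[str, Any], purpose: str, recipient: str, *,
                 recipient_address: Optional[str] = None,
                 payer_needs_diagnosis: bool = False,
                 on: Optional[date] = None) -> dict[str, Any]:
        """Release only the minimum necessary fields and log non-routine disclosures."""
        if not self.can_disclose(record, purpose):
            raise DisclosureError(f"{purpose!r} disclosure not permitted for this record")
        allowed = set(MINIMUM_NECESSARY[purpose])
        if purpose == "payment" and payer_needs_diagnosis:
            allowed.add("diagnosis")            # only when the payer actually needs it
        released = {k: v for k, v in record.items() if k in allowed}
        if purpose not in TPO:
            self.accounting.append(Disclosure(
                mrn=record["mrn"], on=on or date.today(), recipient=recipient,
                recipient_address=recipient_address, purpose=purpose,
                description=tuple(sorted(released)),
            ))
        return released

    def accounting_for(self, mrn: str) -> list[Disclosure]:
        """What a patient gets back when requesting an accounting of disclosures."""
        return [d for d in self.accounting if d.mrn == mrn]


# Constructed sample record; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "mrn": "MRN-0042", "patient_name": "Jane Q. Example", "ssn": "123-45-6789",
    "service_date": "2016-02-09", "procedure_code": "99213", "charge": 145.0,
    "diagnosis": "E11.9", "medications": ["metformin"], "allergies": [],
}

if __name__ == "__main__":
    svc = PhiDisclosureService()
    print("claim:", svc.disclose(SAMPLE_RECORD, "payment", "Example Health Plan"))
    svc.disclose(SAMPLE_RECORD, "public_health", "State Dept. of Health",
                 recipient_address="123 Capitol Ave", on=date(2016, 3, 1))
    print("accounting:", svc.accounting_for("MRN-0042"))
```

The design point is that the field filter is an allow-list per purpose, so a new field added to the record (the SSN here) is withheld by default until policy says who needs it; a deny-list would leak it. The self-pay restriction is enforced in the same check rather than left to the person preparing the claim, which is the kind of control an auditor will look for behind the policy text.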

What could happen if patients are not given timely access to their records?
Cignet Health denied 41 patients access to medical records requested between September 2008 and October 2009, and did not cooperate with the HHS investigation. The government imposed a $1.3 million penalty for violating the HIPAA requirement to provide patients with their medical records within 30 days, plus a further $3 million for failing to cooperate with the investigation.

HITECH Act: What if there is a breach?
(Photo by LawTechTV, licensed CC BY-SA 2.5)

Handling Breaches: HITECH Act
If a covered entity discovers a breach of unsecured PHI, it must notify the affected patients. If 500 or more individuals are affected, it must also notify HHS (without unreasonable delay, and no later than 60 days) and prominent media outlets; smaller breaches are logged and reported to HHS annually.

Three-step procedure for deciding whether an incident is a reportable HIPAA breach:
1) Was there an impermissible use or disclosure of PHI under the Privacy Rule?
2) Does the impermissible use or disclosure pose a significant risk of financial, reputational or other harm to the individual?
3) Are the exceptions to the definition of breach, and to the notification requirement, inapplicable to the impermissible use or disclosure?
If the answer to any of these is no, you likely do not have to report. Note that the 2013 Omnibus Rule replaced the harm test in step 2: an impermissible use or disclosure is now presumed to be a breach unless the entity demonstrates, through a documented risk assessment (the nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation), a low probability that the PHI was compromised. The burden is on the entity to justify a decision not to report, and the compliance program must include detailed record-keeping procedures documenting why reporting was or was not required.

Must designate: Privacy Officer
- A "privacy official" responsible for the "development and implementation" of the policies and procedures for HIPAA compliance.
- A "contact person or office" responsible for providing information, receiving complaints and handling the administration of patients' records and rights.
(45 CFR 164.530(a))

Reporting Privacy & Security Violations
If YOU are aware of or suspect a violation, YOU are REQUIRED to report it to:
- Your supervisor
- The Privacy Office
- The Information Security Office
- The Compliance Hotline
There are also institutional requirements: employee training, employee acknowledgment of policy, and enforcement of security policies. No one is above the policy. You are part of the culture of compliance.

Conclusion
- Advocate for your patient: protect their privacy.
- There are significant consequences for failing to do so.
- Review the policies and procedures and be prepared for the areas where you are vulnerable.
- Know: patient rights; what PHI is and how you can use and protect it; how to disclose PHI and the safeguards required.
- Use common sense and seek help! You can do it!