HIPAA PRIVACY TRAINING

HIPAA Privacy Training Objectives

- Present a general overview of HIPAA and define important terms
- Understand the purpose of HIPAA and the Privacy Rule
- Understand the term Protected Health Information (PHI)
- Understand the rules for use and disclosure of PHI
- Understand the Notice of Privacy Practices and clients' rights
- Understand that health care organizations may still share PHI with their business associates while following HIPAA requirements
- Identify who must comply
- Discuss the legal requirements and their everyday application in health care
- Illustrate the compliance strategies that health care professionals and support staff must follow

Training Outline

- Complete the pre-test
- Review the training modules
- Complete the post-test (a minimum score of 80% is required to complete HIPAA Privacy Training)
- Receive a certificate of completion

Table of Contents

- What is HIPAA?
- Who Must Comply with HIPAA
- HIPAA and the Privacy Rule
- Health Care Providers' Responsibilities under the Privacy Rule
- What Does the Privacy Rule Mean to You (Health Care Professional and Support Staff) and Patients?
- What is Protected Health Information
- What Protected Health Information (PHI) Includes
- Protected Health Information Use and Disclosure
- The Importance of Protecting Patient Health Information
- Patient Rights
- Notice of Privacy Practices
- Notice of a Person's Rights to Control Their PHI
- Treatment, Payment and Health Care Operations (TPO)
- General Rules for Treatment: When Written Permission IS NOT Needed for Disclosure
- General Rules for Written Authorization or Permission
- General Rules When the Patient Needs the Option to Decide
- Minimum Necessary
- Incidental Disclosures
- Penalties for Violating the Privacy Rule
- Frequently Asked Questions
- Personal HIPAA Compliance Checklist
- HIPAA Privacy and Security Training: Pre-Test and Answer Key
- HIPAA Privacy and Security Training: Post-Test and Answer Key
- Employee HIPAA/Confidentiality Agreement Form

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. Its purpose is to improve the efficiency and effectiveness of the country's health care system by:
- establishing standards for the electronic transmission of health information;
- establishing standards to protect the privacy of individuals' medical records and other protected health information; and
- ensuring the security of health care information.

Who Must Comply with HIPAA?

Covered entities must comply with HIPAA. A covered entity is a:
  o Health Plan
  o Health Care Clearinghouse
  o Health Care Provider (one that transmits health information electronically in connection with a HIPAA standard transaction, such as claims)

Providers are covered entities under HIPAA and are subject to the privacy regulation. Since the 2013 HIPAA Omnibus Final Rule, business associates (and their subcontractors) are also directly liable for complying with the Privacy and Security Rule provisions that apply to them. HIPAA clearly defines both permitted and prohibited behaviors and outlines the consequences of sharing patient information improperly. One thing every health care professional or support staff member must realize: HIPAA is a federal law, and compliance is not voluntary. It is mandatory. As an employee, staff member or volunteer of a health care provider, even if you work from home, you must be aware of the law and of your obligations to protect the privacy of patients.

HIPAA and the Privacy Rule

HIPAA has many sections. The Privacy Rule was adopted under the Health Insurance Portability and Accountability Act of 1996. The HIPAA Privacy Rule:
  o establishes safeguards to protect the privacy of health care information;
  o sets boundaries on the use and release of health records; and
  o holds people accountable if they violate patient rights (civil and criminal penalties).

Health Care Providers' Responsibilities under the Privacy Rule

- Notify patients about their privacy rights.
- Adopt and implement privacy procedures across the agency.
- Train employees on the privacy procedures.
- Ensure that business associates protect patients' information.
- Designate an agency Privacy Officer and a Privacy Complaint Officer.
- Establish a complaint procedure.

What Does the Privacy Rule Mean to Health Care Professionals, Caregivers and Patients?

The Privacy Rule gives patients more control over their Protected Health Information (PHI). Under the Privacy Rule you need to know:
- patients' rights regarding the use of their PHI;
- key terms and general rules that you can apply; and
- when you can share patient information and when there are limits on what can be used or shared.

What is Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information, whether oral or recorded in any form or medium (transmitted or maintained in any electronic, written or spoken format), that:
- relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
- identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

The term has the meaning given to it under HIPAA and the HIPAA Privacy Regulations: "protected health information" and "individually identifiable health information" are defined at 45 CFR 160.103, and related terms (treatment, payment, health care operations and others) at 45 CFR 164.501.

Protected Health Information (PHI) Includes

The Privacy Rule's "safe harbor" de-identification standard (45 CFR 164.514(b)) lists 18 identifiers of the patient (and of the patient's relatives, employers and household members) that make health information PHI until every one of them is removed:
- Names
- Geographic subdivisions smaller than a state, including street addresses, cities, counties and ZIP codes
- Dates (other than year) directly related to an individual, such as birth date, admission date, discharge date and date of death, and all ages over 89
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including fingerprints and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code

URLs and IP addresses count too, which matters in practice because they turn up routinely in web server, portal and application logs that are rarely treated as medical records.
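The list above is what a data-loss-prevention check, a fax/e-mail gateway filter or a log-scrubbing step has to recognize before text leaves a covered entity. The scanner below is an added example written for this page, not code from the training program or from HHS. Its regular expressions are heuristics for the identifier classes that have a machine-recognizable shape (names, biometrics and photographs cannot be found this way), the "MRN" label format is an assumption, and the sample note it scans is constructed with fictitious values.

```python
import re

# Heuristic patterns for the identifier classes that have a recognizable
# shape. Names, biometrics and photos are not pattern-detectable and are
# deliberately absent. These expressions are assumptions for this example,
# not an official specification; tune them to local data formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Full dates are identifiers, a bare year is not: match m/d/y and ISO forms only.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s;,]+", re.IGNORECASE),
    # Medical record numbers have no universal format; this assumes an
    # "MRN" label followed by 6-10 digits (an assumption for the example).
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    # Five-digit ZIP. Any five-digit number matches, so treat hits as "review".
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def find_identifiers(text):
    """Return {identifier_class: [matches]} for every class found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[name] = matches
    return found


def contains_phi(text):
    """True if any pattern-detectable identifier class is present.

    A negative result is not proof of de-identification (names and
    free-text descriptions are not caught); a positive result is a reliable
    signal that the text must not leave the covered entity unprotected.
    """
    return bool(find_identifiers(text))


def redact(text):
    """Replace each match with a bracketed class tag, which keeps an
    application log or a bug report usable without carrying PHI."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub("[" + name.upper() + "]", text)
    return text


# Constructed sample note; every value is fictitious.
SAMPLE_NOTE = (
    "Pt Jane Doe, MRN 00482913, DOB 03/14/1961, called from 555-867-5309 "
    "about her bill; email jane.doe@example.com; SSN 123-45-6789; "
    "portal login from 192.0.2.44 via https://portal.example.org/visit?id=9921; "
    "home ZIP 30301."
)

if __name__ == "__main__":
    for cls, hits in find_identifiers(SAMPLE_NOTE).items():
        print(f"{cls}: {hits}")
    print(redact(SAMPLE_NOTE))
```

Run it as a pre-send hook on outbound e-mail or fax cover text, or over log lines before they are shipped to a monitoring service. Note what it does not do: the name "Jane Doe" passes through untouched, so a clean result from this scanner never by itself satisfies the safe harbor standard.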

Protected Health Information: Use and Disclosure

Protected Health Information (PHI) includes information that:
- is sent or stored in any form;
- identifies the patient or can be used to identify the patient;
- is created or received by a covered entity; and
- is generally about a patient's past, present and/or future treatment and payment for services.

Use generally refers to how PHI is handled within the health care company. Disclosure generally refers to how PHI is shared outside it.

The Importance of Protecting Patient Health Information

Employees with access to patient data may use or disclose it only on a need-to-know basis:
- Keep this information confidential.
- Access or use this information only as required to perform your job.
- Provide the minimum necessary information when responding to requests for information.
- Do not discuss this information with others unless it is administratively or clinically necessary to do so.
- Do not use any electronic media to copy or transmit this information unless you are specifically authorized to do so.

Patient Rights

The Privacy Rule gives patients the right to:
- have their PHI protected;
- receive a written notice of the company's privacy practices;
- have their written authorization obtained before PHI is released for purposes the rule does not otherwise permit;
- request restrictions on the use and disclosure of their PHI;
- inspect and obtain a copy of their PHI, as documented by the department;
- request amendment of records that are inaccurate or incomplete;
- obtain an accounting of disclosures of their PHI; and
- file a grievance or complaint.

Notice of Privacy Practices

Health care providers and health plans give out a Notice of Privacy Practices (NPP) that describes how they use and share PHI, the patients' rights, the organization's responsibilities regarding PHI, and whom to contact for more information. The company must give the notice to each patient at the first treatment encounter and make a good-faith effort to obtain written acknowledgment of receipt. It is important that you know patients' rights and responsibilities.

Notice of a Person's Rights to Control Their PHI

- The notice lists the disclosures that may be made without the patient's authorization: those required by law; for public health; for health oversight; child abuse reporting; FDA reporting; communicable disease exposure; wound or injury reporting; response to legal process; law enforcement; coroners or medical examiners; organ procurement; research protocols where the Institutional Review Board (IRB) has waived the individual's authorization requirement; and workers' compensation.
- Patients have a right to request confidential forms of communication. Companies must accommodate reasonable requests to receive confidential communications.
- Patients have a right to request restricted uses and disclosures of PHI.
  o Requests for restrictions should be made in writing to the institution's Privacy Officer.
- Patients have a right to inspect and obtain a copy of the health information in their medical or billing record.
- Patients have a right to request amendment of their medical and billing records.
- Patients have a right to file a formal complaint about violations of privacy with the agency or with the Department of Health and Human Services.

Treatment, Payment and Health Care Operations (TPO)

Health care providers may use or disclose PHI for their own treatment, payment or health care operations:
- Treatment generally means the provision, coordination or management of health care and related services among health care providers, or by a health care provider with a third party; consultation between health care providers regarding a patient; or the referral of a patient for health care from one health care provider to another.
- Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, fulfill coverage responsibilities and provide benefits under the plan.
- Health care operations are certain administrative, financial, legal, training and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

GENERAL RULES: TREATMENT. Written Permission IS NOT Needed for Disclosure

There are many myths about when patient permission is needed. Written permission is not needed:
- to use or share PHI to treat a patient, get paid for treatment, or evaluate the person who provided treatment (TPO);
- to share PHI with the patient;
- for public health purposes, such as reporting births and deaths; or
- to disclose PHI to business associates (vendors) for TPO under a written contract.

A business associate is a person or entity to whom an agency discloses PHI so that the person or entity may carry out, assist with, or perform a function on behalf of the agency (e.g., billing). The agency is required to have satisfactory assurance that any business associate will appropriately safeguard the PHI it receives or creates in the course of performing services for the agency. The agency must document the satisfactory assurances through a written contract (the business associate agreement).

GENERAL RULES: When Written Permission IS NOT Needed (cont'd)

- As required by law.
- To report abuse or neglect.
- For law enforcement purposes.
- For organ donation organizations.
- To medical examiners and funeral directors.
- To avert a serious threat to health or safety.
- For certain research activities if the Institutional Review Board (IRB) or a Privacy Board has granted a waiver of authorization.

GENERAL RULES: Written Authorization or Permission

HIPAA requires health care providers to obtain a written authorization to disclose or release any PHI that is not for treatment, payment or health care operations, or otherwise permitted by the rules. Examples of disclosures requiring written authorization under HIPAA: disclosures to third parties outside TPO, such as schools, camps, airlines, hotels, community care organizations, outside attorneys, or another health care provider when the purpose is not treatment.

A valid authorization must contain the following elements:
- A description of the information to be used or disclosed.
- Who is authorized to make the use or disclosure.
- To whom the disclosure may be made.
- A description of each purpose of the use or disclosure.
- An expiration date or an expiration event.
- The signature of the individual and the date.
- Required statements:
  o the individual's right to revoke the authorization, and directions on how to revoke it;
  o whether treatment or payment may or may not be conditioned on signing the authorization; and
  o the risk that the recipient may re-disclose the information, after which it may no longer be protected by the Privacy Rule.

GENERAL RULES: When Written Permission IS Needed

Patient permission (authorization) is needed to use or share PHI for certain marketing and fund-raising activities. For example:
- A doctor cannot give a diaper company the names of pregnant patients without an authorization.
- A home care agency cannot use patients' full-face photos or names in its brochures without an authorization.
- A physical therapy practice must obtain a written authorization before requesting a patient's information from a home health agency for a purpose other than treatment, payment or health care operations (for example, to market its own services to that patient).

GENERAL RULES: When Written Permission IS Needed (cont'd)

Clinical research is uniquely affected by the regulations. Patient permission (authorization) is needed to use or share PHI for research unless an IRB or Privacy Board has waived the authorization requirement. For example: a researcher cannot enroll a patient in a study without an authorization that states what the PHI will be used for, who can use it, and for how long.

GENERAL RULES: When the Patient Needs the Option to Decide

Patients are allowed to decide whether they want some or all of their PHI to be used or shared, such as:
- for patient directories; and
- with friends and family members involved in the patient's care or in payment for that care.

GENERAL RULES: Minimum Necessary

Generally, the amount of PHI used, shared, accessed or requested must be limited to what is needed. For example: when a billing company bills for a blood test, it does not need the patient's complete medical record. In some cases this rule does not apply, such as when PHI is shared among health care providers for treatment. Workers should have only the PHI their job responsibilities require. For example: someone who schedules staff for home care services may need to know the patient's phone number and address, but does not need to know the patient's medical history. In information systems this is the least-privilege principle: access to records and fields is granted by role and job function, not through a shared login that opens the whole chart.

GENERAL RULES: Incidental Disclosures

An incidental disclosure is a sharing of PHI that occurs as a by-product of an otherwise allowable use or disclosure of PHI. For example: visitors may hear a patient's name called out in an office setting, or overhear a clinical discussion as they walk down a hallway in the office. An incidental disclosure that occurs as a by-product of an otherwise permitted use or disclosure is permitted:
- if it cannot reasonably be prevented;
- if it is limited in nature; and
- to the extent that reasonable safeguards exist and the minimum necessary standard was applied.

GENERAL RULES: Incidental Disclosures (cont'd)

Take reasonable safeguards to secure and protect PHI. For example:
- Keep patient information on whiteboards/locator boards to a minimum.
- Reduce unnecessary incidental disclosures during check-in and in waiting rooms.
- Limit the amount of information disclosed on an answering machine.
- Do not discuss patients in public areas.
- Consider location when posting patient schedules and storing patient charts.
- Keep voices low when discussing patient issues in shared treatment areas.
- Position workstations so screens do not face public areas; consider using screen filters.
- Use (but do not share) computer passwords, and lock or log off workstations when you step away.
- Lock cabinets that store PHI.

GENERAL RULES: If Protections Are in Place

- You can talk with other providers or patients, even if you may be overheard.
- You can orally arrange services.
- You can discuss a patient's condition with the patient, other providers or family members over the phone, or in a patient's semi-private room or home.
- You can talk about patient conditions in education programs.
- Prescriptions can be discussed with the patient over a drugstore counter, or by you or the patient by phone.
- Messages can be left on answering machines or with those who answer the phone, but the message should be limited to the minimum necessary and should not contain sensitive information.
- Charts at bedsides or outside exam rooms are allowed, but consider having them face backwards.
- If services are provided to patients in their homes, charts are secured or placed in a locked cabinet.
- Patient care signs are allowed, such as for diet needs.
- Whiteboards are allowed.
- PHI can be shared in group therapy settings for treatment.

GENERAL RULES: Penalties for Violating the Privacy Rule

The privacy regulations' penalties include:
- Civil penalties of $100 per violation, up to $25,000 per calendar year for violations of an identical provision. These are the original 1996 figures; the HITECH Act of 2009 replaced them with a tiered scale of $100 to $50,000 per violation and an annual cap of $1.5 million per identical provision, amounts that have since been adjusted for inflation.
- Criminal penalties of up to $250,000 and 10 years in prison. That is the top tier, for offenses committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm; knowing violations without those aggravating factors carry lower fines and shorter terms.
- Company policies may include disciplinary action up to and including discharge.

Frequently Asked Questions: Protected Health Information

Q: Is PHI the same as the medical record?
A: No. HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the fact that a person is a patient here is Protected Health Information.

Q: What if I'm accidentally overheard discussing a patient's PHI?
A: It is not a violation as long as you were taking reasonable precautions and were discussing the PHI for a legitimate purpose. The Privacy Rule is not meant to prevent care providers from communicating with each other and with their patients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.

Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it?
A: If it seems appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Company Privacy Officer.

Frequently Asked Questions: Protected Health Information (cont'd)

Q: I don't need to access PHI for my job, but every now and then a patient's family member asks me about a patient. What should I do?
A: Explain that you do not have access to that information, and refer the individual to the patient's health care provider.

Q: I know that patients have a right to their PHI. What about parents and guardians of incompetent patients?
A: If someone other than the patient has the legal right to make health care decisions for the patient, that person is the patient's personal representative and has the right to access the patient's PHI. However, if you have good reason to believe that informing the personal representative could result in harm to the patient or others, then you do not have to disclose the PHI.

Q: What should I do if a government agency or a law enforcement officer requests information about a patient?
A: If working with law enforcement is not part of your responsibility, contact your supervisor. If it is your responsibility, first verify the identity and authority of the individual or organization making the request, then provide only the minimum necessary to support the investigation. Always consult your supervisor or the Privacy Officer if you're not sure what to do.

Frequently Asked Questions: Protected Health Information (cont'd)

Q: As part of my job, I have access to a patient's PHI. How do I know which family members and friends can be told this information?
A: Always ask the patient who can receive this information, and document the patient's response in the medical record.

Q: When I am speaking to a patient and friends or family members are nearby, do I assume the patient has given me permission to discuss the PHI in front of these persons, or do I need to ask them to leave?
A: It is proper to speak unless the patient objects. If you are uncertain, ask the patient whether it is okay to discuss their PHI in front of the person.

Frequently Asked Questions: Protected Health Information (cont'd)

Q: If the patient is not conscious, to whom can we disclose the PHI?
A: You will have to decide this on a case-by-case basis. If you know the patient's preferences ("you can tell my spouse, but not my sister"), document the request and follow it. Otherwise, use your professional judgment. Always apply the minimum necessary standard: disclose only information that is directly relevant to the person's involvement in the patient's health care. Once the patient has regained consciousness, he or she will determine when and how we can share protected information. When in doubt, contact the Company Privacy Officer.

Q: What if I am approached by an individual who just says he is a friend of a patient?
A: Check whether the patient, or the patient's representative, has approved this individual to receive PHI. If so, ask for one or more pieces of identification, including a photo ID.

Frequently Asked Questions: Protected Health Information (cont'd)

Q: What about requests to leave information on voice mail or an answering machine?
A: If you are asked to phone or leave confidential information via voice mail, first verify with the patient or another approved individual that it is okay to leave messages this way, and confirm the number. Your unit may have more restrictive policies, so check with your supervisor or department head.

Q: What if I find that a fax went to a wrong number?
A: Try to retrieve the faxed communications containing PHI, or confirm that the recipient has destroyed them securely. Report the misdirected fax to the Privacy Officer as well: an impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and that assessment is not yours to skip.

Personal HIPAA Compliance Checklist

- I will familiarize myself with the company's or the site's specific HIPAA policies.
- I will know and understand when and where patients must be given HIPAA notices.
- When reviewing records or discussing patients, I will be mindful of the privacy rules.
- If I have any questions about the appropriateness of a request for information, I will check with my supervisor or an appropriate institutional staff member.

NOTES