Health Insurance Portability & Accountability Act
NCPD#1/jab 0803
What I will learn from this
program
What is HIPAA
Who is covered by HIPAA
Goals of HIPAA
Definitions
What is “Protected Health Information (PHI)”,
“Use”, and “Disclosure”
What are “Security Rules”
How does this affect you
Why comply
What is HIPAA
HIPAA – Health Insurance Portability and
Accountability Act of 1996
Original intent was to ensure portability of insurance coverage when employment changes.
Administrative Simplification
Standardization of formats, codes and identifiers
Increased security of electronic health data
Increased protection of protected health information
Simplify health care administration
Who is covered by HIPAA
Covered entities include
Health care providers
Health plans
Health care clearinghouses
Goals of HIPAA
For Patients
Control over their information
The right to see their records and correct any mistakes in them
The right to know who has seen their information
Goals of HIPAA
For Institutions
Protect patient information
Limit use of patient information
Penalize those who misuse information
Definitions
Protected Health Information = Individually
identifiable health information in any form
or media. Only authorized people will look
at or use it for treatment, payment or
health care operations (TPO)
Privacy = Right of each person to keep
certain personal information to him or
herself, confident that only authorized
people will look at or use it.
More Definitions
Security = Protection of information, data
and systems from accidental or intentional
access by unauthorized users.
TPO = Treatment, Payment and
Operations
Minimum Necessary = Minimum amount
of information you “need to know” to do
your job.
What is Protected Health
Information
Information that identifies a person
A person who is living or deceased
Past, present or future health information
Electronic or paper form, or spoken in
conversation
Examples: patient charts, lab reports, x-rays, billing systems, nursing notes, phone calls, and conversations about patients
What Makes Information
Identifiable
Name
Address
Phone or fax number
E-mail address
Social Security or medical record numbers
Photos
Names of relatives
Voice, finger or retinal prints
Date of birth
Employer
Insurance account numbers
Who can access this information
The privacy rules of HIPAA limit both “use” (how the information is used within the institution) and “disclosure” (how the information is given out to other institutions for their use).
Patients typically give permission for use or disclosure of their information by signing a written form. Some disclosures are required by law, such as reporting of gunshot wounds, child abuse and infectious diseases; these do not require patient permission.
Internal Use
Routine access will be limited by job function.
“Need to know”: the minimum necessary information for each task.
Example, EKG: EKG technicians only need the information relating to the EKG; they would not need to see patient progress notes or insurance information.
Non-routine access will be limited by the policies and procedures of each institution.
Disclosure
Providing information to those outside of the institution
Types
Mandatory: dog bites, gunshot wounds
Incidental: I accidentally faxed your records to the wrong
department
Malicious: I steal a list of consumer names and addresses to sell
as a mailing list.
Reasonable efforts should be made to give out only the least amount of information needed to meet the request.
Example, transportation service: a service that drives patients to and from appointments would only need certain information, such as the patient's name, the appointment time and address, and a contact phone number; it should not receive any other protected health information.
Security Rules
Protect the systems that store protected health information, meaning the hardware and the software.
Systems must be protected so that unauthorized people cannot get to the information. Example: computer systems will require you to change your password every so often to protect against someone else gaining access to the system using your password. (Note that current NIST guidance, SP 800-63B, no longer recommends arbitrary periodic password changes; it recommends forcing a change whenever there is evidence the password has been compromised.)
Security Rules (Continued)
Protect the information itself from unauthorized use and misuse by those who are allowed to view PHI.
Example: a famous person, co-worker or family member is a patient. Can you check to see how he or she is doing? No. If you are not involved in the patient's care you cannot view the information, even if your account technically lets you open the record.
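The two access rules just described (routine access limited to the fields a job function needs, and no access at all for staff not involved in the patient's care) translate directly into an access-control check. Below is an added Python example, not code from the training deck or from any real hospital system, that enforces both rules in front of a patient record and keeps an audit trail so the patient's right to know who has seen their information can be answered. The role names, field names, user IDs and the sample record are all constructed for the example.

```python
"""Minimum-necessary access control with an audit trail (added example).

Models two HIPAA training rules: routine access is limited to the fields a
job function needs, and staff not involved in a patient's care may not view
the record at all. Roles, fields, user IDs and the record are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical mapping from job function to the PHI fields it requires.
# The EKG technician row follows the deck's example: EKG-related data only,
# no progress notes and no insurance information.
ROLE_FIELDS = {
    "ekg_technician": {"name", "mrn", "dob", "ekg_order", "ekg_result"},
    "nurse": {"name", "mrn", "dob", "allergies", "progress_notes", "ekg_result"},
    "billing_clerk": {"name", "mrn", "insurance_id", "billing_codes"},
}


@dataclass
class PatientRecord:
    mrn: str
    fields: dict
    # User IDs of staff currently assigned to this patient's treatment,
    # payment or operations. Anyone else has no "need to know".
    assigned_staff: set


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    mrn: str
    fields: tuple
    outcome: str


class AccessDenied(Exception):
    pass


class PhiStore:
    """Gatekeeper in front of patient records; every attempt is logged."""

    def __init__(self):
        self.audit: list[AuditEntry] = []

    def _log(self, user, role, mrn, fields, outcome):
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, mrn,
            tuple(sorted(fields)), outcome))

    def view(self, record: PatientRecord, user: str, role: str) -> dict:
        # Rule 1: no relationship to the patient, no access at all. This is
        # the "famous person / co-worker / relative is a patient" case.
        if user not in record.assigned_staff:
            self._log(user, role, record.mrn, (), "DENIED: not involved in care")
            raise AccessDenied(f"{user} is not involved in the care of {record.mrn}")
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(user, role, record.mrn, (), "DENIED: unknown role")
            raise AccessDenied(f"no access profile for role {role!r}")
        # Rule 2: minimum necessary. Project the record down to the fields
        # this role needs instead of returning the whole chart.
        view = {k: v for k, v in record.fields.items() if k in allowed}
        self._log(user, role, record.mrn, view.keys(), "ALLOWED")
        return view

    def accesses_for_patient(self, mrn: str) -> list[AuditEntry]:
        """Who has looked at, or tried to look at, this patient's record."""
        return [e for e in self.audit if e.mrn == mrn]


def is_permitted(store: PhiStore, record: PatientRecord, user: str, role: str) -> bool:
    """Yes/no wrapper around view(); the attempt is still audited."""
    try:
        store.view(record, user, role)
        return True
    except AccessDenied:
        return False


# Constructed sample record; none of this is real patient data.
SAMPLE_RECORD = PatientRecord(
    mrn="MRN-000123",
    fields={
        "mrn": "MRN-000123",
        "name": "J. Doe",
        "dob": "1970-01-01",
        "allergies": "penicillin",
        "progress_notes": "Day 2 post-op, afebrile, ambulating.",
        "ekg_order": "12-lead, routine pre-op",
        "ekg_result": "normal sinus rhythm",
        "insurance_id": "INS-555-0100",
        "billing_codes": ["93000"],
    },
    assigned_staff={"tech01", "nurse07", "bill02"},
)

if __name__ == "__main__":
    store = PhiStore()
    print(store.view(SAMPLE_RECORD, "tech01", "ekg_technician"))
    print(is_permitted(store, SAMPLE_RECORD, "nurse99", "nurse"))  # curious co-worker
    for entry in store.accesses_for_patient("MRN-000123"):
        print(entry.outcome, entry.user, entry.fields)
```

Note that the denied attempt by the unassigned nurse is recorded just like a successful view; snooping on a co-worker's or relative's chart is a reportable event, and an audit log that only captures successes cannot show it. In a real system the role would come from the identity directory rather than from the caller, and the assignment set would be derived from admissions, scheduling or billing data rather than maintained by hand.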
Summary of Privacy and Security
Rules
Patients have the right to control their
information
Institutions will limit the use and disclosure
of information
Institutions will protect information on the
computer
So What’s New About This Law
Sounds like what we have been doing all along; privacy has always been a priority.
Now the government has defined the basic requirements for protection of patient information, and institutions are being held accountable.
Patients can be more confident that their
information will be kept private
Privacy…. Why?
A Tampa, Florida man stole a list of 4,000 HIV-positive patients from a state health worker and sent the list to the Tampa Tribune, which did not publish it. The man was found guilty and sentenced to jail.
A New York congressional candidate's past suicide attempt was made public during a campaign. She won the election and sued the hospital for failing to maintain the confidentiality of her medical records.
An employee of a large Blue Cross/Blue Shield plan
obtained unauthorized access to the medical records of
the ex-wife of a friend and sent them to his friend.
How Does HIPAA Affect You
Faculty and students are held to the same obligations and accountability as employees; under affiliation agreements they are considered part of the workforce.
Whether or not you work directly with patients, you may find yourself in situations involving patient information. What do you do?
Protecting Spoken Information
What do you do?
You've just made it through a long line in the cafeteria and scored an empty table. As you settle in to enjoy your lunch, you can hear two co-workers discussing a patient.
Response
Remind them that confidentiality is important; public areas may be convenient, but when it comes to PHI they are not good choices.
Find a private space if your job requires
you to talk about patient information.
Do Not Discuss Patient Information in
Public Areas!
What do you do?
One day you walk by a room and see someone you know. She is not looking well and she seems to be by herself. You want to express your concern and see if you can help.
Response
Respecting privacy doesn't mean you have to ignore someone you know. But don't ask for protected health information.
She can tell you about her illness, but you can't ask, and if you are told you cannot repeat the information you hear.
Unless you are involved in the patient's care you do not have the right to ask for information, or even to tell other people who the patients are.
Don't Ask For Information Even If You Know The Person!
What do you do?
Let's say you enter a patient's room to explain a procedure. The patient has several visitors in the room who may or may not be family.
Response
Before entering the patient’s room, you
should first knock and ask permission to
enter.
If other people are in the room ask
permission from the patient to talk about
his or her care with visitors present.
Ask Permission From Patient
What do you do?
You are walking down the hall and are stopped by a visitor asking for directions.
Response
If you can give a visitor directions without asking for protected health information, you are being courteous and respectful of patient privacy.
If it is not clear where the visitor is supposed to go, or if you are asked about a patient's condition, direct them to the information desk.
Be Courteous and Direct Visitors to the
Information Desk
Protecting Spoken Information
Around Patient Rooms
Knock first and ask to enter
Close doors or curtains when talking about
treatments or doing procedures
Speak softly in semi-private rooms
In Public Areas
Don’t talk about patients
Direct Visitors to the information desk
Don’t leave messages on answering
machines about patient conditions
Protecting Written Information
What do you do?
Suppose you enter a conference room and find papers with patient information left on the table.
Response
Papers that contain protected health information should be returned to the person who left them. If you can't find the owner of the papers, give them to your supervisor for shredding.
Find The Owner Of Lost Papers Or Give
Them to Your Supervisor
What do you do?
Suppose you work in an area where
several people share a fax machine in a
lounge. While you are in the lounge a fax
including PHI arrives but no one comes to
get it. Later that afternoon you notice the
fax is still there.
Response
Tell your supervisor about the fax
If you are someone who shares a fax or
printer, it is your duty to pick up papers
right away.
Fax machines and printers are best
located in a private area, away from public
view.
Don’t Leave Papers With Medical
Information Unattended
Protecting Written Information
Find the owner of “lost” papers
Shred Information no longer needed
Don’t leave papers unattended
Keep information away from public view
Protecting Electronic Information
Keep computer screens pointed away from public view
Never leave patient information in public
areas unattended
Log-off workstations when leaving the
area
You Are Responsible For Any Activity On
The Computer That Is Made With Your
User Name
Protecting Electronic Information
Protect Your Password
Don’t share it with anyone
Never write it down
Don’t say it out loud
Don’t e-mail it
Report any misuse or problems with your
password
Protecting Electronic Information
Handhelds and Laptops
Prevent loss or theft of equipment: never leave this equipment unattended
Use Passwords to protect information
Close programs when not in use
Why Should We Comply
It is the right thing to do.
Patients have rights to privacy
It improves the quality of care
It is good business
Disciplinary Action
Can range from counseling to final written warning to
termination
Repeated offenses can result in more severe
discipline
Penalties
Civil and Criminal Penalties
Against both the individual and the institution
Consequences for Noncompliance
Violation: Penalty
Wrongful disclosure: up to $50,000 and up to 1 year in prison
Gaining access under false pretenses: up to $100,000 and up to 5 years in prison
Intent to sell, transfer or use: up to $250,000 and up to 10 years in prison
Enforcement of HIPAA
The Office for Civil Rights has been charged with enforcing the HIPAA privacy regulation.
Questions About Privacy
In some situations it is not clear whether privacy rules apply or what the best way to handle the situation is.
HIPAA was never meant to interfere with patient care.
If questions come up or you don't know what to do, ask your supervisor.
When in Doubt Ask!
A Parting Thought
If your loved one was a patient wouldn’t
you want your family’s privacy to be
protected by the people caring for him
or her?
Resources
Federal Register, August 14th, 2002 Notice
http://www.hipaapro.com/news/hipaa_downloads.cfm
Federal Register, February 20th, 2003 Notice
http://www.hipaapro.com/news/hipaa_downloads.cfm
HHS Office for Civil Rights – HIPAA Page
www.hhs.gov/ocr/hipaa/