Health Insurance Portability & Accountability Act

NCPD#1/jab 0803
What I will learn from this program
- What is HIPAA
- Who is covered by HIPAA
- Goals of HIPAA
- Definitions
- What is "Protected Health Information (PHI)", "Use", and "Disclosure"
- What are the "Security Rules"
- How does this affect you
- Why comply
What is HIPAA
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- Original intent was to ensure portability of insurance when employment changes.
- Administrative Simplification
  - Standardization of formats, codes and identifiers
  - Increased security of electronic health data
  - Increased protection of protected health information
  - Simplify health care administration
Who is covered by HIPAA
- Covered entities include
  - Health care providers
  - Health plans
  - Health care clearinghouses
Goals of HIPAA
- For patients
  - Control over their information
  - The right to see their records and correct any mistakes in them
  - The right to know who has seen their information
Goals of HIPAA
- For institutions
  - Protect patient information
  - Limit use of patient information
  - Penalize those who misuse information
Definitions
- Protected Health Information = Individually identifiable health information in any form or media. Only authorized people will look at or use it, and only for treatment, payment or health care operations (TPO).
- Privacy = Right of each person to keep certain personal information to him or herself, confident that only authorized people will look at or use it.
More Definitions
- Security = Protection of information, data and systems from accidental or intentional access by unauthorized users.
- TPO = Treatment, Payment and Operations
- Minimum Necessary = The minimum amount of information you "need to know" to do your job.
What is Protected Health Information
- Information that identifies a person
- A person who is living or deceased
- Past, present or future health information
- In electronic or paper form, or spoken in conversation
Examples: patient charts, lab reports, X-rays, billing systems, nursing notes, phone calls, and conversations about patients
What Makes Information Identifiable
- Name
- Address
- Phone or fax number
- E-mail address
- Social Security or medical record numbers
- Photos
- Names of relatives
- Voice, finger or retinal prints
- Date of birth
- Employer
- Insurance account numbers
Who can access this information
- The privacy rules of HIPAA limit both "Use" (how the information is used within the institution) and "Disclosure" (how the information is given out to other institutions for use).
- Patients typically give permission for use or disclosure of their information by signing a written form. Some disclosures are required by law, such as reporting of gunshot wounds, child abuse and infectious diseases; these do not require patient permission.
Internal Use
- Routine access will be limited by job function
  - "Need to know", or the minimum necessary for each task
  - Example, EKG: EKG technicians only need the information relating to the EKG; they would not need to see patient progress notes or insurance information.
- Non-routine access will be limited by the policies and procedures of each institution
Disclosure
- Providing information to those outside of the institution
- Types
  - Mandatory: dog bites, gunshot wounds
  - Incidental: I accidentally faxed your records to the wrong department
  - Malicious: I steal a list of consumer names and addresses to sell as a mailing list
- Reasonable efforts should be made to give out only the least amount of information needed to meet the request
  - Example, transportation service: a service that drives patients to and from appointments would only need certain information, such as the patient's name, appointment time and address, and a contact phone number; it should not be given details of other protected health information.
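The "minimum necessary" rule in the EKG example under Internal Use and in the transportation-service example above is the same control applied to an insider and to an outside recipient: release only the fields the requester's job function needs, and withhold everything else by default. The script below is an added illustration, not part of this training deck; the role names, field names, sample record and the ROLE_FIELDS rule table are assumptions made up for the example.

```python
"""Minimum-necessary release of a patient record by job function.

Added example, not part of the HIPAA training deck.  The role names, field
names, the sample record and the ROLE_FIELDS rule table are assumptions made
for illustration; a real system would derive them from its own job-function
policies and business-associate agreements.
"""
from typing import Dict, Iterable, NamedTuple, Optional, Set

# Constructed, fictitious PHI record used as sample input.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "MRN-000123",
    "name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "contact_phone": "555-0100",
    "appointment_time": "2003-08-14T09:30",
    "appointment_address": "Cardiology Clinic, 2nd floor",
    "ekg_order": "12-lead resting EKG",
    "ekg_results": "normal sinus rhythm",
    "progress_notes": "Reports chest tightness after exertion.",
    "insurance_account": "PLAN-987654",
    "charges": ["93000 electrocardiogram"],
}

# Assumed role -> fields that role needs for its task.  Anything not listed
# is withheld (default deny).  An internal user (EKG technician) and an
# outside recipient (transportation service) are handled by the same rule.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "ekg_technician": {"patient_id", "name", "date_of_birth",
                       "ekg_order", "ekg_results"},
    "transport_service": {"name", "appointment_time",
                          "appointment_address", "contact_phone"},
    "billing_clerk": {"patient_id", "name", "insurance_account", "charges"},
    "attending_physician": set(SAMPLE_RECORD),  # treating clinician: full record
}


class Release(NamedTuple):
    released: Dict[str, object]  # fields actually handed over
    denied: Set[str]             # requested, but outside the role's need to know


def minimum_necessary(record: Dict[str, object], role: str,
                      requested: Optional[Iterable[str]] = None) -> Release:
    """Apply the minimum-necessary rule to one request.

    A field is released only if the role is allowed to see it AND the
    requester asked for it (no request list means "everything my role
    allows").  An unknown role is allowed nothing, so every field it asks
    for is denied.
    """
    allowed = ROLE_FIELDS.get(role, set())
    wanted = set(requested) if requested is not None else allowed
    released = {k: v for k, v in record.items() if k in allowed and k in wanted}
    return Release(released=released, denied=wanted - allowed)


def audit_line(role: str, outcome: Release) -> str:
    """One audit-log line: field names only, never the PHI values themselves."""
    return (f"role={role} released={sorted(outcome.released)} "
            f"denied={sorted(outcome.denied)}")


if __name__ == "__main__":
    requests = [
        ("ekg_technician", None),
        ("transport_service", ["name", "appointment_address", "ekg_results"]),
        ("visitor", ["name"]),
    ]
    for role, wanted in requests:
        print(audit_line(role, minimum_necessary(SAMPLE_RECORD, role, wanted)))
```

The denied set is the part worth keeping: a transportation service that repeatedly asks for EKG results, or a role that keeps requesting fields outside its table, is exactly the non-routine access the slide says must go through institutional policy rather than be granted quietly.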
Security Rules
- Protect the systems that store protected health information: the hardware and the software
- Systems must be protected so that unauthorized people cannot get to the information. Example: computer systems will require you to change your password every so often, to protect against someone else gaining access to the system using your password.
Security Rules (Continued)
- Protect the information itself from unauthorized use and misuse by those who are allowed to view PHI
- Example: a famous person, co-worker, or family member is a patient; can you check to see how he or she is doing? No! If you are not involved in the patient's care you cannot view the information.
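The rule above ("not involved in the patient's care, so no access") is the one that access-log review is built around: the user could log in, so the system let them, and the only way to catch the misuse is to compare each view against a documented treatment relationship. The script below is an added example of that detection, not part of this training deck; the audit-log format, the reason codes, the care-team table and the log lines are constructed for illustration.

```python
"""Flag chart views that fall outside a treatment relationship.

Added example, not part of the HIPAA training deck.  The audit-log format,
the reason codes, the care-team table and the log lines below are
constructed for illustration; a real review would read the EHR's own access
audit trail and derive the care team from orders and assignments.
"""
import csv
from io import StringIO
from typing import Dict, List, Set

# Constructed: users with a treatment relationship to each patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "MRN-000123": {"dr_lee", "rn_patel"},
    "MRN-000456": {"dr_lee", "rn_okafor"},
}

# Assumed reason codes an EHR might attach to an access: "order" means a
# task (for example an EKG order) justified the view; "break_glass" is an
# emergency override that is permitted but must be reviewed afterwards.
TASK_REASONS = {"order"}
OVERRIDE_REASONS = {"break_glass"}

# Constructed sample audit log (fictitious users and record numbers).
SAMPLE_LOG = """\
timestamp,user,patient_id,action,reason
2003-08-14T09:31:02,rn_patel,MRN-000123,view_chart,
2003-08-14T09:45:10,ekg_tech_kim,MRN-000123,view_ekg,order
2003-08-14T10:02:44,rn_okafor,MRN-000123,view_chart,
2003-08-14T10:15:00,dr_lee,MRN-000456,view_chart,
2003-08-14T22:40:13,rn_okafor,MRN-000123,view_chart,break_glass
2003-08-14T23:05:51,dr_lee,MRN-000789,view_chart,
"""


def find_snooping(log_text: str,
                  care_team: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return the log rows that need follow-up, each tagged with a 'finding'.

    - user is on the patient's care team          -> no finding
    - reason is a task code (e.g. an order)       -> no finding
    - reason is an emergency override             -> 'break_glass_review'
    - anything else, including an MRN with no     -> 'no_treatment_relationship'
      documented care team at all
    """
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(StringIO(log_text)):
        team = care_team.get(row["patient_id"], set())  # unknown MRN: nobody
        reason = (row.get("reason") or "").strip()
        if row["user"] in team or reason in TASK_REASONS:
            continue
        finding = ("break_glass_review" if reason in OVERRIDE_REASONS
                   else "no_treatment_relationship")
        findings.append(dict(row, finding=finding))
    return findings


def count_by_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of flagged views per user; repeat offenders float to the top."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_snooping(SAMPLE_LOG, CARE_TEAM)
    for f in hits:
        print(f"{f['timestamp']} {f['user']} {f['patient_id']} "
              f"{f['action']}: {f['finding']}")
    print(count_by_user(hits))
```

Because the log attributes each view to a user name, the review is only as good as the rule on the later slide that you are responsible for everything done under your user name; a shared or unattended login turns every one of these findings into a dispute rather than a fact.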
Summary of Privacy and Security Rules
- Patients have the right to control their information
- Institutions will limit the use and disclosure of information
- Institutions will protect information on the computer
So What's New About This Law
- It sounds like what we have been doing all along; privacy has always been a priority.
- Now the government has decided what the basic requirements are for the protection of patient information, and institutions are being held accountable.
- Patients can be more confident that their information will be kept private.
Privacy... Why?
- A Tampa, Florida man stole a list of 4,000 HIV-positive patients from a state health worker and sent the list to the Tampa Tribune, which did not publish it. The man was found guilty and sentenced to jail.
- A New York congressional candidate's past suicide attempt was made public during a campaign. She won the election and sued the hospital for failing to maintain the confidentiality of her medical records.
- An employee of a large Blue Cross/Blue Shield plan obtained unauthorized access to the medical records of the ex-wife of a friend and sent them to his friend.
How Does HIPAA Affect You
- Faculty and students are held to the same obligations and accountability as employees; they are seen as part of the workforce under affiliation agreements.
- Whether you work directly with patients or not, you may find yourself in situations involving patient information. What do you do?
Protecting Spoken Information
What do you do?
- You've just made it through a long line in the cafeteria and scored an empty table. As you settle in to enjoy your lunch, you can hear two co-workers discussing a patient.
Response
- Remind them that confidentiality is important; public areas may be convenient, but when it comes to PHI they are not good choices.
- Find a private space if your job requires you to talk about patient information.
Do Not Discuss Patient Information in Public Areas!
What do you do?
- One day you walk by a room and see someone you know. She is not looking well and she seems to be by herself. You want to express your concern and see if you can help.
Response
- Respecting privacy doesn't mean you have to ignore someone you know. But don't ask for protected health information.
- She can tell you about her illness, but you can't ask, and if told you cannot repeat the information you hear.
- Unless you are involved in the patient's care you do not have the right to ask for information, or even to tell other people who the patients are.
Don't Ask For Information Even If You Know The Person!
What do you do?
- Let's say you enter a patient's room to explain a procedure. The patient has several visitors in the room who may or may not be family.
Response
- Before entering the patient's room, you should first knock and ask permission to enter.
- If other people are in the room, ask permission from the patient to talk about his or her care with visitors present.
Ask Permission From the Patient
What do you do?
- You are walking down the hall and are stopped by a visitor asking for directions.
Response
- If you can give a visitor directions without asking for protected health information, you are being courteous and respectful of patient privacy.
- If it is not clear where the visitor is supposed to go, or if you are asked about a patient's condition, direct them to the information desk.
Be Courteous and Direct Visitors to the Information Desk
Protecting Spoken Information
- Around patient rooms
  - Knock first and ask to enter
  - Close doors or curtains when talking about treatments or doing procedures
  - Speak softly in semi-private rooms
- In public areas
  - Don't talk about patients
  - Direct visitors to the information desk
  - Don't leave messages on answering machines about patient conditions
Protecting Written Information
What do you do?
- Suppose you enter a conference room and find papers with patient information left on the table.
Response
- Papers that contain protected health information should be returned to the person who left them. If you can't find the owner of the papers, give them to your supervisor for shredding.
Find the Owner of Lost Papers or Give Them to Your Supervisor
What do you do?
- Suppose you work in an area where several people share a fax machine in a lounge. While you are in the lounge a fax including PHI arrives, but no one comes to get it. Later that afternoon you notice the fax is still there.
Response
- Tell your supervisor about the fax.
- If you are someone who shares a fax or printer, it is your duty to pick up papers right away.
- Fax machines and printers are best located in a private area, away from public view.
Don't Leave Papers With Medical Information Unattended
Protecting Written Information
- Find the owner of "lost" papers
- Shred information that is no longer needed
- Don't leave papers unattended
- Keep information away from public view
Protecting Electronic Information
- Keep computer screens pointed away from the public
- Never leave patient information in public areas unattended
- Log off workstations when leaving the area
You Are Responsible For Any Activity On The Computer That Is Made With Your User Name
Protecting Electronic Information
- Protect your password
  - Don't share it with anyone
  - Never write it down
  - Don't say it out loud
  - Don't e-mail it
- Report any misuse of, or problems with, your password
Protecting Electronic Information
- Handhelds and laptops
  - Prevent loss or theft of equipment: never leave this equipment unattended
  - Use passwords to protect information
  - Close programs when not in use
Why Should We Comply
- It is the right thing to do.
  - Patients have rights to privacy
  - It improves the quality of care
  - It is good business
- Disciplinary action
  - Can range from counseling to a final written warning to termination
  - Repeated offenses can result in more severe discipline
- Penalties
  - Civil and criminal penalties
  - Against both the individual and the institution
Consequences for Noncompliance

Violation                                Penalty
Wrongful disclosure                      Up to $50,000 and up to 1 year in prison
Gaining access by false pretenses        Up to $100,000 and up to 5 years in prison
Intent to sell, transfer or use          Up to $250,000 and up to 10 years in prison
Enforcement of HIPAA
- The Office for Civil Rights has been charged with enforcing the HIPAA privacy regulation
Questions About Privacy
- In some situations it is not clear whether the privacy rules apply, or what the best way to handle the situation is.
- HIPAA was never meant to interfere with patient care.
- If questions come up or you don't know what to do, ask your supervisor.
When in Doubt, Ask!
A Parting Thought
If your loved one was a patient, wouldn't you want your family's privacy to be protected by the people caring for him or her?
Resources
- Federal Register, August 14th, 2002 Notice: http://www.hipaapro.com/news/hipaa_downloads.cfm
- Federal Register, February 20th, 2003 Notice: http://www.hipaapro.com/news/hipaa_downloads.cfm
- HHS Office for Civil Rights, HIPAA page: www.hhs.gov/ocr/hipaa/