HIPAA Health Insurance Portability and Accountability Act


Transcript

HIPAA
Health Insurance Portability
and Accountability Act
HIPAA is a law that JIRDC staff must follow.
This program will focus on the rights of people
who live at JIRDC and their guardians.
As a consumer of health care, you also have
these rights.
Click to go to the next slide.
The Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?
What does this mean to us at JIRDC?
What are the six Privacy Rights?
What is Protected Health Information (PHI)?
What do we do with PHI?
What changes must we make here at
JIRDC?
How long do we have and what if we don’t?
Click to go to the next slide.
HIPAA - What is it?


Congress passed a law – the Health
Insurance Portability and Accountability
Act (HIPAA) – and the Privacy Rule issued
under it requires health plans (including
insurance companies), hospitals, and
other health care providers to protect
people’s privacy.
JIRDC is a health care provider and
therefore a covered entity under HIPAA,
so we must meet the requirements of this law.
Click to go to the next slide.
What does it mean to us?




People who live at JIRDC and their
guardians have six Privacy Rights.
We must understand what Protected
Health Information (PHI) is.
We must be very careful with PHI and
learn to use “minimum necessary.”
All staff must receive Privacy training.
Click to go to the next slide.
Residents Have Six Privacy Rights
Please click to read each of the rights.
1. The right to receive a copy of JIRDC’s Notice of Privacy Practices
2. The right to inspect and receive a copy of information in files we keep
3. The right to request a change in information
4. The right to know who we have shared their information with
5. The right to request restrictions on who we share information with
6. The right to request an alternative method of contact
Because the people living at JIRDC each have a legal guardian,
the guardian will be the person who exercises these rights.
Click to go to the next slide.
Notice of JIRDC Privacy Practices


We have developed a detailed notice of
JIRDC privacy practices explaining how
Protected Health Information (PHI) is
handled for treatment, payment, and
health care operations and explaining the
Privacy Rights.
The social workers are responsible
for sending a JIRDC Notice of
Privacy Practices to each guardian.
Click to go to the next slide.
Access of Individuals to PHI



JIRDC residents and their guardians have
a right to inspect certain records that we
keep.
The request begins with the completion of
a “Request for Consumer Access to
Protected Information Form.”
If we receive a request by an individual to
view their record (all or part), we must act
on the request within 30 days.
Click to go to the next slide.
Location of JIRDC Records
JIRDC has identified certain records that
may be inspected. The primary records
are:
- the record in the home
- the record housed in the Resident Records Department
The log book is an example of a record that
may not be inspected because it contains
information about more than one person.
Click to go to the next slide.
Location of Request Form
Each guardian must sign a form when
requesting to see the records. The
Social Worker or Home Coordinator
will have this form.
Although we have 30 days to allow
access, it should not take long to reply to
a request.
Click to go to the next slide.
Amending PHI




If a guardian feels that some information in the
record is not correct, he may ask for a change
to be made.
Residents and their guardians have the right to
request amendments to PHI by completing a
“Request for Amendment of Health Care
Information” form.
We must respond to requests for amendment
within 60 days.
If we determine the PHI is accurate and
complete, it does not have to be amended.
Click to go to the next slide.
Accounting of Disclosures of PHI




A guardian may ask for an accounting of the
disclosures JIRDC has made of the resident’s PHI
in the 6 years prior to the request: the date, who
received the information, what was disclosed, and why.
This does not include disclosures for
treatment, payment, or health care operations.
This also does not include disclosures to the
individual or guardian. Disclosures to law
enforcement are exempt only in the custody
situations the regulation lists; other disclosures
to law enforcement must be accounted for.
No accounting is required for disclosures
that occurred prior to April 14, 2003, the
date the Privacy Rule took effect.
Click to go to the next slide.
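As an added example (not JIRDC’s own record system; the log shape, the purpose labels and the sample entries are constructed for illustration), here is how a disclosure log can be kept so that an accounting request can be answered. Each entry records the date, the recipient, what was disclosed and why; the function applies the 6-year window, the April 14, 2003 floor and the purpose exclusions from the slide.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not JIRDC's record system. The log shape, purpose labels
# and sample entries are constructed for illustration.

PRIVACY_RULE_COMPLIANCE_DATE = date(2003, 4, 14)  # no accounting owed before this
ACCOUNTING_YEARS = 6

# Purposes the slide says are not part of the accounting. Labels are an
# assumption: whoever records a disclosure picks one of a fixed set.
# The training also exempts certain law-enforcement disclosures; add the
# matching label here per local policy.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_individual"}


@dataclass(frozen=True)
class Disclosure:
    resident_id: str
    when: date
    recipient: str    # who received the PHI
    description: str  # what was disclosed
    purpose: str      # why it was disclosed


def years_before(d, years):
    """Same calendar date `years` earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting(log, resident_id, request_date):
    """Rows owed to the guardian: this resident's disclosures inside the
    six-year window ending on the request date, no earlier than the
    compliance date, and not for an exempt purpose. Oldest first."""
    window_start = max(years_before(request_date, ACCOUNTING_YEARS),
                       PRIVACY_RULE_COMPLIANCE_DATE)
    rows = [
        (d.when, d.recipient, d.description, d.purpose)
        for d in log
        if d.resident_id == resident_id
        and window_start <= d.when <= request_date
        and d.purpose not in EXEMPT_PURPOSES
    ]
    return sorted(rows)


# Constructed sample log (no real residents).
SAMPLE_LOG = [
    Disclosure("R-17", date(2003, 2, 3), "Grace Hospital", "full chart", "treatment"),
    Disclosure("R-17", date(2003, 4, 20), "State auditor", "sample charts", "oversight"),
    Disclosure("R-17", date(2003, 6, 9), "Medicaid", "claim", "payment"),
    Disclosure("R-17", date(2004, 1, 20), "County DSS", "incident report", "public_health"),
    Disclosure("R-17", date(2007, 9, 1), "guardian", "copy of chart", "to_individual"),
    Disclosure("R-17", date(2008, 3, 15), "Researcher X", "medication list", "research"),
    Disclosure("R-42", date(2008, 3, 15), "Researcher X", "medication list", "research"),
]

if __name__ == "__main__":
    # A request made on 2009-05-01 reaches back to 2003-05-01, so the
    # 2003-04-20 auditor disclosure drops out; a request made in early
    # 2005 reaches back to the compliance date and still includes it.
    for row in accounting(SAMPLE_LOG, "R-17", date(2009, 5, 1)):
        print(*row, sep=" | ")
```

The point of the design is that the exclusions are decided when the disclosure is recorded (by its purpose label), not when the guardian asks; a log that only captures "who looked at the chart" cannot produce this accounting, because internal viewing is a use, not a disclosure.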
Requesting Restrictions
on Disclosures of PHI



Guardians may request that we limit the use
and disclosure of health information about
residents for the purposes of treatment,
payment, and operations.
We are not required to agree to their request to
limit the number of people who view the record.
If we do agree to it, we must follow the agreed
restrictions (except for emergency treatment).
Click to go to the next slide.
Receiving PHI - Alternative
Means or Alternative Locations

Guardians usually prefer that information
be mailed to their home addresses and
that phone calls be made to their home
phones. However, a guardian may ask
JIRDC to use a different address,
phone number, e-mail, FAX, etc.
Click to go to the next slide.
Receiving PHI - Alternative
Means or Alternative Locations


We must provide our guardians with the
opportunity to receive PHI communications
by alternative means or at alternative
locations (such as a work address instead
of a home address).
We must accommodate all reasonable requests.
Click to go to the next slide.
Refraining from Retaliation



Guardians who want to exercise their rights
should not receive any negative responses
from staff.
JIRDC must not intimidate, threaten, coerce,
discriminate, or retaliate against any person
attempting to exercise their rights under the
privacy regulations.
All staff must “remain neutral” toward
guardians choosing to exercise their rights.
Click to go to the next slide.
Protecting Confidential
Information Learned at JIRDC




ALL information about a person who lives at
JIRDC which is learned as a result of
performing your job is confidential information.
According to state law, all JIRDC employees
are responsible for assuring confidentiality.
If you don’t protect information about people
who live at JIRDC, you can be fined,
suspended, or dismissed from your job.
The Federal HIPAA law focuses on Protected
Health Information (PHI).
Click to go to the next slide.
What is Protected Health
Information (PHI)?




Any health information that can be identified to
a person is PHI.
We are using a very broad definition of “health
information” that includes treatment, care, and
demographic information.
The fact that a person lives at JIRDC is PHI.
Identifiers that make information PHI include
dates related to the person (except the year
alone); record number; Social Security Number;
full face photographic image; or any other
unique identifying number, characteristic, or code.
Click to go to the next slide.
Recognizing PHI When You See It

PHI is not just information in the resident
record. PHI can look like anything.
PHI can be spoken, such as a conversation or
answering machine message.
PHI can be written, such as on a piece of paper,
a computer monitor, or a chalkboard.
Click to go to the next slide.
Recognizing PHI When You See It


PHI reveals something about a person’s
past, present, or future health or condition.
PHI is individually identifiable (gives a
reasonable basis for determining a person’s
identity). PHI is about a specific person.
You may know the person if you hear their
name or if you can guess who it is by the
information that is provided.
Click to go to the next slide.
It can look like anything







Data appearing on computer monitors
Lab test results
Resident schedule boards
A conversation about a resident’s health
An appointment reminder left on a
guardian’s answering machine
File server backup tapes
Financial records
Click to go to the next slide.
It reveals something about health



It does not have to be present health.
It can also be past or future health.
It does not have to be about bad health.
“Joe is feeling fine” also qualifies as PHI.
Since knowledge that a person
lives at JIRDC strongly implies a
“diagnosis” of mental retardation,
this also qualifies as PHI.
Click to go to the next slide.
It is individually identifiable



This means that someone seeing or
hearing the health information can identify
the person it’s about.
The information must provide a
“reasonable basis” for determining the
person’s identity.
When health information is paired with
unique identifiers (like client number or a
photograph) it is always PHI.
Click to go to the next slide.
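To make the “individually identifiable” test concrete, here is an added example (not part of the JIRDC training and not any product’s code) of the kind of check a mail or document scanner runs before PHI leaves the building. It looks for a few of the structured identifiers named on the “What is Protected Health Information” slide (record numbers, Social Security Numbers, dates that carry more than a year, phone numbers) plus names from a constructed resident roster; the roster, the sample lines and the exact patterns are assumptions for illustration. It also shows the exception the slide mentions: a bare year is not flagged.

```python
import re

# Added example, not JIRDC code. The patterns are illustrative and cover
# only a few identifier types; photographs and free-text clues
# ("the resident in room 4") need other controls such as human review.

# Constructed resident roster; a real deployment would load it from the
# resident record system.
RESIDENT_ROSTER = {"Phil", "Joe", "Mary Ann Doe"}

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"

PATTERNS = {
    # Roster names, longest first so "Mary Ann Doe" wins over a shorter name.
    "name": re.compile(
        r"\b(?:"
        + "|".join(re.escape(n) for n in sorted(RESIDENT_ROSTER, key=len, reverse=True))
        + r")\b"
    ),
    # 123-45-6789 (area 000, 666 and 9xx, and all-zero groups, are never issued)
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Dates carrying more than a year: 3/14/2003, 03-14-03, March 14, 2003.
    # A year on its own ("in 2003") is deliberately not matched.
    "date": re.compile(
        rf"\b(?:\d{{1,2}}[/-]\d{{1,2}}[/-]\d{{2,4}}|{MONTHS}\s+\d{{1,2}},?\s+\d{{4}})\b"
    ),
    # Record / chart / MRN numbers: "record #0042137", "MRN: 12345678"
    "record_number": re.compile(
        r"\b(?:mrn|chart|record)\s*(?:no\.?|number|#|:)?\s*#?\s*\d{5,10}\b", re.I
    ),
    # Ten-digit US phone numbers: (919) 555-0142, 919-555-0142
    "phone": re.compile(r"(?<!\w)(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
}


def find_identifiers(text):
    """Return (start, kind, matched_text) for every identifier, in text order."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return sorted(hits)


def is_identifiable(text):
    """True when the text carries a structured identifier or roster name,
    i.e. a 'reasonable basis' for identifying the person."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each identifier with a [KIND] placeholder; bare years remain."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(f"[{kind.upper()}]", text)
    return text


# Constructed sample lines (not real residents or records).
SAMPLE_LINES = [
    "Phil (record #0042137) sees the eye clinic on 03/14/2003 for his cataracts.",
    "Call his guardian at (919) 555-0142; her SSN is 123-45-6789.",
    "Phil moved to JIRDC in 2003 and is feeling fine.",
    "Admitted in 2003; diagnosis on file.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        kinds = [k for _, k, _ in find_identifiers(line)]
        print(f"{str(kinds or 'no identifier found'):<40} {redact(line)}")
```

The third line is the slide’s “Joe is feeling fine” case: the only identifier is the name, and that is enough. The fourth line shows the limit of pattern matching: no identifier is found, yet in context (a message about one particular resident) it may still be PHI, so a scanner like this is a backstop for the e-mail rule, not the definition of PHI.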
What do we do with PHI?



Protect it! Keep it private by not leaving
it lying around where it can be seen.
Except for treatment reasons, provide
the “minimum necessary” to meet the
needs of the requestor.
“Minimum necessary” means providing
just enough information to meet the
needs of the requestor and no more.
Click to go to the next slide.
Some things we do to protect PHI




Pick up all meeting handouts
and erase blackboards when
meetings are done.
Working on PHI? When you leave for lunch,
cover it up AND lock it up.
Talking PHI on the phone? Keep your voice
low if you might be overheard.
Avoid mentioning PHI at restaurants.
Click to go to the next slide.
Dealing with PHI: Test Yourself
Five situations related to
“minimum necessary” follow.
Read each situation.
Determine if each situation was
handled correctly.
Click to go to the next slide.
Dealing with PHI – Scenario #1

Mary is escorting four residents to a movie.
As they are leaving, Mary’s supervisor tells
her to make sure Phil gets to sit very close
to the screen because he is having some
vision problems stemming from developing
cataracts.
Was this situation handled correctly?
Click to go to the next slide.
Dealing with PHI – Scenario #1

Since treatment of Phil’s cataracts was not
involved, the “minimum necessary” rule
applies here. It was appropriate for Mary’s
supervisor to tell her to make sure Phil gets to
sit very close to the screen because he is
having some vision problems. It was not
necessary to name his cataracts.
No. This is NOT “minimum necessary.”
Click to go to the next slide.
Dealing with PHI – Scenario #2

Mary has been asked to drive Phil to a shoe
store and help him purchase new shoes.
Mary’s supervisor tells her to make sure Phil’s
new shoes have good arch support because
he has heel spurs.
Was this situation handled correctly?
Click to go to the next slide.
Dealing with PHI – Scenario #2

Selecting the proper shoes is a big part of the
treatment of heel spurs. Communicating the
fact that Phil has heel spurs was for treatment
reasons, so the “minimum necessary” rule
does not apply. It was appropriate for Mary’s
supervisor to mention the heel spurs. It would
also be appropriate for Mary to mention it to
the store clerk.
This is a treatment situation and
“minimum necessary” does not apply.
Click to go to the next slide.
Dealing with PHI – Scenario #3

A JIRDC advocate is interviewing Mary about a
bruise that has appeared on Phil’s arm. Mary
answers questions about the bruise, but decides
not to tell the advocate about two other bruises on
Phil’s leg since this information does not seem to
meet the “minimum necessary” rule.
Was this situation handled correctly?
Click to go to the next slide.
Dealing with PHI – Scenario #3

The advocate’s investigation of possible abuse
is a part of Phil’s treatment at JIRDC and the
“minimum necessary” rule does not apply.
Mary should have mentioned the leg bruises to
the inquiring resident advocate.
Advocates have the right to see all
information. “Minimum necessary”
does not apply.
Click to go to the next slide.
Dealing with PHI – Scenario #4

Phil’s mother shows up unexpectedly with a
copy of JIRDC’s Notice of Privacy Practices in
her hand. She wants to examine Phil’s chart.
Mary remembers this is a new right, takes her
to the chart, and lets her examine it.
Was this situation handled correctly?
Click to go to the next slide.
Dealing with PHI – Scenario #4

Requests to examine records must be handled
by the Home Coordinator. Mary should have
helped Phil’s mother submit her request to the
Home Coordinator in writing (required) and
should not have allowed her to examine any
records.
A guardian must complete a
written request to see the record.
Click to go to the next slide.
Dealing with PHI – Scenario #5

Phil suddenly develops very shallow breathing
and is taken to Grace Hospital’s emergency
room. Staff take Phil’s resident record with
them. The entire record is made available to
emergency room physicians as they attempt to
determine the cause of Phil’s shallow breathing.
Was this situation handled correctly?
Click to go to the next slide.
Dealing with PHI – Scenario #5

The sharing of Phil’s PHI with the staff at
Grace Hospital was for treatment reasons.
The “minimum necessary” rule does not apply.
This is a treatment situation and
“minimum necessary” does not apply.
Click to go to the next slide.
Rules We Must Follow at JIRDC
JIRDC staff have many rules
regarding the handling of PHI.
Many of the rules involve how
computers are used.
ALL of the rules involve common
sense.
Click to go to the next slide.
Some Rules We Must Follow





PHI must be secured when no one is in
the area – no open log books.
No PHI should be viewable in
public areas.
No PHI should be sent in e-mail (except as a
password-protected attachment, with the password
sent separately, never in the same message).
No PHI should be left at copy machines,
fax machines, or conference rooms.
Discarded PHI must be shredded.
Click to go to the next slide.
Computer Rules We Must Follow




Computer monitors showing PHI must be
positioned for privacy.
Computer passwords must not be shared
and must be reasonably “un-guessable.”
Computer passwords must not be left
visible or hidden where they can be found.
Computer users must log-off the network
when leaving computers unattended.
Click to go to the next slide.
More Rules We Must Follow



If you notice your login name has been
changed while you were away from your
computer (someone else logged in at your
workstation), report it to Computer Services.
If you see an “intruder lockout” message
while logging into the network (the account
was locked after repeated failed logins),
report it to Computer Services.
Pay attention to any unusual login names
that show up on your computer. Report
what you see to Computer Services.
Click to go to the next slide.
Even More Rules We Must Follow




We must not discuss a resident within the
hearing of other individuals or visitors.
We must not leave keys unattended.
When sharing resident health information,
we must share the “minimum necessary”
(except for treatment reasons).
JIRDC must sanction staff for violations of
the Privacy rules.
Click to go to the next slide.
Security Awareness at JIRDC
All JIRDC staff are responsible
for keeping data secure.
Computer data should be kept
safe by the person who created
the disk, CD, or printout.
All security incidents must be
reported as soon as possible.
Click to go to the next slide.
Security Awareness


JIRDC data must be kept secure at all
times. Staff who use computers and
staff who do not use computers are
responsible for protecting information.
Information created on JIRDC
computers is considered property of
JIRDC and the State of NC regardless
of how information is stored.
Click to go to the next slide.
Security Awareness Continued

Computer printouts, floppy disks, or CDs
found unattended, with no responsible data
owner watching them, should be picked up
by the person who finds them and turned in
to their supervisor.
Click to go to the next slide.
Security Awareness Continued

A security incident is a violation, or
imminent threat of violation, of
computer security policies.
Notify your supervisor or the
JIRDC Computer Help Desk
as soon as possible if you
suspect a security incident has
occurred.
Click to go to the next slide.
Workforce Privacy Sanctions
If staff break the rules, there are
3 levels of violations and punishments.
The 1st level is “accidental.”
The 2nd level is “purposeful.”
The 3rd level is “malicious.”
Malicious violations are the most serious
and can result in loss of jobs and
criminal prosecution.
Click to go to the next slide.
Workforce Privacy Sanctions
- Accidental Violations


This violation occurs when an employee
unintentionally or carelessly accesses or reveals
resident information to others without a
legitimate need to know.
Examples: Discussing a resident
in a public area without discretion;
sharing your network password.
Sanctions include verbal counseling and training
or written counseling and training.
Click to go to the next slide.
Workforce Privacy Sanctions
- Purposeful Violations


This violation occurs when an employee accesses
or discusses information about a resident for
purposes other than the care of the resident or
to perform one's specific job responsibilities.
Examples: Using another employee’s
login name and password;
looking up resident information
out of curiosity.
Sanctions include written counseling and training
or suspension and training.
Click to go to the next slide.
Workforce Privacy Sanctions
- Malicious Violations


This violation occurs when an employee
accesses or reveals resident information to
others for personal gain or with malicious intent.
Examples: Destroying or altering
data intentionally; releasing information
in an attempt to harm a resident
or JIRDC.
Sanctions include written counseling and
training, termination, and prosecution.
Click to go to the next slide.
Failure to Comply Penalties
JIRDC and the employee can be
punished for violations.
The following civil fine applies to JIRDC
(these were the original Privacy Rule amounts;
the HITECH Act of 2009 raised them substantially):

$100 per violation,
up to $25,000 per calendar year
for violations of the same standard
Click to go to the next slide.
Failure to Comply Penalties
The following criminal penalties apply to
the employee (any person who knowingly
obtains or discloses PHI in violation of HIPAA):

Up to $50,000 and 1 year in prison
for inappropriate use of PHI
Up to $100,000 and 5 years in prison
for obtaining or disclosing PHI under false pretenses
Up to $250,000 and 10 years
for intent to sell PHI or use it
for personal gain or malicious harm
Click to go to the next slide.
Let’s Review!
Residents Have Six Privacy Rights
1. The right to receive a copy of JIRDC’s Notice
of Privacy Practices
2. The right to inspect and receive a copy of
information in files we keep
3. The right to request a change in information
4. The right to know who we have shared their
information with
5. The right to request restrictions on who we
share information with
6. The right to request an alternative method of
contact
Click to go to the next slide.
Let’s Review!
Three Rules for Recognizing PHI
- PHI can look like anything.
- PHI reveals something about health.
- PHI can be identified to an individual.

Click to go to the next slide.
Let’s Review!
PHI Must be Protected



We must not leave it lying around
where it can be seen.
We must not post it
in public places.
We must be careful
what we say when
we can be overheard.
Click to go to the next slide.
Let’s Review!
What is “Minimum Necessary”?



Except for treatment reasons, when
sharing health information about a resident
you should share the minimum necessary
amount of information.
That means what it takes to
get the job done and no more.
There should be no gossiping
about resident health matters.
Click to go to the next slide.
Let’s Review!
Violations MUST be Punished




Violations of HIPAA Privacy rules MUST
be punished by JIRDC Administration.
Minor violations will be viewed as
training opportunities.
There are some very severe penalties
for violating the privacy rights
of JIRDC residents.
How severe? Up to 10 years in jail
and a $250,000 fine.
Click to go to the next slide.
How much have you learned?
You have finished the HIPAA slide show.
Tell the LRC Instructor that you are ready
to take the quiz.
Click to end the slide show.