HIPAA - Colorado Center for Nursing Excellence

ALLIANCE FOR CLINICAL EDUCATION (ACE)
HIPAA TRAINING
SEPT 2012

OBJECTIVES
• Describe the HIPAA Privacy rules and regulations
• Identify patients’ rights and your role in protecting them
• Discuss your responsibilities under HIPAA-related policies and procedures
• Explain the penalties for non-compliance

PROTECTING PATIENT PRIVACY IS EVERYONE’S RESPONSIBILITY

YOUR RESPONSIBILITIES
• Respect the patient’s right to privacy
• Know the facility’s privacy policies
• Be sensitive

DEFINITIONS
HIPAA – the Health Insurance Portability and Accountability Act of 1996. A federal law that specifies the types of measures required to protect the security and privacy of personally identifiable health information.
Patient Confidentiality – keeping information about a patient’s health care private. The information is shared only with those who need to know in order to perform their duties on behalf of the patient.

DEFINITIONS CONTINUED…
Protected Health Information (PHI) – medical information that can be traced to, or identified with, a particular patient. PHI is information created or received by a health care organization that relates to the past, present, or future health or condition of an individual.
Transaction – the exchange of information between two parties to carry out financial or administrative activities related to health care.

HIPAA
What is it?
“Patients have the right to have health information kept private and secure”
**HIPAA is mandatory; there are penalties for failure to comply

COVERED INFORMATION
Confidentiality and Privacy
All protected, identifiable health information (PHI) must be considered and treated as confidential, and all patients have the right to request restrictions on who will see their PHI.
Security
Establishes the requirements for ensuring the confidentiality, availability and integrity of PHI.

PATIENTS HAVE THE RIGHT TO:
• Expect privacy and freedom from intrusions or disturbances regarding his/her personal affairs.
• Expect that all communications and records concerning his/her care will be treated as confidential. Information will be shared only with those who need to know the information to perform their duties on behalf of the patient.
• Review the records pertaining to his/her medical care.

What must be kept CONFIDENTIAL?

CONFIDENTIAL? HOW DO I KNOW?
Did you learn the information through caring for your patient?
If yes, then consider it confidential.

UNDERSTANDING PHI (PROTECTED HEALTH INFORMATION)
Protected Health Information:
• Is created by a health care provider
• Is information for which there is a reasonable basis to believe it could be used to identify the patient
• Relates to the past, present or future physical or mental condition of an individual, the provision of healthcare, or payment for care provided to an individual
• Is transmitted or maintained in any form (electronic, paper or oral representation)

PRIVACY PROTECTED ELEMENTS
HEALTH INFORMATION IS CONSIDERED INDIVIDUALLY IDENTIFIABLE IF ANY OF THE FOLLOWING ARE PRESENT:
• Name
• Full address
• Names of relatives
• Name of employers
• Birth date
• Telephone numbers
• Fax numbers
• Electronic e-mail addresses
• Social security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, code that could be used to identify the patient

PATIENTS’ RIGHT TO RECEIVE NOTICE OF PRIVACY PRACTICES
Items required to be included in the Notice:
• How medical information is used and disclosed by an organization
• How to access and obtain a copy of their medical records
• A summary of patient rights and facility responsibilities under HIPAA
• How to file a complaint and contact information for filing a complaint

FACILITIES NOTICE OF PRIVACY PRACTICES
The patient has the right to receive a Notice of Privacy Practices:
• Must provide the notice at the first encounter with the patient
• Must attempt to obtain written acknowledgement of receipt of the Notice of Privacy Practices

MINIMUM NECESSARY
HIPAA Requirement:
• Identify members of the work group who need access to confidential information
• Identify what information can be accessed
• Limit access
WHAT GROUP DO YOU BELONG TO?
Complete Access:
• Clinical departments
• Health Information Management
• Students & Clinical Instructors: limited to assigned patients only
Limited Access:
• Admissions/Business Office
No Access:
• Departments or individuals whose job does not require any handling of PHI (Food Services, Environmental Services/Housekeeping)

DISCUSSIONS OF PHI
Staff will discuss patient information to share information and the treatment plan. Every effort should be made to protect the privacy of the patient by minimizing the risk that others can overhear the conversation.
The discussion of PHI should never occur in public areas such as the cafeteria or elevators.
Discussions can occur at the nursing station and with a patient in a treatment area.

MINIMUM NECESSARY
What can I access as a student or clinical instructor?
• Only the information you “NEED TO KNOW” to care for assigned patient(s)
• DO NOT access information when you are not assigning or the student is not caring for that patient any longer, or for any patients you are not assigned to care for

PATIENT RIGHT TO ACCESS
Patients have the right to:
• Access or inspect their health record
• Obtain a copy of their health record from the healthcare provider
• Reasonable fees may be charged for copying
• Access and copying for as long as the information is retained
• Facility must act on request for access no later than 10 days after receipt (Colorado Law)
• Students: Refer requests for access to the facility staff

PATIENTS’ RIGHT TO REQUEST PRIVACY RESTRICTIONS
The patient has the right to request that an organization restrict the use and disclosure (release) of their protected health information
• Can request restriction in use of information for treatment, payment or healthcare operation purposes (TPO)
• Organization is not required to agree with the request for restrictions
• Requests must be made in writing
• No staff-level individual should accept any requested restrictions
• Students: Refer requests for restrictions to the facility staff

PATIENTS’ RIGHT TO AMEND
Patients have the right to request an amendment to their PHI.
Amend is defined as the right to add/revise information with which s/he disagrees. The original information is not removed from the record but the amended/corrected information is added to the record.
Students: Refer requests for amendments to the facility staff

AS A STUDENT HOW DO I HANDLE….
An individual asking for access to their record?
• Students: Refer requests for access to the facility staff
The staff will follow up per specific facility policy

DISCLOSURE ??? WHAT IS IT???
The release, transfer, access or divulging of PHI (protected health information) to an outside person or entity
Students do not participate in this process

DISCLOSURE CAN OCCUR WITHOUT THE PATIENT’S CONSENT UNDER THE FOLLOWING CONDITIONS:
• When required by law
• For public health activities to control disease, injury or disability
• For disaster relief
• In cases of abuse and neglect
• For coroners, funeral directors and organ donation
• For legal proceedings
• For worker’s compensation
• In cases of communicable diseases

STUDENT RESPONSIBILITIES
In a patient room or exam room
• Knock before entering room
• Identify yourself as a student
• Close door after entering the room if okay with patient
• Ask visitors to leave the room unless patient requests otherwise
• Speak softly if roommate present
In a clinic or office setting
• Sign-in sheets should contain minimal amount of PHI
• Street address or reason for visit should not be on sign-in sheets

STUDENT RESPONSIBILITIES CONT…
At the Nurses’ Station
• Do not leave patient information, e.g. flow sheets, charts, sticky notes, lab reports or x-rays, out in the open where others may view it. When finished working on it, put it back where it belongs
• Shred all documents with PHI; do not put them in the garbage, and do not take them home
• When at the nurses’ station, speak softly when discussing PHI. It is best to use a private area to discuss the patient

STUDENT RESPONSIBILITIES CONT…
At the Computer
• Have the screen facing away from the public so it is not visible to patients, visitors and other unauthorized persons
• Always log off when leaving the computer
• Change the password on your computer if required by clinical facility
• Do not share your log-in information or password with anyone else. You are responsible for what is done under your log-in

STUDENT RESPONSIBILITIES CONT…
Using E-mail
• Always use protected, encrypted email to communicate with your faculty and clinical instructors
• Never use PHI in e-mail attachments or in the email itself for the following reasons:
  • E-mail can easily be sent to the wrong person, either on purpose or by accident
  • E-mail does not ensure privacy of information transmitted

STUDENT RESPONSIBILITIES CONT…
• Do not post PHI or discuss patients you have met on web-based chat rooms (MySpace, Facebook)
• Do not take photos of patients
• Do not photocopy medical records
At the Fax
• Students do not use the fax machine during the clinical experience

STUDENT RESPONSIBILITIES CONT…
Using an Interpreter
• When interpreter services are needed, follow clinical agency practice
In Public
• Never mention a patient’s PHI in public, as people are often watching and listening, and you never know who knows the patient
• Never carry, review, discuss or disclose a patient’s chart or PHI in a public place

SCENARIOS
• Following are scenarios to help you think through privacy-related situations in the clinical facilities
• After reading each scenario, think how you would answer the question before going to the next slide
• Scenario answers follow each scenario

SCENARIO #1
One of your fellow students, who had lab work done recently, called you from home and asked you to look up her lab results on the computer and give her the results.
Do you look up your fellow student’s lab results?

SCENARIO #1 ANSWER
No. Since you are not providing treatment to your fellow student, you are not permitted to look up her lab results and provide them to her. She needs to get this information from her doctor.
This applies to your own records as well.

SCENARIO #2
You see your fellow student reading through a patient's medical record. She is not providing treatment for this patient.
What do you do?

SCENARIO #2 ANSWER
Tell your clinical instructor. He/she will follow up with the student.
The clinical instructor then needs to notify the facility privacy officer of this action.

SCENARIO #3
Your sister’s close friend is having surgery at the organization where you are doing a clinical rotation. She asks you to find out what you can about the friend’s condition.
Should you call and ask around to the nurses you know? Should you look up the friend’s medical record?

SCENARIO #3 ANSWER
No. Even if you and your sister have the best intentions, you have no right to look at private information about her friend’s health. Suggest to your sister that she call the facility or visit the information desk. If the patient has agreed to have her information available, hospital staff will assist her in obtaining information on her friend.
Do not seek out confidential patient information unless you need it to do your job. When you happen to hear confidential information, do not repeat it to anyone.
Looking at patient records for any non-business reason is cause for disciplinary action and can have possible legal consequences.

SCENARIO #4
You are called to work in a patient's room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication.
What should you do?

SCENARIO #4 ANSWER
If you must do the job immediately to properly care for the patient, ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15-20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard.
Some patients may say that it is acceptable for you to stay in the room during the conversation. But remember that a patient may not feel comfortable sharing everything about his/her symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave. It would be best for you to come back later.

SCENARIO #5
You are working in the ER when you see that a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the hospital.
Should you notify her that her husband is in the ER?

SCENARIO #5 ANSWER
No. Tell the nursing staff that you know the patient and his wife. Tell them that if they need to locate her, you can help. When patients are in the hospital, they have the right to decide who should know that they are there.
Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the ER staff will allow him to decide whom to notify that he is there.
If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife.
Leave the decision up to the ER staff. They will let you know whether they need your help to find the patient’s wife.

SCENARIO #6
You are in the nurses’ station where the patients’ medical records are located in the chart rack. You spot the name of a close friend.
Should you stop by her room?

SCENARIO #6 ANSWER
No. If you learned of your friend’s stay only by seeing the name on a medical record on the chart rack, you should not go to her room.
You should inform your clinical instructor of your relationship with her so that you are not assigned to care for her.
If you find out from the patient or her family member that she is a patient there, feel free to visit her after your shift.

SCENARIO #7
You are walking by a trashcan and notice a pile of photocopied records has been laid on top of the trash.
How should you handle this?

SCENARIO #7 ANSWER
Don’t just take the records to a shredder or locked disposal container yourself. Gather the records and take them to your clinical instructor. He or she will report it to the Manager of the unit, who will investigate the incident and report it to the organization’s privacy officer.

SCENARIO #8
A woman provides the name of a patient and asks for information.
What can you tell her?

SCENARIO #8 ANSWER
Refer the woman to the information desk.
Check the facility directory. If the patient is listed in the directory, you can tell the woman the patient’s location.
If the patient has requested that his name not be included in the directory, you cannot give out any information about them to anyone or even acknowledge that they are here, regardless of the person’s relationship to the patient.

SCENARIO #9
At the nurses’ station, you are approached by someone asking to see a patient record.
What do you do?

SCENARIO #9 ANSWER
Refer to agency staff for clarification of identification and appropriateness of request.

WHAT HAPPENS IF….
A privacy policy is violated?
• Patients have the right to file a complaint, and
• Civil and criminal penalties could occur

PATIENT’S RIGHT TO FILE A COMPLAINT
The patient has the right to file a complaint if s/he believes privacy rights have been violated*
*Organization must provide contact information for filing a complaint

DOING YOUR PART
• Access confidential information ONLY if you need it to care for your patient.
• Protect your computer passwords
• Understand the facility’s privacy policies
• Report problems to the facility staff

AS A STUDENT
Patient identification
• Cannot use patients’ initials
• Need to assign a number to the patient for identification
Care plans
• Any notes with PHI gathered must be shredded after the assigned shift
• The use of PDAs or pocket PCs to RECORD patient information is not allowed

PENALTIES…….
Both criminal and civil penalties for:
• Failure to comply with HIPAA requirements
• Knowingly or wrongfully disclosing or receiving individually identifiable health information
• Obtaining information under false pretenses
• Obtaining information with intent to:
  • Sell or transfer it
  • Use it for commercial advantage
  • Use it for personal gain
  • Use it for malicious harm
Fines as high as $250,000 and prison sentence of up to 10 years

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT
FERPA refers to confidentiality with regard to students. Your information is also to be kept confidential and accessed only by those who need to know.
FERPA generally prohibits the improper disclosure of personally identifiable information derived from education records.

REFERENCES
HIPAA Programs from:
• Arapahoe Community College
• Craig Hospital
• Centura
• HCA-HealthONE
• Denver Health
• Presbyterian St. Luke’s
• Regis University