HIPAA - Colorado Center for Nursing Excellence


Alliance for Clinical Education (ACE)
Student HIPAA Training
July 2008

Objectives
• Describe the HIPAA Privacy rules and regulations
• Identify patients’ rights and your role in protecting them
• Discuss your responsibilities under HIPAA-related policies and procedures
• Explain the penalties for non-compliance

Protecting Patient Privacy IS EVERYONE’S RESPONSIBILITY

Your Responsibilities
• Respect the patient’s right to privacy
• Know the facility’s privacy policies
• Be sensitive

Definitions
• HIPAA – the Health Insurance Portability and Accountability Act of 1996. A federal law that specifies the types of measures required to protect the security and privacy of personally identifiable health information.
• Patient Confidentiality – keeping information about a patient’s health care private. The information is shared only with those who need to know in order to perform their duties on behalf of the patient.

Definitions continued…
• Protected Health Information (PHI) – medical information that can be traced to, or identified with, a particular patient. PHI is information created or received by a health care organization that relates to the past, present, or future health or condition of an individual.
• Transaction – the exchange of information between two parties to carry out financial or administrative activities related to health care.

HIPAA
• What is it?
“Patients have the right to have health information kept private and secure”
HIPAA is mandatory; there are penalties for failure to comply

Covered Information
• Confidentiality and Privacy
All protected, identifiable health information (PHI) must be considered and treated as confidential, and all patients have the right to request restrictions on who will see their PHI.
• Security
Establishes the requirements for ensuring the confidentiality, availability and integrity of PHI

Patients have the Right to:
• Expect privacy and freedom from intrusions or disturbances regarding his/her personal affairs.
• Expect that all communications and records concerning his/her care will be treated as confidential. Information will be shared only with those who need to know the information to perform their duties on behalf of the patient.
• Review the records pertaining to his/her medical care.

What must be Kept CONFIDENTIAL?

Confidential? How do I know?
• Did you learn the information through caring for your patient?
• If yes, then consider it confidential

Understanding PHI (Protected Health Information)
• Protected Health Information
  • Is created by a health care provider
  • Is information for which there is a reasonable basis to believe it could be used to identify the patient
  • Relates to past, present or future physical or mental condition of an individual; provision of healthcare or for payment of care provided to an individual
  • Is transmitted or maintained in any form (electronic, paper or oral representation)

Privacy Protected Elements
Health information is considered individually identifiable if any of the following are present:
• Name
• Full address
• Names of relatives
• Name of employers
• Birth date
• Telephone numbers
• Fax numbers
• Electronic e-mail addresses
• Social security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, code that could be used to identify the patient

Patient’s Right to Receive Notice of Privacy Practices
• Items required to be included in the Notice:
  • How medical information is used and disclosed by an organization
  • How to access and obtain a copy of their medical records
  • A summary of patient rights and facility responsibilities under HIPAA
  • How to file a complaint and contact information for filing a complaint

Facility’s Notice of Privacy Practices
• The patient has the right to receive a Notice of Privacy Practices:
  • Must provide the notice at the first encounter with the patient
  • Must attempt to obtain written acknowledgement of receipt of the Notice of Privacy Practices

Minimum Necessary
• HIPAA Requirement:
  • Identify members of the work group who need access to confidential information
  • Identify what information can be accessed
  • Limit access

WHAT GROUP DO YOU BELONG TO?
Complete Access:
• Clinical departments
• Health Information Management
• Students: limited to assigned patient only
Limited Access:
• Admissions/Business Office
No Access:
• Departments or individuals whose job does not require any handling of PHI (Food Services, Environmental Services/Housekeeping)

Discussions of PHI
• Staff will discuss patient information to share information and the treatment plan. Every effort should be made to protect the privacy of the patient by minimizing risk that others can overhear the conversation.
• The discussion of PHI should never occur in public areas such as the cafeteria or elevators.
• Discussions can occur at the nursing station and with a patient in a treatment area.

Minimum Necessary
• What can I access as a student?
  • Only the information you “NEED TO KNOW” to care for assigned patient
  • DO NOT access information when you are not caring for that patient any longer or for any patients you are not assigned to care for

Patient’s Right to Access
• Patients have the right to:
  • Access or inspect their health record
  • Obtain a copy of their health record from the healthcare provider
• Reasonable fees may be charged for copying
• Access and copying for as long as the information is retained
• Facility must act on request for access no later than 10 days after receipt (Colo. Law)
• Students: Refer requests for access to the facility staff

Patient’s Right to Request Privacy Restrictions
• The patient has the right to request an organization restrict the use and disclosure (release) of their protected health information
• Can request restriction in use of information for treatment, payment or healthcare operation purposes (TPO)
• Organization is not required to agree with the request for restrictions
• Requests must be made in writing
• No staff level individual should accept any requested restrictions
• Students: Refer requests for restrictions to the facility staff

Patient’s Right to Amend
• Patients have the right to request an amendment to their PHI
• Amend is defined as the right to add/revise information with which s/he disagrees. The original information is not removed from the record but the amended/corrected information is added to the record.
• Students: Refer requests for amendments to the facility staff

As a Student How do I Handle…
• An individual asking for access to their record?
• Students: Refer requests for access to the facility staff
The staff will follow up per specific facility policy

Disclosure: What is it?
• The release, transfer, access or divulging of PHI (protected health information) to an outside person or entity
• Students do not participate in this process

Disclosure can occur without the patient’s consent under the following conditions:
• When required by law
• For public health activities to control disease, injury or disability
• For disaster relief
• In cases of abuse and neglect
• For coroners, funeral directors and organ donation
• For legal proceedings
• For worker’s compensation
• In cases of communicable diseases

Student Responsibilities
• In a patient room or exam room
  • Knock before entering room
  • Identify yourself as a student
  • Close door after entering the room
  • Ask visitors to leave the room unless patient requests otherwise
  • Speak softly if roommate present
• In a clinic or office setting
  • Sign in sheets should contain minimal amount of PHI
  • Street address or reason for visit should not be on sign in sheets

Student Responsibilities cont…
• At the Nurses’ Station
  • Do not leave patient information, e.g. flow sheets, charts, sticky notes, lab reports or x-rays out in the open where others may view. When finished working on it, put it back where it belongs
  • Shred all documents with PHI, do not put in garbage, do not take them home
  • When at the nurses’ station, speak softly when discussing PHI. It is best to use a private area to discuss the patient

Student Responsibilities cont…
• At the Computer
  • Have screen facing away from the public so it is not visible to patients, visitors and other unauthorized persons
  • Always log off when leaving the computer
  • Change the password on your computer if required by clinical facility
  • Do not share your log-in information or password with anyone else. You are responsible for what is done under your login

Student Responsibilities cont…
• Using E-mail
  • Always use protected, encrypted email to communicate with your faculty and clinical instructors
  • Never use PHI in e-mail attachments or in the email itself, for the following reasons:
    • E-mail can easily be sent to the wrong person, either on purpose or by accident
    • E-mail does not ensure privacy of information transmitted

Student Responsibilities cont…
• Do not post PHI or discuss patients you have met on web-based chat rooms (My Space, Facebook)
• Do not take photos of patients
• Do not photocopy medical records
• At the Fax
  • Students do not use the fax machine during the clinical experience

Student Responsibilities cont…
• Using an Interpreter
  • When interpreter services are needed, follow clinical agency practice
• In Public
  • Never mention a patient’s PHI in public: people are often watching and listening, and you never know who knows the patient
  • Never carry, review, discuss or disclose a patient’s chart or PHI in a public place

Scenarios
• Following are scenarios to help you think through privacy related situations in the clinical facilities
• After reading each scenario, think how you would answer the question before going to the next slide
• Scenario answers follow each scenario

Scenario #1
• One of your fellow students, who had lab work done recently, called you from home and asked you to look up her lab results on the computer and give her the results.
• Do you look up your fellow student’s lab results?

Scenario #1 Answer
• No. Since you are not providing treatment to your fellow student, you are not permitted to look up her lab results and provide them to her. She needs to get this information from her doctor
• This applies to your own records as well

Scenario #2
• You see your fellow student reading through a patient's medical record. She is not providing treatment for this patient.
• What do you do?

Scenario #2 Answer
• Tell your clinical instructor. He/she will follow up with the student.
• The clinical instructor then needs to notify the facility privacy officer of this action

Scenario #3
• Your sister’s close friend is having surgery at the organization where you are doing a clinical rotation. She asks you to find out what you can about the friend’s condition. Should you call and ask around to the nurses you know? Should you look up the friend’s medical record?

Scenario #3 Answer
• No. Even if you and your sister have the best intentions, you have no right to look at private information about her friend’s health. Suggest to your sister that she call the facility or visit the information desk. If the patient has agreed to have her information available, hospital staff will assist her in obtaining information on her friend.
• Do not seek out confidential patient information unless you need it to do your job. When you happen to hear confidential information, do not repeat it to anyone.
• Looking at patient records for any non-business reason is cause for disciplinary action and can have possible legal consequences.

Scenario #4
• You are called to work in a patient's room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication.
• What should you do?

Scenario #4 Answer
• If you must do the job immediately to properly care for the patient, ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15-20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard
• Some patients may say that it is acceptable for you to stay in the room during the conversation. But remember that a patient may not feel comfortable sharing everything about his/her symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave. It would be best for you to come back later.

Scenario #5
• You are working the ER when you see that a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the hospital.
• Should you notify her that her husband is in the ER?

Scenario #5 Answer
• No. Tell the nursing staff that you know the patient and his wife. Tell them that if they need to locate her, you can help. When patients are in the hospital, they have the right to decide who should know that they are there. Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the ER staff will allow him to decide whom to notify that he is there.
• If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife. Leave the decision up to the ER staff. They will let you know whether they need your help to find the patient’s wife.

Scenario #6
• You are in the nurses’ station where the patients’ medical records are located in the chart rack. You spot the name of a close friend.
• Should you stop by her room?

Scenario #6 Answer
• No. If you learned of your friend’s stay only by seeing the name on a medical record on the chart rack, you should not go to her room.
• You should inform your clinical instructor of your relationship with her so that you are not assigned to care for her.
• If you find out from the patient or her family member that she is a patient there, feel free to visit her after your shift.

Scenario #7
• You are walking by a trashcan and notice a pile of photocopied records has been laid on top of the trash.
• How should you handle this?

Scenario #7 Answer
• Don’t just take the records to a shredder or locked disposal container yourself. Gather the records and take them to your clinical instructor. He or she will report it to the Manager of the unit who will investigate the incident and report it to the organization’s privacy officer.

Scenario #8
• A woman provides the name of a patient and asks for information.
• What can you tell her?

Scenario #8 Answer
• Refer the woman to the information desk
• Check the facility directory. If the patient is listed in the directory, you can tell the woman the patient’s location.
• If the patient has requested that his name not be included in the directory, you cannot give out any information about them to anyone or even acknowledge that they are here, regardless of the person’s relationship to the patient.

Scenario #9
• At the nursing station, you are approached by someone asking to see a patient record.
• What do you do?

Scenario #9 Answer
• Refer to agency staff for clarification of identification and appropriateness of request.

What Happens If…
• A privacy policy is violated?
  • Patients have the right to file a complaint and
  • Civil and criminal penalties could occur

Patient’s Right to File a Complaint
• The patient has the right to file a complaint if s/he believes privacy rights have been violated*
*Organization must provide contact information for filing a complaint

Doing Your Part
• Access confidential information ONLY if you need it to care for your patient.
• Protect your computer passwords
• Understand the facility’s privacy policies
• Report problems to the facility staff

As a Student
• Patient identification
  • Cannot use patient’s initials
  • Need to assign a number to the patient for identification
• Care plans
  • Any notes with PHI gathered must be shredded after the assigned shift
• The use of PDAs or pocket PCs to RECORD patient information is not allowed

Penalties…
• Both criminal and civil penalties for:
  • Failure to comply with HIPAA requirements
  • Knowingly or wrongfully disclosing or receiving individually identifiable health information
  • Obtaining information under false pretenses
  • Obtaining information with intent to:
    • Sell or transfer it
    • Use it for commercial advantage
    • Use it for personal gain
    • Use it for malicious harm
• Fines as high as $250,000 and prison sentence of up to 10 years

References
• HIPAA Programs from:
  • ACC
  • Craig Hospital
  • Centura
  • HCA-HealthONE
  • Denver Health
  • P/SL
  • Regis University