
HIPAA
For General Workforce
What you need to know
HIPAA Training Presentation for Management Workforce
The Catholic Health Initiatives Mission
Catholic Health Initiatives continues the journey begun by our
foundresses. Like these women religious, we continue the healing
ministry of Jesus Christ through the provision of health care in our
many communities. Our core values of reverence, integrity,
compassion and excellence guide us on this journey. We build
relationships based upon these core values. These relationships
enable us to assume the challenging role of caring for those most in
need, those least able to care for themselves.
Our core values and standards of conduct are the principles that guide us
in navigating the complexity of providing health care. At a minimum,
we are expected to follow all laws related to our responsibilities.
However, following the law is not enough. Our values call us to live by
an ethical standard that is greater than the law. We are responsible
for ensuring the privacy of an individual’s health information and are
entrusted with that information in order to provide the necessary care
and services. We have a duty to prevent the inappropriate use or
disclosure of an individual’s health information.
Course Objectives/Navigation
The objectives of this course are:
– To foster and maintain a culture of integrity.
– To develop individual and team character and virtue in the
workplace.
– To foster compliance with applicable federal and state laws and
regulations.
– To understand the policies and procedures in order to protect
health information.
Navigating this course:
Each course contains Cases to Consider, which are designed to help
improve your understanding of the course material. At the end of each
course you will take a Section Test. The Section Test is designed to
measure your understanding of the course material and is scored. You
will be required to successfully pass the Section Test.
You can use the arrows at the top and bottom of your screen to move
forward and backward through the course. For most people, this
course should take approximately 1 hour.
Education Objectives
• Understand the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations
• Understand the penalties for not complying
• Understand patients’ rights and health care workers’ role in protecting them
• Understand your responsibilities under HIPAA-related policies and procedures
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is a federal law imposed on all health care organizations, including:
• Hospitals, physician offices, home health agencies, nursing homes, and other health care providers
• Clearinghouses
• HMOs, private health plans, and public payers such as Medicare and Medicaid
The above organizations are considered Covered Entities under HIPAA.
HIPAA
• HIPAA consists of five main sections, or “titles.” The most important title for health providers is Title II, Administrative Simplification.
• The three main components of Title II include the following standards:
– Privacy
– Security
– Electronic Data Interchange
• The Privacy and Security standards will be reviewed in this module.
HIPAA Privacy Rule
HIPAA Privacy Rule
• Compliance date of April 14, 2003
• Gives patients federal rights to gain access to their medical records and restrict who sees their health information
• Requires organizations to take measures to safeguard patient health information
• Requires organizations to train members of the workforce on patients’ rights to privacy and control over their health information
• Punishes individuals and organizations that fail to keep patient health information confidential
The Privacy Official
A Privacy Official has been appointed by each covered entity to:
• Manage the development of the organization’s privacy standards, policies, and procedures
• Oversee training and education of workforce
• Enforce the rules and investigate violations
Myths about HIPAA
• Patients cannot be paged
• Organizations must get rid of all their semi-private rooms and put up sound barriers
• Organizations cannot put patient names outside their doors or use white boards
HIPAA does not require the above measures and these myths are not true.
Quiz Question
What type of rule is HIPAA?
a. a state law imposed only on hospitals
b. a federal law imposed on all health care organizations
c. a guideline set forth by the American Medical Association
d. an accreditation requirement
Answer: b. HIPAA is the first federal regulation that gives patients rights to gain access to their medical records and restrict who sees their health information.
Safeguarding Health Information
What is Confidential?
Any information about a patient written on paper, saved on a computer, or spoken, is protected health information (PHI), including:
• Name
• Address
• Age
• Social Security number
• Phone number
• E-mail address
• Diagnosis
• Medical history
• Medications
• Observations of health
• Medical record number
• And more...
Protect Patient Privacy “Do’s”
• Log off the computer when you’re finished
• Dispose of health information only by shredding or storing in locked containers for destruction
• Notify Security if you see an unescorted visitor in a private area
Protect Patient Privacy “Don’ts”
• Don’t leave patient records lying around
• Don’t discuss a patient in public areas such as elevators, hallways, and cafeterias
• Don’t look at information about a patient unless you need it to do your job
Rules for Computers “Do’s”
• Keep your password a secret
• Turn computer screens away from public view
• Change your password every 180 days or as required by internal policy
• Do not log into the system using someone else’s password
• Do not remove equipment, disks, or software without permission
Quiz Question
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it
Quiz Question
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above
Quiz Question
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above
Do You Need to Know? The Minimum Necessary Standard
Do You Need To Know?
HIPAA requires health care workers to use the minimum amount of health information they need to do their jobs efficiently and effectively.
Ask yourself:
• Do I need this information to do my job and provide good service?
• What is the least amount of information I need to do my job?
Do You Need to Know?
• Coders and billers need to look at certain portions of records to code and bill correctly
• Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them
• Housekeeping staff do not need to look at patient records to perform their job
Quiz Question
What question should you ask yourself before looking at health information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?
Quiz Question
Your sister’s friend just had triple bypass surgery at your organization. She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the information along to your sister
b. log in to the computerized record system and read the patient’s record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask around or look at his record, and suggest that she call one of her friend’s family members
d. none of the above
Authorization
Organizations must obtain authorization from a patient before using or sharing protected health information (PHI) for reasons other than treatment, payment, or health care operations.
Reasons other than treatment, payment or health care operations include:
– Marketing
– Fundraising
– Research
– Employment determinations
• A patient may revoke an authorization at any time by making a written request.
Examples of Treatment, Payment and Health Care Operations
• Treatment: doctors and nurses caring for patients; technicians performing tests
• Payment: billers sending out claims; coders applying codes to procedures
• Health care operations: quality assurance staff performing reviews; transcriptionists typing reports
Authorization Exceptions
An authorization is not necessary for uses or disclosures mandated by law such as:
• Reporting births, deaths, and communicable diseases to state agencies
• Giving certain information to the police for investigations, searches for missing people
• Responding to a court order, subpoena, or other lawful process
• Workers’ compensation
• Specialized government functions
• External health oversight agencies
• Public health activities
Quiz Question
When is the patient’s authorization to release information
required?
a. in most cases in which information is going to be shared
with anyone for reasons other than treatment, payment, or
health care operations
b. upon admission
c. when information is to be shared among two or more
clinicians
d. when information is used for billing a private insurer
Marketing and Fundraising
Marketing
In most cases, we may not use or disclose protected
health information (PHI) to market a product or
service without obtaining a valid authorization.
Defining Marketing
The following are not considered marketing under HIPAA and do not require an authorization:
• Descriptions of the organization and whether products or services are provided or covered
• Explanations of treatment alternatives
• Case management or care coordination
• Recommendations of alternative treatments, therapies, providers, or settings
• Reminders and disease management and wellness programs
Fundraising
We can use only the following information for fundraising purposes without patient authorization:
• Demographic information
• Dates of service
Opting Out
A patient has the right to revoke his/her authorization
and opt out of receiving future fundraising or
marketing communications
The Facility Directory
Unless a patient has asked not to be included in the directory, you may disclose the following information to visitors and callers who ask for a patient listed in the directory by name:
• Location (room number)
• General condition (e.g. stable, critical)
Directory Disclosures to Clergy
Clergy who have signed the Clergy Confidentiality Agreement do not have to ask for a patient by name and may receive:
• Names of patients listed in the directory with the same religious affiliation of the clergy making the request
• Locations
• General conditions
Quiz Question
What information about a patient who is listed in the directory can be disclosed to someone who asks for the patient by name?
a. room number and name of doctor
b. room number and general condition
c. general condition and prognosis
d. nothing
Individual Rights
Patients have the following rights under HIPAA:
• To know who has access to their health information and how it is used (Notice of Privacy Practices)
• To access and request an amendment to their health records in the designated record set (Access and Amendment)
• To request a list of people and organizations who have received his/her health information (Accounting of Disclosures)
• To request that we communicate with them by alternative means (Confidential Communications)
• To request restrictions for the use and disclosure of their health information (Request Restrictions)
• To complain to a covered entity, to the Secretary of HHS, or to the Office for Civil Rights (OCR)
Notice of Privacy Practices
• Provides individual notice of the ways the organization uses and shares an individual’s health information
• Explains an individual’s rights to confidentiality and access to his/her health information
• Is posted prominently in the organization
Right to Access
A patient has the right to inspect
and obtain a copy of his/her
designated record set, which
includes protected health
information (PHI) used in whole or
in part to make decisions about
the patient.
Designated Record Set
A designated record set is a group of records that may include:
• Health care provider medical and billing records
• Health plan enrollment, payment, claims adjudication and case or medical management records
Right to Request Amendments
A patient has the right to request
amendments to his/her
designated record set. However,
organizations are not required to
automatically make whatever
changes the patient requests.
Personal Representatives
Persons who have the authority
(under federal and state laws) to act
on behalf of a patient in making
health care decisions may have
access to the patient’s health
information as his/her personal
representative.
Personal Representatives for Minors
Parents, guardians, and others who have authority
(under federal and state laws) to act on behalf of a
minor in making health care decisions may have access
to the minor’s health information as his/her personal
representative
Accounting of Disclosures
A patient has the right to request a list of people and organizations who have received his/her health information.
The list does not have to include disclosures:
• For treatment, payment, and health care operations
• Authorized by the patient
• To the facility directory
• For national security
• Of “limited data set” information
Confidential Communications
A patient may ask to receive correspondence at an alternate location or by an alternate means.
Organizations must honor all reasonable requests such as:
• Sending mail to a P.O. Box or alternative location
• Calling the patient at work instead of home
• Using sealed envelopes instead of postcards
Complaints and Grievances
The Notice of Privacy Practices includes information on filing complaints:
• The name of the designated representative or department for handling grievances
• The representative’s phone number
• The steps for filing a formal complaint
The Formal Grievance Process
If a patient or personal
representative complains about a
breach of confidentiality or a
violation of a HIPAA rule, notify
your supervisor and contact the
representative listed on the Notice
of Privacy Practices.
Quiz Question
What should members of the workforce do if a patient complains that
her privacy was violated during her stay?
a. Notify their supervisor and the person or department responsible
for handling complaints listed on the Notice of Privacy Practices
b. Ask the patient to provide proof
c. Nothing—it’s not their job to handle complaints
d. None of the above
Quiz Question
Which of the following does the complaints section of the
Notice of Privacy Practices include?
a. the name of the designated representative or
department for handling grievances
b. the representative’s phone number
c. the steps for filing a formal complaint
d. all of the above
Confidentiality Agreement and Penalties
Confidentiality Agreement
By signing you agree to:
• Dispose of health information properly
• Follow the organization’s policies and procedures
• Use computers and information systems only for performing job duties
• Use confidential information only in performing job duties
• Share confidential information only with those who need the information to do their jobs
• Handle health records carefully to preserve individual privacy
Penalties for Breaking the Privacy Rules
• Criminal penalties under HIPAA: Maximum of 10 years in jail and a $250,000 fine for serious offenses
• Civil penalties under HIPAA: Maximum fine of $25,000 per violation
• Organization actions: Employee disciplinary actions including suspension and/or termination for serious violations of the organization’s policies and procedures
HIPAA Security Rule
• Compliance date of April 20, 2005
• Applies to the same covered entities described in the Privacy Rule section.
• Applies to protected health information (PHI) that is electronically sent from one location to another or stored by the facility.
• Identifies steps to take to secure electronic PHI.
Information Security
• A Security Official has been appointed with responsibility to:
– Make sure the covered entity complies with the security standards, and
– Provide training to all system users at the facility.
Information Security
• The Security Rule has three key areas that work together to protect PHI. These include:
– Physical safeguards
– Technical safeguards
– Administrative safeguards
Physical Safeguards
• The purpose of physical safeguards is to help protect the physical computer systems and related buildings and equipment from unauthorized access, fire, and other natural and environmental hazards.
• Some physical safeguards were discussed in the privacy section of this course. These included access to computer systems, workstations, and the use of passwords.
Technical Safeguards
Technical safeguards focus on the steps and procedures that must be in place to:
• Protect the integrity of electronic PHI
• Control access
• Record and examine system activity
• Validate the identity and authorization of users
• Protect electronic PHI transmitted over a communications network
Technical Safeguard Examples
– Unique user IDs
– Reliable user authentication – typically passwords
– Authorization to access information
– Automatic computer logoff (inactivity timeout)
– Firewalls
– Log capture and monitoring
Passwords, the First Layer of Protection
Password usage:
• Generic User IDs are not permitted except in special circumstances.
• User ID access must be changed immediately upon a User’s transfer to a different role in the organization.
• All User ID passwords must change at least once every 180 days or as required by policy. Systems should be set to automatically force password changes.
• When changing passwords, a User must not create passwords that are identical to his or her previous eight passwords.
Passwords, the First Layer of Protection
Password Syntax Rules
• Passwords must be at least six characters in length and
– have a minimum of four alphabetic characters.
– have a minimum of two numeric characters (0 through 9).
• Passwords may include no more than two consecutively repeated characters.
• NOTE: The use of control characters and other non-printing characters is not permitted because they may cause network or system problems.
Passwords, the First Layer of Protection
Examples of passwords:
• Good / strong passwords:
– 15djOth (15 dogs jumped over the house)
– Cft6vgy& (keyboard pattern)
• Poor / weak passwords:
– Orange
– Skipper
– BobH
Passwords, the First Layer of Protection
Password Selection Rules
• Choose passwords that are difficult to guess.
• Passwords must not be related to the user’s job or personal
life. For example, do not use names of family members or
pets as a password.
• Personal information that is easily obtainable, including date
of birth, license plate number, telephone number, Social
Security number, make of automobile or home address must
not be used as a password.
• The first, middle or last name of the user should not be used
to construct a password.
• User IDs must not be used as a password in any form.
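The syntax, history and selection rules above, expressed as a checker so the effect of each rule on a candidate password can be seen. This is an added example, not part of the training module or any CHI tooling; the user_id, personal_info and history inputs are assumptions about what an account system would supply, and the module's own example passwords are used as test input.

```python
import re
import string
import unicodedata

# Thresholds taken from the module's Password Syntax Rules and history rule.
MIN_LENGTH = 6      # at least six characters
MIN_ALPHA = 4       # at least four alphabetic characters
MIN_DIGITS = 2      # at least two numeric characters (0 through 9)
MAX_REPEAT = 2      # no more than two consecutively repeated characters
HISTORY_DEPTH = 8   # must not be identical to any of the previous eight passwords


def check_password(candidate, user_id="", personal_info=(), history=()):
    """Return the list of rules the candidate breaks; an empty list means it is acceptable.

    user_id       - login name; must not appear in the password in any form
    personal_info - strings such as names, date of birth or phone number that
                    must not be used to build the password (assumed input)
    history       - earlier passwords, most recent first; only the last
                    HISTORY_DEPTH entries are compared (assumed input)
    """
    problems = []

    # Control and other non-printing characters are not permitted at all.
    if any(unicodedata.category(ch).startswith("C") for ch in candidate):
        problems.append("contains control or non-printing characters")

    # Syntax rules.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(ch in string.ascii_letters for ch in candidate) < MIN_ALPHA:
        problems.append(f"fewer than {MIN_ALPHA} alphabetic characters")
    if sum(ch in string.digits for ch in candidate) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric characters")
    # Three or more identical characters in a row exceed the repeat limit.
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, candidate, re.DOTALL):
        problems.append(f"more than {MAX_REPEAT} consecutively repeated characters")

    # Selection rules: nothing derived from the user ID or personal details.
    # "In any form" is interpreted here as case-insensitive, forwards or reversed.
    lowered = candidate.lower()
    uid = user_id.lower()
    if uid and (uid in lowered or uid[::-1] in lowered):
        problems.append("contains the user ID")
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item!r})")

    # History rule: compare against the last HISTORY_DEPTH passwords only.
    # A production system would verify against stored hashes, not plaintext.
    if candidate in list(history)[:HISTORY_DEPTH]:
        problems.append(f"identical to one of the previous {HISTORY_DEPTH} passwords")

    return problems


def is_acceptable(candidate, **kwargs):
    """True when no rule is broken."""
    return not check_password(candidate, **kwargs)


if __name__ == "__main__":
    # The module's own example passwords plus two constructed edge cases.
    samples = ["15djOth", "Cft6vgy&", "Orange", "Skipper", "BobH",
               "aaab12cd", "15djOth\t"]
    for pw in samples:
        verdict = check_password(pw)
        print(f"{pw!r:14} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Run against the module's examples, the checker accepts 15djOth and rejects Orange, Skipper and BobH, but it also rejects Cft6vgy&, because the syntax rules as written require two digits and that example contains only one.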
Administrative Safeguards
Under the Security Rule, policies and procedures must be in place that define the steps to address:
• Adding, changing or deleting user access based on job responsibilities or if user terminates employment
• Use and assignment of individual user IDs and passwords
• How to access the computer system and/or electronic PHI in the event of an emergency
Quiz Question
Which of the following is NOT a key area of the HIPAA Security Rule?
a. Physical safeguards
b. Technical safeguards
c. Documentation safeguards
d. Administrative safeguards
Quiz Question
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it
appropriately
d. never
Quiz Question
Which of the following choice of passwords is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678
What Should You Do?
Case #1
You are called to work in a patient’s room to perform
a routine job. You knock on the door and are
invited in. You see that a nurse is in the room
discussing the patient’s condition or medication.
What should you do?
Case #1 Answer
If you must do the job immediately ask whether you can interrupt. If the job
can wait, explain that you are there to perform a routine job and will
return in 15 or 20 minutes. This protects the patient’s privacy by
allowing him/her to openly discuss his/her condition without being
overheard.
Some patients may say that it is acceptable for you to stay in the room
during the conversation. But remember that patients may not feel
comfortable sharing everything about their symptoms or medical
history while you are in the room. They also might not feel comfortable
asking you to leave.
Case #2
A visitor tells you she is at the organization to
work on the computers and wants you to
point the way to the system. How do you
respond?
Case #2 Answer
The best response is to ask the repairwoman who
at the organization contacted her. Find that
person. He or she can take the repairwoman to
the appropriate work area.
Case #3
You are walking by a trash can and notice a pile
of photocopied health records has been laid
on top of the trash can. How should you
handle this?
Case #3 Answer
Gather the records and take them to your
supervisor. He or she will report it to the
organization’s Privacy Official to determine
why the records were not destroyed.
Case #4
You are working on a nursing unit and see the
name of a friend on a white board. Should you
stop by her room?
Case #4 Answer
If you learned of your friend’s stay only by looking at
the white board, you should not go to her room
unless your job responsibilities take you there.
If you find out from the patient or her family member
that she is a patient at the facility, feel free to visit
her. Be sure to follow the visitor policies.
Case #5
A co-worker is having trouble logging in to the
organization’s system. She asks for your
login name and password so she can use
them. Should you share them with her?
Case #5 Answer
No. The HIPAA security standards require the use of
individual passwords for each workforce member with
access to health information stored in the computer
system. The organization keeps track of the records
you gain access to based on the login name and
password you use to enter the system. If you let others
use your name and password, you are breaking
HIPAA’s rules and the organization’s policy, and you
may be held responsible if the co-worker gains access
to patient information inappropriately.
Case #6
You have a hard time remembering your
password for the computerized record
system. Should you jot it down on a
piece of paper and stick it in your desk
drawer?
Case #6 Answer
No. Even if your desk drawer remains locked, it is
not appropriate to keep it in your desk.
If you have a hard time remembering your
password, select a password that meets your
organization’s criteria, but is easy for you to
remember.
Test Your Understanding
Question #1
A man comes into the organization and tells you he is
supposed to work on the computers and wants you to open
a door for him or point the way to a workstation. How
should you respond to this request?
a. provide him with the information or access he needs
b. ask him who at the organization hired him and find that
person for assistance
c. call the police
d. none of the above
Question #2
Your sister’s friend just had triple bypass surgery at your organization.
She asks you to find out his prognosis. What should you do?
a. ask a nurse on the floor how the patient is doing and pass the
information along to your sister
b. log in to the computerized record system and read the patient’s
record to find information for your sister
c. explain that it is a violation of the patient’s privacy for you to ask
around or look at his record, and suggest that she call one of her
friend’s family members
d. none of the above
Question #3
When are you free to repeat a patient’s private health information that you hear on the job?
a. after you no longer work at the organization
b. after a patient dies
c. if you know the patient would not mind
d. when your job requires it
Question #4
You see an open recycling bin full of paper. You can see
names, addresses, and diagnoses on the paper. What
should you do?
a. nothing
b. bring it to your supervisor or the Privacy Official so he or
she can dispose of it properly and determine why it was put
there
c. read the report and try to figure out what workforce
member disposed of it improperly
d. none of the above
Question #5
What question should you ask yourself before looking at patient information?
a. Would the patient mind if I looked at this?
b. Do I need to know this to do my job?
c. Can anyone see what I’m doing?
d. Am I curious?
Question #6
When is the patient’s authorization to release information
required?
a. in most cases in which information is going to be
shared with anyone for reasons other than treatment,
payment, or health care operations
b. upon admission
c. when information is to be shared among two or more
clinicians
d. when information is used for billing a private insurer
Question #7
When is it acceptable to share your password?
a. when your co-worker forgets his password
b. when it saves time
c. when you know you can trust the person to use it
appropriately
d. never
Question #8
Which of the following is protected health information under HIPAA?
a. the patient’s address
b. the patient’s allergies
c. the patient’s medical record number
d. all of the above
Question #9
Which of the following types of information does HIPAA’s privacy rule protect?
a. patient information in electronic form
b. patient information communicated orally
c. patient information in paper form
d. all of the above
Question #10
What should members of the workforce do if a patient
complains that her privacy was violated during her stay?
a. Notify their supervisor and the person or department
responsible for handling complaints listed on the Notice of
Privacy Practices
b. Ask the patient to provide proof
c. Nothing—it’s not their job to handle complaints
d. None of the above
Question #11
Which of the following does the complaints section of the
Notice of Privacy Practices include?
a. the name of the designated representative or
department for handling grievances
b. the representative’s phone number
c. the steps for filing a formal complaint
d. all of the above
Question #12
Which of the following choice of passwords is best to use?
a. AlSm!th
b. 15djOth
c. Terry
d. 12345678
Course Summary
This course linked your everyday job functions with their effect on the organization’s privacy and
security practices and compliance with the Health Insurance Portability and Accountability Act
(HIPAA). The HIPAA requirements discussed throughout this course included:
– Understanding the purpose of HIPAA regulations.
– Safeguarding written, oral and electronic information.
– Knowing the steps to protect privacy.
– Understanding the role of the Privacy and Security Officials in your organization.
The intent of this course was to educate staff members and make them more aware of how their
everyday activities affect their organization’s HIPAA compliance. Through this course, you were
empowered to protect the privacy of those we serve and prevent violations of confidentiality.
Our purpose for asking you to take this course was not only to help you become familiar with some of
the current laws and regulations associated with HIPAA, but also to reinforce the mission of
Catholic Health Initiatives (CHI). CHI is built upon a foundation of integrity. All of the women and
men who have gone before us tried to ensure that, regardless of the challenges they faced, CHI
would truly minister to and be worthy of trust by their communities. It is our ethical duty to continue
this mission at CHI. Knowledge from this course is one tool that assists us in fulfilling that mission.
Thank you for taking this course.