HIPAA Basics: Privacy

Upload: jaheim-stringer

Post on 14-Dec-2015

Page 1: HIPAA Basics: Privacy. HIPAA Basics2 2 The History of HIPAA   As health care providers, we have always been called upon to maintain the privacy and

HIPAA Basics: Privacy

The History of HIPAA

As health care providers, we have always been called upon to maintain the privacy and confidentiality of patient health information.

This is an ethical and legal obligation that we hold as nurses and as nursing students.

Until recently, patient medical records were recorded and maintained primarily on paper.

Records were then filed and stored in physician offices, hospitals, and other health care areas. These records were kept safe in locked cabinets or closets.

The History of HIPAA

With increasing technology, we are able to maintain electronic files that allow more flexibility in communicating information.

It is now easier to quickly share records between offices, clinics, and hospitals which results in minimized storage requirements.

In addition, we are better able to track and analyze data that helps improve quality of care while controlling costs.

Information Accessibility

According to the American Health Information Management Association (AHIMA), an average of 150 people have access to patient medical records during a typical hospitalization.

This may include: nursing staff, housekeeping, x-ray technicians, physicians, food service staff, billing clerks, etc.

Because so many people have access to patient information, it is our responsibility to ensure that medical files are accessed only by those needing that information to provide care.

The History of HIPAA

The U.S. Federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information.

This Federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).

The History of HIPAA

HIPAA went into effect on April 14, 2003.

It sets forth minimum standards that all facilities must follow to protect patient information.

The key term associated with these privacy rules is Protected Health Information or PHI.

PHI covers all of the following:

• Information used within a facility
• Verbal or written information
• Information stored in computer files
• Patient information stored in paper files
• Data shared between providers, payers or third parties

Failure to Comply

• Every health care organization is expected to develop policies and procedures to guide HIPAA practices within their facility.

• Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential.

• Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to $250,000!) and civil or criminal charges (up to 10 years in jail!).

• Failure to comply may also:
  • hurt the reputation of the facility
  • put accreditation at risk
  • result in costly lawsuits

HIPAA Goal

The goal of the HIPAA privacy program is to protect confidential information from improper use or disclosure.

What does this mean to you?

Administrative Requirements

Every agency must:

• Appoint a Privacy Officer.
• Develop policies and procedures that guide HIPAA implementation, evaluation and revision. These must include actions taken for those who do not follow the directives.
• Provide education on HIPAA and organizational policies/procedures.
• Develop a process for handling privacy related complaints.
• Ensure no retaliation occurs against someone who reports potential violations in good faith.
• Take appropriate action to minimize any harm that may result from breach of privacy.
• Ensure processes are in place to demonstrate compliance with documentation and record keeping.

YOUR Responsibility

You must protect confidential information about patients and use information only to perform your role as a student nurse in that agency.

It is your responsibility to be sure patient information is only disclosed to others who have a legal right to it.

What information needs to be kept private?

All information that identifies an individual is considered confidential.

This includes (but is not limited to): name, address, date of birth, phone/fax number, SS number, medical record or hospital number, room number, photographs, etc.

It also includes: nursing and physician notes, treatment plans, and billing/insurance records

HIPAA Patient Rights

HIPAA guarantees these rights to patients:

• Right to privacy
• Right to confidential use of protected health information (PHI) for treatment, billing, and other health care operations (such as quality improvement)
• Right to access and amend their health information upon request
• Right to provide specific authorization for use of their health information other than for treatment, billing and other operations
• Right to have their name withheld from patient directories (having their name not listed as being present in a facility other than for treatment, billing, and other operations)
• Right to request that information concerning their care is not released to specific individuals
• Right to request that specific individuals are not told of their presence in a facility

HIPAA Patient Rights

Every patient should receive a document called a Notice and be asked to sign an Authorization.

This Notice gives patients:

• Information about their rights.
• A description of how their PHI may be used by the facility.
• A comprehensive list of others to whom their health information may be disclosed.

The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation.

HIPAA Patient Rights

An Authorization is a form signed by the patient for use and disclosure of specific PHI that are not related to treatment, payment, or health care operations.

There are some uses and disclosures where an authorization is not required.

When in doubt about information for which a signed authorization is required….

~ Please ASK your instructor ~

HIPAA Patient Rights

What do YOU need to know?

Patients have the right to register complaints with Federal agencies and with the facility if they feel their rights have been violated.

Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation.

If you are uncertain about what information may be given out, talk to your instructor, a nurse on the unit where you are assigned, or contact the Privacy Officer.

Review Question

The goal of HIPAA is to catch staff sharing patient protected health information (PHI) with those who do not need the information....

True or False?

To see the correct answer, click NEXT.

Answer

FALSE

The goal of HIPAA is to protect confidential patient information from improper use or disclosure.

If you see an apparent violation, you should report it to your instructor who will immediately assist you in contacting the Privacy Officer.

Unauthorized Disclosures

One of the biggest threats to patient privacy is UNINTENTIONAL disclosure of information ~ Examples include:

Discussing patient information where other patients, visitors or staff may overhear ~ such as in elevators, hallways, dining facilities, or other common areas.

Leaving sensitive information in a location where patients or visitors could possibly see it.

Unauthorized Disclosures

Another threat to patient privacy is when a staff member intentionally uses or discloses information in an unauthorized way:

Copying information and taking it home

Removing medical records and giving them to those with no legal right of possession

Deliberately sharing information with unauthorized persons (family members, friends, colleagues, news reporters, etc.)

Using confidential information to gossip about patients

Leaving a computer unattended after logging in to an application

Sharing passwords with others or leaving passwords around a computer

Unauthorized Disclosures

Always be cognizant of:

• Where you are
• Who is around you
• What information can be seen or heard
• How you can “minimize possible incidental disclosure to others”

You must ensure that PHI is only shared:

• With those who need to know
• At the minimum level necessary
• In order to provide safe, effective, and efficient care

As a Student Nurse:

• Don’t browse through patient charts or files out of curiosity
• Access only the portions of the medical record that you need to perform your role as a student nurse

It is essential that everyone with access to PHI be aware of what is going on in their surroundings.

Review Question

One of the privileges of working in healthcare is that we have access to our friends’ and families’ PHI so we know when they have an illness….

True or False?

To see the correct answer, click on NEXT.

Answer

FALSE

We do not have a right to access health information for anyone, including family members, unless it is essential for patient care.

If you inadvertently view/hear patient information that is not necessary for you to provide care, you cannot share that information with anyone else.

Verify Identity

Before you can legally release PHI (in person, by phone, or in writing):

• You must confirm the identity of the person requesting
• Determine if the requesting person is entitled to the information
• Verify what specific information this person is permitted to have

How can you verify identity?

• A photo ID
• Password chosen by patient to ensure confidentiality
• Information known by those close to patient & who are permitted to access PHI (i.e., middle name, DOB, mother’s maiden name, name of HS/College, etc.)

Security Rules

Privacy Rules (which we have been discussing up to this point) identify what information is protected and define how and when PHI may be used or disclosed.

Security Rules (used in addition to Privacy Rules) apply to PHI that is sent electronically. These rules govern PHI that is being transmitted, used, or stored in electronic format.

KEY COMPONENTS

1. Physical Security: protects computer hardware, wiring, systems, areas, and buildings

2. Technical Security: determines the type of information that may be accessed by individuals via computer

3. Technical Security Mechanisms: automatically monitor computer systems and report suspicious activity

4. Administrative Procedures: outline steps taken by the facility to enforce Security Rules

These define the basic level of security that must be in place to comply with HIPAA.

Electronic Communication

In order to protect PHI, it is important for us to understand how information is stored, transmitted, and utilized.

Examples are: Faxes, Emails, Computer Reports

As STUDENTS, if you are placed in a situation that requires you to email or fax PHI, consult your instructor about the proper procedure.

Be especially mindful that any clinical information/communication is delivered to the intended person or destination!

Case Scenario

Dr. Williams asks Sue, a nurse, to bring up patient lab results on the computer at the nurse’s station. He does not see anyone in the area and he asks Sue to turn the monitor around so he can see it. There is no one near the desk when the screen is turned toward him. When Dr. Williams is finished, Sue turns the screen back around, away from public view.

Dr. Williams and Sue violated HIPAA by turning the screen and viewing the lab results….

True or False?

To see the correct answer, click NEXT.

Case Answer

FALSE

Because they took the time to examine their surroundings and make certain no unauthorized persons were near, they did NOT violate HIPAA. Turning the screen around and then returning it to a secure position is an acceptable practice.

If there were visitors or other staff present, the doctor would have to go behind the desk and view the screen.

Paper Communication

During your clinical experiences, you will encounter many documents that contain confidential information (PHI).

It is YOUR responsibility to keep these documents out of public view!

At your clinical site, NEVER leave documents where they may be accessed by unauthorized persons ~ even accidentally.

Faculty often utilize visitor lounges, conference rooms, or other common areas for post-clinical discussion. In these public areas, it is especially important that you do not have papers/medical information where it could be seen by others.

When you are finished with documents containing patient information, DISPOSE of them in designated containers ONLY!

Case Question

Julie is a nurse entering information into a patient chart at the nurse’s station where visitors often come to ask questions. Jeff, another nurse, steps out of a patient room and asks Julie for help. Julie leaves the chart open on the desk, then goes to assist Jeff in the patient’s room.

Leaving the chart open on the desk is OK since the nurse will be right back and trying to find her place would waste too much time….

True or False?

To see the correct answer, click NEXT.

Case Answer

FALSE

The best way to maintain patient confidentiality is to NEVER leave records open & unattended. Closing the chart is a good first step.

In a non-emergent situation, always return the chart to its designated location before leaving the area.

In an emergency, secure the chart using your professional judgment, then assist with the emergency.

Verbal Communication

Nursing is a collaborative team effort and is never practiced in isolation. As a result, there are many times when you will NEED to discuss patient information with colleagues.

What should you do then?

REMEMBER:

• Only discuss information relevant to patient care
• Include only individuals involved with the particular issue
• Choose an area that is private to discuss the case
• Check the surroundings to ensure no one will overhear confidential information

Case Scenario

Jennifer, a nurse, and Tom, a physical therapist, are eating lunch together in the cafeteria. They begin discussing a patient for which they are both providing care. The cafeteria is crowded and others overhear them refer to the patient by name.

They are violating HIPAA in this situation….

True or False?

To see the correct answer, click NEXT.

Case Answer

TRUE

NEVER discuss PHI in areas where others may overhear!!

If you need to discuss patient care with a co-worker, speak softly in an area away from the public.

Case and Question

The adult daughter of an elderly patient is in the room when the doctor comes in to review the patient’s test results. The patient introduces his daughter and then asks about the test. The doctor proceeds to explain the results in front of the patient’s daughter.

The doctor violated HIPAA by talking about the test results with the daughter present in the room….

True or False?

To see the correct answer, click NEXT.

Case Answer

FALSE

Because the patient asked about the results with his daughter in the room, the doctor can assume that it is appropriate to discuss the results in front of her.

Case Question

In the Radiology waiting room, an X-Ray Technologist calls the next patient by saying, “Jane Smith, we are ready for you in the sonogram room.”

The X-Ray Tech violated HIPAA by calling out the patient’s name and test to be performed….

True or False?

To see the correct answer, click NEXT.

Case Answer

TRUE

Healthcare employees are allowed to call out patient names in a waiting room. However, no other information should be communicated within the public area.

The X-Ray Tech should not have mentioned the room to which the patient was going. Stating, “Jane Smith, we are ready for you now,” is acceptable.

Non-Retaliation Policy

Every institution is required to have a policy in place to safeguard the rights of a person who, in good faith, reports a privacy violation.

Action should not be taken against anyone:

• Exercising their rights, including filing a complaint
• Filing a complaint with the Department of Health and Human Services (DHHS)
• Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing
• That believes an act or practice is against the law

Remember, anyone reporting a violation must believe there is a problem BUT, they may not use or disclose PHI to address their concern.

Complaints

If you feel there has been a privacy violation, inform your instructor and they will immediately assist you in contacting the Privacy Officer.

You should refer patients who have a privacy concern or complaint to the charge nurse on the unit.

Summary

All health information that specifically identifies an individual (PHI) is considered confidential!

Protecting the privacy of patient information is everyone’s responsibility.

As a Student Nurse, you are an active part of this program. Be sure to access only the information needed to perform your assigned responsibilities.

Be aware! Don’t intentionally or unintentionally disclose PHI ~ Help others do the same.

If you suspect a HIPAA violation, notify your instructor who will immediately assist you in contacting the Privacy Office.

Thank You!

Thanks to….

~ Memorial Medical Center ~

~ OSF St. Joseph Hospital ~

…for assistance with this HIPAA module!

You are now ready to take the Final QUIZ!