SelfDirected HIPAA Training Instructions

1
Self-Directed HIPAA Training Instructions
1. Review the following PowerPoint
presentation 2. Review the FAQs near the end to
know HIPAAs impact on your daily work
practices. 3. Print out and answer the QUIZ (2
pages) at the very end of this presentation 4.
Turn in QUIZ to your Department Head
/Administrative Assistant for compliance
tracking. 5. Print out certificate and maintain
for your own files the approved one (1) Level-1
Risk Mgmt CME hour
2
(No Transcript)
3
Content of Session

• What is HIPAA and why is it important?
• Examples of Breaches
• What rights do patients have under HIPAA?
• Safe Information Practices
• Privacy and Security Compliance
• How do you report a breach?
• Resources

4
What is HIPAA?

• Health Insurance Portability and Accountability
  Act
• Signed into Law August 21, 1996 (Public Law
  104-191)
• Significant impact on health care industry
• Goals To improve the efficiency and the
  
  
  
  
  effectiveness of the health
  care system
• the establishment of standards and requirements
  for the electronic transmission of certain health
  information (eligibility, referrals, and
  claims)and
• create the first national legislation to give
  every patient across the nation protection of
  their health information

5
What Do You Have To Know?

• Stronger Massachusetts privacy laws are followed
  over HIPAA rules in certain situations (like
  those covering Mental Health, HIV, Aids, Alcohol
  and Drug Abuse, Domestic Violence, Sexual
  Assault, Genetic Testing)
• Patients have the right to file a
  complaint if they believe their
  privacy rights have been
  violated

6
What Do You Have To Know?

• What is confidential?
• Protected Health Information or PHI
• any information that identifies who you are
• (as little as name, address and social security
  is PHI)
• past, present or future physical or mental
  health or
  
  
  
  condition
• type of treatment or services provided
• past, present, or future payment for care
  provided
  
  
  
  
• Patients will have the right to file a grievance
  or complaint if they believe their privacy rights
  have been violated

7
Why is HIPAA important to Massachusetts General
Hospital?

• Maintaining patients trust in their caregivers
  is critical to obtaining a complete history,
  medical record, and carrying out an effective
  treatment plan
• It supports our mission
• Its the right thing to do

8
Protecting Patient Privacy

• As healthcare workers we see and
  hear confidential information every
  day on the job.
• We get so accustomed to being around this kind of
  information that its easy to forget how
  important it is to keep it private
• Privacy and confidentiality is a basic right in
  our society.
• Safeguarding that right is your ethical and legal
  obligation

9
Failure to Protect Patient Privacy Can Have Dire
Consequences

• It has been documented that failure to protect
  patient privacy has caused patients to
• Lose Jobs
• Be Victims of False Rumors
• Lose Insurance Coverage
• Become Estranged from Friends and Family
• Lose Custody Battles
• Be harassed by the Media
• Some examples.

10
Examples of Breaches Big Breaches in the news

• An error in a University of Minnesota database
  failed to suppress the names of deceased organ
  donors on computer-generated letters to the 410
  patients who received their kidneys (Report on
  Patient Privacy, 3/02)

11
Examples of Breaches Small seemingly innocent
breaches, or activities that could lead to
breaches

• An employee checking the record of a friend or
  family member, in order to see how they are doing
• Leaving patient identifiable information on
  computer when you bring the next patient into the
  exam room
• Neglecting to confirm accuracy of fax number
  before sending identifiable health information
• Colleague in the hospital and so you access the
  system to get a discharge date to send flowers
• A high profile patient comes in for tests and you
  say to your colleague, guess who I just took care
  of? Joe Celebrity

12
Examples of Breaches Small seemingly innocent
breaches, or activities that could lead to
breaches

• Leaving work at the end of the day and leaving
  patient information out on your desk rather than
  in a folder
• Discussing patient information on your cell phone
  in the Treadwell Library, cafeteria or on the
  shuttle bus.
• Not closing the exam room door or privacy curtain
  when discussing patient information
• Walking up to a computer and using it while
  logged in under a co-workers password or not
  logging off computer when you leave the area

13
Enforcement of HIPAA Office of Civil Rights
PRIVACY
Its the LAW!

• HIPAA calls for severe civil and criminal
  penalties for noncompliance
• fines up to 25K for multiple violations of the
  same standard in a calendar year
• fines up to 250K and/or imprisonment up to 10
  years for deliberate misuses of individually
  identifiable health information
• Healthcare organizations must have sanctions in
  place for their workforce and business associates
  who violate their privacy policies

14
Patient RightsIn regard to their health
information
Receipt of Privacy Notice

• The right to receive a written notice of how
  their health information
  will be used and disclosed--this
  is called the Privacy Notice
• The Privacy notice must
• Contain patients rights and the covered
  entities legal duties
• Be made available to patients in print
• Be displayed at the site of service and posted on
  our web site
• Patients must receive a copy of our Privacy
  Notice concerning the use/disclosure of their PHI
  on the first date of service delivery, or as soon
  as possible after an emergency

15
Patient RightsIn regard to their health
information
Receipt of Privacy Notice

• All new and established patients must receive a
  MGH/Partners Privacy Notice one time only at
  their initial visit following implementation.
• We must ask patients to sign an Acknowledgement
  form of having received the Privacy Notice or
  document reasons why the
  acknowledgement was not signed
• The Acknowledgement form will be sent to Health
  Information Services to be maintained in
  patients medical record and recorded in the
  electronic record

16
Patient RightsIn regard to their health
information

• The right to access their own record, and to
  request that their record be amended if it
  contains incorrect or incomplete information
• The right to request a limitation on information
  used and disclosed
• such as their information blocked from the
  hospital directories and unavailable for people
  who call information to ask for them
• or their religious preference blocked from clergy
• or to request that you limit what information you
  may share with their family or friends

17
Patient RightsIn regard to their health
information

• The right to receive a list of disclosures
• we must track anyone we disclose information to
  without a signed authorization from the patient
• patients have the right to receive a list of
  these disclosures
• The right to sign an authorization
• prior to most non-routine uses or disclosures of
  their health information
• with employers for employment decisions,
• with life, disability, or other insurers,
• for marketing activities. and
• for targeted fundraising activities

18
Speaking of confidentiality agreements...
19
When is an Authorization to Release PHI Required?

• General Rule
• if the use or disclosure is for something other
  than treatment, payment or hospital operations
• Exceptions
• Specific authorization is required for use and
  disclosure of specifically protected or
  privileged information, such as HIV testing,
  Genetic testing, Alcohol and Drug Abuse records
  (Federal Confidentiality Rules 42 CFR Part2)
  Domestic Violence Counseling, Sexual Assault
  Counseling, Psychotherapy Notes
• Disclosures required by law

20
Key Definitions under HIPAA You may use or
disclose PHI if it is for...

• Treatment providing, managing and coordinating
  care consulting with other care providers and
  referring a patient to other providers.
• Payment providers request for reimbursement,
  eligibility and medical necessity determinations,
  claims management and related activities
• Health Care Operations quality assessment and
  improvement, evaluation of providers, training,
  legal services, auditing, compliance, limited
  marketing and fundraising activities and other
  business and administrative operations.

21
Reasons for Releasing Confidential PHI

• Providers are required to report certain
  communicable diseases to state health agencies.
• The Food and Drug Administration (FDA) requires
  that certain information about medical devices
  that break or malfunction be reported.
• To inform appropriate agencies during disaster
  relief.
• To inform family members or other identified
  persons involved in the patient's care, or notify
  them on patient location, condition or death

22
Reasons for Releasing Confidential PHI

• Providers are required to report suspected child
  abuse
• Police have the right to request certain
  information about patients to determine whether
  they are suspects in a criminal
  investigation--MGH Police can verify need
• The courts have the right to order providers to
  release PHI
• Providers must report cases of suspicious deaths
  or certain suspected crime victims, such as
  people with gunshot wounds.

23
Safe Information Practices

• Rule number one
• Any person to whom information is
  communicated must
• Be authorized to receive the information
• Have a legitimate need to know
  
• What can I do to protect need to know?
• Verify peoples identity and employee badge when
  they come to the unit, pull a medical record or
  ask for information
• Remember that access to a system on the
  computer does not imply that it is appropriate
  to search any patient information that may be
  stored within the system at will, simply to
  satisfy curiosity

24
Safe Information Practices

• Confidential subjects are discussed
  only in a private setting (not in
  Treadway library, cafeteria, elevator, locker
  rooms,etc.)
• Cautious use of cellular phones, PDAs, e-mail
  and faxes for confidential information
• Hard copy documents are secured (kept out of
  sight) of unauthorized persons

25
Safe Information Practices

• No dictating in the hallway outside the exam room
• Following MGH policies and procedures for release
  and disclosure of health information
• Write your medical note as if the patient were
  reading it over your shoulder
• Do not discuss care issues such as test results
  with the exam room door open

26
Safe Information Practices

• Computer Security
• Never share passwords
• Click on the yellow lock at the
  bottom right corner of your screen when
  leaving a workstation
• Make sure there is no prior patient information
  left on the computer screen before you place the
  next patient in the exam room

27
Safe Information Practices

• Computer Security
• Personal databases containing patient
  
  
  
  
  information are prohibited unless
• they contain de-identified information
  
  
  
  
  (as per HIPAA definition), or
• you have received an IRB waiver, or
  
  
  
  
  other IRB approval
• Diskettes with patient information are never
  thrown out without being cleaned off

28
Safe Information Practices
Electronic Mail

• E-mail containing patient identifiable
  information should not be transmitted over the
  internet, as security cannot
  be guaranteed, however
• Follow best practice for confidentiality
• Explain this to patients before you agree to
  communicate with them this way
• Do not put patient name or identifier in subject
  heading
• Keep information to a minimum necessary
• Create a second auto-signature in your Outlook
  e-mail with a confidentiality statement

29
Safe Information Practices
Electronic Mail

• E-mails using the intranet between
  all Partners entities is secure
• For example Outlook system we use daily
  for e-mailing colleagues
  at the Brigham or
  Newton Wellesley Hospital is secure
• Patient Gateway is secure
• E-mail guidelines on the MGH web site clinical
  policy http//healthcare.partners.org/mgh/policies
  /default.htm

30
Safe Information PracticesFaxing

• Faxes are the least controllable type of
  communication
• ALWAYS use a cover sheet with a confidentiality
  statement and your location and phone number even
  on internal faxes
• Never leave faxes sitting on fax machines
  unattended
• It is critically important when faxing
  information
• to verify the sender has the correct fax number,
  and
• that the fax machine is in a secure location,
  and/or the receiver is available immediately to
  receive the fax

31
Somewhere outside the Partners Network
32
What can you do? Be on your guard

• Your responsibility for protecting
  patient privacy and confidentiality does not
  end with your work shift
• Dont divulge any patient information when in an
  informal atmosphere or social setting
• If asked about a patient, simply reply Im
  sorry, that information is confidential
• Respect everyone as if they were your family
  member!

33
How to Report a Privacy Concern or Breach

• Contact the Compliance Hotline to report a breach
  anonymously (617) 726-1446
• or
• Health Information Services (617) 726-2465

34
Privacy Complaints/BreachesWhat you should tell
a Patient or Family Member

• A patient or family member can contact the
  Office Manager (in the office practice) or the
  MGH Patient Advocacy Office at (617) 726-3370

35
Privacy Resources To learn more.

• Intranet sites where privacy/HIPAA information is
  available
• HIPAA Central on Partners Web Site (all
  employees) http//phsweb17.mgh.harvard.edu/opbud
  get/hipaa/hipaa.asp
  
• Policies and Procedures/Forms
• FAQs/Training Resources
• MGH Policy Manuals
• Administrative Policy Manual
• Clinical Policy Manual
• Human Resource Manual
• Patient Gateway (patients)
• Policies and Procedures/Forms

36
Privacy Resources To learn more.

• Internet Sites
• Dept. of Health and Human Services
• http//aspe.hhs.gov/admnsimp/Index.htm
• http//www.hhs.gov/ocr/hipaa/whatsnew.html
• Mass Health Data Consortium
• http//mahealthdata.org
• Workgroup for Electronic Data Interchange (WEDI)
• http//www.wedi.org

37
Privacy Resources To learn more.

• MGH Contact Persons
• Deborah Adair, Director of HIS, Privacy Officer
• Maryanne Spicer, MGH Compliance Officer
• Eileen Bryan, HIPAA Manager, Privacy Office
• embryan_at_partners.org
• (617) 726-6360

38
QA Privacy

• What are examples of the minimum necessary rule
  in your daily work do changes in practice need
  to be made?
• Patient Sign in sheets
• Appointment reminder calls

39
Answer -- YES and YES

• Sign in sheets are permitted, although they
  should kept to minimum information, some examples
• First name last initial or last three numbers of
  Medical record number
• Have a blank sheet covering list
• Place stickers over patients already taken care
  of to remove name
• use small single sheets that are then deposited
  in a hanging folder on reception desk
• Calls are permitted as long as patients are
  notified through our MGH Privacy Notice and
  patients agree to give primary phone contact
• Remember minimum necessary information to get the
  job done
• Use professional judgement around
  privileged/protected PHI

40
QA Privacy

• HIPAA allows identifiable health information to
  be shared among Partners-owned (or controlled)
  entities on a need-to-know basis for certain
  purposes (without obtaining a signed
  authorization).
• What are these reasons?
• Example patient is brought by ambulance to the
  Faulkner Hospital. The nurse in the ED calls and
  asks for patients last discharge note.

41
Answer

• Identifiable health information may be shared
• among health care providers for TPO
• Treatment
• Payment
• Healthcare Operations
  (QA/QI, Utilization Review,
  Disease Management, Credentialing, Auditing,
  Accreditation, etc.)
• Since the information was needed by Faulkner
  Hospital for treatment purposes this is allowed
  without written authorization.

42
QA Privacy in Inpatient Floors

• Mary is transported by Medflight to MGH for
  specialized care. She is admitted to White 7 and
  being treated by a specialist. An employee from
  Medflight calls the Nursing station on White 7
  the following day and asks for follow up
  information on Mary.
• Can the nurse give Medflight the information they
  are asking for?

43
Answer -- Absolutely YES!

• This is considered a business associate who
  assists MGH in treatment and hospital operations.
  
• MedFlight needs the follow up information for
  billing purposes and also to meet their own
  requirement to report patient information to DPH.
• Have a procedure in place for verifying identity
  of the caller that is actually a
  Medflight employee

44
QA Privacy in Job Roles

• Olivia is a Nurse in the O.R. She has completed
  her evening shift and is changing in the locker
  room. Another nurse coming on for the day says
  she heard there was a bad accident and that the
  patient was in surgery all night. She asks
  Olivia what the blood alcohol level of the
  patient was.
• How should Olivia respond?
• What are the risks here?

45
Answer

• Olivia should ask herself if this meets the need
  to know criteria, if the nurse coming on was not
  going to be treating this patient then Olivia
  should state that she cant discuss the case
  because of confidentiality.
• Employee should limit amount of PHI discussed in
  open work areas such as the locker room,
  cafeteria or nursing station.

46
Next Steps Recommendations

• Appoint a Compliance Privacy and Security
  Official for your practice/department (Office
  Manager)
• Review current practices for how your department
  uses or discloses protected health information
• Do you get a valid written authorization when
  required
• How do patients amend their records
• Do you follow minimum necessary policy
• What guidelines do you have in place for
  communicating health information over the
  telephone
• How do you send health information (fax, e-mail,
  etc.)

47
Make a list of all Business Associates
If you outsource a certain service,
such as transcription, follow below guidance

• HIPAA Definition a person or organization that
  performs or assists in the performance
  of a function that involves the use or
  disclosure of individually identifiable health
  information
• Review business associate contract for privacy
  and security policies and procedures also what
  sanctions will be taken if these policies are
  breached
• MGH Legal has drafted contract language for new
  and amended business associate contracts-see
  Partners Intranet Web site HIPAA Central to use
  these templates and further guidance
• Materials Management has created a log of all
  hospital business associates and will be
  reviewing and updating these contracts--compare
  your list with Materials Management

48
Next Steps -- Recommendations Review high
risk areas identified in the survey

• location of computer monitors
• move to non public area
• order privacy filter from Staples
• Are charts/patient information in or near public
  areas (door racks, reception desk, fax
  or copy machine, etc)
• Place so patient name is not visible if possible
• do not leave papers unattended and close and lock
  doors as feasible
• photocopying patient health information
• Play it safe and get written authorization from
  patient
• taking health information off-site
• only take information off site if absolutely
  necessary
• maintain the same level of privacy and security
  standards off site -- dont leave out in viewable
  location

49
Additional high risk areas

• discussions regarding patients scheduling
  patient
  procedures/tests near public area
• limit details, keep voices down
• place white noise machines near public waiting
  area
• disposing of health information
• request more blue recycle bins for white paper
  and gray recycle bins for colored paper from
  environmental services
• We shred all paper products put in these recycle
  bins
• Discussing patient information in open areas
• do not discuss in health club, library,
  cafeteria, waiting room, locker room, shuttle
  bus--be aware of your surroundings

50
Massachusetts General Hospital Privacy
and Confidentiality Guiding
Principles
HIPAA

• A practical interpretation of the HIPAA
  regulation
• A commonsense approach to this endeavor
• A positive change that does not impede quality
  patient care and
• Unquestionable concern for safeguarding our
  patients
  protected health information

51
Key Points Keep your actions reasonable

• Most importantly -- do not let HIPAA impede our
  quality care and patients trust -- that is not
  the goal of HIPAA
• We already do a really good job at protecting
  health information -- whats different -- we now
  have a legal obligation
• Patients will be more knowledgeable in regard to
  accessing, copying, amending and tracking
  disclosures of their own health information -- so
  we must be knowledgeable too -- both as
  employees and health consumers ourselves

52
Key Points Keep your actions reasonable

• All health information is protected whether it is
  spoken, written in a record or written and stored
  electronically
• View every decision about use and disclosure of
  health information through the lens of
• Treatment
• Payment
• Hospital Operations and
• the Minimum Necessary information to get the job
  done
• If it meets this criteria HIPAA does not require
  a change in our everyday work practices

53
Take pride and ownership in the fact that

Massachusetts General Hospital is concerned
about privacy and recognizes its importance in
providingquality healthcare. Above all honor
our patients trust Thank you !

• Eileen Bryan
• MGH HIPAA Privacy Manager
• Health Information Services

54
HIPAA QUIZ
1. HIPAAs privacy rule protects a patients
fundamental right to privacy and
confidentiality of a) Patient information in
electronic form b) Patient information in paper
form c) Patient information communicated
orally d) all of the above 2. Now that there is
a federal law protecting patient privacy, all
individual health information shares the same
level of protection, including psychotherapy
notes, HIV test results, genetic testing, sexual
assault, domestic violence,etc.) a) True b)
False
55
HIPAA QUIZ
3. Patients have the right to amend inaccurate
or incomplete information contained in their
individual health record a) True b) False 4.
Health information is considered confidential if
it identifies the patient and relates to a) A
persons past, present, or future physical or
mental health condition b) A persons
present health condition only c) A persons past
and present condition only
56
(No Transcript)