HIPAA Training - PowerPoint PPT Presentation

Slides: 45
Provided by: Owne571

Transcript and Presenter's Notes


1
HIPAA Training
  • C6440 Ethics in Counseling

2
Training Goals
  • This training will help you understand what
    you must do to comply with the HIPAA law and
    policies to make sure you are in compliance.

3
Patient Rights
4
Patient Rights
  • Patients have new rights under HIPAA. They are:
  • Notice of Privacy Practices
  • Right to an Accounting of Disclosures
  • Right to Alternative Communications
  • Right to Access/Copy Records
  • Right to Restrict Uses/Disclosures
  • Right to Communicate Privacy Issues
  • Right to Amend Records

5
Notice of Privacy Practices
  • All patients must get a Notice of Privacy
    Practices when they arrive at the time of
    registration. This tells them how you use and
    share their health information and what their
    rights are under HIPAA.
  • Every patient signs your Patient Agreement
    Consent Form which includes a statement that the
    patients have received the Notice of Privacy
    Practices unless they refuse or are unable to,
    which must be documented on the form.

6
Right to an Accounting of Disclosures
  • You must keep track of all releases of a
    patient's information when it does not have to do
    with treatment, payment, or operations (TPO)
    unless you get the patient's written permission.
    For example, when you report suspected abuse or
    neglect, or release information to law
    enforcement.

7
Right to an Accounting of Disclosures
  • These releases are to be entered into the
    patient's record. If you release, you are
    responsible for documenting the release in the
    record.
  • Patients have the right to request a report of
    these releases.
  • All requests for a report are to be sent to you
    and must be in writing.

8
Right to Alternative Communications
  • All patients have the right to request you
    contact them at a different location for safety
    reasons (post office box instead of street
    address).
  • You must agree to all reasonable requests.
  • These requests are noted on a
    Confidential/Alternative Communications Request Form.

9
Right to Access/Copy Records
  • Patients generally have the right to see or get a
    copy of their medical record.
  • Hospitalized patients cannot get a copy until
    after discharge from a hospital, but can ask
    their doctor to review their record with them.
  • Patients must sign an Authorization Form to get a
    copy of their record. These requests must be
    directed to you or Medical Records.

10
Right to Restrict
  • All patients have the right to request a limit
    (restriction) on how you use or share their
    health information.
  • Patients must fill out a Request for Restriction
    Form. The form must be given to you directly.

11
Right to Communicate Privacy Issues
  • Patients have the right to file a complaint if
    they feel their information is not kept private.
  • If you receive a privacy complaint, document it
    on a Patient Complaint Form.

12
Right to Amend Records
  • Patients have the right to request their medical
    record be corrected (amended) if they feel
    their information is wrong or not complete.

13
Special Requirements
14
Facility Directory
  • So that you can tell visitors where patients are
    located in your facility when they ask for
    someone by name, you tell patients you will list
    them in your directory unless they object.
  • If a patient objects, it is documented on the
    Patient Agreement Consent Form. This is the
    same form that patients sign stating they have
    received your Notice of Privacy Practices.

15
Facility Directory
  • If the patient agrees to be listed in the
    directory:
  • The patient's condition and location can be given
    to anyone who asks for the patient by name, even
    via telephone.
  • Clergy can be given directory information and the
    patient's religion.
  • The Information Desks and Switchboard Operators
    have access to patients in the facility directory
    only.

16
Facility Directory
  • If a patient does not agree to be listed in the
    facility directory, the Info Desk and Switchboard
    will not have any information on the patient and
    therefore will say "I have no information on that
    patient."
  • Patients that do not agree to be listed will not
    receive flowers or mail and visitors will be told
    the organization has no information on the
    patient. The patient is a "no info" patient.

17
Sharing Information with Family and Friends
  • You must get the patient's permission prior to
    sharing the patient's detailed health information
    (more than the patient's condition/location) with
    family and friends. You can do this orally.
    There is no need for a patient to sign a form.
  • Before discussing health information with the
    patient in front of family and friends, you must
    first ask the patient for permission. He has the
    right to decide if he wants others to hear.

18
Sharing Information with Family and Friends
  • If it is necessary to notify a family member
    or a friend of a patient's condition, for example
    if a patient is brought to an Emergency Center
    alone and the patient is in critical condition, a
    doctor or nurse can try to contact family members
    or friends to notify them of the patient's
    condition if they feel it is in the patient's
    best interest.

19
Releasing Patient Information
  • Your patients trust that you will keep their
    information private. You may be exposed to
    newsworthy information. Remember:
  • Keep patient information private!
  • Do not share information with the media, other
    staff, friends, or relatives!
  • Never take pictures!

20
Releasing Patient Information
  • Generally, patient information may be released
    for treatment, payment, or operations purposes
    (TPO).
  • Patient information may not be released for
    marketing purposes without the patient's
    permission.
  • Make sure you know your organization's policies
    for releasing patient information.
  • If patients ask you for their own information,
    always verify their identity before you release
    it.

21
Use and Release of Health Information - TPO
  • Health information may be released to other
    treating doctors/providers. The treatment
    relationship must be verified.
  • If a patient is being transferred to another
    facility, sharing information for transfer is
    permitted if the patient has consented to the
    transfer.
  • Health information may be released so that you
    can get paid.
  • Health information may be used for day to day
    operations purposes (evaluations, grievances,
    etc.)

22
Use and Release of Health Information - TPO
  • Example: primary care physician contacts ER to
    obtain information on a patient that was seen in
    ER. You fax information - BAD! (Physician was
    really asking for information on neighbor, not a
    patient of his.)
  • Example: primary care physician contacts ER to
    obtain information on a patient that was seen in
    ER. We verify patient named the physician as his
    primary care physician first and then fax the
    information - GOOD!

23
Use and Release of Health Information - Non-Routine
  • When releasing Protected Health Information
    (PHI) for non-TPO reasons (such as marketing), or
    if a provider is not documented on the patient's
    record, a patient's authorization should be
    obtained (unless required or permitted by law).
    The approved Authorization Form must be used.

24
Safeguards
25
Role-Based Access
  • You are required to obtain and/or access
    information only if it is needed for you to do
    your job. This is called role-based access.

26
Examples of Inappropriate Accesses
  • Accessing celebrity information
  • Accessing friend or relative information
  • Accessing information for other
    companies/providers who want the information for
    marketing purposes
  • Accessing information for personal reasons
  • Accessing co-workers' patient information
  • Accessing your own information

27
Confidentiality
  • These inappropriate accesses are against the
    law (HIPAA, the Federal Privacy Law, and other
    state laws).

28
Computer Screens
  • Whenever you leave a computer that is used for
    accessing confidential information, completely
    log off the application.
  • If possible, computer screens are to be turned so
    that visitors cannot see the information.

29
Sending PHI Externally
  • Never send PHI externally in an e-mail or in an
    attachment to an e-mail unless the information is
    encrypted.

30
Electronic Disposal/Storage
  • Do not throw away any CDs, floppy disks, or
    tapes that have patient information. First make
    sure the information is erased.
  • Store these items in an area that is locked.

31
Faxing
  • You can fax health information.
  • A fax cover sheet with the approved
    confidentiality statement must be used.
  • Your name and telephone number must be on the
    cover sheet.

32
Faxing
  • Be careful that any and all health information
    that is faxed is not faxed to a wrong number
    outside of your facility.
  • Fax machines must be placed in a secure area.
  • Fax numbers that are used a lot should be
    programmed into the fax machine.

33
Faxing
  • Use programmed fax numbers if you can.
  • Fax machines should be checked often so that
    faxes can be given to the right person quickly.
    If the person cannot be found, the information
    should be put in an envelope or folder, or placed
    in an area where others cannot see the
    information.

34
Faxing
  • No sexually transmitted disease, alcohol/drug
    abuse, or mental health information shall be
    faxed unless it is for treatment, payment, or
    required by law.

35
Transporting Patients and/or Patient Information
  • Hide names and other information when delivering
    or transporting.
  • Do not leave documents unattended.
  • When moving offices, make sure information is
    secure.
  • Ask visitors to wait for another elevator or
    transport on designated elevators.

36
Leaving Messages for Patients
  • You CAN leave general messages for patients.
  • No information regarding a patient's condition
    can be left on an answering machine, unless he
    tells you it is OK.

37
Leaving Messages for Patients
  • Example:
  • "This is John Doe from City Hospital calling for
    Jane Smith. Please return my call at 825-1100."
  • or
  • "This is John Doe from City Hospital calling to
    remind Jane Smith about her appointment tomorrow
    at 1000."

38
Sign In Sheets
  • Sign in sheets may be used by your facility or
    department. If they are used, only the patient's
    name can be recorded on them.

39
Document Disposal/Storage
  • All printed confidential information must be
    shredded or burned. Know how to dispose of
    confidential info at your facility.
  • All patient information papers that must be
    stored must be stored in an area that is
    lockable.
  • Don't leave paperwork unlocked, unattended, or
    where other patients and visitors can see it.

40
Markings on Medical Records
  • No information about a patient's diagnosis
    shall be on the outside of a medical record.
  • Always store charts in chart racks with the
    patient's name faced in so that others cannot see
    it.

41
Computer Safeguards
  • NEVER SHARE YOUR COMPUTER USER I.D. OR PASSWORD!
  • ALWAYS LOG OFF BEFORE LEAVING YOUR COMPUTER!
  • YOU ARE RESPONSIBLE FOR ANY ACTIONS FOR WHICH
    YOUR USER I.D. WAS USED!

42
Federal Penalties
  • Non-Intentional Non-Compliance:
  • $100 per violation
  • For example, did not give patient a Notice of
    Privacy Practices
  • Intentional Non-Compliance:
  • Up to 10 years in jail and $250,000 fine
  • For example, selling patient information
  • Stating you are someone that you are not in order
    to obtain a patient's information

43
Report Concerns
  • It is your responsibility to report concerns!
  • To report concerns:
  • Talk with your supervisor
  • Call the Chief Privacy Officer at your
    organization

44
Summary
  • Only access information needed to perform your
    duties.
  • Never share your user I.D. and password.
  • Always log off when leaving your computer.
  • Make sure you know when releasing patient
    information is appropriate.
  • Patient privacy is serious! Report concerns.
  • You are required by HIPAA to audit accesses.