Self-Directed HIPAA Training Instructions - PowerPoint PPT Presentation

About This Presentation

SelfDirected HIPAA Training Instructions


Slides: 57
Provided by: IS174


Transcript and Presenter's Notes

Title: Self-Directed HIPAA Training Instructions

Self-Directed HIPAA Training Instructions
1. Review the following PowerPoint presentation.
2. Review the FAQs near the end to know HIPAA's
   impact on your daily work practices.
3. Print out and answer the QUIZ (2 pages) at the
   very end of this presentation.
4. Turn in the QUIZ to your Department Head /
   Administrative Assistant for compliance
   tracking.
5. Print out the certificate and maintain it for
   your own files: the approved one (1) Level-1
   Risk Mgmt CME hour.
Content of Session
  • What is HIPAA and why is it important?
  • Examples of Breaches
  • What rights do patients have under HIPAA?
  • Safe Information Practices
  • Privacy and Security Compliance
  • How do you report a breach?
  • Resources

What is HIPAA?
  • Health Insurance Portability and Accountability
    Act
  • Signed into law August 21, 1996 (Public Law
  • Significant impact on the health care industry
  • Goals:
  • To improve the efficiency and the
    effectiveness of the health care system
  • The establishment of standards and requirements
    for the electronic transmission of certain health
    information (eligibility, referrals, and
  • Create the first national legislation to give
    every patient across the nation protection of
    their health information

What Do You Have To Know?
  • Stronger Massachusetts privacy laws are followed
    over HIPAA rules in certain situations (like
    those covering mental health, HIV/AIDS, alcohol
    and drug abuse, domestic violence, sexual
    assault, and genetic testing)
  • Patients have the right to file a
    complaint if they believe their
    privacy rights have been violated

What Do You Have To Know?
  • What is confidential?
  • Protected Health Information, or PHI, is
    any information that identifies who you are
    (as little as name, address and Social Security
    number is PHI) and relates to
  • past, present or future physical or mental
    health or condition
  • type of treatment or services provided
  • past, present, or future payment for care
  • Patients have the right to file a grievance
    or complaint if they believe their privacy rights
    have been violated

Why is HIPAA important to Massachusetts General
Hospital?
  • Maintaining patients' trust in their caregivers
    is critical to obtaining a complete history and
    medical record, and to carrying out an effective
    treatment plan
  • It supports our mission
  • It's the right thing to do

Protecting Patient Privacy
  • As healthcare workers we see and
    hear confidential information every
    day on the job.
  • We get so accustomed to being around this kind of
    information that it's easy to forget how
    important it is to keep it private
  • Privacy and confidentiality are a basic right in
    our society.
  • Safeguarding that right is your ethical and legal

Failure to Protect Patient Privacy Can Have Dire
  • It has been documented that failure to protect
    patient privacy has caused patients to:
  • Lose jobs
  • Be victims of false rumors
  • Lose insurance coverage
  • Become estranged from friends and family
  • Lose custody battles
  • Be harassed by the media
  • Some examples:

Examples of Breaches: Big breaches in the news
  • An error in a University of Minnesota database
    failed to suppress the names of deceased organ
    donors on computer-generated letters to the 410
    patients who received their kidneys (Report on
    Patient Privacy, 3/02)

Examples of Breaches: Small, seemingly innocent
breaches, or activities that could lead to
  • An employee checking the record of a friend or
    family member in order to see how they are doing
  • Leaving patient-identifiable information on the
    computer when you bring the next patient into the
    exam room
  • Neglecting to confirm the accuracy of a fax number
    before sending identifiable health information
  • A colleague is in the hospital, so you access the
    system to get a discharge date to send flowers
  • A high-profile patient comes in for tests and you
    say to your colleague, "Guess who I just took care
    of? Joe Celebrity"

Examples of Breaches: Small, seemingly innocent
breaches, or activities that could lead to
  • Leaving work at the end of the day and leaving
    patient information out on your desk rather than
    in a folder
  • Discussing patient information on your cell phone
    in the Treadwell Library, cafeteria or on the
    shuttle bus
  • Not closing the exam room door or privacy curtain
    when discussing patient information
  • Walking up to a computer and using it while it is
    logged in under a co-worker's password, or not
    logging off the computer when you leave the area

Enforcement of HIPAA: Office for Civil Rights
It's the LAW!
  • HIPAA calls for severe civil and criminal
    penalties for noncompliance
  • fines up to $25K for multiple violations of the
    same standard in a calendar year
  • fines up to $250K and/or imprisonment up to 10
    years for deliberate misuse of individually
    identifiable health information
  • Healthcare organizations must have sanctions in
    place for workforce members and business
    associates who violate their privacy policies

Patient Rights: In regard to their health
information
Receipt of Privacy Notice
  • The right to receive a written notice of how
    their health information
    will be used and disclosed -- this
    is called the Privacy Notice
  • The Privacy Notice must:
  • Contain the patient's rights and the covered
    entity's legal duties
  • Be made available to patients in print
  • Be displayed at the site of service and posted on
    our web site
  • Patients must receive a copy of our Privacy
    Notice concerning the use/disclosure of their PHI
    on the first date of service delivery, or as soon
    as possible after an emergency

Patient Rights: In regard to their health
information
Receipt of Privacy Notice
  • All new and established patients must receive a
    MGH/Partners Privacy Notice one time only, at
    their initial visit following implementation.
  • We must ask patients to sign an Acknowledgement
    form of having received the Privacy Notice, or
    document the reasons why the
    acknowledgement was not signed
  • The Acknowledgement form will be sent to Health
    Information Services to be maintained in the
    patient's medical record and recorded in the
    electronic record

Patient Rights: In regard to their health
information
  • The right to access their own record, and to
    request that their record be amended if it
    contains incorrect or incomplete information
  • The right to request a limitation on information
    used and disclosed
  • such as their information blocked from the
    hospital directories and unavailable for people
    who call information to ask for them
  • or their religious preference blocked from clergy
  • or to request that you limit what information you
    may share with their family or friends

Patient Rights: In regard to their health
information
  • The right to receive a list of disclosures
  • we must track anyone we disclose information to
    without a signed authorization from the patient
  • patients have the right to receive a list of
    these disclosures
  • The right to sign an authorization
  • prior to most non-routine uses or disclosures of
    their health information, for example sharing
  • with employers for employment decisions,
  • with life, disability, or other insurers,
  • for marketing activities, and
  • for targeted fundraising activities

Speaking of confidentiality agreements...
When is an Authorization to Release PHI Required?
  • General Rule
  • if the use or disclosure is for something other
    than treatment, payment or hospital operations
  • Exceptions
  • Specific authorization is required for use and
    disclosure of specifically protected or
    privileged information, such as HIV testing,
    genetic testing, alcohol and drug abuse records
    (Federal Confidentiality Rules, 42 CFR Part 2),
    domestic violence counseling, sexual assault
    counseling, and psychotherapy notes
  • Disclosures required by law

Key Definitions under HIPAA: You may use or
disclose PHI if it is for...
  • Treatment: providing, managing and coordinating
    care, consulting with other care providers, and
    referring a patient to other providers.
  • Payment: a provider's request for reimbursement,
    eligibility and medical necessity determinations,
    claims management and related activities.
  • Health Care Operations: quality assessment and
    improvement, evaluation of providers, training,
    legal services, auditing, compliance, limited
    marketing and fundraising activities, and other
    business and administrative operations.

Reasons for Releasing Confidential PHI
  • Providers are required to report certain
    communicable diseases to state health agencies.
  • The Food and Drug Administration (FDA) requires
    that certain information about medical devices
    that break or malfunction be reported.
  • To inform appropriate agencies during a disaster
  • To inform family members or other identified
    persons involved in the patient's care, or notify
    them of the patient's location, condition or death

Reasons for Releasing Confidential PHI
  • Providers are required to report suspected child
  • Police have the right to request certain
    information about patients to determine whether
    they are suspects in a criminal
    investigation--MGH Police can verify need
  • The courts have the right to order providers to
    release PHI
  • Providers must report cases of suspicious deaths
    or certain suspected crime victims, such as
    people with gunshot wounds.

Safe Information Practices
  • Rule number one
  • Any person to whom information is
    communicated must
  • Be authorized to receive the information
  • Have a legitimate need to know
  • What can I do to protect need to know?
  • Verify people's identity and employee badge when
    they come to the unit, pull a medical record or
    ask for information
  • Remember that access to a system on the
    computer does not imply that it is appropriate
    to search any patient information that may be
    stored within the system at will, simply to
    satisfy curiosity

Safe Information Practices
  • Confidential subjects are discussed
    only in a private setting (not in the
    Treadwell Library, cafeteria, elevator, or locker
    room)
  • Cautious use of cellular phones, PDAs, e-mail
    and faxes for confidential information
  • Hard copy documents are secured (kept out of
    sight of unauthorized persons)

Safe Information Practices
  • No dictating in the hallway outside the exam room
  • Following MGH policies and procedures for release
    and disclosure of health information
  • Write your medical note as if the patient were
    reading it over your shoulder
  • Do not discuss care issues such as test results
    with the exam room door open

Safe Information Practices
  • Computer Security
  • Never share passwords
  • Click on the yellow lock at the
    bottom right corner of your screen when
    leaving a workstation
  • Make sure there is no prior patient information
    left on the computer screen before you place the
    next patient in the exam room

Safe Information Practices
  • Computer Security
  • Personal databases containing patient
    information are prohibited unless
  • they contain de-identified information
    (as per the HIPAA definition), or
  • you have received an IRB waiver, or
    other IRB approval
  • Diskettes with patient information are never
    thrown out without being wiped first

Safe Information Practices
Electronic Mail
  • E-mail containing patient-identifiable
    information should not be transmitted over the
    internet, as security cannot
    be guaranteed; however, if it is used:
  • Follow best practice for confidentiality
  • Explain this to patients before you agree to
    communicate with them this way
  • Do not put the patient's name or identifier in
    the subject line
  • Keep information to the minimum necessary
  • Create a second auto-signature in your Outlook
    e-mail with a confidentiality statement

Safe Information Practices
Electronic Mail
  • E-mails sent over the intranet between
    Partners entities are secure
  • For example, the Outlook system we use daily
    for e-mailing colleagues
    at the Brigham or
    Newton Wellesley Hospital is secure
  • Patient Gateway is secure
  • E-mail guidelines are on the MGH web site under
    clinical policy: http//

Safe Information Practices: Faxing
  • Faxes are the least controllable type of
  • ALWAYS use a cover sheet with a confidentiality
    statement and your location and phone number, even
    on internal faxes
  • Never leave faxes sitting on fax machines
  • It is critically important when faxing
  • to verify that you have the correct fax number
    for the recipient,
  • that the receiving fax machine is in a secure
    location, and/or that the receiver is available
    immediately to receive the fax

Somewhere outside the Partners Network
What can you do? Be on your guard
  • Your responsibility for protecting
    patient privacy and confidentiality does not
    end with your work shift
  • Don't divulge any patient information when in an
    informal atmosphere or social setting
  • If asked about a patient, simply reply "I'm
    sorry, that information is confidential"
  • Respect everyone as if they were your family

How to Report a Privacy Concern or Breach
  • Contact the Compliance Hotline to report a breach
    anonymously (617) 726-1446
  • or
  • Health Information Services (617) 726-2465

Privacy Complaints/BreachesWhat you should tell
a Patient or Family Member
  • A patient or family member can contact the
    Office Manager (in the office practice) or the
    MGH Patient Advocacy Office at (617) 726-3370

Privacy Resources To learn more.
  • Intranet sites where privacy/HIPAA information is
  • HIPAA Central on Partners Web Site (all
    employees) http//
  • Policies and Procedures/Forms
  • FAQs/Training Resources
  • MGH Policy Manuals
  • Administrative Policy Manual
  • Clinical Policy Manual
  • Human Resource Manual
  • Patient Gateway (patients)
  • Policies and Procedures/Forms

Privacy Resources To learn more.
  • Internet Sites
  • Dept. of Health and Human Services
  • http//
  • http//
  • Mass Health Data Consortium
  • http//
  • Workgroup for Electronic Data Interchange (WEDI)
  • http//

Privacy Resources To learn more.
  • MGH Contact Persons
  • Deborah Adair, Director of HIS, Privacy Officer
  • Maryanne Spicer, MGH Compliance Officer
  • Eileen Bryan, HIPAA Manager, Privacy Office
  • (617) 726-6360

Q&A: Privacy
  • What are examples of the minimum necessary rule
    in your daily work? Do changes in practice need
    to be made?
  • Patient sign-in sheets
  • Appointment reminder calls
Answer -- YES and YES
  • Sign-in sheets are permitted, although they
    should be kept to minimum information; some examples:
  • First name and last initial, or last three digits
    of the medical record number
  • Have a blank sheet covering the list
  • Place stickers over the names of patients already
    taken care of
  • Use small single sheets that are then deposited
    in a hanging folder on the reception desk
  • Calls are permitted as long as patients are
    notified through our MGH Privacy Notice and
    patients agree to give a primary phone contact
  • Remember: minimum necessary information to get the
    job done
  • Use professional judgement around
    privileged/protected PHI

Q&A: Privacy
  • HIPAA allows identifiable health information to
    be shared among Partners-owned (or controlled)
    entities on a need-to-know basis for certain
    purposes (without obtaining a signed
    authorization)
  • What are these reasons?
  • Example: a patient is brought by ambulance to the
    Faulkner Hospital. The nurse in the ED calls and
    asks for the patient's last discharge note.

  • Identifiable health information may be shared
  • among health care providers for TPO
  • Treatment
  • Payment
  • Healthcare Operations
    (QA/QI, Utilization Review,
    Disease Management, Credentialing, Auditing,
    Accreditation, etc.)
  • Since the information was needed by Faulkner
    Hospital for treatment purposes this is allowed
    without written authorization.

Q&A: Privacy on Inpatient Floors
  • Mary is transported by Medflight to MGH for
    specialized care. She is admitted to White 7 and
    being treated by a specialist. An employee from
    Medflight calls the Nursing station on White 7
    the following day and asks for follow up
    information on Mary.
  • Can the nurse give Medflight the information they
    are asking for?

Answer -- Absolutely YES!
  • This is considered a business associate who
    assists MGH in treatment and hospital operations.
  • MedFlight needs the follow up information for
    billing purposes and also to meet their own
    requirement to report patient information to DPH.
  • Have a procedure in place for verifying the
    identity of the caller, i.e. that the caller is
    actually a Medflight employee

Q&A: Privacy in Job Roles
  • Olivia is a Nurse in the O.R. She has completed
    her evening shift and is changing in the locker
    room. Another nurse coming on for the day says
    she heard there was a bad accident and that the
    patient was in surgery all night. She asks
    Olivia what the blood alcohol level of the
    patient was.
  • How should Olivia respond?
  • What are the risks here?

  • Olivia should ask herself if this meets the need
    to know criteria; if the nurse coming on was not
    going to be treating this patient, then Olivia
    should state that she can't discuss the case
    because of confidentiality.
  • Employees should limit the amount of PHI discussed
    in open work areas such as the locker room,
    cafeteria or nursing station.

Next Steps Recommendations
  • Appoint a Compliance Privacy and Security
    Official for your practice/department (Office
  • Review current practices for how your department
    uses or discloses protected health information
  • Do you get a valid written authorization when
  • How do patients amend their records
  • Do you follow minimum necessary policy
  • What guidelines do you have in place for
    communicating health information over the
  • How do you send health information (fax, e-mail,

Make a list of all Business Associates
If you outsource a certain service,
such as transcription, follow the guidance below
  • HIPAA definition: a person or organization that
    performs or assists in the performance
    of a function that involves the use or
    disclosure of individually identifiable health
    information
  • Review the business associate contract for privacy
    and security policies and procedures, and also what
    sanctions will be taken if these policies are
    violated
  • MGH Legal has drafted contract language for new
    and amended business associate contracts -- see
    the Partners Intranet Web site HIPAA Central to use
    these templates and for further guidance
  • Materials Management has created a log of all
    hospital business associates and will be
    reviewing and updating these contracts -- compare
    your list with Materials Management

Next Steps -- Recommendations: Review high
risk areas identified in the survey
  • location of computer monitors
  • move to a non-public area
  • order a privacy filter from Staples
  • Are charts/patient information in or near public
    areas (door racks, reception desk, fax
    or copy machine, etc.)?
  • Place so the patient name is not visible, if possible
  • do not leave papers unattended, and close and lock
    doors as feasible
  • photocopying patient health information
  • Play it safe and get written authorization from
  • taking health information off-site
  • only take information off site if absolutely
    necessary
  • maintain the same level of privacy and security
    standards off site -- don't leave it out in viewable

Additional high risk areas
  • discussions regarding patient scheduling and
    procedures/tests near a public area
  • limit details, keep voices down
  • place white noise machines near public waiting
    areas
  • disposing of health information
  • request more blue recycle bins for white paper
    and gray recycle bins for colored paper from
    Environmental Services
  • We shred all paper products put in these recycle
    bins
  • Discussing patient information in open areas
  • do not discuss in the health club, library,
    cafeteria, waiting room, locker room, or shuttle
    bus -- be aware of your surroundings

Massachusetts General Hospital Privacy
and Confidentiality Guiding
  • A practical interpretation of the HIPAA
  • A commonsense approach to this endeavor
  • A positive change that does not impede quality
    patient care and
  • Unquestionable concern for safeguarding our
    protected health information

Key Points: Keep your actions reasonable
  • Most importantly -- do not let HIPAA impede our
    quality care and patients' trust -- that is not
    the goal of HIPAA
  • We already do a really good job at protecting
    health information -- what's different is that we
    now have a legal obligation
  • Patients will be more knowledgeable in regard to
    accessing, copying, amending and tracking
    disclosures of their own health information -- so
    we must be knowledgeable too -- both as
    employees and as health consumers ourselves

Key Points: Keep your actions reasonable
  • All health information is protected, whether it is
    spoken, written in a record, or written and stored
    electronically
  • View every decision about use and disclosure of
    health information through the lens of
  • Treatment
  • Payment
  • Hospital Operations, and
  • the Minimum Necessary information to get the job
    done
  • If it meets these criteria, HIPAA does not require
    a change in our everyday work practices

Take pride and ownership in the fact that

Massachusetts General Hospital is concerned
about privacy and recognizes its importance in
providing quality healthcare. Above all, honor
our patients' trust. Thank you!
  • Eileen Bryan
  • MGH HIPAA Privacy Manager
  • Health Information Services

QUIZ
1. HIPAA's privacy rule protects a patient's
   fundamental right to privacy and
   confidentiality of
   a) Patient information in electronic form
   b) Patient information in paper form
   c) Patient information communicated orally
   d) All of the above
2. Now that there is a federal law protecting
   patient privacy, all individual health
   information shares the same level of protection,
   including psychotherapy notes, HIV test results,
   genetic testing, sexual assault, domestic
   violence, etc.
   a) True
   b) False
3. Patients have the right to amend inaccurate
   or incomplete information contained in their
   individual health record
   a) True
   b) False
4. Health information is considered confidential if
   it identifies the patient and relates to
   a) A person's past, present, or future physical or
      mental health condition
   b) A person's present health condition only
   c) A person's past and present condition only