HIPAA Privacy Training - PowerPoint PPT Presentation


PPT – HIPAA Privacy Training PowerPoint presentation | free to download - id: 4a609-ZTlkY


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

HIPAA Privacy Training


Certain individual rights to privacy ... As a medical student, I am here to learn. ... Obtain medical records of patients you are not treating/caring for ... – PowerPoint PPT presentation

Number of Views:400
Avg rating:3.0/5.0
Slides: 46
Provided by: thequeensm
Learn more at: http://www.hawaii.edu


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: HIPAA Privacy Training

HIPAA Privacy Training
  • Health Insurance Portability Accountability Act
    of 1996
  • Standards for Privacy of Individually
    Identifiable Health Information
  • 45 CFR Parts 160 and 164

The Privacy Rule
  • Creates national foundation of privacy
  • Does not preempt more stringent state laws
  • Extends
  • Certain individual rights to privacy
  • Protection of individuals medical records and
    health information

Whos affected?
  • Direct impact
  • Health plans
  • Health care clearinghouses
  • Health care providers
  • (who transmit health information electronically)
  • Indirect impact
  • Business associates
  • (vendors, consultants, contractors)

Whats protected?
  • Protected health information (PHI) refers to
  • Individually identifiable health information
    relating to
  • - Persons past, present and future health or
  • - Provision of health services to the person
  • - Past, present and future payment for health
    services to the person
  • Information transmitted or maintained in any form
  • Includes data considered individually

Whats individually identifiable?
  • Name
  • Geographic divisions smaller than State (with
  • All dates (except year)
  • Phone fax number
  • E-mail address
  • SSN
  • Medical record
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (including finger, voice
  • Full face photo and other images
  • Any other unique identifier
  • 164.514(b)(2)

Rules for Use or Disclosure of PHI
  • Treatment, Payment, Health Care Operations (TPO)
  • Opportunity to Object
  • Agreement or Authorization not required
  • Authorization

Permitted Uses of PHI
  • Use or disclosure permitted for
  • Treatment
  • Some facilities may still require patient
    authorization for release of PHI
  • Payment
  • Health care operations
  • (quality improvement, staff performance review,
    training in areas of health care, accreditation,
    medical review, audits, business planning and
    development, general administration, etc.)

Opportunity to Object
  • Facility directories
  • To clergy
  • To persons involved in individuals care
  • Notification purposes
  • Disaster relief purposes

Agreement or Authorization Not Required
  • Required by law
  • Public health activities
  • Victims of abuse/ neglect/domestic violence
  • Health oversight
  • Judicial/administrative proceedings
  • Limited law enforcement purposes
  • Coroners, medical examiners funeral directors
  • Organ/tissue donations
  • Research purposes
  • Serious threat to self/ others
  • Specialized government functions
  • Workers comp

  • For all other uses or disclosures of PHI

Notice of Privacy Practices
  • Describes to patient how his/her protected health
    information may be used or disclosed
  • Details patients legal rights with regard to own
    PHI and how to exercise those rights
  • Details legal obligations of Covered Entity to
    protect PHI

Individuals Rights
  • To receive Notice of Privacy Practices
  • To inspect and/or obtain copy of PHI
  • To request to amend PHI
  • To request limits on certain uses or disclosures
    of PHI
  • To receive accounting of disclosures
  • To receive confidential communications
  • To file a complaint

Other Requirements
  • De-identification of PHI
  • Minimum necessary
  • Workforce training
  • Verification process
  • Business Associate Contract

Other Restrictions
  • Marketing
  • Fundraising
  • Specially Protected Health Information
  • Additional protections under Hawaii State law
    relating to release of HIV, mental health and
    substance abuse treatment records

Consequences of Non-compliance
  • Penalties
  • Civil 100 per violation up to 25,000 per year
  • Criminal Up to 250,000 and/or 10 years in prison

  • A facility is required to sanction members of
    workforce (including students) who violate
    policies and procedures relating to privacy and
    security of health information
  • Student sanctions may include suspension or
    termination of access privileges to PHI and/or
    participation in educational programs at facility

What You Need to Know About Each Facility
  • Facility Directory
  • Family Involvement
  • Minimum Necessary
  • Appropriate Educational Access/Use
  • Requesting/Disclosing PHI for Treatment
  • Request/Disclosures to Govt. Agencies
  • Patients Request to Restrict Use or Disclosure

What is a Facility Directory?
  • The information about a patient that a hospital
    releases to callers, visitors or the media
  • This information is limited to
  • Location
  • Condition
  • May only release directory information to people
    who ask for patient BY NAME

Facility Directory
  • Patient may ask that NO INFORMATION be released
    to callers, visitors or media
  • Each hospital has procedures for patients with NO
    INFORMATION status
  • You must be aware of the hospitals procedures
  • Do NOT release information in violation of
    patients information status

Facility Directory
  • Anyone asking for patient will be told, We have
    no information regarding the individual.

What should I do?
  • Scenario 1
  • Q I am approached in the hallway by someone who
    asks me if I know what room a patient is in. I
    saw the patients name on the unit I just left.
    What should I do?
  • A Refer the person to the nurses station,
    information desk, or hospital operator. You do
    not know whether the patient has requested a NO
    INFORMATION status or other restrictions.

Family Involvement
  • A patients health information may be disclosed
    to family, friends or others if
  • Patient gives verbal agreement,
  • Patient has opportunity to object and does not,
  • You can infer from circumstances that patient
    does not object
  • Emergency/incompetent patient - Release
    information using professional judgement about
    best interests of patient

Family Involvement
  • Information released must be directly relevant to
    that persons involvement in the patients care
    or payment for that care
  • A patient has the right to request that you not
    release information to family or others
  • If a patient asks that you not talk with family
    or others, inform nursing staff of the patients

What should I do?
  • Scenario 2
  • Q The spouse of a patient I am seeing approaches
    me in the hallway and begins asking me questions
    about the patient. During my assessment visit,
    the patient indicated that she did not want
    information shared with her spouse.
  • What should I do?
  • A A patient has a right to not involve family
    members or others in his/her care. You should
    not share any information with the spouse per the
    patients request and you should alert the
    nursing staff about the patients request.

Minimum Necessary
  • Need-to-Know Rule
  • Access to information is a privilege.
    Individuals who are granted access have an
    obligation to limit access and use to the minimum
    necessary to perform their duties and

Request/Disclose PHI for Treatment Purposes
  • May request/disclose PHI for treatment when
  • Request is from a provider to whom you referred
    patient for treatment, or providers involvement
    in patients treatment is documented in medical
    record, or
  • Patient has signed an authorization or release
    for the disclosure to the provider, or
  • Provider has requested, in writing, the PHI for
    treatment purposes

Request/Disclosure of PHI to/from Government
  • Refer to nursing staff, attending physician or
    Privacy Officer
  • Only minimum necessary may be released
  • Must complete an accounting for the disclosure

Patients Request to Restrict Use or Disclosure
of PHI
  • Facility may agree to patients request to
    restrict use or disclosure of PHI for treatment,
    payment or health care operations
  • You must be aware of facilitys procedures and
    where such restrictions would be documented

Use of PHI for Educational Purposes
  • Allowed without patient consent or authorization
  • Parameters of use or disclosure of PHI for
    educational purposes
  • Appropriate access
  • Minimum necessary for the purpose
  • Protect and safeguard PHI
  • Appropriate disposal upon completion

Facially De-identified Information
  • Use of facially de-identified PHI is permitted
    for educational purposes
  • Remove all individual identifiers, except
  • Patients medical record number
  • Dates of service
  • Zip code
  • This information is still considered PHI, and
    remains under federal privacy protections

Facially de-identified means removing
  • Name
  • Address
  • Phone fax number
  • E-mail address
  • SSN
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Web URLs
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • IP address numbers
  • Biometric identifiers (including finger, voice
  • Full face photo and other images
  • Any other unique identifier

Allowable Educational Access/Use
  • Treatment
  • Observation
  • Teaching Rounds
  • Retrospective Record or Data Reviews
  • Research (with IRB approval)
  • Case Presentations
  • Patient Logs

Is this okay?
  • Scenario 3
  • Q I heard about a very unusual case in the OR.
    As a medical student, I am here to learn. I need
    to know more about the details so I can gain a
    better understanding of the clinical course. I
    plan to review the records before I leave for the
    day. Is this okay?
  • A No. While it might be argued that
    educational benefit can be gained by reviewing
    unusual cases, such review should be formally
    approved and presented. Individual access to
    patient records in this type of situation is not
    appropriate. Electronic records and systems are
    monitored for inappropriate access.

Some Dos and DontsTreatment and Observation
  • Cannot Do
  • Obtain medical records of patients you are not
    treating/caring for
  • Use data (obtained from your cases) that include
    patient identifiers such as name, address, birth
  • Observe patient care without appropriate approval
    or when the patient has objected
  • Can Do
  • Access medical records of the patients you are
    treating/caring for
  • Prepare class work with patient identifiers
  • Observe patient care with approval from
    department manager/ supervising faculty

Some Dos and DontsTeaching Rounds
  • Cannot Do
  • Discuss patients in public areas with no
    consideration of surroundings
  • Include family members in rounds unless patient
    has agreed, or physician has determined that
    inclusion is in patients best interest
  • Can Do
  • Share patient information during teaching rounds
  • Prepare class work using data from your cases
    with patient identifiers removed

Some Dos and DontsRetrospective Reviews
  • Can Do
  • Access medical records with written approval of
    supervising faculty member
  • Prepare class work using collected data with
    patient identifiers removed
  • Use aggregate or de-identified patient information
  • Cannot Do
  • Use information collected for research without
    IRB approval
  • Publish or publicly present findings without IRB
    approval or waiver of authorization
  • Contact the patient or the patients physician
  • Abstract patient identifiers

Some Dos and DontsResearch
  • Can Do
  • With IRB approval
  • Build database of patient information
  • Access and use patient identifiable information
    as approved by IRB
  • Make a public presentation or publish findings
    using aggregate or de-identified information
  • Cannot Do
  • Any research without IRB approval or waiver
  • Publish or publicly present findings that
    identify the patient without patient
  • Access and collect patient data in preparation
    for a research project without IRB approval or

What should I do?
  • Scenario 4
  • Q My supervising faculty member has asked me to
    review 100 charts of newborn babies to determine
    whether or not the delivery room temperature has
    an effect on babies. Do I need IRB approval?
  • A Maybe. If the intent is purely for quality
    improvement without intent to publish findings
    and you will destroy the database upon
    completion, then you do not need an IRB approval
    or waiver. But if you intend to publish, present
    or use the data you collected for any other
    purpose and do not have the patients
    authorization or an IRB approval or waiver, you
    would be violating the patients rights.

Some Dos and DontsCase Presentations or Grand
  • Can Do
  • Access medical records with written approval of
    supervising faculty member
  • Prepare for presentation using facially
    de-identified, aggregate or de-identified
  • Limit audience to healthcare students or
    professionals if patients identify might be
    inadvertently revealed
  • Cannot Do
  • Display or reveal patients name or medical
    record number in your presentation
  • Present a high-profile or unusual case that may
    compromise patients privacy without patients
    written authorization for disclosure

Patient Logs
  • You must facially de-identify all information
    collected and submitted on a Patient Log

Some Dos and DontsFacially De-identifying
Patient Data
  • Cannot Do
  • Leave patient identifiers in information
  • Patients or relatives names
  • Birth dates
  • Address
  • Employer
  • Take copies of dictated reports home with you
    (unless reports are facially de-identified)
  • Can Do
  • Use general terms to describe a patient
  • 36 year old
  • White male
  • Living in Arizona
  • Admitted in October 2002
  • Construction worker
  • Black-out, delete or cut-out patient identifiers
    on hard copy

Some Dos and DontsAccessing PHI
  • Cannot Do
  • Remove medical records from facility
  • Leave patient records or data in break room or
    other areas that are not secure
  • Out of curiosity, access the records of a
    celebrity patient or the records of a patient
    with an unusual medical condition
  • Can Do
  • Request access to PHI through appropriate
  • Request access to medical records through Medical
  • Submit completed appropriate data request form
    for data reports

Is it okay?
  • Scenario 5
  • Q My friend was admitted yesterday after she
    collapsed during a bike ride. I am very
    concerned about her progress and would like to
    visit, but I dont know which room she is in. Is
    it okay if I look up the information in the
    computer system?
  • A No. Using your access privileges to look up
    information about a patient when there is no
    need-to-know (based upon your responsibilities in
    the hospital) is a violation of patient

Some Dos and DontsSafeguarding Information
  • Must Do
  • Password-protect laptops or PDAs
  • Shred facially de-identified papers when no
    longer needed
  • Ensure memory/hard drive has been wiped clean
    when selling/disposing of a PC, laptop or PDA
  • Encrypt PHI sent over Internet
  • Cannot Do
  • Leave information unsecured or in public areas
  • Discuss patients in elevator, hallways or
  • Dispose of facially de-identified information
    in trash can (it is still PHI under HIPAA!)
  • Share your access codes or cards

  • For further information or questions, please
    contact the facilitys Privacy Officer
About PowerShow.com