Title: Health Insurance Portability and Accountability Act HIPAA Patient Privacy
1. Health Insurance Portability and Accountability Act (HIPAA): Patient Privacy & Security
Allison Martin, Kimberly Segal
Barbara Ann Karmanos Cancer Center, June 2012

2. HIPAA Module Objectives
- After completing this training module, you should be able to:
  - Understand key HIPAA terms.
  - Apply general HIPAA rules that apply to your everyday work at Karmanos.
  - Know where to turn for help if you have questions or concerns to report regarding patient privacy.

3. Karmanos' Commitment to Protecting our Patients' Privacy Under HIPAA
- HIPAA stands for the Health Insurance Portability and Accountability Act.
- HIPAA is a federal law that sets standards regarding protection of confidential patient data.
- Who is responsible to comply with HIPAA?
  - Covered Entities: a health care provider, health plan, or clearinghouse that submits bills electronically.
  - All Covered Entities along with their Business Associates (that use or access patient information on the Covered Entity's behalf).
- Karmanos is committed to protecting the confidential and private information of our patients.
- Remember that employees, friends and family members who are treated at Karmanos are our patients too! If you have had testing or treatment at Karmanos, you were a patient! These records may only be accessed as a part of your routine job duties.
- Protecting the privacy of our patients is EVERYONE'S job.

4. Protected Health Information (PHI) Includes the Following Identifiers
- Name
- Street Address, City, County, Zip Code
- Dates
  - Birth
  - Admission
  - Discharge
  - Death
- Numbers
  - Social Security
  - Medical Record
  - Account (FIN)
  - Health Plan Beneficiary
  - License
  - Vehicle Identification
  - Telephone or Fax

5. Protected Health Information
- Protected Health Information (PHI) includes information:
  - On paper
  - In a computer
  - Orally communicated
  - In any other form
- Electronic Protected Health Information (EPHI) includes information:
  - On your computer hard drive
  - On floppy disks, CDs or magnetic tapes
  - Sent via the Internet
  - By e-mail
  - Other means

6. PHI Use Under HIPAA
- Treatment, Payment & Operations (TPO)
  - Treatment: various activities related to patient care.
  - Payment: various activities related to paying for or getting paid for health care services.
  - Operations: generally refers to the day-to-day activities of a covered entity, such as planning, management, training, quality improvement, education.
- Note: Research is not considered TPO. Written patient authorization is required to access PHI for research.

7. Notice of Privacy Practices (NPP)
- As a Covered Entity under HIPAA, Karmanos has developed a Notice of Privacy Practices (NPP) for distribution to our patients.
- The NPP states Karmanos' practices for use of personal health information.
- The NPP allows patients to be informed of their privacy rights with respect to their personal health information.
- The NPP provides a detailed description of the uses and disclosures of PHI that are permissible without obtaining a patient's authorization.
- The NPP is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health care providers.

8. Business Associate Agreement (BAA)
- Business Associates are usually vendors who perform some function or service for Karmanos that requires them to have access to our patients' information.
- A Business Associate Agreement (BAA) is a signed agreement promising to keep PHI confidential in accordance with HIPAA.
- Karmanos, a Covered Entity under HIPAA, is required to sign Business Associate Agreements with certain organizations and individuals with whom it shares Protected Health Information (PHI).
- If you are working with a vendor and are not sure if you need a BAA, you may contact Materials Management or the Compliance Department at hipaahelp@karmanos.org.

9. Authorization (Release of Information)
- An Authorization to Release Information is signed permission allowing Karmanos to use or disclose a patient's PHI for reasons generally not related to Treatment, Payment or Healthcare Operations (TPO).
- The Authorization must include a detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, the expiration date, and the purpose of the disclosure.
- See Policy HIM020, Release of Information.
- Contact Health Information Management (HIM) to determine the appropriate authorization form needed for your purpose.

10. Highly Confidential Information
- Michigan law provides even more protection than HIPAA in some cases. This applies to highly confidential areas, which include:
  - Mental Health and Substance Abuse
  - HIV/AIDS Testing or Treatment
  - Psychotherapy Notes (which are not part of the medical record)
- If you have questions about handling highly confidential information:
  - Ask your supervisor
  - Contact Health Information Management (HIM)
  - Email the Compliance Department at hipaahelp@karmanos.org

11. Types of Disclosures
- No Authorization Required: to disclose PHI to the patient, to use or disclose PHI for treatment, payment or healthcare operations (TPO), and for certain other disclosures required by law (for example, public health reporting of diseases, abuse/neglect cases, etc.).
- No Authorization Required, BUT Must Offer Opportunity to Object: a patient must be offered an opportunity to object BEFORE discussing PHI with a patient's family or friends.
- Authorization IS Required: for research, and when conducting certain fundraising or marketing activities.

12. Incidental Disclosures
- HIPAA recognizes that some disclosures are not completely avoidable. These are called Incidental Disclosures.
- For example, visitors may overhear a clinical discussion as they are walking down the hallway of an inpatient unit, or a visitor may hear a patient's name called out in a waiting room.
- HIPAA requires that reasonable safeguards be put in place to limit incidental disclosures:
  - Speak in soft tones when discussing PHI in open areas.
  - Do not discuss PHI in public hallways, elevators or other public locations.
  - Only use the minimum amount of information necessary to carry out the intended purpose.

13. Every Day Practices For Securing PHI
- Do:
  - log off your computer when you will be away for a period of time.
  - position monitors out of view of the public eye.
  - change your password as defined in policy.
  - choose passwords that are not easily guessed.
  - use password-protected screensavers and keyboard locks.
  - place disks or tapes in a secure location.
  - immediately report anyone outside of KCC asking for your password.

14. Every Day Practices For Securing PHI
- Do not:
  - share passwords or login IDs.
  - write down passwords where others may access them.
  - open any unknown attachments, files or unrecognizable e-mails.
  - install unapproved software/hardware.
  - use unapproved email, such as Hotmail, Yahoo, etc.

15. Every Day Practices For Securing PHI
- Use caution and respect patients' privacy when discussing protected health information in public.
- Read and understand the policies and procedures relating to HIPAA Privacy & Security.
- When using or disclosing protected health information, limit the PHI to the minimum necessary to accomplish the intended use.
- Workers should only access or use the PHI necessary to conduct their job responsibilities.
- All electronic systems are audited: a log of all accesses is maintained and is designed to protect patient privacy.
- For faxes:
  - Double-check the fax number.
  - Use a cover page which includes your contact information.
  - If the fax is received by the wrong location, have the fax destroyed or returned to you.

16. Protecting your Computer & PHI
- Report any suspicious activity, such as new software or hardware appearing on your computer, to the Help Desk.
- Contact your supervisor or the Help Desk if you believe someone may have logged onto your computer.
- Secure PDAs and Laptops:
  - Always use a password-protected screen saver.
  - Back up data.
  - Install and use virus protection software.
  - Lock devices in a secure location when not in use.
  - If a device is stolen, an incident report should be filed.

17. Email and PHI
- Email-to-email transmission within the Karmanos email system (yourid@karmanos.org) is secure.
- Email from the Karmanos email system to any other system is NOT considered secure unless encrypted. (Note: this includes DMC and WSU email addresses; email sent from Karmanos is not secure unless encrypted.)
- Encryption can be forced for email containing PHI from a Karmanos email to a non-Karmanos email address by typing SECURE in the subject line.
- In all cases, use the minimum necessary PHI.
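
The following is an added illustrative example, not Karmanos code and not a description of the Karmanos mail gateway: a small pre-send check that combines the identifier list from the PHI slide with the SECURE-subject rule above. It scans a message for a few PHI-like patterns (SSN, phone or fax number, date, medical record number), decides whether the recipient is outside the karmanos.org domain, and reports whether the subject line carries the SECURE keyword. The regular expressions, the case-insensitive keyword match, the "allow / allow_encrypted / block" policy and the sample messages are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# The domain and the keyword come from the slide; everything else is assumed.
INTERNAL_DOMAIN = "karmanos.org"
SECURE_KEYWORD = re.compile(r"\bSECURE\b", re.IGNORECASE)  # assumed case-insensitive

# Assumed, deliberately simple detectors for four identifier classes from the
# PHI list (Social Security, telephone/fax, dates, medical record number).
# A production DLP engine uses validated, context-aware detectors; these
# only show the idea and will produce false positives on real mail.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}


@dataclass
class Finding:
    kind: str   # which PHI_PATTERNS entry matched
    value: str  # the matched text


@dataclass
class Verdict:
    external: bool               # recipient is outside the internal mail system
    phi_findings: list           # list of Finding
    subject_forces_encryption: bool
    action: str                  # "allow", "allow_encrypted" or "block"


def is_external(address: str) -> bool:
    """True when the recipient's domain is not karmanos.org or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN)


def find_phi(text: str) -> list:
    """Return every PHI-like match in the text, tagged with its identifier class."""
    found = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append(Finding(kind, match.group(0)))
    return found


def check_message(recipient: str, subject: str, body: str) -> Verdict:
    """Apply the slide's rule: internal mail is fine; external mail with PHI needs SECURE."""
    external = is_external(recipient)
    findings = find_phi(subject + "\n" + body)
    secure = bool(SECURE_KEYWORD.search(subject))
    if not external:
        action = "allow"            # email-to-email inside the Karmanos system is secure
    elif not findings:
        action = "allow"            # nothing PHI-like detected in subject or body
    elif secure:
        action = "allow_encrypted"  # the gateway will encrypt on the SECURE keyword
    else:
        action = "block"            # PHI would leave unencrypted: stop and ask for SECURE
    return Verdict(external, findings, secure, action)


# Constructed sample message (fictional patient data) for demonstration only.
SAMPLE_BODY = ("Patient Jane Doe, MRN 00123456, DOB 03/14/1960, "
               "SSN 123-45-6789, callback 313-555-0123.")

if __name__ == "__main__":
    cases = [("dr.lee@example-clinic.org", "Lab results"),
             ("dr.lee@example-clinic.org", "SECURE Lab results"),
             ("nurse@karmanos.org", "Lab results")]
    for rcpt, subj in cases:
        v = check_message(rcpt, subj, SAMPLE_BODY)
        print(f"{rcpt:28} {subj:20} -> {v.action} ({len(v.phi_findings)} PHI hits)")
```

The check is a user-side aid, not a substitute for the gateway rule: it cannot see whether the gateway actually encrypted the message, and pattern matching alone will miss names, addresses and free-text diagnoses, which is why the slide's "minimum necessary" rule still applies before anything is typed.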

18. Emergency Downtime
- Karmanos Cancer Center has a contingency plan to address system access during power failures, disasters, weather hazards or other situations limiting access to patient data.
- Know the recovery plan as it relates to your job.
- Know the related policies.
- Know how to report emergencies.
- Know how the emergency may impact patient care.

19. Penalties
- Disciplinary action up to and including termination.
- Exclusion from participation in Medicare and Medicaid programs.
- NOTE: Individuals (This Means You!) can be subject to criminal prosecution, fines and imprisonment.
- HIPAA-specific:
  - Up to one year / $50,000 for misuse of protected health information.
  - Up to five years / $100,000 for misuse of PHI under false pretenses.
  - Up to ten years / $250,000 for misuse with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

20. HIPAA Reporting
- You are required to understand the law and how it affects your job. Even an accidental disclosure could have consequences.
- As a condition of employment, employees agree to read and abide by the policies and procedures covering HIPAA.
- Individuals should immediately report any observed or suspected HIPAA breach to:
  - Your supervisor
  - Compliance Office: 1-877-857-6007
  - Compliance Hotline (Anonymous Reporting): 1-888-478-3555
- Not Sure? Report It Anyway.
- Too Late? Report It Anyway.
- Already Told Us? Report It Again!
- YOU CAN NEVER BE RETALIATED AGAINST FOR REPORTING A CONCERN!
- Safeguarding PHI is everyone's job.

21. HIPAA Resources
- http://www.hhs.gov/ocr/privacy/
- http://www.cms.hhs.gov/HIPAAGenInfo/

22. Summary
We hope this Computer Based Learning course has been both informative and helpful. Feel free to review this course until you are confident about your knowledge of the material presented. Click the Take Test button on the left side when you are ready to complete the requirements for this course. Click on the My Records button to return to your CBL Courses to Complete list. Click the Exit button on the left to close the Student Interface.