Alliance%20for%20Clinical%20Education%20(ACE)%20HIPPA%20Training%20%20Sept%202012

1
Alliance for Clinical Education (ACE)HIPPA
TrainingSept 2012
2
Objectives

• Describe the HIPPA Privacy rules and regulations
• Identify patients rights and your role in
  protecting them
• Discuss your responsibilities under HIPPA
  related policies and procedures
• Explain the penalties for non-compliance

3
Protecting Patient PrivacyIS EVERYONES
RESPONSIBILITY

4
Your Responsibilities

• Respect the patients right to privacy
• Know the facilitys privacy policies
• Be sensitive

5
Definitions

• HIPPA the Health Insurance Portability and
  Accountability Act of 1996. A federal law that
  specifies the types of measures required to
  protect the security and privacy of personally
  identifiable health information.
• Patient Confidentiality keeping information
  about a patients health care private. The
  information is shared only with those who need to
  know in order to perform their duties on behalf
  of the patient.

6
Definitions continued

• Protected Health Information (PHI) medical
  information that can be traced to, or identified
  with, a particular patient. PHI is information
  created or received by a health care organization
  that relates to the past, present, or future
  health or condition of an individual.
• Transaction the exchange of information between
  two parties to carry out financial or
  administrative activities related to health care.

7
HIPPA

• What is it?
• Patients have the right to have health
  information kept private and secure
• HIPPA is mandatory, there are penalties for
  failure to comply

8
Covered Information

• Confidentiality and Privacy
• All protected, identifiable health information
  (PHI) must be considered and treated as
  confidential and all patients have the right to
  request restrictions on who will see their PHI.
• Security
• Establishes the requirements for ensuring the
  confidentiality, availability and integrity of
  PHI

9
Patients have the Right to

• Expect privacy and freedom from intrusions or
  disturbances regarding his/her personal affairs.
• Expect that all communications and records
  concerning his/her care will be treated as
  confidential. Information will be shared only
  with those who need to know the information to
  perform their duties on behalf of the patient.
• Review the records pertaining to his/her medical
  care.

10
What must be Kept CONFIDENTIAL?
11
Confidential? How do I know?

• Did you learn the information through caring for
  your patient?
• If yes, then consider it confidential

12
Understanding PHI(Protected Health Information)

• Protected Health Information
• Is created by a health care provider
• Is information that there is a reasonable basis
  to believe it could be used to identify the
  patient
• Relates to past, present or future physical or
  mental condition of an individual provision of
  healthcare or for payment of care provided to an
  individual
• Is transmitted or maintained in any form
  (electronic, paper or oral representation)

13
Privacy Protected Elements Health information is
considered individually identifiable if any of
the following are present

• Certificate/license number
• Any vehicle or other device serial number
• Web Universal Resource Locator (URL)
• Internet Protocol (IP) address number
• Finger or voice prints
• Photographic images
• Any other unique identifying number,
  characteristic, code that could be used to
  identify the patient

• Name
• Full address
• Names of relatives
• Name of employers
• Birth date
• Telephone numbers
• Fax numbers
• Electronic e-mail addresses
• Social security number
• Medical record number
• Health plan beneficiary number
• Account number

14
Patients Right to Receive Notice of Privacy
Practices

• Items required to be included in the Notice
• How medical information is used and disclosed by
  an organization
• How to access and obtain a copy of their medical
  records
• A summary of patient rights and facility
  responsibilities under HIPPA
• How to file a complaint and contact information
  for filing a complaint

15
Facilities Notice of Privacy Practices

• The patient has the right to receive a Notice of
  Privacy Practices
• Must provide the notice at the first encounter
  with the patient
• Must attempt to obtain written acknowledgement of
  receipt of the Notice of Privacy Practices

16
Minimum Necessary

• HIPPA Requirement
• Identify members of the work group who need
  access to confidential information
• Identify what information can be accessed
• Limit access

• WHAT GROUP DO YOU BELONG TO?
• Complete Access
• Clinical departments
• Health Information Management
• Students Clinical Instructors limited to
  assigned patients only
• Limited Access
• Admissions/Business Office
• No Access
• Departments or individuals whose job does not
  require any handling of PHI (Food Services,
  Environmental Services/Housekeeping)

17
Discussions of PHI

• Staff will discuss patient information to share
  information and the treatment plan. Every effort
  should be made to protect the privacy of the
  patient by minimizing risk that others can
  overhear the conversation.
• The discussion of PHI should never occur in
  public areas such as the cafeteria or elevators.
• Discussions can occur at the nursing station and
  with a patient in a treatment area.

18
Minimum Necessary

• What can I access as a student or clinical
  instructor?
• Only the information you NEED TO KNOW to care
  for assigned patient(s)
• DO NOT access information when you are not
  assigning or student is not caring for that
  patient any longer or for any patients you not
  assigned to care for

19
Patient Right to Access

• Patients have the right to
• Access or inspect their health record
• Obtain a copy of their health record from the
  healthcare provider
• Reasonable fees may be charged for copying
• Access and copying for as long as the information
  is retained
• Facility must act on request for access no later
  than 10 days after receipt (Colorado Law)
• Students Refer requests for access to the
  facility staff

20
Patients Right to Request Privacy Restrictions

• The patient has the right to request an
  organization restrict the use and disclosure
  (release) of their protected health information
• Can request restriction in use of information for
  treatment, payment or healthcare operation
  purposes (TPO)
• Organization is not required to agree with the
  request for restrictions
• Requests must be made in writing
• No staff level individual should accept any
  requested restrictions
• Students Refer requests for restrictions to the
  facility staff

21
Patients Right to Amend

• Patients have the right to request an amendment
  to their PHI
• Amend is defined as the right to add/revise
  information with which s/he disagrees. The
  original information is not removed from the
  record but the amended/corrected information is
  added to the record.
• Students Refer requests for amendments to the
  facility staff

22
As a Student How do I Handle.

• An individual asking for access to their record?
• Students Refer requests for access to the
  facility staff
• The staff will follow-up per specific facility
  policy

23
Disclosure ??? What is it???

• The release, transfer, access or divulging of PHI
  (protected health information) to an outside
  person or entity
• Students do not participate in this process

24
Disclosure can occur without the patients
consent under the following conditions

• When required by law
• For public health activities to control disease,
  injury or disability
• For disaster relief
• In cases of abuse and neglect
• For coroners, funeral directors and organ
  donation
• For legal proceedings
• For workers compensation
• In cases of communicable diseases

25
Student Responsibilities

• In a patient room or exam room
• Knock before entering room
• Identify yourself as a student
• Close door after entering the room if okay with
  patient
• Ask visitors to leave the room unless patient
  requests otherwise
• Speak softly if roommate present
• In a clinic or office setting
• Sign in sheets should contain minimal amount of
  PHI
• Street address or reason for visit should not be
  on sign in sheets

26
Student Responsibilities cont

• At the Nurses Station
• Do not leave patient information, e.g. flow
  sheets, charts, sticky notes, lab reports or
  x-rays out in the open where others may view.
  When finished working on it, put it back where it
  belongs
• Shred all documents with PHI, do not put in
  garbage, do not take them home
• When at the nurses station, speak softly when
  discussing PHI. It is best to use a private area
  to discuss the patient

27
Student Responsibilities cont

• At the Computer
• Have screen facing away from the public so it is
  not visible to patients, visitor and other
  unauthorized persons
• Always log off when leaving the computer
• Change the password on your computer if required
  by clinical facility
• Do not share your log-in information or password
  with anyone else. You are responsible for what
  is done under your log-in

28
Student Responsibilities cont

• Using E-mail
• Always use protected, encrypted email to
  communicate with your faculty and clinical
  instructors
• Never use PHI in e-mail attachments or in the
  email itself for the following reasons
• E-mail can easily be sent to the wrong person,
  either on purpose or by accident
• E-mail does not ensure privacy of information
  transmitted

29
Student Responsibilities cont

• Do not post PHI or discuss patients you have met
  on web-based chat rooms (My Space, Facebook)
• Do not take photos of patients
• Do not photocopy medical records
• At the Fax
• Students do not use the fax machine during the
  clinical experience

30
Student Responsibilities cont

• Using an Interpreter
• When interpreter services are needed, follow
  clinical agency practice
• In Public
• Never mention a patients PHI in public as people
  are often watching and listening, as you never
  know who knows the patient
• Never carry, review, discuss or disclose a
  patients chart or PHI in a public place

31
Scenarios

• Following are scenarios to help you think through
  privacy related situations in the clinical
  facilities
• After reading each scenario, think how you would
  answer the question before going to the next
  slide
• Scenario answers follow each scenario

32
Scenario 1

• One of your fellow students who had lab work done
  recently, called you from home and asked you to
  look up her lab results on the computer and give
  her the results.
• Do you look up your fellow students lab results?

33
Scenario 1 Answer

• No. Since you are not providing treatment to
  your fellow student, you are not permitted to
  look up her lab results and provide them to her.
  She needs to get this information from her doctor
• This applies to your own records as well

34
Scenario 2

• You see your fellow student reading through a
  patient's medical record. She is not providing
  treatment for this patient.
• What do you do?

35
Scenario 2 Answer

• Tell your clinical instructor. He/she will
  follow-up with the student.
• The clinical instructor then needs to notify the
  facility privacy officer of this action

36
Scenario 3

• Your sisters close friend is having surgery at
  the organization where you are doing a clinical
  rotation. She asks you to find out what you can
  about the friends condition. Should you call
  and ask around to the nurses you know? Should
  you look up the friends medical record?

37
Scenario 3 Answer

• No. Even if you and your sister have the best
  intentions you have no right to look at private
  information about her friends health. Suggest
  to your sister that she call the facility or
  visit the information desk. If the patient has
  agreed to have her information available,
  hospital staff will assist her in obtaining
  information on her friend.
• Do not seek out confidential patient information
  unless you need it to do your job. When you
  happen to hear confidential information, do not
  repeat it to anyone.
• Looking at patient records for any non business
  reason is cause for disciplinary action and can
  have possible legal consequences.

38
Scenario 4

• You are called to work in a patient's room to
  perform a routine job. You knock on the door and
  are invited in. You see that a nurse is in the
  room discussing the patients condition or
  medication.
• What should you do?

39
Scenario 4 Answer

• If you must do the job immediately to properly
  care for the patient, ask whether you can
  interrupt. If the job can wait, explain that you
  are there to perform a routine job and will
  return in 15-20 minutes. This protects the
  patients privacy by allowing him/her to openly
  discuss his/her condition without being overheard
• Some patients may say that it is acceptable for
  you to stay in the room during the conversation.
  But remember that a patient may not feel
  comfortable sharing everything about his/her
  symptoms or medical history while you are in the
  room. They also might not feel comfortable
  asking you to leave. It would be best for you to
  come back later.

40
Scenario 5

• You are working the ER when you see that a
  neighbor has arrived for treatment after a car
  crash. You hear someone saying he will be taken
  to surgery soon. Your neighbors wife works in
  another part of the hospital.
• Should you notify her that her husband is in the
  ER?

41
Scenario 5 Answer

• No. Tell the nursing staff that you know the
  patient and his wife. Tell them that if they
  need to locate her, you can help. When patients
  are in the hospital, they have the right to
  decide who should know that they are there. Your
  neighbor has a right to privacy and may not want
  to notify his family of the accident. If he is
  conscious, the ER staff will allow him to decide
  whom to notify that he is there.
• If he is unconscious, the doctors and nurses will
  use their professional judgment about whether to
  notify his wife. Leave the decision up to the ER
  staff. They will let you know whether they need
  your help to find the patients wife.

42
Scenario 6

• You are in the nurses station where the
  patients medical records are located in the
  chart rack. You spot the name of a close friend.
• Should you stop by her room?

43
Scenario 6 Answer

• No. if you learned of your friends stay only by
  seeing the name on a medical record on the chart
  rack, you should not go to her room.
• You should inform your clinical instructor of
  your relationship with her so that you are not
  assigned to care for her.
• If you find out from the patient or her family
  member that she is a patient there, feel free to
  visit her after your shift.

44
Scenario 7

• You are walking by a trashcan and notice a pile
  of photocopied records has been laid on top of
  the trash.
• How should you handle this?

45
Scenario 7 Answer

• Dont just take the records to a shredder or
  locked disposal
• container yourself. Gather the records and take
  them to
• your Clinical instructor. He or she will report
  it to the
• Manager of the unit who will investigate the
  incident and
• report it to the organizations privacy officer.

46
Scenario 8

• A woman provides the name of a patient and asks
  for information.
• What can you tell her?

47
Scenario 8 Answer

• Refer the woman to the information desk
• Check the facility directory. If the patient is
  listed in thedirectory, you can tell the woman
  the patients location.
• If the patient has requested that his name not be
  included in the directory, you can not give out
  any information about them to anyone or even
  acknowledge that they are here, regardless of the
  persons relationship to the patient.

48
Scenario 9

• At the nurses station, you are approached by
  someone asking to see a patient record.
• What do you do?

49
Scenario 9 Answer

• Refer to agency staff for clarification of
  identification and appropriateness of request.

50
What Happens If.

• A privacy policy is violated?
• Patients have the right to file a complaint and
• Civil and criminal penalties could occur

51
Patients Right to File a Complaint

• The patient has the right to file a complaint if
  s/he believes privacy rights have been violated
• Organization must provide contact information
  for filing a complaint

52
Doing Your Part

• Access confidential information ONLY if you need
  it to care for your patient.
• Protect your computer passwords
• Understand the facilitys privacy policies
• Report problems to the facility staff

53
As a Student

• Patient identification
• Cannot use patients initials
• Need to assign a number to the patient for
  identification
• Care plans
• Any notes with PHI gathered must be shredded
  after the assigned shift
• The use of PDAs or pocket PCs to RECORD patient
  information is not allowed

54
Penalties.

• Both criminal and civil penalties for
• Failure to comply with HIPPA requirements
• Knowingly or wrongfully disclosing or receiving
  individually identifiable health information
• Obtaining information under false pretenses
• Obtaining information with intent to
• Sell or transfer it
• Use it for commercial advantage
• Use it for personal gain
• Use it for malicious harm
• Fines as high as 250,000 and prison sentence of
  up to 10 years

55
Family Educational Rights and Privacy Act

• FERPA refers to confidentiality in regards to
  students. Your information is also to be kept
  confidential and accessed only by those who need
  to know.
• FERPA generally prohibits the improper disclosure
  of personally identifiable information derived
  from education records.

56
References

• HIPPA Programs from
• Arapahoe Community College
• Craig Hospital
• Centura
• HCA-HealthONE
• Denver Health
• Presbyterian St. Lukes
• Regis University