HIPAA Privacy Training - PowerPoint PPT Presentation

Slides: 46
Provided by: Diana229


Transcript and Presenter's Notes

HIPAA Privacy Training
  • Health Insurance Portability and Accountability Act
    of 1996
  • Standards for Privacy of Individually
    Identifiable Health Information
  • 45 CFR Parts 160 and 164

The Health Insurance Portability and Accountability
Act (HIPAA) was enacted in 1996 and focused on
improving health insurance accessibility for
persons changing employment or leaving the work
force (portability). HIPAA consists of several
different parts. One part, called the Privacy
Rule, concerns the privacy of health information.
The Privacy Rule includes a requirement that all
members of a health care provider's workforce
(including students) must be trained on the
provider's policies and procedures relating to
privacy. This training program was developed
through a collaborative effort of representatives
of various Hawaii health care providers. The
collaborative facilities developed and adopted a
standard policy with regard to appropriate uses
of health information for educational purposes.
Although the policies of these facilities may be
similar, specific procedures may vary from
facility to facility. Therefore, when you begin
your training at a facility, you should
familiarize yourself with the specific policies
and procedures of that facility.
The Privacy Rule
  • Creates national foundation of privacy
  • Does not preempt more stringent state laws
  • Extends
    • Certain individual rights to privacy
    • Protection of individuals' medical records and
      health information

HIPAA addresses national standards for electronic
data transmission, unique health identifiers,
security standards, and standards for privacy and
confidentiality. Covered Entities were required
to comply with the Privacy Rule by April 14,
2003. The government believes a national
foundation of privacy protections is necessary
because technological advances have resulted in
increasing electronic transmission of health care
data. Standardization of the collection, storage
and transmission of such data has been limited,
while public concern about the privacy and
security of health information has grown. It
is important to note that HIPAA provides a floor
of protection, and does not preempt more
stringent protections provided under state law.
Therefore, a health care provider must be
familiar with both state and federal laws
relating to the use and disclosure of health
Who's affected?
  • Direct impact
    • Health plans
    • Health care clearinghouses
    • Health care providers
      (who transmit health information electronically)
  • Indirect impact
    • Business associates
      (vendors, consultants, contracted providers)

All Covered Entities are required to comply with
HIPAA regulations. Covered Entities include
Health Plans that provide or pay the cost of
medical care, including employer plans and
programs, Health Care Providers (doctors, nurses,
hospitals, etc.) who perform electronic
transactions and Health Care Clearinghouses
(entities that process data from non-standard
format to standard format, or vice
versa). Business Associates of a Covered Entity,
including vendors and consultants, are usually
required to comply with HIPAA regulations by
means of a Business Associate Agreement with the
Covered Entity. A Business Associate may or may
not be a Covered Entity.
What's protected?
  • Protected health information (PHI) refers to
    • Individually identifiable health information
      relating to
      • Person's past, present and future health or
        condition
      • Provision of health services to the person
      • Past, present and future payment of health
        services to the person
  • Information transmitted or maintained in any form
  • Includes data considered individually

Protected Health Information (PHI) means any
individually identifiable health information
about a person. PHI is protected under HIPAA
and, therefore, cannot be disclosed by a Covered
Entity without the agreement or authorization of
that person, or as allowed by law. This
requirement will be described in more detail
later. PHI includes information about the
person's past, present and future health or
condition; provision of health care services to
the person; and past, present and future payment
for health services to the person. Information
transmitted or maintained in any form, whether
verbal, written (paper) or electronic, is protected.
What's individually identifiable?
  • Name
  • Geographic divisions smaller than State (with
  • All dates (except year)
  • Phone and fax numbers
  • E-mail address
  • SSN
  • Medical record
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (including finger, voice
  • Full face photo and other images
  • Any other unique identifier
  • 164.514(b)(2)

The Privacy Rule identifies several data elements
which, when used alone or in combination, may
lead to the identification of a specific person.
These data elements are referred to as
individually identifiable health information,
and are listed on this slide.
Rules for uses / disclosures of PHI
  • Treatment, Payment, Health Care Operations (TPO)
  • Opportunity to Object
  • Agreement or Authorization not required
  • Authorization
  • There are four general rules about the use or
    disclosure of PHI
  • PHI can be disclosed for the purposes of
    Treatment, Payment or Health Care Operations
    (TPO) without the consent, agreement or
    authorization of the patient.
  • The patient has the opportunity to agree or
    object to certain use or disclosure of PHI.
  • In some situations, usually as required under
    existing laws, PHI may be disclosed without the
    patient's authorization or agreement.
  • Finally, in any other circumstance not described
    above, the patient will need to provide written
    authorization for the use or disclosure of
    his/her PHI.

Permitted Uses of PHI
  • Uses/disclosures permitted for
    • Treatment
      • Some facilities may still require patient
        authorization for release of PHI
    • Payment
    • Health care operations
      (quality improvement, staff performance review,
      training in areas of health care, accreditation,
      medical review, audits, business planning and
      development, general administration, etc.)

Use or disclosure of PHI is permitted for a
Covered Entity's Treatment, Payment and Health
Care Operations. A Covered Entity may also
disclose PHI to a health care provider for
treatment purposes. Many facilities now release
PHI for treatment as long as they receive a
request stating that the provider is involved in
the patient's treatment and the PHI is needed for
the patient's treatment. It is important to
recognize, though, that a facility can be more
stringent and may still require written
authorization, consent or other verification to
release PHI for treatment. Covered Entities can
also release PHI to each other for either
Covered Entity's payment purposes and certain
health care operations as long as each Covered
Entity has or had a relationship with the patient
who is the subject of the PHI and the information
released is relevant to that relationship.
Examples are provided on slide 26.
Opportunity to Object
  • Facility directories
  • To clergy
  • To persons involved in individual's care
  • Notification purposes
  • Disaster relief purposes

Under the Privacy Rule, a Covered Entity can use
or disclose PHI for certain purposes as long as
the patient verbally agrees, or the patient has
been given an opportunity to object to the
disclosure and has not objected. These purposes
are listed above. Each facility has established
procedures about how these uses or disclosures
are implemented. See the Matrix for information
about each facility's procedures. Be sure to
review this information before you begin your
training at a facility.
Agreement or Authorization Not Required
  • Required by law
  • Public health activities
  • Victims of abuse/ neglect/domestic violence
  • Health oversight
  • Judicial/administrative proceedings
  • Limited law enforcement purposes
  • Coroners, medical examiners and funeral directors
  • Organ/tissue donations
  • Research purposes
  • Serious threat to self/others
  • Specialized government functions
  • Workers' comp

In certain situations, disclosure is permitted
without an authorization or an opportunity to
object. This slide lists the types of
disclosures that are allowed without the
patient's authorization or agreement. Many of
these disclosures are to government officials
acting in a professional capacity. In general,
students would not make these types of
disclosures. For each of these types of
disclosures, the Covered Entity must follow
certain rules, in terms of how and what PHI is
released. In addition, the Covered Entity must
track and account for these disclosures.
Therefore if you receive an inquiry that relates
to these types of disclosures, you must check
with the patient's attending physician, the
facility's nursing staff or the facility's
Privacy Officer before you release any
  • For all other uses and disclosures of PHI

A valid authorization from the patient is
required for any other disclosure of PHI. For
example, if a patient applies for life insurance,
before the facility can disclose PHI to the life
insurance company, the patient must provide a
signed authorization form to the facility.
Notice of Privacy Practices
  • Describes to patients how their protected health
    information may be used/disclosed
  • Details patients' legal rights with regard to
    their PHI and how to exercise these rights
  • Details legal obligations of covered entity to
    protect PHI

The Covered Entity must give the patient a Notice of
Privacy Practices, which describes the ways the
Covered Entity could use or disclose PHI. A
health care provider who has a direct treatment
relationship must provide the Notice at the time
of the first service delivery, or in an emergency
situation, as soon as possible. The Covered
Entity must also make a good faith effort to
obtain the patient's written acknowledgement of
receipt of the Notice. If the acknowledgement
was not obtained, the Covered Entity must
document the reason why the acknowledgement was
not obtained.
Individual's Rights
  • To receive Notice of Privacy Practices
  • To inspect and/or obtain copy of PHI
  • To request to amend PHI
  • To request limits on certain uses/disclosures of
  • To receive accounting of disclosures
  • To receive confidential communications
  • To file a complaint

HIPAA gives the patient rights to privacy and
accessibility with regard to his/her PHI. These
rights are listed on this slide. Each facility
has procedures about how the patient may exercise
these rights. Refer any patient with questions
about his/her rights under the Privacy Rule to
the facility's Privacy Officer.
Other Requirements
  • De-identification of PHI
  • Minimum necessary
  • Workforce Training
  • Verification Process
  • Business Associate Contracts

The Privacy Rule includes several other
  • De-identification is the process of stripping PHI
    of all individually identifiable elements (see
    slide 5).
  • The minimum necessary standard (e.g.
    need-to-know) will be covered later.
  • The Covered Entity must train all members of its
    workforce on its policies and procedures related
    to privacy. Students are considered part of the
    facility's workforce, which is why you are
    completing this training.
  • Verification process refers to a requirement that
    a Covered Entity must verify the identity and
    authority of a person who is requesting to have
    access to PHI.
  • Finally, a Covered Entity must enter into a
    Business Associate Contract with a person or
    entity who provides certain types of services for
    the Covered Entity and who accesses PHI in the
    course of providing those services.

Other Restrictions
  • Marketing
  • Fundraising
  • Specially Protected Health Information
  • Additional protections under Hawaii State law
    relating to release of HIV, mental health and
    substance abuse treatment records

The Privacy Rule imposes other restrictions on
the use or disclosure of PHI for marketing and
fundraising. Those restrictions will not be
discussed here. If in the future, you are
involved in marketing or fundraising, you will
need to familiarize yourself with applicable
sections of the Privacy Rule. As stated
previously, the federal Privacy Rule does not
preempt more stringent state law. In Hawaii,
certain information, called specially protected
health information, is afforded more stringent
protection. Under Hawaii State law, release of
specially protected health information requires
the patient's consent, including for treatment
and payment purposes.
What's the consequence of non-compliance?
  • Penalties
    • Civil: $100 per violation, up to $25,000 per year
    • Criminal: up to $250,000 and/or 10 years in prison

There are penalties for violating or failing to
comply with the Privacy Rule. A Covered Entity
may be subject to civil and criminal sanctions
that include monetary fines and imprisonment.
  • Facilities required to sanction members of
    workforce (includes students) who violate
    policies and procedures relating to privacy and
    security of health information.
  • Student sanctions may include suspension or
    termination of access privileges to PHI and/or
    participation in educational programs at facility.

A Covered Entity is required to have a process
for sanctioning workforce members who violate
privacy policies and procedures. Student
sanctions may be levied by the facility and/or
the educational program with which you
What you need to know to operate in different
  • Facility Directory
  • Family Involvement
  • Minimum Necessary
  • Appropriate Educational Access/Use
  • Requesting/Disclosing PHI for treatment
  • Request/Disclosures to Govt. agencies
  • Patient Requested Restrictions on use/disclosure

As stated previously, privacy training includes
training about the facility's policies and
procedures. Each facility may implement its
procedures differently. See the Matrix for
information about each facility's procedures. Be
sure to review this information before you begin
your training at a facility.
What is a Facility Directory?
  • The information a hospital releases to the media
    or the public when they call to ask about a
  • This information is limited to
    • Location
    • Condition
  • May only release info in the directory to people
    who ask for patient BY NAME

Facility directory requirements apply to hospital
inpatients. The hospital maintains a list of
inpatients. If a caller or visitor asks for a
patient BY NAME, the hospital may
  • Acknowledge the patient's presence
  • Provide the patient's room number and
  • Provide a one word description of the patient's
This is the maximum amount of information that
may be disclosed for facility directory purposes.
Facility directory requirements apply to
inquiries by members of the media, as well as
other callers or visitors.

Facility Directory
  • Patient may ask hospital to NOT release
    information to media or others who call
  • Each hospital will have process to identify these
    NO INFORMATION patients
  • YOU must be aware of each hospital's codes and
    process to identify these patients
  • DO NOT release information in violation of the
    patient's information status

The patient has the right to object to
disclosures for facility directory purposes. In
other words, a patient may tell the hospital to
disclose no information about him/her to callers
or visitors. The hospital must honor the
patient's request for privacy. As a member of
the hospital's workforce, you must not disclose
information about a patient with No Information
status to callers or visitors. Each hospital
has established procedures for honoring patients'
requests. See Matrix for details.
Facility Directory
  • Anyone asking for patient will be told, "We have
    no information regarding the individual."
  • If patient has requested No Information status,
    the hospital will not
    • Acknowledge the patient's presence
    • Disclose the patient's room number
    • Describe the patient's condition
    • Accept flowers, gifts or mail for the patient.
  • This restriction applies to family members,
    friends, or anyone else who may call or visit
    the hospital. They will be told, "We have no
    information about a person by that name."

What should I do?
  • Scenario 1
  • Q: I am approached in the hallway by someone who
    asks me if I know what room a patient is in. I
    saw the patient's name on the unit I just left.
    What should I do?
  • A: Refer the person to the nurses' station,
    information desk, or hospital operator. You do
    not know whether the patient has requested a NO
    INFORMATION status or other restrictions.

This scenario may present a cultural change, as
most healthcare providers want to be helpful to
visitors, understanding that family members may
be worried about their loved one. However, we
need to be mindful of the patient's right to
Family Involvement
  • A patient's health information may be disclosed
    to family/others if
    • Patient gives verbal agreement,
    • Patient has opportunity to object and does not,
    • You can infer from circumstances that patient
      does not object
  • Emergency/incompetent patients - Release
    information using professional judgement in best
    interests of patient

Examples of Permitted Disclosures to Family,
Friends or Others
  • Daughter accompanies elderly patient into exam
    room. The patient says, "Can you explain it to
    my daughter?" You may provide instructions to
    the daughter.
  • Wife goes to pharmacy and asks to pick up the
    prescription that Dr. Young called in for her
    husband. You may give the medications to the
  • Patient tells you that neighbor has been helping
    him with home exercise program. You may speak
    with the neighbor about the patient's exercises.
  • You knock on the door and enter patient's room.
    There are several visitors in the room. You
    don't know who the visitors are. You say to the
    patient, "I'd like to talk with you about
    discharge planning. Can we talk now? Perhaps
    your visitors would like to have lunch? Or
    should I come back a little later?"
  • Exception: In an emergency, when the patient is
    unable to express his/her wishes, use your
    professional judgment. Ask yourself, Would it be
    in the patient's best interest if I disclosed the

Family Involvement
  • Information released must be directly relevant to
    that person's involvement in the patient's care
    or payment for that care
  • A patient has the right to request that you not
    release information to family/others.
  • If a patient asks that you not talk with
    family/others, please refer patient to nursing

A Permitted Disclosure: Friend picks up patient
after procedure. Patient will stay with friend
for a few days. Friend asks, "What do I need to
do?" You may explain to friend, "Here are her
prescriptions. Be sure to keep the site dry.
Sponge bath only. Call the doctor if the site
gets red. No housework or lifting more than ten
pounds."

Not a Permitted Disclosure: You may not describe
the patient's previous episodes of care to
friend: the Emergency Room visit when she was a
possible DUI, results of the biopsy she had two
years ago, etc.

Responding to Patient's Request: It's important
that you inform staff of patient's request to
limit involvement of family, friends or others.
Staff will know how to document and follow up on
the request. Each facility has established
procedures for responding to such a request. See
Matrix for
What should I do?
  • Scenario 2
  • Q: The spouse of a patient I am seeing approaches
    me in the hallway and begins asking me questions
    about the patient. During my assessment visit,
    the patient indicated that she did not want
    information shared with her spouse.
    What should I do?
  • A: Patients have a right to not involve family
    members and others in their care. You should not
    share any information with the spouse per the
    patient's request and you should alert the
    nursing staff about the patient's request.

The patient explicitly stated that she did not
want her health information to be shared with her
husband. As difficult as it may seem, you must
honor her request. It is also important for you
to promptly notify staff about the patient's
request. They will know how to document and
respond to the patient's request. Once a facility
has agreed to a patient's restriction request,
everyone, including students, must abide by it.
Minimum Necessary
  • Need-to-Know Rule
  • Access is a privilege. Individuals with access
    privileges have an obligation to limit access and
    use to the minimum necessary to perform their
    duties and responsibilities.

A key element of the Privacy Rule is the minimum
necessary standard. This is the need-to-know
rule. You are only permitted to access and use
the minimum necessary amount of PHI for your
specific duty, responsibility or purpose. In
terms of educational uses of PHI, you must limit
your access and use to the minimum amount of
information required for your specific
educational activity. Example: You would like
to review records of ER patients admitted for
near drowning for a presentation or paper.
First, you must obtain the required approvals and
determine the types of information or data that
you will need to collect. Then, you must limit
your access to only the episodes of care that
relate to the study topic and record only the
data elements that are necessary to prepare your
presentation or paper.
Request/Disclose PHI for Treatment Purposes
  • May request/disclose PHI for treatment where
    • Request is from a provider to whom you referred
      the patient for treatment or provider involvement
      in patient's treatment is documented in medical
      record, or
    • Patient has signed an authorization or release
      for the disclosure to the provider, or
    • Provider has requested, in writing, the PHI for
      treatment purposes

As a student, you may be asked to release PHI to
another health care provider who is involved in
the patient's care. Under HIPAA, a health care
provider may release PHI to another provider for
treatment purposes without the patient's
authorization; however, this disclosure is
subject to verification of the identity and
authority of the requestor. At most facilities
(see Matrix), you may disclose PHI to another
health care provider for treatment purposes if
  • The provider referred the patient to you
  • You referred the patient to the provider
  • The medical record contains documentation of the
    provider's treatment relationship with the
  • The provider requests the information for
    treatment purposes and the request is made in
  • The patient has signed an authorization or other
    form for the disclosure of the PHI to that

Request/Disclosure of PHI to/from government
  • Refer to Nursing Staff/Attending
    Physician/Privacy Officer
  • Only minimum necessary may be released
  • Must do an accounting for the disclosure

Hospitals are required to disclose PHI to
government agencies for many reasons. Examples
include reports of child abuse or neglect,
infectious disease reporting, reports of
unattended deaths to the Medical Examiner, etc.
Most students will not be involved in reporting
PHI to government officials. However, you may
encounter a situation in which reporting is
mandatory, or a government official, such as a
police officer, asks you for information. Please
consult with the facility's nursing staff, your
supervisor or the facility's Privacy Officer
before making such a report or releasing
information to any person who is not a health
care provider. Such disclosures must follow
the minimum necessary rule. Additionally, the
facility must track or account for such
disclosures. Therefore, it is important that you
know and follow the appropriate procedures before
you release any information to a government
Patient Requested Restrictions on Use/Disclosure
of PHI
  • Facility may have agreed to patient requested
    restrictions on use/disclosures of PHI for
    treatment, payment or health care operations
  • YOU must be aware of each facility's practice in
    this regard and where such restrictions would be

Under HIPAA, a patient has the right to request
restrictions on the facility's use or disclosure
of PHI for treatment, payment or health care
operations. The facility is not required to
agree to the patient's request. For example, a
patient may not want students to be involved in
his/her care or to access his/her health
information. The facility will determine whether
or not it will honor the patient's request.
Review the Matrix to familiarize yourself with
each facility's procedures with regard to such
requests. Be aware that when a facility has
agreed to a patient's restriction request, as a
student, you are obligated to honor the request.

Use of PHI for educational purposes
  • Allowed without patient consent or authorization
  • Parameters of use/disclosure of PHI for
    educational purposes
    • Appropriate access
    • Minimum necessary for the purpose
    • Protect/safeguard PHI
    • Appropriate disposal upon completion

Use or disclosure of PHI for educational purposes
is considered one of the facility's health care
operations. Therefore, PHI can be used by and
disclosed to health care students without the
patient's consent, agreement or authorization.
However, HIPAA does place certain limitations on
the use of PHI for educational purposes.
  • The facility must establish appropriate controls
    on the student's access to PHI
  • PHI disclosed should be limited to the minimum
    necessary for the particular educational use or
  • The student who accesses PHI is responsible for
    protecting and safeguarding that information and
    for properly disposing of any notes or class
    documents that contain PHI upon completion of the
    use or purpose.
  • The student must be aware of and honor any
    agreed-upon restriction.

Facially de-identified information
  • Policy permits use of PHI that is facially
    de-identified for educational purposes.
  • Remove same identifiers as in de-identified
    information, except may leave in
    • Patient medical record number
    • Dates of Service
    • Zip codes
  • This information is still identifiable under
    HIPAA and remains under federal privacy

The collaborative facilities permit a student to
use PHI that has been facially de-identified
for his/her educational purposes. The only
difference between de-identified information and
facially de-identified information is that
facially de-identified information can include
the patient's medical record number, dates of
service and zip code. All other individual
identifiers (see slide 5) must be removed from
the information. Under HIPAA, facially
de-identified information is still considered
PHI. You must protect facially de-identified
information in compliance with the Privacy Rule.

Facially de-identified means removing
  • Name
  • Address
  • Phone and fax numbers
  • E-mail address
  • SSN
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Web URLs
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • IP address numbers
  • Biometric identifiers (including finger, voice
  • Full face photo and other images
  • Any other unique identifier

This slide lists the identifiers which must be
removed from the PHI in order for the information
to be considered facially de-identified.
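The two levels of identifier removal the slides describe (de-identified versus facially de-identified), plus the minimum-necessary projection from the near-drowning example, as an added Python example that is not part of the original training deck. The record field names and every sample value are constructed assumptions for this example.

```python
"""Added example, not from the original deck: strip a constructed patient
record to the two levels the slides define, and flag that facially
de-identified data is still PHI."""

from copy import deepcopy

# Identifier elements from the "What's individually identifiable?" slide,
# as record keys assumed for this example.
IDENTIFIER_FIELDS = frozenset({
    "name", "address", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
    "other_unique_id",
})

# "All dates (except year)": date elements are identifiers; only the year may stay.
DATE_FIELDS = frozenset({"birth_date", "dates_of_service"})

# Facially de-identified information may keep these three ("except may leave in").
FACIAL_RETAINED = frozenset({"mrn", "dates_of_service", "zip"})

# Anything in this set still present means the record is not even facially de-identified.
MUST_REMOVE = (IDENTIFIER_FIELDS | DATE_FIELDS) - FACIAL_RETAINED


def _strip(record, retained):
    """Drop listed identifiers and reduce non-retained dates (YYYY-MM-DD) to the year."""
    out = {}
    for key, value in record.items():
        if key in retained:
            out[key] = deepcopy(value)
        elif key in IDENTIFIER_FIELDS:
            continue  # removed entirely
        elif key in DATE_FIELDS:
            dates = value if isinstance(value, list) else [value]
            years = sorted({d[:4] for d in dates})
            out[key + "_year"] = years if len(years) > 1 else years[0]
        else:
            out[key] = deepcopy(value)
    return out


def deidentify(record):
    """De-identified: every listed identifier removed, dates reduced to year.
    By the slides' definition the result is no longer PHI (phi=False)."""
    return {"phi": False, **_strip(record, retained=frozenset())}


def facially_deidentify(record):
    """Facially de-identified: same removal, but MRN, dates of service and zip
    may remain. The slides stress this is still PHI, so it stays flagged."""
    return {"phi": True, **_strip(record, retained=FACIAL_RETAINED)}


def remaining_identifiers(record):
    """Identifier keys that must not appear in class work; empty means clean."""
    return sorted(k for k in record if k in MUST_REMOVE)


def minimum_necessary(record, needed_fields):
    """Minimum-necessary rule: keep only the data elements the stated
    educational purpose needs, carrying the PHI flag along."""
    return {"phi": record.get("phi", True),
            **{k: record[k] for k in needed_fields if k in record}}


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Doe",
    "address": "123 Example St",
    "zip": "96813",
    "phone": "808-555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-000123",
    "birth_date": "1950-03-14",
    "dates_of_service": ["2003-04-14", "2003-04-16"],
    "diagnosis": "near drowning",
    "unit": "ER",
}

if __name__ == "__main__":
    print("still in raw record:", remaining_identifiers(SAMPLE))
    print("facially de-identified:", facially_deidentify(SAMPLE))
    print("de-identified:", deidentify(SAMPLE))
    print("minimum necessary for a near-drowning review:",
          minimum_necessary(facially_deidentify(SAMPLE), ["mrn", "diagnosis"]))
```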
Allowable educational access/use
  • Treatment
  • Observation
  • Teaching Rounds
  • Retrospective Record/Data Reviews
  • Research (with IRB approval)
  • Case Presentations
  • Patient Logs

This slide lists the types of educational uses or
activities for which a student may access
PHI. Access to PHI or an attempt to access PHI by
a student for a use or activity other than what
is listed above would be considered a violation
of the facility's policies and could result in
sanctions against the student.
Is this okay?
  • Scenario 3
  • Q: I heard about a very unusual case in the OR.
    As a medical student I am here to learn. I need
    to know more about the details so that I may gain
    a better understanding of the clinical course. I
    plan to review the records before I leave for the
    day. Is this okay?
  • A: No. While it might be argued that educational
    benefit can be gained by reviewing unusual cases,
    such review should be formally approved and
    presented. Individual access to patients'
    records in this type of situation is not
    appropriate. Electronic records and systems are
    monitored for inappropriate access.

In this scenario, access may seem to fit under
one of the allowable educational uses or
activities. What do you think? The bottom
line is that the case may indeed have educational
value to you. But such review must be organized
and approved by the appropriate individuals. Do
not access patient information just because you
personally believe it might be educational. Work
through your instructors and the facility.
Some Do's and Don'ts: Treatment and Observation
  • Can Do
    • Access medical records of the patients you are
      treating/caring for
    • Prepare class work with patient identifiers
      removed
    • Observe patient care with approval from
      department manager/ supervising faculty
  • Cannot Do
    • Obtain medical records of patients you are not
      treating/caring for
    • Use data obtained from your cases with patient
      identifiers such as name, address, birth date
      left in
    • Observe patient care without appropriate approval
      or where the patient objects

Here are some do's and don'ts relating to
appropriate use/access of PHI for treatment and
observation. This is not a complete list but
will provide you with some general guidelines.
Some Do's and Don'ts: Teaching Rounds
  • Can Do
    • Share patient information during teaching rounds
    • Prepare class work using data from your cases
      with patient identifiers removed
  • Cannot Do
    • Discuss patients in public areas with no
      consideration to surroundings
    • Include family members in rounds, unless patient
      has agreed or determination has been made by
      physician that inclusion is in patient's best

Here are some do's and don'ts for participation
in teaching rounds. One important point must be
emphasized. Always use discretion and common
sense when discussing cases in public areas. Do
not verbalize details that would inappropriately
disclose patient information.
Some Do's and Don'ts: Retrospective Reviews
  • Can Do
    • Access medical records with written approval of
      supervising faculty member
    • Prepare class work using collected data with
      patient identifiers removed
    • Use aggregate or de-identified patient information
  • Cannot Do
    • Use information collected for research without
      IRB approval
    • Publish or publicly present findings without IRB
      approval or waiver of authorization
    • Contact the patient or the patient's physician
    • Abstract patient identifiers

Here are some do's and don'ts for retrospective
reviews. If you are thinking of publishing your
findings or making a public presentation, you
must obtain the approval of the facility's
Institutional Review Board (IRB) before accessing
or collecting patient information from medical
records. See the Matrix for information about
each facility's procedures.
Some Dos and DontsResearch
  • Can Do
  • With IRB approval
  • Build a database of patient information
  • Access and use patient identifiable information
    as approved by IRB
  • Do a public presentation or publish findings
    using aggregate or de-identified information
  • Cannot Do
  • Any research without IRB approval or waiver
  • Publish or publicly present findings that
    identify the patient without patient
  • Access and collect patient data in preparation
    for a research project without IRB waiver or
  • There are a number of regulatory requirements for
    research, and the requirements are quite complex.
    As a student, the key points to remember are
  • Under the HIPAA Privacy Rule, the creation of a
    database or repository of patient information may
    be considered research
  • You should contact the facility's Institutional
    Review Board (IRB) if you intend to review and
    collect patient information for research
    purposes. It is prudent to seek guidance from
    the IRB if you consider publication or public
    presentation to be future possibilities.

What should I do?
  • Scenario 4
  • Q: My supervising faculty member has asked me to
    review 100 charts of newborn babies to determine
    whether or not the delivery room temperature has
    an effect on babies. Do I need IRB approval?
  • A: Maybe. If the intent is purely for quality
    improvement without intent to publish findings
    and you will destroy the database upon
    completion, then you do not need an IRB approval
    or waiver. But, if you intend to publicize,
    publish or use the data you collected for any
    other purpose and do not get a patient
    authorization or an IRB approval or waiver, you
    would be violating the patient's rights.

It is sometimes difficult to distinguish between
quality improvement activities and research. If
the patient information you are collecting might
be considered for use in a future research
project, it is best to obtain IRB approval. See
the facility's IRB for information about its
application, review and approval procedures.
Some Dos and Don'ts: Case Presentations/Grand Rounds
  • Can Do
  • Access medical records with written approval of
    supervising faculty member
  • Prepare for presentation using facially
    de-identified, aggregate or de-identified
  • Limit audience to healthcare students/professionals
    if presentation might inadvertently reveal
    patient's identity
  • Cannot Do
  • Leave/show the following in your presentation
  • Patient Name
  • Medical Record Number
  • Openly present a high-profile or unusual case
    where patient's privacy may be compromised
    without patient's written authorization for

Here are some dos and don'ts for case
presentations or grand rounds. Although you
are permitted to retain the patient's medical
record number for certain educational purposes,
this information should not be displayed or
revealed during your presentation. If the case
you plan to present is high-profile or extremely
rare, obtain the patient's authorization before
you use his/her PHI in the presentation or, at
minimum, ensure that the audience is limited to
healthcare students or professionals.
Patient Logs
  • Information collected and submitted on a patient
    log of your educational activities must be
    facially de-identified

Your educational program may require you to keep
a Patient Log, a list of patients to whom you
have been assigned, and to conduct follow-up
reviews. As you keep your Patient Log, please
follow the rules for facially de-identifying
patient information.
Some Dos and Don'ts: Facially De-identifying
Patient Data
  • Can Do
  • Use generic terms to describe a patient
  • 36 year old
  • white male
  • living in Arizona
  • Admitted in October 2002
  • Construction worker
  • Black out/delete/cut out patient identifiers on
    hard copy
  • Cannot Do
  • Leave patient identifiers in information
  • Patient's/Relative's Name
  • Birth dates
  • Address
  • Employer
  • Take copies of dictated reports home with you
    (unless facially de-identified)

Here are some examples of how to facially
de-identify patient information. Remember that
you are only permitted to retain the patient's
medical record number, dates of service, and zip
code for certain educational purposes.
Some Dos and Don'ts: Accessing PHI
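The facial de-identification rules on this slide, applied to a record, as an added example that is not part of the training deck. The record layout, field names, sample values and the `as_of` date are assumptions; the rules (drop name, address, birth date and employer; keep MRN, dates of service and zip code; describe the patient with generic terms such as age, state and admission month) are the ones the slide lists.

```python
from datetime import date

# Direct identifiers the slide says must not be left in class work or patient logs.
DROP_FIELDS = {"name", "relative_name", "address", "birth_date", "employer"}
# Fields the slide says a student may retain for certain educational purposes.
KEEP_FIELDS = {"mrn", "dates_of_service", "zip_code"}


def facially_deidentify(record: dict, as_of: date) -> dict:
    """Copy a record, replacing identifiers with the generic terms the slide uses.

    The result is still PHI under HIPAA (it keeps the MRN), so it must be
    safeguarded and shredded when done, not thrown in the trash.
    """
    out = {}
    if "birth_date" in record:        # birth date -> age in years ("36 year old")
        b = record["birth_date"]
        age = as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))
        out["age"] = f"{age} year old"
    if "state" in record:             # street address -> state only ("living in Arizona")
        out["residence"] = f"living in {record['state']}"
    if "admission_date" in record:    # exact date -> month and year ("admitted in October 2002")
        out["admitted"] = "admitted in " + record["admission_date"].strftime("%B %Y")
    if "occupation" in record:        # occupation is generic; the employer's name is not
        out["occupation"] = record["occupation"]
    for field in ("race", "sex"):     # generic descriptors such as "white male"
        if field in record:
            out[field] = record[field]
    for field in KEEP_FIELDS & set(record):
        out[field] = record[field]
    return out


def leaked_identifiers(record: dict) -> set:
    """Direct identifiers still present; an empty set means facially de-identified."""
    return DROP_FIELDS & set(record)


SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Doe", "address": "123 Main St, Phoenix", "state": "Arizona",
    "birth_date": date(1966, 5, 14), "employer": "Acme Builders (hypothetical)",
    "occupation": "construction worker", "race": "white", "sex": "female",
    "admission_date": date(2002, 10, 3), "mrn": "MRN-000123",
    "dates_of_service": ["2002-10-03", "2002-10-07"], "zip_code": "85001",
}
AS_OF = date(2002, 10, 3)  # assumed reference date for computing age

if __name__ == "__main__":
    clean = facially_deidentify(SAMPLE_RECORD, AS_OF)
    print(clean, "leaked:", leaked_identifiers(clean))
```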
  • Can Do
  • Request access to PHI through appropriate
  • Request access to medical records through Medical
  • Submit completed appropriate data request form
    for data reports
  • Cannot Do
  • Remove medical records from facility
  • Leave patient records/data in break room or other
    areas where they are unattended
  • Out of curiosity, access the records of the
    celebrity who was admitted last week or the
    records of a patient with an unusual medical

Each facility has established procedures for
obtaining access to PHI. See the Matrix for more
information. If you are assigned to a
facility that has implemented an electronic
medical record, you will probably be able to
access information about patients with whom you
do not have a treatment relationship. Keep in
mind that simply because you are able to access
the information does not mean you have permission
to do so. Each facility has implemented audit
trails to monitor users who have accessed a
patient's electronic medical records. If a
facility discovered that you accessed a patient's
record and you had no legitimate reason for doing
so, you could be subject to sanctions.
Is it okay?
  • Scenario 5
  • Q: My friend was admitted yesterday after
    collapsing during a bike ride. I am very
    concerned about her progress and would like to
    visit her but I don't know which room she is in.
    Is it okay if I look up the information in the
    computer system?
  • A: No. Using your access privileges to look up
    any information for any patient when there is no
    need to know based on your responsibilities in
    the hospital is a violation of patient

Unless you are directly involved in providing
health care for your friend, it is not
appropriate for you to access her electronic
medical record. Your friend is entitled to
privacy, as are all patients. As discussed on
the Facility Directory slides, please ask for
your friend by name at the nurses' station or
information desk. As long as your friend has not
requested "No Information" status, staff will be
able to tell you her room number and you will be
able to visit.
Some Dos and Don'ts: Safeguarding Information
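The kind of audit-trail review described above, run over a constructed access log, as an added example that is not the deck's or any facility's own code. The log format, the care-team table and the written-approval table are assumptions; the rule applied is the slide's: access without a treatment relationship (or a documented faculty approval for a retrospective review) is flagged, exactly the Scenario 5 lookup.

```python
import csv
from io import StringIO

# Constructed EHR audit-trail extract; the field names are an assumed export format.
AUDIT_LOG = """timestamp,user,mrn,action
2003-03-10T08:12:04,student_a,MRN-000123,view_chart
2003-03-10T08:40:19,student_a,MRN-000999,view_chart
2003-03-10T09:05:51,student_b,MRN-000123,view_chart
2003-03-10T12:30:00,student_b,MRN-000555,view_demographics
2003-03-10T12:31:10,student_b,MRN-000555,view_room
"""

# Constructed care-team table: patients each student is assigned to treat or observe.
CARE_TEAM = {
    "student_a": {"MRN-000123"},
    "student_b": {"MRN-000123"},
}
# Constructed record of written supervising-faculty approvals for retrospective reviews.
APPROVED_REVIEWS = {("student_a", "MRN-000999")}


def flag_need_to_know_violations(log_text: str, care_team: dict, approvals: set) -> list:
    """Return audit events where the user had neither a treatment relationship
    nor a documented written approval for the patient whose record was opened.

    Being able to open a record is not permission to do so; this is the check a
    facility's audit review would run after the fact, not a preventive control.
    """
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user"], row["mrn"]
        if mrn in care_team.get(user, set()) or (user, mrn) in approvals:
            continue
        flagged.append(row)
    return flagged


def summarize_by_user(flagged: list) -> dict:
    """Count flagged accesses per user so repeated curiosity lookups stand out."""
    counts = {}
    for row in flagged:
        counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_need_to_know_violations(AUDIT_LOG, CARE_TEAM, APPROVED_REVIEWS)
    for row in hits:
        print(row["timestamp"], row["user"], row["mrn"], row["action"])
    print(summarize_by_user(hits))
```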
  • Must Do
  • Password protect laptops/PDAs
  • Shred facially de-identified papers when you are
    done with them
  • Ensure memory/hard drive has been wiped clean
    when selling/disposing of a PC, laptop or PDA
  • Encrypt any PHI sent over Internet
  • Cannot Do
  • Leave information in open or other public areas
  • Discuss patients in elevator, hallways or the
  • Dispose of facially de-identified information in
    your trash can (it is still identifiable under
  • Share your access codes/cards
  • Remember that under HIPAA, facially
    de-identified information is still Protected
    Health Information (PHI). You are responsible
    for keeping the information confidential and
    secure. Here are some examples of safeguards you
    should follow
  • Maintain control over your PDA, class work and
    other documents that contain patient information.
    Know where they are at all times.
  • Do not let a friend borrow or share your access
    codes (log-in) or cards for any reason. You are
    responsible for inappropriate access to data or
    secured areas that occurs under your
  • When you no longer need health information you
    have collected, dispose of it appropriately. Do
    not throw it away in your trash can!
  • Do not send PHI over an open network unless the
    information is encrypted.
  • Always use discretion and common sense. Consider
    how you would want others to protect your
    personal health information.

  • For further information or questions, please
    contact the facility's privacy officer.