Health Insurance Portability and Accountability Act HIPAA

Patient Privacy & Security

Allison Martin & Kimberly SegalBarbara Ann Karmanos Cancer Center June, 2012

HIPAA Module Objectives

After completing this training module, you should be able to:

1. Understand key HIPAA terms.

2. Apply general HIPAA rules that apply to your every day work at Karmanos.

3. Know where to turn for help if you have questions or concerns to report regarding patient privacy.

Karmanos’ Commitment to Protecting our Patient’s Privacy Under HIPAA

• HIPAA stands for the Health Insurance Portability and Accountability Act.• HIPAA is a federal law that sets standards regarding protection of confidential

patient data.• Who is responsible to comply with HIPAA?

– Covered Entities: health care provider, health plan, or a clearing house that submits bills electronically.

– All Covered Entities along with their Business Associates (that use or access patient information on the Covered Entity’s behalf)

• Karmanos is committed to protecting the confidential and private information of our patients.

• Remember that employees, friends and family members who are treated at Karmanos are our patients too! If you have had testing or treatment at Karmanos, you were a patient! These records may only be accessed as a part of your routine job duties.

• Protecting the privacy of our patients is EVERYONE’S job.

Protected Health Information (PHI) Includes the Following Identifiers:

• Name

• Street Address, City, County, Zip Code

• Dates:• Birth• Admission• Discharge • Death

• Numbers:• Social Security• Medical Record • Account (FIN)• Health Plan Beneficiary• License• Vehicle Identification• Telephone or Fax

• E-mail Address

• Biometric Identifiers

• Full Face Photos

• Any Other Unique Identifying Number, Characteristic, or Code

Protected Health Information

• Protected Health Information (PHI) includes information:– On paper– In a computer– Orally communicated– In any other form

• Electronically Protected Health Information (EPHI) includes information:

– On your computer hard drive– On floppy disks, CDs or magnetic tapes– Sent via the Internet:

• By e-mail • Other means

PHI Use Under HIPAA

Treatment, Payment & Operations (TPO):

– Treatment: Various activities related to patient care.

– Payment: Various activities related to paying for or getting paid for health care services.

– Operations: Generally refers to day-to-day activities of a covered entity, such as

planning, management, training, quality-improvement, education.

Note: Research is not considered TPO. Written patient authorization is required to access PHI for research.

Notice of Privacy Practices (NPP)

As a Covered Entity under HIPAA, Karmanos has developed a Notice of

Privacy Practices (NPP) for distribution to our patients.

• The NPP states Karmanos practices for use of personal health information.

• The NPP allows patients to be informed of their privacy rights with respect to their personal health information.

• The NPP provides a detailed description of the uses and disclosures of PHI that are permissible without obtaining a patient’s authorization.

• The NPP is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health care providers.

Business Associate Agreement (BAA)

• Business Associates are usually vendors who perform some function or service for Karmanos that requires them to have access to our patients’ information.

• A Business Associate Agreement (BAA) is a signed agreement promising to keep PHI confidential in accordance with HIPAA.

• Karmanos, a Covered Entity under HIPAA, is required to sign Business Associate Agreements with certain organizations and individuals to whom they share Protected Health Information (PHI).

• If you are working with a vendor and are not sure if you need a BAA, you may contact Materials Management or the Compliance Department at hipaahelp@karmanos.org.

Authorization (Release of Information)

• Authorization to Release Information is signed permission allowing Karmanos to use or disclose a patient’s PHI for reasons generally not related to Treatment, Payment or Healthcare Operations (TPO).

• The Authorization must include: a detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, and the purpose of the disclosure.

• See Policy HIM020, Release of Information• Contact Health Information Management (HIM) to

determine the appropriate authorization form needed for your purpose.

Highly Confidential Information

• Michigan law provides even more protection than HIPAA in some cases. This applies to highly confidential areas which include:– Mental Health and Substance Abuse

– HIV/AIDS Testing or Treatment

– Psychotherapy Notes (which are not part of the medical record)

– If you have questions about handling highly confidential information:

• Ask your supervisor

• Contact Health Information Management (HIM)

• Email the Compliance Department at hipaahelp@karmanos.org

Types of Disclosures

• No Authorization Required: to disclose PHI to the patient, to use or disclose PHI for treatment, payment or healthcare operations (TPO) and certain other disclosures required by law (for example, public health reporting of diseases, abuse/neglect cases, etc)

• No Authorization Required, BUT Must Offer Opportunity to Object: a patient must be offered an opportunity to object BEFORE discussing PHI with a patient’s family or friends.

• Authorization IS Required: for research, and when conducting certain fundraising or marketing activities.

Incidental Disclosures

• HIPAA recognizes that some disclosures are not completely avoidable. These are called “Incidental Disclosures.”

• For example, visitors may overhear a clinical discussion as they are walking down the hallway of an inpatient unit or a visitor may hear a patient’s name called out in a waiting room.

• HIPAA requires that reasonable safeguards be put in place to limit incidental disclosures.– Speak in soft tones when discussing PHI in open areas.

– Do not discuss PHI in public hallways, elevators or other public locations

– Only use the minimum amount of information necessary to carry out the intended purpose

Every Day Practices For Securing PHI

Do:– log-off your computer when you will be away for a period of time. – position monitors out of view of the public eye.

– change your password as defined in policy.

– choose passwords that are not easily guessed.

– use password protected screensavers and keyboard locks.

– place disks or tapes in a secure location.

– immediately report anyone outside of KCC asking for your password.

Every Day Practices For Securing PHI

Do not:– share passwords or login ID.

– write down passwords where others may access them.

– open any unknown attachments, files or unrecognizable e-mails.

– install unapproved software/hardware

– use unapproved email, such as Hotmail, Yahoo, etc.

Every Day Practices For Securing PHI

• Use caution and respect patients’ privacy when discussing protected health information in public.

• Read and understand the policies and procedures relating to HIPAA Privacy & Security.

• When using or disclosing protected health information, limit the PHI to the minimum necessary to accomplish the intended use.

• Workers should only access or use the PHI necessary to conduct their job responsibilities.

• All electronic systems are audited –a log of all accesses is maintained and is designed to protect patient privacy.

• For Fax's:• Double check fax number.• Use cover page which includes your contact information.• If fax is received by the wrong location, have the fax destroyed or returned to you.

Protecting your Computer & PHI

• Report any suspicious activity, such as new software or hardware appearing on your computer to the Help Desk.

• Contact your supervisor or the Help Desk if you believe someone may have logged onto your computer.

• Secure PDA’s and Laptops:– Always use a password protected screen saver.– Back-up data.– Install and use virus protection software.– Lock devices in a secure location when not in use.– If device is stolen, an incident report should be filed.

Email and PHI

• Email to email transmission within the Karmanos Email System (yourid@karmanos.org) is secure

• Email from the Karmanos email system to any other system is NOT considered secure unless encrypted (Note: this includes DMC and WSU email addresses –email sent from Karmanos is not secure unless encrypted)

• Encryption can be forced for email containing PHI from a Karmanos email to a non-Karmanos email address by typing [SECURE] in the subject line

• In all cases, use the minimum necessary PHI

Emergency Downtime

• Karmanos Cancer Center has a contingency plan to address system access during power failures, disasters, weather hazards or other situations limiting access to patient data:

– Know the recovery plan as it relates to your job– Know the related policies– Know how to report emergencies– Know how the emergency may impact patient care

Penalties

• Disciplinary action up to and including termination.

• Exclusion from participation in Medicare and Medicaid programs.

• NOTE: Individuals (This Means You!) can be subject to criminal prosecution, fines and imprisonment.

• HIPAA Specific: – Up to one year / $50,000 for misuse of protected health information.

– Up to five years / $100,000 for misuse of PHI under false pretenses.

– Up to ten years / $250,000 for misuse with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

HIPAA Reporting

• You are required to understand the law, and how it affects your job. Even an “accidental” disclosure could have consequences.

• As a condition of employment, employees agree to read and abide by the policies and procedures covering HIPAA.

• Individuals should immediately report any observed or suspected HIPAA breach to:

– Your supervisor– Compliance Office: 1-877-857-6007– Compliance Hotline (Anonymous Reporting) at: 1-888-478-3555

Not Sure? Report It Anyway.Too Late? Report It Anyway.Already Told Us? Report It Again!

YOU CAN NEVER BE RETALIATED AGAINST FOR REPORTING A CONCERN!

• Safeguarding PHI is everyone’s job.

HIPAA Resources

• http://www.hhs.gov/ocr/privacy/

• http://www.cms.hhs.gov/HIPAAGenInfo/

Summary

We hope this Computer Based Learning course has been both informative and helpful. Feel free to review this course until you are confident about your knowledge of the material presented. Click the Take Test button on the left side when you are ready to complete the requirements for this course. Click on the My Records button to return to your CBL Courses to Complete list. Click the Exit button on the left to close the Student Interface.