
Page 1: hipaa presentation final

Health Insurance Portability and Accountability Act

Keeper of protected health information

Presenter: Charity Bellmon, BS, CHUC

Page 2: hipaa presentation final

Objectives

The participant should understand:

● The origin of HIPAA and its five titles

● HIPAA’s five basic principles

● The Security Rule and the safeguards for compliance

● The Privacy Rule in relation to proper and improper disclosure of protected health information

● The Health Unit Coordinator’s role in protecting a patient’s privacy

Page 3: hipaa presentation final

Test your knowledge

● When was HIPAA passed?

● Name a patient “right” under HIPAA

● What is protected health information?

● What is an incidental disclosure?

● What does HIPAA stand for?

● Give an example of a covered entity under HIPAA

Page 4: hipaa presentation final

Why was HIPAA enacted?

• To protect employees' health insurance coverage when they changed or lost their jobs

• To protect the privacy and security of patients' health information

• To adopt national standards for electronic health care transactions

• To improve the efficiency and effectiveness of the health care system

Page 5: hipaa presentation final

HIPAA’S ORIGIN

● Enacted August 21, 1996 by Congress

● Five titles to the act

– Title I: health care access, portability and renewability

– Title II: administrative simplification

– Title III: tax related health provisions

– Title IV: application and enforcement of group health plan requirements

– Title V: revenue offsets

Page 6: hipaa presentation final

www.oup.com/us/ppt/pdr/IntroductiontoHIPAA.ppt

Page 7: hipaa presentation final

HIPAA’s Administrative Simplification Standards

● Congress was mandated to enact privacy legislation within 3 years of HIPAA

● Final modification by Health and Human Services August 14, 2002

● Outlines five basic principles for protecting the confidentiality of individually identifiable health information

● Covered entities include health care providers, health plans, and healthcare clearinghouses

Page 8: hipaa presentation final

HIPAA's Five basic principles

I. Consumer Control: patient rights

– Right to access health record

– Right to have health record amended or corrected

– Right to request confidential communications

– Right to request restrictions on access to medical records

– Right to complain of violations

– Right to an accounting of disclosures

Page 9: hipaa presentation final

II. Boundaries

Health information should be used for health purposes only, including treatment and payment

Page 10: hipaa presentation final

III. Accountability

● HIPAA imposes civil and criminal penalties for violation of a person’s privacy rights

● Civil monetary penalties = $100 per failure, with a $25,000 per-year cap for multiple identical violations

● Criminal penalties = $50,000 / 1 yr. in prison, or $100,000 / up to 5 yrs in prison for false pretenses, or up to $250,000 / up to 10 yrs in prison for intent to sell

Page 11: hipaa presentation final

IV. Public Responsibility

● Balancing act between protecting the privacy of patients and protecting the public health

V. Security

Organizational responsibility to protect the privacy of patients

Page 12: hipaa presentation final

Administrative Simplification Title II

• Publicized standards for the electronic exchange and privacy and security of health information

• Pertains to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA

Page 13: hipaa presentation final

Security Rule

● Sets national standards for protecting the confidentiality, integrity, and availability of ePHI

● Only pertains to information transmitted in electronic format

● Excludes voice mail messages, paper-to-paper faxes, copy machines, or records stored in filing cabinets

● Requires a written security plan that includes administrative, physical and technical safeguards

Page 14: hipaa presentation final

Security Rule

● Administrative safeguards

– Security awareness training

– Information access management

– Security officer

● Physical safeguards

– Workstation use and security (screen savers, screen shields, screen positioning, encryption, firewall protection)

– Facility access controls

● Technical safeguards

– Access controls (unique user ID, auto log off, review/modification of user access)
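The technical safeguards on this slide are easier to reason about as running code. The block below is an added example, not material from the presentation or from NAHUC: it models a workstation session store with unique user IDs and an idle-timeout auto log-off, records every record access, and then reviews that log against an assignment list to flag accesses outside a user's expected scope. The user IDs, MRNs, the 10-minute timeout and the assignment list are all constructed for the example.

```python
"""Toy model of HIPAA technical safeguards: unique user IDs, automatic
log-off after an idle period, and a review of who opened which record.
Every identifier and number below is constructed for illustration."""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 600  # assumption: 10-minute inactivity limit


@dataclass
class Session:
    user_id: str        # unique per workforce member, never shared
    last_activity: int  # seconds since epoch, supplied by the caller
    active: bool = True


class WorkstationSessions:
    """Tracks logged-in users and every patient record they open."""

    def __init__(self, timeout=IDLE_TIMEOUT_SECONDS):
        self.timeout = timeout
        self.sessions = {}
        self.access_log = []  # (user_id, patient_id, time) tuples

    def login(self, user_id, now):
        self.sessions[user_id] = Session(user_id, now)

    def _check_idle(self, session, now):
        # Automatic log-off: an idle session is deactivated on next use.
        if session.active and now - session.last_activity > self.timeout:
            session.active = False
        return session.active

    def open_record(self, user_id, patient_id, now):
        """Return True and log the access if the session is still valid."""
        session = self.sessions.get(user_id)
        if session is None or not self._check_idle(session, now):
            return False
        session.last_activity = now
        self.access_log.append((user_id, patient_id, now))
        return True


def review_access(access_log, assignments):
    """Return (user_id, patient_id) pairs where a user opened a record of a
    patient not on their assignment list. The assignment list stands in for
    the scope a unit would define under the minimum necessary standard."""
    flagged = []
    for user_id, patient_id, _ in access_log:
        if patient_id not in assignments.get(user_id, set()):
            flagged.append((user_id, patient_id))
    return flagged


def demo():
    """Constructed scenario: one coordinator, three record requests."""
    ws = WorkstationSessions(timeout=600)
    ws.login("huc_jdoe", now=0)
    ws.open_record("huc_jdoe", "MRN-0001", now=100)   # allowed, assigned
    ws.open_record("huc_jdoe", "MRN-0002", now=200)   # allowed, not assigned
    ws.open_record("huc_jdoe", "MRN-0001", now=1000)  # 800 s idle: logged off
    assignments = {"huc_jdoe": {"MRN-0001"}}
    return ws, review_access(ws.access_log, assignments)


if __name__ == "__main__":
    store, flagged = demo()
    print("accesses logged:", store.access_log)
    print("outside assignment:", flagged)
```

The review step is the part worth keeping: an auto log-off stops an unattended terminal from being used, but only a periodic review of the access log shows whether a valid login opened records it had no work reason to open.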

Page 15: hipaa presentation final

Protected Health Information

• The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Page 16: hipaa presentation final

Privacy Rule

What makes health information identifiable?

• Name

• Address

• Medical record number

• Social security number

• Telephone numbers

• Fax numbers

• Email address

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images

• All dates directly related to an individual

• Any other unique identifying number, characteristic, or code; except for re-identified information

• Internet Protocol (IP) address numbers
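A practical use of the identifier list above is checking whether a record still carries any of those identifiers before it leaves the covered entity, for example for research. The block below is an added example, not from the presentation: it drops the fields that hold direct identifiers, scrubs the identifier patterns that tend to hide in free-text notes (SSN, telephone, email, IP address, URL, dates), and then re-scans the result. The field names, the regular expressions, the choice to keep only the year of a date, and the sample record are all assumptions constructed for this example.

```python
"""Identifier check for a patient record, based on the identifier categories
listed on the slide. Field names, patterns and the sample record are
constructed for this example."""
import re

# Assumed field names that map to the slide's direct-identifier categories;
# their values are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "medical_record_number", "ssn", "telephone", "fax",
    "email", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "biometric_id", "photo",
    "ip_address",
}

# Patterns for identifiers that can also appear inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record):
    """Return a copy with direct-identifier fields dropped and free-text
    identifiers replaced. Dates are reduced to the year only (assumption:
    the unit treats the bare year as acceptable to keep)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if label == "date":
                    value = pattern.sub(
                        lambda m: m.group(0).split("/")[-1], value)
                else:
                    value = pattern.sub(f"[{label.upper()} REMOVED]", value)
        out[key] = value
    return out


def find_identifiers(record):
    """List (field, label) pairs for every identifier still present, so a
    record can be verified before release rather than trusted."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            hits.append((key, "direct identifier field"))
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, label))
    return hits


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "medical_record_number": "MRN-123456",
    "ssn": "123-45-6789",
    "diagnosis": "seasonal allergies",
    "note": "Seen 03/14/2019, call back at 555-123-4567 or pat@example.invalid",
    "ip_address": "192.0.2.10",
}

if __name__ == "__main__":
    print("before:", find_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after:", cleaned, find_identifiers(cleaned))
```

The second scan matters more than the scrub: free text is where identifiers slip through, so a release process should verify the output and hold back any record on which `find_identifiers` is not empty.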

Page 17: hipaa presentation final

Privacy Rule

Privacy before HIPAA varied by state, and access to medical records was not guaranteed by federal law.

Main purposes of the Privacy Rule

• Define and limit the circumstances in which an individual’s protected health information may be used or disclosed

• Define patient rights with respect to their health information

Page 18: hipaa presentation final

Privacy Rule's focus

• Individually identifiable information: information which identifies the patient or could be used to identify the patient

• Paper or electronic patient medical or health records

• Patient information exchanged verbally

• Information relating to the past, present, or future physical or mental condition of an individual

• Research data that identifies individual patients

Page 19: hipaa presentation final

Privacy Rule

Required Disclosures of PHI

• Protected health information must be disclosed:

• To the individual (or their representative) who is the subject of the medical records, when a request for access to those records or for an accounting of disclosures of PHI is made

• To HHS when it is undertaking a compliance investigation, review, or enforcement action

Page 20: hipaa presentation final

Privacy Rule

Permitted disclosures of PHI

Covered entities are permitted to use PHI without patient authorization in the following situations:

• To the individual

• For Treatment, Payment, or Operations

• Opportunity to agree or object (e.g. facility directory)

• Incident to an otherwise permitted use or disclosure

• Public interest and benefit activities (e.g. victims of abuse, law enforcement)

• Limited Data Set for research, public health, or health care operations

Page 21: hipaa presentation final

Disclosures of PHI

Minimum Necessary Standard

• Permitted uses must adhere to the “minimum necessary” standard when it comes to how much information should be disclosed

• Guidelines for the minimum necessary standard are left up to the health care provider only

• The minimum necessary standard does not apply to information disclosed or requested by a health care provider in connection with patient treatment, or when a patient gives their authorization.

Page 22: hipaa presentation final

Disclosures of PHI requiring Authorization

A written authorization is required from the individual for the release of PHI for purposes other than TPO, or otherwise permitted or required disclosures under the Privacy Rule.

Authorizations must:

• Be written in specific terms

• Be stated in plain English

• Contain specific information regarding the information to be disclosed or used

• State the name of the person(s) disclosing and receiving the information

• State an expiration

• Have a written right to revoke

• Be obtained for psychotherapy notes

• Be obtained for marketing

Page 23: hipaa presentation final

HIPAA rules are not a barrier to good care: The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Health Unit Coordinators are free to communicate as required for quick, effective, and high-quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.

Page 24: hipaa presentation final

Incidental Disclosures

• An incidental disclosure that occurs as a by-product of an otherwise permitted use or disclosure is permitted:

• If it cannot be reasonably prevented.

• If it is limited in nature.

• To the extent that reasonable safeguards exist.

• Reasonable safeguards:

• Keep patient information on white boards/locater boards to a minimum.

• Reduce unnecessary incidental disclosures during check-in processes and in waiting rooms.

• Take care to limit the amount of information disclosed on an answering machine.

• Do not discuss patients in public areas.

• Consider location when posting patient schedules and storing patient charts.

• Keep voices low when discussing patient issues in joint treatment areas.

• Position workstations so the screen does not face public areas; consider using screen filters.

Page 25: hipaa presentation final

Practical Examples of Appropriate Behavior Under HIPAA

The following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:

• Orally coordinate services at hospital nursing stations.

• Discuss a patient's condition over the phone with the patient, a provider, or a family member.

• Discuss a patient's condition or treatment regimen in the patient's semi-private room.

• Covered entities may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

• Maintain patient charts at bedside or outside exam rooms.

• Display patient names on the outside of patient charts, or at the door of patient rooms.

Page 26: hipaa presentation final

Improper disclosure of PHI

• Any disclosure of PHI, whether intentional or incidental, that comes as a result of a covered entity's failure to implement reasonable safeguards or apply the minimum necessary standard is a violation of the Privacy Rule.

Example: A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.

Page 27: hipaa presentation final

Health Unit Coordinators and PHI

• Healthcare professionals who have access to medical records have a legal, ethical, and moral obligation to protect the confidentiality of patients' protected health information

• NAHUC members have an ethical responsibility to protect patient rights and privacy

Remember:

• Keep this information confidential.

• Access or use this information only as required to perform your job.

• Provide the minimum necessary information when responding to information requests.

• Do not discuss this information with others unless it is administratively or clinically necessary to do so.

• Do not use any electronic media to copy or transmit information unless you are specifically authorized to do so.

Page 28: hipaa presentation final

Additional examples of actions to protect patient privacy

• At nursing stations, keep computer monitors that display patient information turned away from public view.

• Log off from patient records before leaving a data terminal.

• If you must leave for a few moments, do not leave records face up on your desk or work area.

• Place fax machines used to receive confidential records in locations with appropriately limited access.

• Avoid elevator and hallway consultations involving patients.

• Isolate and/or lock file cabinets or record rooms.