Health Insurance Portability and Accountability Act
Keeper of protected health information
Presenter: Charity Bellmon, BS, CHUC
Objectives
The participant should understand
● The origin of HIPAA and its five titles
● HIPAA’s five basic principles
● The Security Rule and the safeguards for compliance
● The Privacy Rule in relation to proper and improper disclosure of protected health information
● The Health Unit Coordinator’s role in protecting a patient’s privacy
Test your knowledge
● When was HIPAA passed?
● Name a patient “right” under HIPAA
● What is protected health information?
● What is an incidental disclosure?
● What does HIPAA stand for?
● Give an example of a covered entity under HIPAA
Why was HIPAA enacted?
• To protect employees' health insurance coverage when they changed or lost their job
• To protect the privacy and security of patients' health information
• To adopt national standards for electronic health care transactions
• To improve the efficiency and effectiveness of the health care system
HIPAA’S ORIGIN
● Enacted August 21, 1996 by Congress
● Five titles to the act
– Title I: health care access, portability and renewability
– Title II: administrative simplification
– Title III: tax related health provisions
– Title IV: application and enforcement of group health plan requirements
– Title V: revenue offsets
www.oup.com/us/ppt/pdr/IntroductiontoHIPAA.ppt
HIPAA’s Administrative Simplification Standards
● Congress mandated that privacy legislation be enacted within 3 years of HIPAA
● Final modification by Health and Human Services August 14, 2002
● Outlines five basic principles for protecting the confidentiality of individually identifiable health information
● Covered entities include health care providers, health plans, and healthcare clearinghouses
HIPAA's Five basic principles
I. Consumer Control: patient rights
– Right to access health record
– Right to have health record amended or corrected
– Right to request confidential communications
– Right to request restrictions on access to medical records
– Right to complain of violations
– Right to an accounting of disclosures
II. Boundaries
Health information should be used for health purposes only, including treatment and payment
III. Accountability
● HIPAA imposes civil and criminal penalties for violation of a person’s privacy rights
● Civil monetary penalties = $100 per failure, with a $25,000 per year cap for multiple identical violations
● Criminal penalties = $50,000 / 1 yr. in prison, or $100,000 / up to 5 yrs in prison for false pretenses, or up to $250,000 / up to 10 yrs in prison for intent to sell
IV. Public Responsibility
● Balancing act between protecting the privacy of patients and protecting the public health
V. Security
Organizational responsibility to protect the privacy of patients
Administrative Simplification Title II
• Publicized standards for the electronic exchange and privacy and security of health information
• Pertains to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA
Security Rule
● Sets national standards for protecting the confidentiality, integrity, and availability of ePHI
● Only pertains to information transmitted in electronic format
● Excludes voice mail messages, paper-to-paper faxes, copy machines, or records stored in filing cabinets.
● Requires a written security plan that includes administrative, physical and technical safeguards.
Security Rule
● Administrative safeguards
– Security awareness training
– Information access management
– Security officer
● Physical safeguards
– Work station use and security (screen savers, screen shields, screen positioning, encryption, firewall protection)
– Facility access controls
● Technical safeguards
– Access controls (unique user ID, auto log off, review/modification of user access)
Protected Health Information
• The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Privacy Rule
What makes health information identifiable?
• Name
• Address
• Medical record number
• Social security number
• Telephone numbers
• Fax numbers
• Email address
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• All dates directly related to an individual
• Any other unique identifying number, characteristic, or code; except for re-identified information
• Internet Protocol (IP) address numbers
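As an added example (not part of the original presentation), the following Python script scans a record for several of the identifier classes listed above and redacts them, so a coordinator or auditor can check what a note would disclose before it is shared. The sample note, the "MRN 1234567" format and the regular expressions are constructed assumptions for illustration, not definitions taken from the regulation.

```python
import re

# Patterns for identifier classes named in the Privacy Rule list above.
# The exact formats (SSN, US phone/fax, MRN prefix) are assumptions for
# this example; real systems must match their own record formats.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[ #:]*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return a list of (identifier_class, matched_text) pairs found in text."""
    found = []
    for label, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((label, match.group(0)))
    return found


def redact(text):
    """Replace every detected identifier with a bracketed class tag."""
    for label, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


# Constructed sample note; none of these values belong to a real person.
SAMPLE_NOTE = (
    "Pt seen 03/14/2024, MRN 0047812. Call back at (555) 123-4567 or "
    "jane.doe@example.com; portal https://portal.example.org/visit/1 "
    "accessed from 10.0.0.25. SSN 123-45-6789 on file."
)

if __name__ == "__main__":
    for label, value in find_identifiers(SAMPLE_NOTE):
        print(f"{label:13} {value}")
    print(redact(SAMPLE_NOTE))
```

Pattern matching only catches identifiers with a recognizable shape; names, addresses, biometrics and photographs from the same list need record-structure or human review rather than regular expressions.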
Privacy Rule
Privacy before HIPAA varied by state, and access to medical records was not guaranteed by federal law
Main purposes of the Privacy Rule
• Define and limit the circumstances in which an individual’s protected health information may be used or disclosed
• Define patient rights with respect to their health information
Privacy Rule's focus
• Individually identifiable information; information which identifies the patient or could be used to identify the patient
• Paper or electronic patient medical or health records
• Patient information exchanged verbally
• Information relating to the past, present, or future physical or mental condition of an individual
• Research data that identifies individual patients
Privacy Rule
Required Disclosures of PHI
• Protected health information must be disclosed:
• To the individual (or their representative) who is the subject of the medical records when a request for access to those records, or for an accounting of disclosures of PHI, is made
• To HHS when it is undertaking a compliance investigation, review, or enforcement action
Privacy Rule
Permitted disclosures of PHI
Covered entities are permitted to use PHI without patient authorization in the following situations:
• To the individual
• For Treatment, Payment, or Operations
• Opportunity to agree or object (e.g. facility directory)
• Incident to an otherwise permitted use or disclosure
• Public interest and benefit activities (e.g. victims of abuse, law enforcement)
• Limited Data Set for research, public health, or health care operations
Disclosures of PHI
Minimum Necessary Standard
• Permitted uses must adhere to the “minimum necessary” standard when it comes to how much information should be disclosed
• Guidelines for the minimum necessary standard are left up to the health care provider only
• The minimum necessary standard does not apply to information disclosed or requested by a health care provider in connection with patient treatment or when a patient gives their authorization.
Disclosures of PHI requiring Authorization
A written authorization is required from the individual for the release of PHI for purposes other than TPO, or other disclosures permitted or required by the Privacy Rule.
Authorizations must:
• Be written in specific terms
• Be stated in plain English
• Contain specific information regarding the information to be disclosed or used
• State the name of the person(s) disclosing and receiving the information
• State an expiration
• Have a written right to revoke
• Be obtained for psychotherapy notes
• Be obtained for marketing
HIPAA rules are not a barrier to good care: The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Health Unit Coordinators are free to communicate as required for quick, effective, and high-quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.
Incidental Disclosures
• An incidental disclosure that occurs as a by-product of an otherwise permitted use or disclosure is permitted:
• If it cannot be reasonably prevented.
• If it is limited in nature.
• To the extent that reasonable safeguards exist.
• Reasonable safeguards:
• Keep patient information on white boards/locater boards to a minimum.
• Reduce unnecessary incidental disclosures during check-in processes and in waiting rooms.
• Take care to limit the amount of information disclosed on an answering machine.
• Do not discuss patients in public areas.
• Consider location when posting patient schedules and storing patient charts.
• Keep voices low when discussing patient issues in joint treatment areas.
• Position workstations so the screen does not face public areas; consider using screen filters.
Practical Examples of Appropriate Behaviour Under HIPAA
The following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
• Orally coordinate services at hospital nursing stations.
• Discuss a patient's condition over the phone with the patient, a provider, or family member.
• Discuss a patient's condition or treatment regimen in the patient's semi-private room.
• Covered entities may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.
• Maintaining patient charts at bedside or outside exam rooms.
• Displaying patient names on the outside of patient charts, or at the door of patient rooms.
Improper disclosure of PHI
• Any disclosure of PHI, whether intentional or incidental, that comes as a result of a covered entity's failure to implement reasonable safeguards or apply the minimum necessary standard is a violation of the Privacy Rule.
Example: A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.
Health Unit Coordinators and PHI
• Healthcare professionals who have access to medical records have a legal, ethical, and moral obligation to protect the confidentiality of patients' protected health information
• NAHUC members have an ethical responsibility to protect patient rights and privacy
Remember:
• Keep this information confidential.
• Access or use this information only as required to perform your job.
• Provide the minimum necessary information when responding to information requests.
• Do not discuss this information with others unless it is administratively or clinically necessary to do so.
• Do not use any electronic media to copy or transmit information unless you are specifically authorized to do so.
Additional examples of actions to protect patient privacy
• At nursing stations, keep computer monitors that display patient information turned away from public view.
• Log off from patient records before leaving a data terminal.
• If you must leave for a few moments, do not leave records face up on your desk or work area.
• Place fax machines used to receive confidential records in locations with appropriately limited access.
• Avoid elevator and hallway consultations involving patients.
• Isolate and/or lock file cabinets or record rooms.