HIPAA Privacy Training: Health Insurance Portability & Accountability Act of 1996, Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164

Page 1

HIPAA Privacy Training

Health Insurance Portability & Accountability Act of 1996

Standards for Privacy of Individually Identifiable Health Information

45 CFR Parts 160 and 164

Page 2

The Privacy Rule

- Creates a national foundation of privacy
- Does not preempt more stringent state laws
- Extends:
  - Certain individual rights to privacy
  - Protection of an individual's medical records and health information

Page 3

Who's affected?

Direct impact:
- Health plans
- Health care clearinghouses
- Health care providers (who transmit health information electronically)

Indirect impact:
- Business associates (vendors, consultants, contractors)

Page 4

What's protected?

Protected health information (PHI) refers to individually identifiable health information relating to:
- A person's past, present and future health or condition;
- Provision of health services to the person;
- Past, present and future payment for health services to the person.

It covers information transmitted or maintained in any form and includes data considered individually identifiable.

Page 5

What's individually identifiable?

- Name
- Geographic divisions smaller than State (with exceptions)
- All dates (except year)
- Phone & fax number
- E-mail address
- SSN
- Medical record #
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier [164.514(b)(2)]

Page 6

Rules for Use or Disclosure of PHI

- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (Exceptions)
- Authorization

Page 7

Permitted Uses of PHI

Use or disclosure permitted for:
- Treatment (some facilities may still require patient authorization for release of PHI)
- Payment
- Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)

Page 8

Opportunity to Object

- Facility directories
- To clergy
- To persons involved in the individual's care
- Notification purposes
- Disaster relief purposes

Page 9

Agreement or Authorization Not Required (Exceptions)

- Required by law
- Public health activities
- Victims of abuse/neglect/domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners & funeral directors
- Organ/tissue donations
- Research purposes
- Serious threat to self/others
- Specialized government functions
- Workers' comp

Page 10

Authorizations

Required for all other uses or disclosures of PHI

Page 11

Notice of Privacy Practices

- Describes to the patient how his/her protected health information may be used or disclosed
- Details the patient's legal rights with regard to his/her own PHI and how to exercise those rights
- Details the legal obligations of the Covered Entity to protect PHI

Page 12

Individual's Rights

- To receive the Notice of Privacy Practices
- To inspect and/or obtain a copy of PHI
- To request to amend PHI
- To request limits on certain uses or disclosures of PHI
- To receive an accounting of disclosures
- To receive confidential communications
- To file a complaint

Page 13

Other Requirements

- De-identification of PHI
- Minimum necessary
- Workforce training
- Verification process
- Business Associate Contract

Page 14

Other Restrictions

- Marketing
- Fundraising
- Specially Protected Health Information: additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records

Page 15

Consequences of Non-compliance

Penalties:
- Civil: $100 per violation; up to $25,000 per year
- Criminal: up to $250,000 and/or 10 years in prison

Page 16

Sanctions

- A facility is required to sanction members of its workforce (including "students") who violate policies and procedures relating to the privacy and security of health information
- Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at the facility

Page 17

What You Need to Know About Each Facility

- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for Treatment
- Requests/Disclosures to Govt. Agencies
- Patient's Request to Restrict Use or Disclosure

Page 18

What is a Facility Directory?

- The information about a patient that a hospital releases to callers, visitors or the media
- This information is limited to: location and condition
- Directory information may only be released to people who ask for the patient BY NAME

Page 19

Facility Directory

- A patient may ask that NO INFORMATION be released to callers, visitors or media
- Each hospital has procedures for patients with NO INFORMATION status
- You must be aware of the hospital's procedures
- Do NOT release information in violation of the patient's information status

Page 20

Facility Directory: NO INFORMATION Status

PATIENT'S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY OR FRIENDS

Anyone asking for the patient will be told, "We have no information regarding the individual."

Page 21

What should I do? Scenario #1

Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient's name on the unit I just left. What should I do?

A: Refer the person to the nurses' station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.

Page 22

Family Involvement

A patient's health information may be disclosed to family, friends or others if:
- The patient gives verbal agreement,
- The patient has the opportunity to object and does not, or
- You can infer from the circumstances that the patient does not object

Emergency/incompetent patient: release information using professional judgement about the best interests of the patient

Page 23

Family Involvement

- Information released must be directly relevant to that person's involvement in the patient's care or payment for that care
- A patient has the right to request that you not release information to family or others
- If a patient asks that you not talk with family or others, inform nursing staff of the patient's request

Page 24

What should I do? Scenario #2

Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?

A: A patient has a right to not involve family members or others in his/her care. You should not share any information with the spouse, per the patient's request, and you should alert the nursing staff about the patient's request.

Page 25

Minimum Necessary (Need-to-Know Rule)

Access to information is a privilege. Individuals who are granted access have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.

Page 26

Request/Disclose PHI for Treatment Purposes

PHI may be requested/disclosed for treatment when:
- The request is from a provider to whom you referred the patient for treatment, or the provider's involvement in the patient's treatment is documented in the medical record, or
- The patient has signed an authorization or release for the disclosure to the provider, or
- The provider has requested, in writing, the PHI for treatment purposes

Page 27

Request/Disclosure of PHI to/from Government Agencies

- Refer to nursing staff, the attending physician or the Privacy Officer
- Only the minimum necessary may be released
- An accounting for the disclosure must be completed

Page 28

Patient's Request to Restrict Use or Disclosure of PHI

- The facility may agree to a patient's request to restrict use or disclosure of PHI for treatment, payment or health care operations
- You must be aware of the facility's procedures and where such restrictions would be documented

Page 29

Use of PHI for Educational Purposes

Allowed without patient consent or authorization.

Parameters of use or disclosure of PHI for educational purposes:
- Appropriate access
- Minimum necessary for the purpose
- Protect and safeguard PHI
- Appropriate disposal upon completion

Page 30

"Facially De-identified" Information

- Use of "facially de-identified" PHI is permitted for educational purposes
- Remove all individual identifiers, except: the patient's medical record number, dates of service, and zip code
- This information is still considered PHI and remains under federal privacy protections

Page 31

"Facially de-identified" means removing:

- Name
- Address
- Phone & fax number
- E-mail address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger, voice prints)
- Full face photo and other images
- Any other unique identifier
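The distinction between the two identifier lists (Page 5's 164.514(b)(2) list and the shorter "facially de-identified" list on Pages 30 and 31) is easy to get wrong in practice, so here is an added example that is not part of the training deck: a small Python filter that applies both lists to a patient record and reports whether the result is still PHI. The field names, the sample record and the treatment of birth date and employer as identifiers (taken from Page 41) are this example's own assumptions; the slides describe the rules, not a data layout.

```python
from datetime import date

# Identifiers removed in BOTH modes (Pages 5 and 31, plus birth date and
# employer, which Page 41 says must not be left in facially de-identified data).
DIRECT_IDENTIFIERS = frozenset({
    "name", "address", "phone", "fax", "email", "ssn",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "web_url", "vehicle_identifier",
    "device_identifier", "ip_address", "biometric_identifier",
    "full_face_photo", "other_unique_identifier", "birth_date", "employer",
})

# Identifiers that "facially de-identified" data may keep (Page 30) but that
# full de-identification under 164.514(b)(2) must also remove (Page 5).
FACIAL_RETAINED = frozenset({"medical_record_number", "dates_of_service", "zip_code"})

# Constructed sample record; field names are an assumption of this example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "medical_record_number": "MRN-0001234",
    "ssn": "000-00-0000",
    "birth_date": date(1966, 4, 12),
    "employer": "Example Builders LLC",
    "zip_code": "85001",
    "dates_of_service": [date(2002, 10, 3), date(2002, 10, 9)],
    "age": 36,
    "state": "Arizona",
    "occupation": "construction worker",
    "diagnosis": "acute appendicitis",
}


def remaining_identifiers(record):
    """Keys of the record that the slides classify as identifiers."""
    return {k for k in record if k in DIRECT_IDENTIFIERS or k in FACIAL_RETAINED}


def still_phi(record):
    """True if any listed identifier is left; facially de-identified data stays PHI."""
    return bool(remaining_identifiers(record))


def facially_deidentify(record):
    """Remove direct identifiers but keep MRN, dates of service and zip code."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def deidentify(record):
    """Remove every listed identifier; only the year of the service dates survives."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in FACIAL_RETAINED}
    if "dates_of_service" in record:
        # "All dates (except year)" are identifiers, so keep only the years.
        out["service_years"] = sorted({d.year for d in record["dates_of_service"]})
    return out


if __name__ == "__main__":
    facial = facially_deidentify(SAMPLE_RECORD)
    full = deidentify(SAMPLE_RECORD)
    print("facially de-identified, still PHI:", still_phi(facial), facial)
    print("de-identified, still PHI:", still_phi(full), full)
```

The facially de-identified output still carries the MRN, the service dates and the zip code, which is exactly why `still_phi` reports it as PHI and why Page 44 says such papers must be shredded rather than binned; only the fully de-identified output clears the check. Running `remaining_identifiers` on a Patient Log entry before submitting it (Page 40) is the kind of self-check the slides ask students to perform by hand.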

Page 32

Allowable Educational Access/Use

- Treatment observation
- Teaching rounds
- Retrospective record or data reviews
- Research (with IRB approval)
- Case presentations
- Patient logs

Page 33

Is this okay? Scenario #3

Q: I heard about a very unusual case in the OR. As a medical student, I am here to learn. I need to know more about the details so I can gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?

A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patient records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.

Page 34

Some Do's and Don'ts: Treatment and Observation

Can Do:
- Access medical records of the patients you are treating/caring for
- Prepare class work with patient identifiers removed
- Observe patient care with approval from the department manager/supervising faculty

Cannot Do:
- Obtain medical records of patients you are not treating/caring for
- Use data (obtained from your cases) that include patient identifiers such as name, address, birth date
- Observe patient care without appropriate approval or when the patient has objected

Page 35

Some Do's and Don'ts: Teaching Rounds

Can Do:
- Share patient information during teaching rounds
- Prepare class work using data from your cases with patient identifiers removed

Cannot Do:
- Discuss patients in public areas with no consideration of surroundings
- Include family members in rounds unless the patient has agreed, or the physician has determined that inclusion is in the patient's best interest

Page 36

Some Do's and Don'ts: Retrospective Reviews

Can Do:
- Access medical records with written approval of the supervising faculty member
- Prepare class work using collected data with patient identifiers removed
- Use aggregate or de-identified patient information

Cannot Do:
- Use information collected for research without IRB approval
- Publish or publicly present findings without IRB approval or a waiver of authorization
- Contact the patient or the patient's physician
- Abstract patient identifiers

Page 37

Some Do's and Don'ts: Research

Can Do (with IRB approval):
- Build a database of patient information
- Access and use patient-identifiable information as approved by the IRB
- Make a public presentation or publish findings using aggregate or de-identified information

Cannot Do:
- Any research without IRB approval or waiver
- Publish or publicly present findings that identify the patient without patient authorization
- Access and collect patient data in preparation for a research project without IRB approval or waiver

Page 38

What should I do? Scenario #4

Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?

A: Maybe. If the intent is purely for quality improvement without intent to publish findings, and you will destroy the database upon completion, then you do not need IRB approval or a waiver. But if you intend to publish, present or use the data you collected for any other purpose and do not have the patient's authorization or an IRB approval or waiver, you would be violating the patient's rights.

Page 39

Some Do's and Don'ts: Case Presentations or Grand Rounds

Can Do:
- Access medical records with written approval of the supervising faculty member
- Prepare for the presentation using "facially de-identified", aggregate or de-identified information
- Limit the audience to healthcare students or professionals if the patient's identity might be inadvertently revealed

Cannot Do:
- Display or reveal the patient's name or medical record number in your presentation
- Present a high-profile or unusual case that may compromise the patient's privacy without the patient's written authorization for disclosure

Page 40

Patient Logs

You must "facially de-identify" all information collected and submitted on a Patient Log

Page 41

Some Do's and Don'ts: "Facially De-identifying" Patient Data

Can Do:
- Use general terms to describe a patient: 36 year old White male, living in Arizona, admitted in October 2002, construction worker
- Black out, delete or cut out patient identifiers on hard copy

Cannot Do:
- Leave patient identifiers in information used/removed: patient's or relatives' names, birth dates, address, employer
- Take copies of dictated reports home with you (unless the reports are "facially de-identified")

Page 42

Some Do's and Don'ts: Accessing PHI

Can Do:
- Request access to PHI through appropriate channels
- Request access to medical records through Medical Records
- Submit the completed appropriate data request form for data reports

Cannot Do:
- Remove medical records from the facility
- Leave patient records or data in the break room or other areas that are not secure
- Out of curiosity, access the records of a celebrity patient or the records of a patient with an unusual medical condition

Page 43

Is it okay? Scenario #5

Q: My friend was admitted yesterday after she collapsed during a bike ride. I am very concerned about her progress and would like to visit, but I don't know which room she is in. Is it okay if I look up the information in the computer system?

A: No. Using your access privileges to look up information about a patient when there is no need-to-know (based upon your responsibilities in the hospital) is a violation of patient confidentiality.
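Scenarios #3 and #5, and the need-to-know rule on Page 25, both turn on the statement that electronic records are monitored for inappropriate access. As an added example, not part of the training deck and not any facility's actual monitoring system, here is how such a need-to-know check can be run over an access audit log: every chart access is compared against the list of patients the user is treating or caring for, and anything outside that list is flagged for review. The log format, the user and MRN values and the care-assignment table are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log (assumed format): ISO timestamp, user id, patient MRN, action.
SAMPLE_AUDIT_LOG = """\
2002-10-03T08:12:44 student17 MRN-0001234 VIEW_CHART
2002-10-03T08:40:02 student17 MRN-0009876 VIEW_CHART
2002-10-03T12:05:19 rn_alvarez MRN-0009876 UPDATE_NOTE
2002-10-03T17:48:31 student17 MRN-0005555 VIEW_CHART
2002-10-03T18:02:10 rn_alvarez MRN-0005555 VIEW_CHART
"""

# Constructed care assignments: the patients each user is treating/caring for
# (Page 34: "Access medical records of the patients you are treating/caring for").
CARE_ASSIGNMENTS = {
    "student17": {"MRN-0001234"},
    "rn_alvarez": {"MRN-0009876", "MRN-0005555"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    mrn: str
    action: str


def parse_audit_log(text):
    """Parse whitespace-separated audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, mrn, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(timestamp), user, mrn, action))
    return events


def flag_need_to_know_violations(events, assignments):
    """Return every access to a patient who is not on the user's care list.

    A user with no assignments at all has no need-to-know for anyone, so all
    of that user's accesses are flagged.
    """
    return [e for e in events if e.mrn not in assignments.get(e.user, set())]


def violations_by_user(events, assignments):
    """Count flagged accesses per user, the summary a reviewer would start from."""
    counts = {}
    for e in flag_need_to_know_violations(events, assignments):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_need_to_know_violations(parse_audit_log(SAMPLE_AUDIT_LOG), CARE_ASSIGNMENTS)
    for e in flagged:
        print(f"{e.when.isoformat()} {e.user} accessed {e.mrn} ({e.action}) without a care relationship")
```

In the sample data, both of student17's accesses to patients other than MRN-0001234 are flagged while the nurse's accesses are not; the flag means "review this", since a legitimate reason (a new referral not yet documented, an emergency) may exist, and the sanction decision on Page 16 belongs to the facility, not to the script.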

Page 44

Some Do's and Don'ts: Safeguarding Information

Must Do:
- Password-protect laptops or PDAs
- Shred "facially de-identified" papers when no longer needed
- Ensure the memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
- Encrypt PHI sent over the Internet

Cannot Do:
- Leave information unsecured or in public areas
- Discuss patients in the elevator, hallways or cafeteria
- Dispose of "facially de-identified" information in the trash can (it is still PHI under HIPAA!)
- Share your access codes or cards

Page 45

Questions?

For further information or questions, please contact the facility's Privacy Officer