Health Insurance Portability and Accountability Act Knock, Knock! Who’s there? HIPAA!! HIPAA who? I can’t tell you THAT!!

HIPAA AND INFORMATION TECHNOLOGY

DESCRIPTION

What is HIPAA? Who does it protect? The top ten HIPAA violations presented and ways to safeguard against them.

1. Knock, Knock! Who's there? HIPAA!! HIPAA who? I can't tell you THAT!!

2. Jessica McGrail, Maria Radziminski, Nicole Ring, Juliet Nwokedi, Rodolfo Tadeo. Jacksonville University. June 5, 2014. Group Presentation

3. What are the Top Violations of The Health Insurance Portability and Accountability Act (HIPAA)?

4. Health Insurance Portability & Accountability Act: WHAT IS HIPAA?

5. What is HIPAA?
   • HIPAA is a federal law
   • HIPAA establishes uniform rules for protecting health information & privacy
   • HIPAA rules were invented to balance the flow of information with protecting the privacy of patients. (US Department of Health and Human Services, 2014, May 27).

6. What does HIPAA say? The patient has the right to:
   • Request access to health information
   • Request to amend their health information
   • Request restriction to information sharing
   • Request accountability of disclosures
   (US Department of Health and Human Services, 2014, May 27).

7. HIPAA's Protection: Who Does HIPAA Protect? How Does HIPAA Protect?

8. Who and What Does HIPAA Protect?
   • HIPAA Protects Your Individual Health Information
   • HIPAA also Protects Individually Identifiable Health Information (IIHI): name or partial name, address or zip code, Social Security number, birth date, phone number, diagnosis, employer, relatives, billing information
   (US Department of Health and Human Services, 2014, May 27).

9. How Does HIPAA Protect?
   • Requires covered entities to implement security measures to protect against improper disclosure of health information
   • Sets limits on user access to individual health information
   • Training programs are implemented for employees on how to protect your health information
   (US Department of Health and Human Services, 2014, May 27).

10. What Information Does HIPAA Protect? Sharing any personal health information with anyone other than the patient, persons authorized by the patient to receive IIHI, or a person directly involved in patient care is a violation of HIPAA (Hebda & Czar, 2013).

11. Personal iPad

12. Using patient information on personal computer and taking it home: Patients' health information must be secure against inadvertent disclosure and threats to its integrity or availability (Hebda & Czar, 2013).

13. Losing backup disks or portable drives with patient health information: Adding password protection and encrypted files increases security protection (Hebda & Czar, 2013).

14. FACEBOOK

15. Social Media. The nurse exposed patient data by posting onto her Facebook page. How do we safeguard against this?
   • Don't post/tweet or blog about patients
   • Don't discuss medical conditions
   • If you wouldn't say it in an elevator, don't put it online (Ekrem, 2011).
   • Don't exchange personal data

16. Dashboard

17. Dashboard. The nurse asked another nurse for access to their dashboard; this should NEVER happen! How can we prevent this violation of HIPAA?
   • Never share your sign-on information
   • Never write passwords down
   • Change passwords regularly and use a combination of upper and lowercase letters, numbers and symbols
   • If the program asks to remember your password, do not say yes
   • If you think your password has been compromised, report it immediately.
   (University of Wisconsin-Madison, 2003).

18. Wrong Fax Number Prevention
   • Confirm that fax numbers are correct before sending information to prevent wrong delivery.
   • Make use of a cover sheet.
   • Use sealed envelopes for delivery.
   • The use of an encryption key makes it impossible to read confidential information. This safeguards fax transmissions that might be sent to a wrong number.
   (Hebda & Czar, 2013).

19. INCOMPLETE AUTHORIZATION

20. Preventing Incomplete Authorization
   • Only the patient or personal representative has the right to access the patient's health information!!
   • Information privacy form must be completely filled out during admission.
   • Personal information cannot be given to any entity without written authorization from the patient.
   • Patients can add to and amend incomplete personal health information in a written request to the healthcare provider to avoid ideal representative confusion.
   (US Department of Health and Human Services, 2014, May 27).

21. THE TEXT

22. Texting PHI. PHI may NEVER be shared with anyone who is not directly involved in patient care. Therefore, texting a friend or loved one any information that could be used to identify a patient is a violation of the HIPAA code. (US Department of Health and Human Services, 2014, May 27). The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. Individually identifiable health information is information that relates to the individual's past, present or future physical or mental health or condition, the provision of healthcare to that individual, and that identifies the individual (Hader & Brown, 2010).

23. Texting Personal Health Information is a violation of HIPAA!! Texting PHI violates HIPAA in a couple of ways. First, text messages are not secure or encrypted. Texting patient information is not legal unless the text messages are transmitted through a secure and encrypted network. (Clinch, 2012). Second, texting does not allow the receiver to verify the sender's identity. (Clinch, 2012).

24. How do we avoid this violation of HIPAA? We avoid violating the Privacy Rule of the HIPAA code by NEVER texting ANY patient information. Whether a name, a room number, or a diagnosis, PHI must be guarded carefully to ensure the safety and security of our patients. (Hebda & Czar, 2013). As nurses, we must protect our patients by honoring their privacy and not discussing them with anyone who is not directly involved in their care, even if we feel the information is benign or could not be traced back to the patient. Especially in the case of text messages, we just never know who could be intercepting PHI.

25. Incidental Disclosures of PHI. What is an incidental disclosure of PHI? According to The University of Chicago's HIPAA Program Office (2006, paragraph 2), "While reasonable precautions should be used to avoid sharing patient information with those not involved in the patient's care, it is possible that minor amounts of patient information may be disclosed to people near where patient care is delivered or being coordinated. This is referred to as an incidental disclosure."

26. Incidental Disclosure. The HIPAA laws state that as long as reasonable efforts are made to minimize incidental disclosure, sharing patient information that may be overheard is okay. (US Department of Health and Human Services, 2014, May 27). But what are reasonable measures?
   • Refusing to discuss one patient in front of another patient or his/her family members, for example, a roommate
   • Using a quiet voice to discuss PHI over the phone, such as with a discharged patient, another healthcare facility, or a patient's family member
   • Avoiding conversations about patients in public areas, such as the elevator, hallway, or cafeteria
   (The University of Chicago, 2006).

27. How can we do our part? The nurse in the video is violating the HIPAA code because she is not using reasonable measures to avoid an incidental disclosure of PHI. To avoid violating the Privacy Rule, nurses can encourage patients and family members to come in to the hospital to discuss sensitive PHI. Nurses can also seek out a private area to discuss PHI over the phone, and make an effort to use a quiet voice so that others will not overhear. (The University of Chicago, 2006).

28. Release of the Wrong Patient's Information. Although it may seem obvious, the release of the incorrect patient's information can occur through careless mistakes. If your facility contains records for two patients with the same name, your staff must be trained to correctly file all medical records, and release documents only for the authorized patient. The use of red name tags in front of charts upon admission helps notify staff members of patients with the same name. (Department of Health and Human Services, n.d.).

29. SHRED IT

30. Improper Disposal of Patient Records. Paper PHI should never be thrown in the regular trash can. Placing PHI in trash bins or dumpsters is not a secure method of disposing of PHI. Failing to shred patient information before disposal could lead to dangerous consequences. (Hebda & Czar, 2013).

31. Proper Disposal of Patient Records. Before PHI can be thrown out it should be made indecipherable by shredding or burning. Another alternative is to hire a reputable company to destroy the records. Placing small bins at each work station clearly labeled "PHI FOR PROPER DISPOSAL ONLY DO NOT TRASH" will prevent information from accidentally ending up in the trash. (Department of Health and Human Services, n.d.).

32. Conclusion. Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. HIPAA gives you the right to protect your health information and sets rules and limits on who can look at and receive your health information. It regulates the use of all forms of individuals' protected health information, whether electronic, written, or oral.

33. References
   • Clinch, T. (2012). Nursing Practice Question: Is Texting/Receiving Patient Information a HIPAA Rules Violation? Nursing News, 36(2), 8.
   • Department of Health and Human Services. (n.d.). Summary of the HIPAA Privacy Rule. Retrieved May 24, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
   • ehow (2014, May 28). HIPAA individual identifiable information. Retrieved from http://www.ehow.com/about_6297969_hipaa-individually-identifiable-information.html#ixzz331NjetR4
   • Greene, A. H. (2012). HIPAA Compliance for Clinician Texting. Journal of AHIMA, 83(4), 34-36.
   • Hader, A., & Brown, E. (2010). Legal Briefs. Patient Privacy and Social Media. AANA Journal, 78(4), 270-274.
   • Hebda, T., & Czar, P. (2013). Handbook of Informatics for Nurses & Healthcare Professionals. Boston: Pearson.

34. References
   • Onesource (2014, May 27). The Top 10 Most Common HIPAA Violations. Retrieved from http://www.onesourcedoc.com/blog/bid/95955/The-Top-10-Most-Common-HIPAA-Violations
   • The University of Chicago. (2006, October). HIPAA - Incidental Disclosures of PHI. Retrieved May 24, 2014, from http://hipaa.bsd.uchicago.edu/incidental_disc.html
   • University of Wisconsin-Madison. (2003). HIPAA Security Practices Best Guidelines #6. Retrieved from https://hipaa.wisc.edu/docs/passwordManagement.pdf
   • US Department of Health and Human Services (2014, April 4). Alaska settles HIPAA security case for $1,700,000. Retrieved from http://www.hhs.gov/news/press/2012pres/06/20120626a.html
   • US Department of Health and Human Services (2014, May 27). Health Information Materials. Retrieved from http://www.hhs.gov/ocr/privacy/hippa/understanding/consumer/index.html