WELCOME TO MIAMI VALLEY HOSPITAL’S HIPAA TRAINING HIPAA BOOT CAMP

HIPAA Training by Miami Valley Hospital's HIPAA Training


PURPOSE OF THIS TRAINING

To introduce you to the basics of HIPAA in order to understand the rules and regulations.

Review its impact on our Healthcare Network.

Explore practical ways to deal with Protected Health Information (PHI) on the job.

Help you understand patients’ rights under the law to protect them, our organization and you.

TOPICS

WHAT IS HIPAA?

WHO DOES IT AFFECT?

WHAT IS THE IMPACT OF HIPAA?

WHEN WILL IT HAPPEN?

WHAT IS MVH DOING?

WHAT IS YOUR ROLE?

WHAT IS HIPAA?

Health Insurance Portability and Accountability Act of 1996

A Federal law imposed on all health care organizations including hospitals, physician offices, home health agencies, nursing homes and other providers, as well as health plans and clearinghouses, that protects patient health information.

WHAT IS HIPAA?

Its main purpose is to make sure that Protected Health Information (PHI) is properly handled.

HIPAA tells us how we must process and protect our patient information.

It also says that if we transmit PHI electronically, we must do it in a standard way.

Under HIPAA patients have new rights that we must inform them about.

HIPAA IS ALL ABOUT DOING WHAT IS RIGHT FOR OUR PATIENTS.

WHO DOES IT AFFECT?

All organizations that deal with a person’s health information:

Providers (Hospitals, Clinics and Physicians)

Health Plans

Health Care Clearinghouses

WHEN WILL IT HAPPEN?

Privacy: April 14, 2003.

Data Standards (EDI): October 16, 2003.

Security: April 21, 2005.

HIPAA FINES & PENALTIES

Non-Compliance with Requirements and Standards

Penalties for overall non-compliance could reach millions of dollars per year.

These penalties can apply to our organization and in some cases to specific individuals including jail time.

$100 per violation up to $25,000 limit per year.

HIPAA FINES & PENALTIES

Wrongful Disclosure of Protected Health Information or Misuse of Identifiers (directly or indirectly):

Simple negligence - $50,000 fine, one (1) year in prison or both

Disclosure under false pretenses - $100,000 fine, five (5) years in prison or both

Intent to sell or use information - $250,000 fine, ten (10) years in prison or both

Employees will also be held accountable by MVH if HIPAA policy violations occur.

WHAT IS MVH DOING?

MVH has been hard at work the past 2 years preparing for HIPAA and the impact it will have on our organization. Here are some of the activities:

The establishment of the HIPAA Steering Committee with representatives from key departments affected by HIPAA.

The review and revision of policies and procedures as needed.

The creation of new policies to support the process changes needed.

The education of employees on HIPAA.

The review of our computer systems to ensure security of patient information.

The review of our process for transmitting electronic data for payment purposes.

KEY PATIENT PRIVACY RIGHTS

Patient Privacy rights include:

Access to health information (and restricted access to information when the patient does not want it disclosed).

Amendments to PHI when patients make specific written requests and those requests are granted.

Accounting of Disclosures (whenever we send patient information without prior patient approval).

Restrictions on Uses and Disclosures of PHI (we are obligated to safeguard patient information and keep it confidential to protect their right to privacy).

Patients will be given a paper copy of our Notice of Privacy Practices concerning the above items and will be asked to sign an acknowledgement of receipt.

Notice of Privacy Practices

Provides individual notice of all of the ways the organization uses and shares a patient’s health information

Explains a patient’s rights to confidentiality and access to his/her information

Is posted prominently in the organization and on the organization’s Web site

Notice of Privacy Practices

If a patient has questions about the organization’s practices or his/her privacy rights, direct him/her to the Notice of Privacy Practices, the Consumer Relations Department (208-2666) or the Privacy Officer, Mike Moddeman (208-8339).

PRIVACY SUMMARY

April 14, 2003 is the deadline for implementation of the new policies and procedures. MVH will be compliant with these rules. We are performing the necessary training of staff as required under the regulations.

Under HIPAA we can still use a patient’s name in the waiting room. We may put a patient’s name outside their door for identification and patients may still share rooms. Our obligation and focus is to SAFEGUARD their individual health information and to protect their privacy.

Safeguarding Patient Information

The Release of Patient Information:

HIPAA allows us to share patient information with any of the patient’s health care providers without an authorization from the patient.

If you are presented with an authorization to release medical information, contact the Health Information Management Department.

Releasing Confidential Information

You cannot share information with the patient’s family, friends or anyone else without written authorization from the patient except:

The patient’s guardian, durable power of attorney for healthcare, or next of kin (if the patient is incapacitated).

For operations of the hospital (ex. quality assurance, incident reports, teaching and education of residents and students).

To enable our organization to get paid for services rendered.

When there is a legal duty to report (ex. child abuse, domestic violence, gunshot or stab wounds).

To another healthcare provider that has treated the patient to enable that provider to get paid for their services.

What is Confidential Information?

Any information about a patient that is written, saved on a computer, or electronic media (disks, CDs, etc.), or spoken is Protected Health Information (PHI). PHI includes:

Name

Age

E-Mail

Social Security #

Address

Phone Number

Diagnosis

Medical history

Medications

Observations of Health

Medical Record Number

Any Unique Identifier

The fact that the patient is in the hospital

Confidential Information

HIPAA DON’TS

Don’t tell anyone what you may overhear regarding a patient.

Don’t discuss a patient in public areas such as elevators, hallways, or cafeterias.

Don’t look at information about a patient unless you need to as part of your job.

Don’t look up information about friends or relatives unless you need to to perform your work.

Confidential Information

HIPAA DO’S

Do keep all information you hear about a patient to yourself.

Do dispose of patient information by placing in properly designated shredder bins for destruction.

Do notify security if you see an unescorted visitor in a non-public area of the hospital.

Do contact the Privacy Officer, Mike Moddeman (208-8339), if you have any questions.

SECURITY

Print-based medical records need to be kept in a secure area or in a safe location with access to authorized people only. (These areas should be locked when not in use).

Access to those locations needs to be controlled so that we can maintain the security of records containing PHI.

If you use a workstation as part of your job, a password (not to be shared) should be used to control access to PHI.

If a workstation is available/viewable by non-authorized people, use a screensaver or reposition to protect the viewing of PHI.

Lock cabinets that contain PHI when you leave your area.

The Privacy Officer

Manages the development of the organization’s privacy standards, policies and procedures.

Oversees the education and training of the workforce.

Investigates suspected violations and complaints.

Facilitates the enforcement of HIPAA within the organization.

The Privacy Officer for Miami Valley Hospital is Mike Moddeman at 208-8339.

What do you need to know?

HIPAA requires health care workers to use the minimum amount of patient information they need to do their jobs efficiently and effectively.

Ask yourself:

Do I need this information to do my job?

What is the least amount of information I need to do my job?

What do you need to know?

Environmental Services staff do not need to look at patient records

Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them

Coders and billers need to look at certain portions of records to code and bill correctly

WHAT SHOULD YOU DO?

Let’s look at some situations that may occur as you deal with patients.

Apply the idea that we should use common sense and reasonable judgment in deciding what to do.

WHAT SHOULD YOU DO?

A patient comes to Registration requesting a copy of the Notice of Privacy Practices. The patient admits having been given one several times, but keeps misplacing it. Should Registration give the patient a copy of the Notice of Privacy Practices?

Yes No Uncertain

WHAT SHOULD YOU DO?

A patient comes into the hospital for the first time. Where will the Notice of Privacy Practices be found?

A. Copies in Registration

B. Posted throughout the hospital

C. On our web site

D. A and B

E. All of the above

WHAT SHOULD YOU DO?

The insurance company, forgetting to ask the discharge planner for the history and physical, figures that it would be easier to just ask for the patient’s complete medical record and leaf through the information to get what they need, even though they know they will not need everything in the medical record for payment purposes. Is the discharge planner allowed to release the entire medical record in this case?

Yes No Uncertain

WHAT SHOULD YOU DO?

Your sister’s close friend is having surgery at the organization where you work. She asks you to find out what you can about the friend’s condition. Should you call and ask around to the nurses you know? Should you look up the friend’s medical record?

Yes No Uncertain

WHAT SHOULD YOU DO?

No. Even if you and your sister have the best intentions, you have no right to look at private information about her friend’s health. Suggest to your sister that she call or visit the information desk. If the patient has agreed to have her information available, the staff at the information desk can give it to your sister.

Do not seek out confidential patient information unless you need it to do your job. If you happen to hear confidential information, do not repeat it to anyone.

Looking at patient records for any non-business reason can be cause for disciplinary and legal action.

WHAT SHOULD YOU DO?

You are working in the emergency department when you see that a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the organization. Should you notify her that her husband is in the emergency department?

Yes No Uncertain

WHAT SHOULD YOU DO?

No. Tell the nursing staff that you know the patient and his wife. Tell them that if they need to locate her, you can help. Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the emergency department staff will allow him to decide whom to notify.  

If he is unconscious, the doctors and nurses will decide whether to notify his wife. Leave the decision up to the emergency department staff. They will let you know whether they need your help to find the patient’s wife.

WHAT SHOULD YOU DO?

You pass by a nurses’ station where patients’ names are listed on a white board. You spot the name of a close friend. Should you stop by her room?

Yes No Uncertain

WHAT SHOULD YOU DO?

No. If you learned of your friend’s stay only by looking at the white board, you should not go to her room unless your job responsibilities take you there.

If you find out from the patient or her family member that she is staying here, feel free to visit her. But be sure to follow the visitor policies.

WHAT SHOULD YOU DO?

A co-worker is having trouble logging in to the organization’s system. She asks for your login name and password so she can try them. Should you share them with her?

Yes No Uncertain

WHAT SHOULD YOU DO?

No. HIPAA requires the use of individual passwords for each person with access to health information stored in the computer system. The organization keeps track of the records you access based on the login name and password you use. If you let others use your name and password, you are breaking HIPAA’s rules and our policy. You may be held responsible if the co-worker gains access to patient information inappropriately. 

Each person must keep the system secure by using only their login name and password to gain access to the system. Never share your login name or password.

WHAT SHOULD YOU DO?

A woman provides the name of a patient and asks for information about his condition. What can you tell her?

A. The patient’s diagnosis

B. The patient’s general condition

C. The patient’s location in the hospital

D. B and C

E. All of the above

WHAT SHOULD YOU DO?

B and C. Check the facility directory. If the patient is listed in the directory (and is not listed as Do Not Admit or No Information), you can tell the woman the patient’s location (room number and telephone number) and his general condition (good, fair, serious, critical).

If the patient is not included in the directory, you cannot give out any information about him to anyone, regardless of the person’s relationship to the patient.

WHAT SHOULD YOU DO?

A billing representative is missing the authorization number for an outpatient surgery. The representative calls the physician’s office to ask for the authorization. The representative also asks about the patient’s recovery from the surgery.

Is the representative acting appropriately?

Yes No Uncertain

WHAT SHOULD YOU DO?

You happen to see a friend (who is a patient) in the hospital. Later while talking to a family member you say: “Guess who I saw today in the hospital?”

Have you violated your friend’s privacy rights?

Yes No Uncertain

WHAT SHOULD YOU DO?

You happen to be walking by a trash bin and you notice a stack of medical records lying on the floor next to the trash. What should you do?

A. Throw the records in the trash

B. Deposit the records in a container to be shredded

C. Bring the records to your supervisor or the Privacy Officer

D. Ignore the situation since you are not authorized to look at these records

WHAT SHOULD YOU DO?

A minor is concerned about the possibility of having contracted a sexually transmitted disease. She requests to have a private conversation with the physician. Can the parent receive documentation related to this discussion at a later date without authorization of the minor?

Yes No Uncertain

WHAT SHOULD YOU DO?

An ICU nurse who just returned from vacation today is caring for a patient who has been in the ICU for four days. The nurse wants to review all progress notes and physician orders in the medical record for the patient’s ICU stay. Does the nurse have the right to access the progress notes and physician orders?

Yes No Uncertain

WHAT SHOULD YOU DO?

A patient asks you how they can get their confidential information sent to their workplace instead of their home. What should the clerk do?

A. Politely tell the patient that we don’t provide this type of service

B. Ask the patient why they want their confidential information sent somewhere else, then get advice from your supervisor

C. Contact the HIM department for assistance

D. Tell the patient that we can’t do this until we receive permission from their employer

WHAT SHOULD YOU DO?

Ms. White asks you for an accounting of disclosures of her child’s PHI. You direct her to the HIM department. Did the employee act properly?

Yes No Uncertain

WHAT SHOULD YOU DO?

A person performing discharge planning is coordinating the transfer of a patient to a skilled nursing facility. The discharge planner has never worked with this patient before and needs to review the medical record to appropriately prepare for the transfer. Does the discharge planner have access to the medical record to conduct this task?

Yes No Uncertain

Questions?

If you have questions about privacy matters or wish to report a concern, contact Mike Moddeman at 208-8339.

Thank You

MIAMI VALLEY HOSPITAL

Copyright 2003 The Gates-Brewer Group, LLC