Ascension Health HIPAA Presents: Health Care Professional

Ascension Health
Presents:
HIPAA
and the
Health Care Professional
Introduction…
HIPAA is one of the newest
regulatory changes that affects the
healthcare industry.
Congress passed the HIPAA
regulations to Standardize, Secure
and Protect healthcare information.
Purpose of this course:
• To foster understanding of how HIPAA
compliance may impact your job-related
activities
• To assure compliance with federal and state
laws
• To assure that facility policies and procedures
are followed
• To foster and maintain a culture of integrity &
accountability
The expected results of this
standardization is that they will:
• Protect the confidentiality of personal
health information
• Improve efficiencies in healthcare billing
• Foster the growth of electronic medical
records
• Improve the quality of data used to make
decisions
• Ultimately it is believed that it will reduce
healthcare costs
HIPAA has three major areas:
1) Transaction and Code Sets: Standards for
the format and coding of billing related information.
For example: electronic claims sent to a third party
payer such as Blue Cross/Blue Shield.
2) Privacy: Standards to protect the privacy of
medical records and other specific information.
These standards help ensure that the information
(PHI) is properly handled and kept confidential.
3) Security: Standards to protect security,
confidentiality, integrity and availability of PHI.
These standards address items such as electronic
billing, and when and how you access electronic
PHI.
Quiz Yourself: Which HIPAA
regulation helps make sure that
Protected Health Information (PHI) is
kept confidential? (pick one answer)
1. Transaction and Code Sets
2. Privacy
3. OSHA
HIPAA Regulations must be followed by:
• Clearinghouses
– (example: Health Care Billing Companies)
• Health Plans
– (example: Blue Cross/Blue Shield Health
Insurance, Dental or Optical Insurance Plans)
• Providers
– (example: Hospitals, Pharmacies, Physician
Offices, Ambulance Companies, Durable Medical
Equipment etc)
Anyone who maintains or transmits health
information electronically
Healthcare Facilities or Systems
must designate a Privacy Official
who is:
Responsible for the development and
implementation of policies and
procedures relating to protecting the
privacy of health information.
Healthcare Facilities or Systems
must designate a Security official
who is:
Responsible for the development and
implementation of policies and
procedures related to protecting the
security of Electronic Protected Health
Information (EPHI).
Workforce Training:
• All members of the workforce must have
received training no later than April 14,
2003 for Privacy and April 20, 2005 for
Security
• All new workforce members must be
trained in privacy and security
Note: Additional training must be provided
for those workforce members whose
functions are affected by any changes to
privacy policies and procedures
The Privacy Rule Includes:
•
•
•
•
•
•
•
•
•
•
Protected Health Information (PHI)
Minimum Necessary Use & Disclosure
Authorization Requirements
Notice of Privacy Practice
Requirements
Individual Patient Rights
Uses for Marketing & Fundraising
Business Associate Provisions
Sanctions for Non-Compliance
Safeguards
Training
As a Clinician you will need to
understand certain portions of
the HIPAA Regulations in more
detail…
• Permitted uses of Protected Health
Information (PHI)
• Minimum Necessary Use & Disclosure
• Protecting Confidentiality
• Sanctions
PHI – Just what is it?
Protected Health Information
(I)
(II)
(III)
(IV)
Names
Zip Codes
All Dates
Telephone & Fax
Numbers
(V) E-mail Addresses
(VI) Social Security
Numbers
(VII) Medical Record
Numbers
(VIII) Health Plan Numbers
(IX) License Numbers
(X)
Vehicle Identification
Numbers
(XI) Account Numbers
(XII) Biometric Identifiers
(XIII) Full Face photos
(XIV) Any Other Unique
Identifying Number,
Characteristic or
Code
To provide complete healthcare:
Direct Care Providers need access
to patients Protected Health
Information (PHI) for the purposes
of:
 Reviewing medical history
 Diagnosis
 Treatment
 Evaluating Response to Treatment
 Billing for services
Access to Protected Health
Information (PHI) is necessary to
provide complete holistic health care
for the patient
But this type of access carries
with it an obligation to make
sure that Confidentiality for the
patient is maintained
You will use Protected Health Information
(PHI) most often for:
Treatment purposes
• Review of the patient’s health history
• Review of social issues which impact
health
• Diagnostic test results
• Treatment activities
• Consulting with other healthcare
providers
• Response to treatment provided
Rule of thumb for sharing Protected
Health Information (PHI):
• You may freely share the
information with the patient
• The patient may give permission
for you to share their information
with anyone
• You may discuss PHI with anyone
participating in the patients’
healthcare or billing activities
Quiz Yourself: Can the patients’ PHI be
shared with a pharmacy when calling in a
prescription?
• The Pharmacy is considered
a Healthcare Provider
• The Pharmacy will be
providing services directly to
that patient
• The Pharmacy will bill the
patient for the services they
provide
Minimum Necessary Standards
This means that access to
Protected Health Information
(PHI) must be limited to only
those who “need to know”
The Minimum Necessary HIPAA Standards
• Only those who are Directly
Participating in the care of the patient,
involved in billing activities or working
on operational activities should have
access to that information and….
– They should have access to only the
amount of information needed to perform
their job
Not every healthcare provider needs
access to ALL health care information
For example: A nursing aide would
NOT need to know MRI test results in
order to give a patient their dinner tray.
But they would need to know things like:
–
–
–
–
NPO Status
Intake & Output (I&O) Restrictions
Dietary Restrictions
Occasionally, Glucometer test results
Quiz Yourself: Do direct care providers
have the right to access any patients’
medical record?
Remember: Only those healthcare
providers that are Directly Involved
with the patient’s diagnosis,
treatment plan or care should have
access
Authorization
An authorization must be obtained from a
patient for all uses and disclosures that
are not related to Treatment, Payment or
Operations. For example:
* Some types of Marketing
* Participation in Research
* Some Fundraising activities
An example of when an
authorization would be needed:
Newsletters and/or taking pictures of
patients…If the newsletter contains
Protected Health Information (PHI) about
a patient, the patient must give written
authorization prior to use.
Quiz Yourself: Which of the following almost
always requires the completion of a written
authorization when using PHI? (pick one answer)
1. Quality improvement activities
2. Discussions with the patient about medical
treatment
3. Research activities
4. Sharing information for billing & payment
purposes
Notice of Privacy Practices
All healthcare providers must develop a Privacy
Notice which:
– describes how PHI may be used
– outlines patient rights required by the
HIPAA regulations, and
– provides them with information on who to
contact if they have questions or complaints
Notice of Privacy Practices
• A copy must be provided to the patient on
the first service delivery date, which
began on April 14, 2003
• A copy must be posted on the wall of the
waiting room area
• It must be posted on a web site, if one is
available
• A copy must be made available upon
request
Notice of Privacy Practices –
Acknowledgement of Receipt
• HIPAA requires that healthcare
providers make a “good faith” effort to
obtain a written acknowledgement that
the patient received a copy of the Notice
– This will typically take
place during Registration
Quiz Yourself: The Notice of Privacy
Practices contains which type of
information? (pick one answer)
1.
2.
3.
4.
How PHI may be used
Patient rights
Where to file a complaint
All of the above
Protecting Confidentiality…
Remember: Patients have a
fundamental right to expect that
their personal Protected Health
Information (PHI) will be maintained
in a confidential manner
How would you feel if you overheard a
conversation about your Personal
Protected Health Information in the
cafeteria?
• Would you feel violated?
• Would you be angry?
• Would you lose your trust?
FAQ: Can I give information to another
care giver, such as a Consulting
Physician, over the telephone?
• You can share information with
other healthcare providers who are
participating in the care of the
patient
• You will need to make a
“Reasonable” effort and use your
professional judgment to identify
the caller
Protect Confidentiality on the phone:
Make a “Reasonable” effort and use your
Professional judgment to identify the
caller, for example:
• If possible, verify with the patient
• Ask the caller to give the patient birth date
or home address
• Or, ask the caller to speak to the next of kin
identified on the face sheet
Business Associate Provisions
• Under certain circumstances we can
share PHI with individuals who are
not involved in Treatment, Payment
and Operational activities
• HIPAA mandates that we have a
contract that clearly states that they
must follow HIPAA privacy
regulations
Security
To assist with ensuring privacy,
certain security measures must be
followed to protect electronic patient
health information.
Some of these measures include:
–Log-in monitoring
–Awareness and protection from
malicious software
Log-in Monitoring
• All individuals with electronic access to the
SETON Healthcare Network are held
accountable for all activity performed with
their user ID and password.
• Individuals must secure their user ID and
password to prevent unauthorized use.
• Since many systems have audit trails,
suspicious activity can be tracked with
authorization.
Log-In Monitoring
What You Can Do……
• Report the following suspicious activities
to the IS Service Desk @ ext. 41675
– If anyone asks for your password
– If someone appears to be using someone
else’s password
Guarding Against Malicious Software
“Excuse me, could you see if this virus ruins your
computer too?”
Reminder: Do not download or install software
that are not approved by Information Services
Guarding Against Malicious
Software
• Malicious (destructive) software can alter data,
destroy files, or even bring down the entire
computer network
• ALL computers MUST have virus protection to
reduce the potential of malicious software
• Software and e-mail should only be installed or
opened from known and trusted sources
• Suspicious software must be reported to the IS
Service Desk at x41675
Ways to Protect Patient’s Privacy
• Be aware of individuals in
your surroundings
• Speak in low tones
• Do not talk about patients
in the elevators, hallways,
or cafeterias
• Do not leave charts or
documents unattended
Ways to Protect Patient Privacy
Discard
documents with
Protected Health
Information (PHI)
by shredding or
placing in a secure
recycle bin
Ways to Protect Patient Privacy
• Make sure patient information is
not easily seen or accessible
• You must not share computer
passwords
• Be sure to log-off the computer
when finished
Passwords are like bubblegum
• Strongest when fresh
• Should NOT be shared
• Should not be left under
keyboards for future use
• If left laying around, can
create a sticky mess
What happens if a workforce
member breaches the
confidentiality of a patient?
We are required to have policies in
place to apply appropriate
sanctions against members of the
workforce who fail to comply with
the HIPAA privacy and security
regulations
But this is not new!
• That is right, healthcare employers have
always had sanctions in place to handle
confidentiality breaches by their workforce
– The change is….
• We will have routine monitoring in place to
identify breaches of confidentiality
Breaching Confidentiality – what does it
mean to you?
• HIPAA requires sanctions to be in place
for breaching confidentiality
• The state laws protecting patient
confidentiality have been in place for years
but…
– Breaches are now considered not only Civil
offences but in some cases considered
Criminal offences
What is meant by the term
“Breaching Confidentiality”?
• There are two types of breaches:
– Intentional
• Example: a healthcare provider sells a list of
patient demographic information to a telemarketer
– Unintentional
• Example: a census list is left on a cafeteria table or
patient charts are left unattended in a public place
FAQ: What happens if someone overhears
a conversation when I am discussing
patient diagnostic or treatment information
with another caregiver?
Answer:
As long as you have taken
“Reasonable” precautions to prevent
an unintentional disclosure, then this
would be considered an Incidental
Disclosure and is not punishable as a
breach of confidentiality.
Failure to comply with HIPAA
Regulations can result in:
•
•
•
•
•
Exclusion from Medicare Programs
Places Accreditation at risk
Damaged Community Reputations
Lawsuits for breaches of confidentiality
Civil and Criminal penalties for healthcare
providers, including Individuals!
Remember these HIPAA Basics:
• Patients have a fundamental right to expect
that their personal Protected Health
Information (PHI) will be maintained in a
confidential manner
• PHI may be used for Treatment, Payment, or
Operations (TPO)
• Most other uses of PHI require the patient to
give specific permission or authorization
HIPAA is simply Common Sense!
• Protect Patient information in the same
manner you want YOUR information
protected
• Access to information should only be for
individuals who are directly caring for a
patient, billing for services provided, or
performing operational (quality
improvement type) activities
Who do you think is responsible
for Protecting Health Information?
He is!
That one
She is!
over
She is! there!
He is!
They are!
I am certain it is her!
For further information:
• Refer to the Notice of Privacy Practices
• Call your designated Privacy Official
• All privacy and information security policies and
procedures as well as additional information,
may be found on the SETON Intranet.
• Helpful internet sites:
• http://hipaa.ascensionhealth.org
• http//www.cms.hhs.gov
This program was a
collaborative effort between:
Genesys Health System
Grand Blanc, Michigan
http://www.genesys.org
&
Seton Healthcare Network
Austin, Texas
http://www.seton.net
Property of Ascension Health©
All materials appearing on this presentation may
not be reproduced or stored in a retrieval system
without prior written permission of the publisher and
in no case for profit.
Authored & Developed by:
Carol L. Joseph – Genesys
[email protected]
Leigh Chiuminetta – Seton
[email protected]
Technical Assistance:
Bill Shea – Genesys Medical
Education – Technical Resources
[email protected]
• Please complete the post-test.