1 of 30

Cedar Park Regional Medical Center Orientation Packet


HIPAA

Keeping Patient Information Private


HIPAA is

  • A Federal Law called the Health Insurance Portability and Accountability Act of 1996
  • One part of HIPAA is the Privacy Rule
  • The main purpose of the HIPAA Privacy Rule is to provide better protections for patients’ protected health information (PHI).


PROTECTED HEALTH INFORMATION (PHI)

  • Covers patient information in any form—written, verbal or electronic
  • PHI includes
    • Any information that can be used to identify the patient, for example: name, address, social security number, medical record number, telephone number, patient account number.
    • Anything about the patient’s medical condition(s) and treatment-past, present, or possible
    • Billing and payment records


Before You Access Patient Information, Ask Yourself

  • Is the patient information I am about to access necessary for me to complete my job?
  • Am I accessing only the minimum necessary to complete my job, no more, no less?
  • Am I accessing, using or disclosing this information for treatment, payment, or healthcare operations reasons?
  • If I am accessing, using, or disclosing this information, should I have a signed authorization from the patient?


When is it Okay to Share PHI?

  • Share only the minimum amount of PHI necessary to fulfill the job responsibility.
  • Share PHI only with those with a clinical or business need to know.
  • Share only the amount of PHI requested. The entire medical record may not be needed.


Examples of Minimum Necessary

  • A billing clerk may need to know what laboratory test was done, but not the result

  • An admission clerk does not need to have access to the full medical record in order to carry out his/her job.

  • A patient transporter typically does not need to access the full medical record to do his/her job.


Criminal Penalties

  • Choosing not to comply with HIPAA could result in civil and criminal penalties, including going to jail.
  • If you obtain or disclose PHI without proper authority, you may face a fine of up to $50,000 and up to one year of jail time.
  • If you obtain PHI with the intent to sell it, give it to someone else, or for malicious reasons, you could receive a $250,000 fine and up to 10 years in jail.


What is the Difference Between Use and Disclosure of PHI?

  • USE is sharing PHI within the facility

  • DISCLOSURE is sharing PHI outside of the facility


Incidental Uses & Disclosures

An incidental disclosure is not a violation of HIPAA provided the facility has applied reasonable safeguards and implemented the minimum necessary standard.

Examples of incidental uses and disclosures

    • Discussions during teaching rounds
    • Calling out a patient’s name in the waiting room
    • Sign in sheets in hospitals and clinics containing the minimum information necessary


What is a Breach?

  • Breach means the unauthorized acquisition, access, use, or disclosure of PHI maintained by or on behalf of a person.
  • A breach does not include any unintentional acquisition, access, or disclosure made in good faith and done within the course and scope of your job, provided such information is not further acquired, accessed, used or disclosed.
  • In other words, just looking up someone’s PHI, even if you don’t print it or tell someone else, is a breach, and you will be subject to disciplinary action up to and including termination.


Protecting Patient Privacy

DO

  • Close curtains and speak softly when discussing treatments in semi-private rooms.
  • Log off computer when not attended.
  • Dispose of patient information in accordance with hospital policy and procedure.
  • Clear patient information off of your desk and place in a secure location when not in use.
  • Verify fax numbers and addresses before sending PHI.


Protecting Patient Privacy

DON’T

  • Discuss a patient in public areas such as elevators, hallways or cafeterias or outside the facility or office.
  • Share your computer username, ID or password.
  • Look at information about a patient unless you need it to do your job.
  • Take information about patients (including nursing report notes) home.
  • Discuss patient information in front of visitors without the explicit, documented authorization of the patient.
  • Post any patient related information in church bulletins, Facebook, MySpace or any other social networking sites.
  • Bring friends or family into areas of the facility, clinic, or agency where they can see or hear patients receiving care or where they might have access to PHI.


Sharing PHI with Family & Friends

  • The patient must be given the opportunity to agree, restrict, or object to providing PHI to family members, friends or others identified by the patient as involved in the patient’s care or payment for health care.
  • Document the patient’s decision.
  • Use professional judgment to determine if disclosing PHI would be in the patient’s best interest if the patient is unable to agree or object.


Areas of Concern

  • Friends/family/self - when you are seeking information on your family, friends or yourself, you are not acting as an employee and you must access PHI using the procedures required for non-employees. This means you need a written authorization for release of information which can be obtained in HIM.
  • You are not permitted to access your own medical records.


Areas of Concern

  • Employees as patients – information available to the facility as a healthcare provider is not generally available to it in the role of an employer. For example, if an employee comes into the ED – his/her supervisor or co-workers should not be accessing his/her ED information.
  • This can be a challenging area: call the Facility Privacy Officer if questions arise.


Areas of Concern

  • Before PHI is removed from a facility for business purposes by any means, electronic or hard copy, the following questions must be answered:
    1. Does it need to go outside the facility?
    2. If so, are reasonable safeguards in place to protect the data from breach during transmission?


Examples of HIPAA Potential Violations

  • Text messaging medical information about a patient to anyone.
  • An employee passing on information to her son about his spouse or their children.
  • Allowing a former employee, friends, family or co-workers into off-limit areas where PHI is located – this includes children.
  • Taking pictures of patients with a cell phone camera.


Reporting Suspected Violations of our Privacy Policies

Suspected HIPAA violations should be reported to:

  • Your supervisor
  • The Facility Privacy Officer
    • Megan Drake 512.528.7016
  • The Corporate Compliance and Privacy Officer

*The Confidential Disclosure Program Hotline may also be used by calling 1-800-495-9510.


Non-retaliation

CHS POLICY AND STATE AND FEDERAL LAWS PROVIDE PROTECTION FROM RETRIBUTION OR RETALIATION AGAINST A PERSON FOR REPORTING ACTUAL OR SUSPECTED VIOLATIONS.


This Facility Protects Patient Privacy by…

  • Assigning a Facility Privacy Officer.
  • Having written policies and procedures to help employees understand the privacy rules.
  • Providing this privacy training to the workforce.
  • Putting in place ways to protect health information from being misused.
  • Having a way for patients and others to file complaints.
  • Providing discipline for employees who don’t follow privacy practices.


What is the Notice of Privacy Practices?

The Notice of Privacy Practices (sometimes referred to as the NPP) is:

  • An explanation to our patients of how their personal PHI is used and disclosed.
  • The start of a dialogue with our patients regarding the purpose of the uses of information.
  • An explanation of the patient’s rights as defined by the HIPAA Privacy Regulations.

The Notice of Privacy Practices is:

  • Available in a paper copy
  • On the facility website
  • Posted in the facility


Disclosures with Authorization

A valid Authorization is required for certain disclosures to:

  • Attorneys
  • Schools
  • Others

This applies to situations where use falls outside of treatment, payment, and healthcare operations and for which there is no exception to the authorization requirement.

Only certain staff members are permitted to accept and act upon patient authorizations.


Disclosures Not Requiring Patient Authorization

Required by Federal or state law

  • Workman’s Compensation
  • Birth Reporting
  • Child abuse or domestic violence reporting

Required for Public Health Reasons

  • Sexually transmitted diseases
  • FDA regulated products

Required for national security reasons

  • Prevent a serious threat of harm to the individual or others.

If in doubt, check with the Facility Privacy Officer before disclosing information.


Facility Directory Disclosures

  • The patient must be given the opportunity to opt-out from the directory.
  • Unless the patient objects, the following PHI may be included in the facility directory and given to those individuals who inquire about the patient by name:
    • Name
    • Location within the facility
    • Condition of the patient in general terms (e.g., good, critical, serious)
    • Religious affiliation of the patient, if provided; only members of the clergy may have access to it.
  • If the patient has opted out of the patient directory, no information may be discussed; simply say, “I have no information on that person.”


Patient Rights

Under the HIPAA Privacy Regulations, patients have the right to:

  • Receive Notice of Privacy Policies
  • Inspect and request a copy of the PHI
  • Know to whom the information is being disclosed in certain situations
  • Request restrictions on use and disclosure of their PHI
  • Request an amendment to their PHI
  • Request confidential communications of their PHI


Case Study

  • While working on the fourth floor, Sally Housekeeper noticed that her neighbor, Penny Patient, was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit.

  • Is this a HIPAA Violation? Why?


“Octomom”

  • Kaiser Permanente Bellflower Medical Center was fined $250,000 for failing to keep workers from peeking at the “octomom” Nadya Suleman’s electronic health records.

  • 23 unauthorized staff and physicians accessed the records, including some at other Kaiser facilities.

  • 1 person was fired, 14 others resigned and 8 were disciplined.


Final Thoughts

  • Confidentiality and protecting PHI is everyone’s job.

  • Privacy Matters. Don’t discuss protected healthcare information in public or with those who do not need to know.

  • Don’t get casual about privacy and confidentiality.


QUESTIONS?