Redox Medical Center
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules
Roderick Laino
MHA690: Health Care Capstone
Dr. Sherry Grover
June 28, 2012
Objectives
๏ What is HIPAA?
๏ What is the organization’s responsibility? The clinician’s responsibility?
๏ What information should be protected?
๏ What can we do as a team to protect patient health information?
๏ What is the organization’s policy for violators?
What is HIPAA?
๏ The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. (www.hhs.gov)
๏ The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. (www.hhs.gov)
Who ensures HIPAA compliance?
๏ Doctors, nurses, and any allied healthcare workers
๏ Pharmacies
๏ Hospitals, clinics, and nursing homes
๏ Health insurance companies
๏ Health maintenance organizations (HMOs)
๏ Employer group health plans
๏ Certain government programs that pay for health care, such as Medicare and Medicaid
๏ The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protects identifiable information being used to analyze patient safety events and improve patient safety. (www.hhs.gov)
๏ Any healthcare clearinghouse. Healthcare clearinghouses are any private or public entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. (www.cms.gov)
How does HIPAA relate to you as a “Clinician or Organization”?
๏ As an organization, it is our corporate social responsibility to ensure that we protect patient health information.
๏ How do we try to accomplish this? As an organization we can do the following:
  ๏ Make sure that our website is secure
  ๏ Educate all of our employees through annual competency training
  ๏ Have an open-door policy for reporting any incident that might be a HIPAA violation
  ๏ Have an anonymous 1-800 reporting number that is available 24/7
  ๏ Have a non-retaliation policy for reporting, even when a report turns out to be a false alarm
  ๏ Require password protection on every computer
  ๏ Track all activity by personal login
How does HIPAA relate to you as a “Clinician or Organization”?
๏ As a clinician, how can you make sure that you are protecting patient health information?
  ๏ Don’t talk out loud about patients, especially in public areas like the cafeteria, elevator, or bathroom, where anyone can overhear confidential patient information.
  ๏ Log off of your computer when it is unattended.
  ๏ Don’t share your password with anyone.
  ๏ Call IT if you lose or forget your password.
  ๏ All emails that contain PHI will be automatically encrypted for security.
  ๏ Report any and all suspicious activity.
Responsibility
๏ Anyone who has access to patient health information is responsible for ensuring that we comply with the law, for example clinicians, allied healthcare workers, cashiers, medical records employees, medical assistants, etc.
๏ The organization as a whole is also responsible for educating and empowering staff, and for auditing any reported incident.
๏ The organization is also responsible for ensuring that the website, email, and any PHI are held on secured systems and protected against hackers and malicious attacks from inside the company as well as outside.
What information is protected?
๏ Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
๏ “Individually identifiable health information” is information, including demographic data, that relates to:
  ๏ An individual’s past, present or future physical or mental health or condition,
  ๏ The provision of health care to the individual, or
  ๏ The past, present, or future payment for the provision of health care to the individual
What information is protected?
๏ Anything that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
๏ The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (U.S. Department of Health & Human Services, 2003, pp. 3-4)
How do we ensure that we don’t violate HIPAA?
๏ The organization has done everything it can in order to be compliant.
  ๏ We have policies and procedures in place
  ๏ Pamphlets and brochures educate patients about their rights, as well as all employees
  ๏ We have annual training as part of annual competency
  ๏ HIPAA information is available 24/7 on the intranet
  ๏ We have a compliance officer for any concerns
  ๏ Every employee has their own password and restricted access to PHI
  ๏ All computers and instruments that carry PHI have their activity tracked 24/7
How do we ensure that we don’t violate HIPAA?
๏ The organization has done everything it can in order to be compliant.
  ๏ We have an 800 number available for reporting 24/7
  ๏ We have a non-retaliation policy
  ๏ Anonymous reporting is also available
  ๏ A HIPAA consent form is mandatory before any PHI is released to a third party
  ๏ Computers that are idle automatically save and log out
Zero tolerance for violators
๏ The company takes HIPAA seriously. All practitioners are only to access the PHI of patients they have direct contact with. We have a computer alert for all practitioners, and they must acknowledge that they are in direct contact with that patient before access is granted. Violations of the HIPAA rules are grounds for termination.
๏ The organization wants to express the seriousness of this issue. We want to make sure that we communicate our expectations to you, and we ask that you do the same.
Discussion 2 - Wk1 HIPAA presentation
References:
U.S. Department of Health & Human Services. (2003). OCR privacy brief: Summary of the HIPAA privacy rule.
Centers for Medicare & Medicaid Services. (2009). HIPAA compliance review analysis and summary of results.