HIPAA Privacy Training by University of Hawaii

Published in: Health & Medicine, Technology
  • The Health Insurance Portability and Accountability Act (HIPAA) was initially enacted in 1996 and focused on improving health insurance accessibility for people changing employers or leaving the work force (portability). Within this regulation there are several different parts. One part concerns the privacy of health information. One of the requirements of the privacy rule is that all members of a provider’s workforce (including students) must be trained on the provider’s policies and procedures relating to privacy.
    This training program was developed through a collaborative effort of representatives from various Hawaii health care providers. The collaborative facilities developed and adopted a standard policy in regards to appropriate uses of health information for education. Although the general policy is similar at these facilities, specific policies and procedures at individual facilities may vary. Therefore, it is extremely important to talk to representatives at the facility where you will be performing your training to find out what their facility-specific policies are.
  • The “Administrative Simplification” provisions of HIPAA address national standards for electronic data transmission, unique health identifiers, security standards and privacy and confidentiality standards. Covered entities had to comply with the Privacy standards by April 14, 2003. The intent of the “Administrative Simplification” provisions was to create a national foundation of privacy. The government felt this was necessary because technological advancements had resulted in substantial and increasing electronic transmission of health information and there was very little standardization for the collection, storage and transmission of health care data. There was also growing public concern regarding the privacy and security of health information.
    It is important to note that the federal privacy rule provides a floor of protection. It does not preempt more stringent protection provided under state law. Therefore, a provider must be aware of both state and federal laws relating to the use and disclosure of health information.
  • All “Covered Entities” are required to comply with HIPAA regulations. “Covered Entities” include Health Plans that provide or pay the cost of medical care, including employer plans and programs, Health Care Providers (doctors, nurses, hospitals, etc.) who perform electronic transactions and Health Care Clearinghouses (entities which process data from non-standard format to standard format, or vice versa).
    Business Associates of Covered Entities, including their vendors and consultants, are usually required to comply with HIPAA regulations by means of a Business Associate Agreement with the Covered Entity which they serve. However, Business Associates are not always considered Covered Entities themselves.
  • Protected Health Information (PHI) includes any individually identifiable health information about a person. PHI is protected under HIPAA and, therefore, cannot be disclosed by Covered Entities without specific consent or authorization from that individual, or as allowed by law - which will be described in more detail later in the presentation. PHI includes information which refers to the person’s past, present and future health or condition; provision of health care services to the person; and past, present and future payment of health services to the person. Information transmitted or maintained in any form is protected.
  • In general there are four major categories or rules relating to the use/disclosure of PHI.
    First, PHI can be disclosed for the purposes of Treatment, Payment or Health Care Operations (TPO) without consent, agreement or an authorization from the individual.
    Second, patients have the opportunity to agree or object to certain use and/or disclosure of PHI.
    In some situations (usually as required under existing laws) PHI may be disclosed without a patient’s authorization or agreement.
    Finally, in all other circumstances outside the scope of the above, a patient may need to provide written authorization for the use and/or disclosure of their PHI.
  • Use/disclosure of PHI is permitted for a covered entity’s Treatment, Payment and Health care operations.
    A covered entity may also disclose PHI to a health care provider for treatment purposes. In the past most providers would require a written request signed by the patient before releasing information for treatment. HIPAA has actually made this process a little more open. Many facilities will now release PHI for treatment as long as they receive a request stating that the provider is involved in the patient’s treatment and the PHI is needed for the patient’s treatment. It is important to recognize, though, that a facility can be more stringent and may still require written authorization or consent to release PHI for treatment.
    Covered entities can also release PHI to each other for either party’s payment purposes and for certain health care operations as long as each entity has or had a relationship with the individual who is the subject of the protected health information and the information released is relevant to that relationship.
  • Under the privacy rule, a covered entity can use/disclose health information for certain purposes as long as the patient verbally agrees or has been given an opportunity to object to the disclosure and has not. These purposes are listed above.
    Each facility will have different procedures as to how they implement this part of the privacy rule. Basic information about facility procedures is on the matrix that was included with this training packet. It is important that you review these practices before you work in a particular facility.
  • Disclosure is permitted without an authorization or an opportunity to object in certain situations. The slide above lists the categories of disclosures that are allowed without patient authorization or agreement. In general most of these disclosures are to government or public officials acting in their professional capacity. Students would not generally make these types of disclosures.
    Each of these categories has its own requirements in terms of what and how the covered entity may release PHI. In addition, these disclosures must be tracked and accounted for by the covered entity. Therefore it is important that any inquiries relating to these types of disclosures be cleared with the patient’s attending physician, the facility’s staff nurses or the facility’s Privacy Officer.
  • A valid authorization from a patient is required for any other disclosure of PHI.
  • Patients must be given a notice of privacy practices by the covered entity which describes the way the covered entity will use and disclose PHI.
    Health care providers who have a direct treatment relationship must provide the notice at the time of the first service delivery, or as soon as possible in an emergency situation. The covered entity must also make a good faith effort to obtain a written acknowledgement of receipt of the notice from the patient and, if it is not obtained, document the reason why the acknowledgement was not obtained.
  • HIPAA provides patients with specific rights to privacy and accessibility to their health information. These rights are listed in the slide above. Each facility will have policies and procedures relating to how these rights are implemented and exercised. You can refer any patients with questions relating to their rights under the privacy rule to the facility’s privacy officer.
  • The above are some additional requirements under the privacy rule.
    De-identification refers to the process of stripping PHI of all individually identifiable elements (see slide 5).
    The minimum necessary standard will be covered later in this material.
    The covered entity must train all members of its workforce on its policies and procedures related to privacy. As we mentioned before, students are considered to be part of the facility’s workforce, which is why you are undergoing this training.
    The verification process is a requirement that a covered entity verify the identity and authority of a requestor prior to releasing health information.
    Finally, covered entities must enter into a business associate contract with those persons or entities who provide services for the facility and have access to health information in the process of providing the services.
  • The privacy rule imposes special restrictions on the use/disclosure of health information for the purposes of marketing and fundraising. We will not go into those requirements, but any of you who are involved in these types of activities in the future will need to become familiar with the requirements.
    As was stated at the beginning of this module, the federal privacy rule is not preempted by more stringent state law. In Hawaii, there are more stringent protections afforded certain information, called specially protected health information. Under Hawaii state law, release of specially protected health information requires the patient’s consent, even where needed for treatment and payment.
  • There are penalties for violations or non-compliance with the privacy rule. There are civil and criminal sanctions that can include monetary fines, as well as jail time.
  • Covered entities are required to have sanction processes for workforce members who violate privacy policies and procedures. Student sanctions may be levied by the facility and/or the educational program with which you participate.
  • As mentioned previously, privacy training includes training to the policies and procedures of the facilities. Each facility may administer these procedures differently. We will generally review the requirements of these areas, but you will need to refer to the matrix of facility practices for specific details about facility practices in these areas.
  • “Facility directory” requirements apply to inpatients.
    The hospital maintains a list of inpatients. If a caller or visitor asks for a patient by name, the hospital may: (1) acknowledge patient’s presence; (2) provide patient’s room number; and (3) provide a one word description of patient’s condition.
    This is the maximum amount of information that may be disclosed for facility directory purposes.
    Facility directory requirements apply to inquiries by members of the media, as well as other callers or visitors.
  • The patient has the right to object to disclosures for facility directory purposes. In other words, patient may direct the hospital to disclose no information about him/her to callers or visitors. The hospital must honor the patient’s request for privacy. As a member of the hospital’s workforce, you must not disclose information about a “No Information” patient to callers or visitors.
    Each hospital has established procedures for honoring patient’s request. See Matrix for details.
  • If patient has requested to be “No Information”, the hospital will not: (1) acknowledge patient’s presence; (2) disclose patient’s room number; (3) describe patient’s condition; (4) accept flowers, gifts or mail for patient.
    This restriction applies to family members, friends, or anyone else who may call or visit the hospital. They will be told, “We have no information about a person by that name.”
  • This scenario may present a cultural change, as most healthcare providers want to be helpful to visitors, understanding that family members may be worried about their loved one. However, we also need to be mindful of the patient’s right to privacy.
  • EXAMPLES:
    1. Daughter accompanies elderly patient into exam room. Patient says, “Can you explain it to my daughter?”
    2. Wife goes to pharmacy and states that she would like to pick up the prescription that Dr. __________ called in for her husband.
    3. Patient tells you that neighbor has been helping him with home exercise program.
    4. You knock on the door and enter patient’s room. There are several visitors in the room. You don’t know who the visitors are. You say to the patient, “I’d like to talk with you about discharge planning. Can we talk now? Or should I come back a little later?”
    EXCEPTION: In an emergency, when the patient is unable to express his/her wishes, use your professional judgement. Would it be in the patient’s best interest if you disclosed the information?
  • EXAMPLE:
    Info directly relevant to patient’s care. Friend picks up patient after procedure. Patient will stay with friend for a few days. Friend asks, “What do I need to do?” You say, “Here are her prescriptions. Keep the site dry. Sponge bath only. Call the doctor if the site gets red. No housework or lifting more than ten pounds.”
    Info not directly relevant to patient’s care. You describe patient’s previous episodes of care to friend-- the Emergency Room visit when she was a possible DUI; results of the biopsy she had two years ago; etc.
    RESPONDING TO PATIENT’S REQUEST:
    It’s important that you inform staff of patient’s request to limit involvement of family, friends, or others. Staff will know how to document and follow-up on request.
    Each facility has established procedures for responding to patient’s request. See Matrix for details.
  • The patient explicitly stated that she did not want her health information to be shared with her husband. As difficult as it may seem, you must honor her request.
    It is also important for you to promptly notify staff about patient’s request. They will know how to document and respond to patient’s request.
  • A key element of the privacy rule is the minimum necessary requirement. This is basically a “need to know” rule. You must only access and use the minimum necessary amount of PHI for your specific duty, responsibility or purpose.
    What that means in terms of educational uses of PHI is that you will access and use only the minimum amount of information needed for your specific educational activity. For example: you are reviewing records of ER patients admitted for near drowning for a case presentation or paper. You would determine what type of information or data you need to collect on these cases. You would access only the episodes of care relating to your study topic and you would record only the data elements that have been determined necessary for the preparation of your presentation or paper.
  • As a student in healthcare you would not normally be involved in disclosing PHI except that there may be times where you are asked to release PHI to another provider involved in the patient’s care.
    Under HIPAA a provider can release PHI to another provider for treatment purposes without a patient authorization. There is a verification requirement however. For most facilities in the State, you may disclose PHI for treatment if:
    The provider referred the patient to you
    You referred the patient to him/her
    The treatment relationship of the requesting provider is documented in the medical record
    The provider requests information for treatment purposes in writing
    The patient has signed an authorization or other form for the disclosure of the PHI to that provider
  • Hospitals are required to do many disclosures to government agencies. Examples of this include: child abuse reports, infectious disease reports, report of unattended deaths to the medical examiner and so on.
    Most students will not be involved in reporting PHI to government officials. There might be a time, however, where you know that a mandated report is required or a government official asks you for information. Please consult with the facility’s nurses, your supervising provider or the facility’s Privacy Officer before making such reports or releasing any information to a government official.
    Such disclosures must follow the minimum necessary rule and there is a requirement that the facility track the disclosure so it is important that you check as to the appropriate process before you release any information in these situations.
  • One of the rights under HIPAA is that a patient may request restrictions in terms of the facility’s use/disclosure of PHI for treatment, payment or health care operations. The facility is not required to agree to the patient’s request.
    For example, one request that a facility may receive is that a patient may not want students involved in his/her care or able to access his/her health information. It will be up to the facility to determine whether or not they will honor the patient’s request. It is important that you be familiar with each facility’s practice in regards to patient requests and that you are aware of where such restrictions are documented, as you will be required to also honor these agreed upon requests.
  • The use/disclosure of health information for educational purposes is considered to be one of the facility’s health care operations. As such, patient health information can be used by and disclosed to healthcare students without the patient’s consent, agreement or authorization.
    However, there are other requirements of HIPAA that place limitations or parameters around that use.
    The facility must make sure that there are appropriate access controls in terms of student access to PHI.
    PHI disclosed should be limited to the minimum necessary for the particular educational use/purpose.
    Students who access PHI have the responsibility to protect and safeguard that information and make sure that any notes or class documents that contain PHI are disposed of appropriately upon completion of the use/purpose.
  • When developing the policy for appropriate use/disclosure of PHI for educational purposes, the collaborative facilities tried to determine a minimum necessary data set of health information that would meet the needs of the students and educational programs yet provide privacy protection for the patients. The final decision was that the facilities would permit students to use PHI that has been “facially de-identified” for their educational purposes.
    The only difference between de-identified information and facially de-identified information is that the facially de-identified can include the patient’s medical record number, dates of service and zip code. All other elements of individually identifiable information (see slide 5) must be removed from the information.
    It is important that you understand that facially de-identified information is still considered identifiable and must be protected in accordance with the federal privacy rule.
  • Here is a list of what must be taken out of the PHI in order for it to be considered facially de-identified.
  • Once the collaborative facilities agreed upon a minimum necessary data set, the next step was to categorize the uses/activities for which students typically use/access PHI. These uses/activities include:
    Treatment
    Observation
    Teaching Rounds
    Retrospective Record/Data Reviews
    Research (with IRB approval)
    Case Presentations
    Patient Logs
    Access or use of PHI by students for other purposes than these may be a violation of the facility’s policies and could result in sanctions against the student.
  • This is a scenario where the access seems to fit under educational uses. What do you think?
    The bottom line in this scenario is that the case may indeed have educational value to you. But such review must be organized and approved by the appropriate people. Do not access patient information just because you personally think it might be educational. Work through your instructors and the facility.
  • Here are some do’s and don’ts relating to appropriate use/access of PHI for treatment and observation. This is not a complete list but will provide you with some general guidelines.
  • These are some of the do’s and don’ts for participation in teaching rounds.
    One point about teaching rounds must be emphasized:
    Use discretion and common sense when discussing patient case details in public areas.
  • These are some of the do’s and don’ts for retrospective reviews.
    It is important that you realize that if the review and collection of patient information from medical records is even remotely considered for a possible research project in the future, it is best to get IRB approval.
  • Both the Common Rule and HIPAA have requirements in regards to research. The requirements for research under the privacy rule are complex. The basic rule for students is that you must contact the facility’s Institutional Review Board if your review and collection of patient information from medical records is for research purposes or even remotely considered for a possible research project in the future. The facility’s IRB will provide you with the necessary information as to the process to have a project reviewed for approval.
    Of important note here: The creation of a database/repository of patient information may be research under the privacy rule.
  • Sometimes it is difficult to draw the line between quality improvement activities and research. If the review and collection of patient information from medical records is even remotely considered for a possible research project in the future, it is best to get IRB approval. Check with the facility’s IRB to be sure of the process to have a project reviewed for approval.
  • This is not a complete list; only some examples.
    Although the facilities allow you to retain the patient’s medical record for your educational purposes, this information should not be shown during your presentations. If the case you are presenting is extremely rare or high profile, you may want to obtain the patient’s authorization for use of his/her PHI for the presentation or, at a minimum, make sure that the audience is truly limited to healthcare students/professionals.
  • We realize keeping a list of the patients you have been assigned is part of your program’s requirements. This allows you to go back and do a follow-up review. Please follow the rules of facially de-identifying this data, meaning that the medical record number, dates of service, and zip code are the only elements allowed in your patient log to identify your patient(s).
  • This is not a complete list; only some examples. It is important that you follow the rules of facially de-identifying data. This means that the medical record number, dates of service, and zip code are the only elements allowed to identify your patient(s).
  • Each facility will have different requirements in terms of obtaining appropriate access to PHI. You will need to become familiar with the appropriate channels at each facility. The matrix you were provided will give you some information in this regard.
    A special note in terms of access rights to a computerized medical record. You will, no doubt, be able to access more than just your patients through an electronic medical record. But just because you are able to access the information does not make it okay to do so. Any access to a patient’s electronic medical record leaves an audit trail of who went into the record. These audit trails are monitored by the facility. You would be subject to sanctions should a facility find that you are accessing records of patients where you have no legitimate purpose to access the information.
  • Unless you are directly involved in providing health care for your friend, accessing the records is inappropriate. Your friend has the same privacy rights as anyone else admitted. Please check with the nurses’ station or information desk to find out what room she/he is in or their condition.
  • Finally, as mentioned previously, the facially de-identified information is still protected health information. You are responsible for safeguarding this information. Here are some examples of how you would safeguard information. This is not a complete list.
    Know where your PDA, classroom work and other documents with patient information are at all times.
    You are responsible for any inappropriate access to data or areas conducted with your login ID or access card – DON’T let a friend borrow or share it for ANY reason.
    When you are finished with the health information you have collected, dispose of it appropriately - don’t throw it in your trash can!
    Do not send PHI over an open network unless the information is encrypted.
    Use discretion and common sense. Think how you would want that health information to be protected if it were your personal health information.
  • Transcript

    • 1. HIPAA Privacy Training
      Health Insurance Portability & Accountability Act of 1996
      Standards for Privacy of Individually Identifiable Health Information
      45 CFR Parts 160 and 164
      THIS INFORMATION MUST BE PRESENTED OR, IF THROUGH SELF-STUDY, REVIEWED IN ITS ENTIRETY.
      The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and focused on improving health insurance accessibility for persons changing employment or leaving the work force (portability). HIPAA consists of several different parts. One part, called the Privacy Rule, concerns the privacy of health information. The Privacy Rule includes a requirement that all members of a health care provider’s workforce (including students) must be trained on the provider’s policies and procedures relating to privacy. This training program was developed through a collaborative effort of representatives of various Hawaii health care providers. The collaborative facilities developed and adopted a standard policy with regard to appropriate uses of health information for educational purposes. Although the policies of these facilities may be similar, specific procedures may vary from facility to facility. Therefore, when you begin your training at a facility, you should familiarize yourself with the specific policies and procedures of that facility.
    • 2. The Privacy Rule
      Creates national foundation of privacy
      Does not preempt more stringent state laws
      Extends:
        Certain individual rights to privacy
        Protection of individual’s medical records and health information
      HIPAA addresses national standards for electronic data transmission, unique health identifiers, security standards, and standards for privacy and confidentiality. Covered Entities were required to comply with the Privacy Rule by April 14, 2003. The government believes a national foundation of privacy protections is necessary because technological advances have resulted in increasing electronic transmission of health care data. Standardization of the collection, storage and transmission of such data has been limited, while public concern about the privacy and security of health information has grown. It is important to note that HIPAA provides a floor of protection, and does not preempt more stringent protections provided under state law. Therefore, a health care provider must be familiar with both state and federal laws relating to the use and disclosure of health information.
    • 3. Who’s affected?
      Direct impact:
        Health plans
        Health care clearinghouses
        Health care providers (who transmit health information electronically)
      Indirect impact:
        Business associates (vendors, consultants, contracted providers)
      All Covered Entities are required to comply with HIPAA regulations. Covered Entities include Health Plans that provide or pay the cost of medical care, including employer plans and programs, Health Care Providers (doctors, nurses, hospitals, etc.) who perform electronic transactions and Health Care Clearinghouses (entities that process data from non-standard format to standard format, or vice versa). Business Associates of a Covered Entity, including vendors and consultants, are usually required to comply with HIPAA regulations by means of a Business Associate Agreement with the Covered Entity. A Business Associate may or may not be a Covered Entity.
    • 4. What’s protected?
      Protected health information (PHI) refers to:
        Individually identifiable health information relating to:
          Person’s past, present and future health or condition
          Provision of health services to the person
          Past, present and future payment of health services to the person
        Information transmitted or maintained in any form
        Includes data considered individually identifiable
      Protected Health Information (PHI) means any individually identifiable health information about a person. PHI is protected under HIPAA and, therefore, cannot be disclosed by a Covered Entity without the agreement or authorization of that person, or as allowed by law. This requirement will be described in more detail later. PHI includes information about the person’s past, present and future health or condition; provision of health care services to the person; and past, present and future payment for health services to the person. Information transmitted or maintained in any form (verbal, written (paper) or electronic) is protected.
• 5. What’s individually identifiable?
  - Name
  - Geographic divisions smaller than State (with exceptions)
  - All dates (except year)
  - Phone & fax number
  - E-mail address
  - SSN
  - Medical record #
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers and serial numbers
  - Device identifiers and serial numbers
  - Web URLs
  - IP address numbers
  - Biometric identifiers (including finger, voice prints)
  - Full face photo and other images
  - Any other unique identifier [164.514(b)(2)]

  The Privacy Rule identifies several data elements which, when used alone or in combination, may lead to the identification of a specific person. These data elements are referred to as “individually identifiable health information”, and are listed on this slide.

• 6. Rules for uses / disclosures of PHI
  - Treatment, Payment, Health Care Operations (TPO)
  - Opportunity to Object
  - Agreement or Authorization not required (Exceptions)
  - Authorization

  There are four general rules about the use or disclosure of PHI:
  1. PHI can be disclosed for the purposes of Treatment, Payment or Health Care Operations (TPO) without the consent, agreement or authorization of the patient.
  2. The patient has the opportunity to agree or object to certain use or disclosure of PHI.
  3. In some situations, usually as required under existing laws, PHI may be disclosed without the patient’s authorization or agreement.
  4. Finally, in any other circumstance not described above, the patient will need to provide written authorization for the use or disclosure of his/her PHI.

• 7. Permitted Uses of PHI
  - Uses/disclosures permitted for:
    - Treatment (some facilities may still require patient authorization for release of PHI)
    - Payment
    - Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)

  Use or disclosure of PHI is permitted for a Covered Entity’s Treatment, Payment and Health Care operations. A Covered Entity may also disclose PHI to a health care provider for treatment purposes. Many facilities now release PHI for treatment as long as they receive a request stating that the provider is involved in the patient’s treatment and the PHI is needed for the patient’s treatment. It is important to recognize, though, that a facility can be more stringent and may still require written authorization, consent or other verification to release PHI for treatment. Covered Entities can also release PHI to each other for either Covered Entity’s payment purposes and certain health care operations as long as each Covered Entity has or had a relationship with the patient who is the subject of the PHI and the information released is relevant to that relationship. Examples are provided on slide 26.

• 8. Opportunity to Object
  - Facility directories
  - To clergy
  - To persons involved in individual’s care
  - Notification purposes
  - Disaster relief purposes

  Under the Privacy Rule, a Covered Entity can use or disclose PHI for certain purposes as long as the patient verbally agrees, or the patient has been given an opportunity to object to the disclosure and has not objected. These purposes are listed above. Each facility has established procedures about how these uses or disclosures are implemented. See the Matrix for information about each facility’s procedures. Be sure to review this information before you begin your training at a facility.

• 9. Agreement or Authorization Not Required (Exceptions)
  - Required by law
  - Public health activities
  - Victims of abuse/neglect/domestic violence
  - Health oversight
  - Judicial/administrative proceedings
  - Limited law enforcement purposes
  - Coroners, medical examiners & funeral directors
  - Organ/tissue donations
  - Research purposes
  - Serious threat to self/others
  - Specialized government functions
  - Workers’ comp

  In certain situations, disclosure is permitted without an authorization or an opportunity to object. This slide lists the types of disclosures that are allowed without the patient’s authorization or agreement. Many of these disclosures are to government officials acting in a professional capacity. In general, students would not make these types of disclosures. For each of these types of disclosures, the Covered Entity must follow certain rules, in terms of how and what PHI is released. In addition, the Covered Entity must track and account for these disclosures. Therefore, if you receive an inquiry that relates to these types of disclosures, you must check with the patient’s attending physician, the facility’s nursing staff or the facility’s Privacy Officer before you release any information.

• 10. Authorizations
  - For all other uses and disclosures of PHI

  A valid authorization from the patient is required for any other disclosure of PHI. For example, if a patient applies for life insurance, before the facility can disclose PHI to the life insurance company, the patient must provide a signed authorization form to the facility.

• 11. Notice of Privacy Practices
  - Describes to patients how their protected health information may be used/disclosed
  - Details patient’s legal rights with regard to their PHI and how to exercise these rights
  - Details legal obligations of covered entity to protect PHI

  The Covered Entity must give the patient a Notice of Privacy Practices, which describes the ways the Covered Entity could use or disclose PHI. A health care provider who has a direct treatment relationship must provide the Notice at the time of the first service delivery, or in an emergency situation, as soon as possible. The Covered Entity must also make a good faith effort to obtain the patient’s written acknowledgement of receipt of the Notice. If the acknowledgement was not obtained, the Covered Entity must document the reason why the acknowledgement was not obtained.

• 12. Individual’s Rights
  - To receive Notice of Privacy Practices
  - To inspect and/or obtain copy of PHI
  - To request to amend PHI
  - To request limits on certain uses/disclosures of PHI
  - To receive accounting of disclosures
  - To receive confidential communications
  - To file a complaint

  HIPAA gives the patient rights to privacy and accessibility with regard to his/her PHI. These rights are listed on this slide. Each facility has procedures about how the patient may exercise these rights. Refer any patient with questions about his/her rights under the Privacy Rule to the facility’s Privacy Officer.

• 13. Other Requirements
  - De-identification of PHI
  - Minimum necessary
  - Workforce Training
  - Verification Process
  - Business Associate Contracts

  The Privacy Rule includes several other requirements:
  - De-identification is the process of stripping PHI of all individually identifiable elements (see slide 5).
  - The minimum necessary standard (i.e. need-to-know) will be covered later.
  - The Covered Entity must train all members of its workforce on its policies and procedures related to privacy. Students are considered part of the facility’s workforce, which is why you are completing this training.
  - Verification process refers to a requirement that a Covered Entity must verify the identity and authority of a person who is requesting to have access to PHI.
  - Finally, a Covered Entity must enter into a Business Associate Contract with a person or entity who provides certain types of services for the Covered Entity and who accesses PHI in the course of providing those services.

• 14. Other Restrictions
  - Marketing
  - Fundraising
  - Specially Protected Health Information
    - Additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records

  The Privacy Rule imposes other restrictions on the use or disclosure of PHI for marketing and fundraising. Those restrictions will not be discussed here. If, in the future, you are involved in marketing or fundraising, you will need to familiarize yourself with applicable sections of the Privacy Rule. As stated previously, the federal Privacy Rule does not preempt more stringent state law. In Hawaii, certain information, called specially protected health information, is afforded more stringent protection. Under Hawaii State law, release of specially protected health information requires the patient’s consent, including for treatment and payment purposes.

• 15. What’s the consequence of non-compliance?
  - Penalties:
    - Civil: $100 per violation; up to $25,000 per year
    - Criminal: up to $250,000 and/or 10 years in prison

  There are penalties for violating or failing to comply with the Privacy Rule. A Covered Entity may be subject to civil and criminal sanctions that include monetary fines and imprisonment.

• 16. Sanctions
  - Facilities required to sanction members of workforce (includes “students”) who violate policies and procedures relating to privacy and security of health information.
  - Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at facility.

  A Covered Entity is required to have a process for sanctioning workforce members who violate privacy policies and procedures. Student sanctions may be levied by the facility and/or the educational program with which you participate.

• 17. What you need to know to operate in different facilities
  - Facility Directory
  - Family Involvement
  - Minimum Necessary
  - Appropriate Educational Access/Use
  - Requesting/Disclosing PHI for treatment
  - Request/Disclosures to Govt. agencies
  - Patient Requested Restrictions on use/disclosure

  As stated previously, privacy training includes training about the facility’s policies and procedures. Each facility may implement its procedures differently. See the Matrix for information about each facility’s procedures. Be sure to review this information before you begin your training at a facility.

• 18. What is a Facility Directory?
  - The information a hospital releases to the media or the public when they call to ask about a patient
  - This information is limited to:
    - Location
    - Condition
  - May only release info in the directory to people who ask for patient BY NAME

  “Facility directory” requirements apply to hospital inpatients. The hospital maintains a list of inpatients. If a caller or visitor asks for a patient BY NAME, the hospital may:
  1. Acknowledge the patient’s presence;
  2. Provide the patient’s room number; and
  3. Provide a one word description of the patient’s condition.
  This is the maximum amount of information that may be disclosed for facility directory purposes. Facility directory requirements apply to inquiries by members of the media, as well as other callers or visitors.

• 19. Facility Directory
  - Patient may ask hospital to NOT release information to media or others who call
  - Each hospital will have process to identify these NO INFORMATION patients
  - YOU must be aware of each hospital’s codes and process to identify these patients
  - DO NOT release information in violation of the patient’s information status

  The patient has the right to object to disclosures for facility directory purposes. In other words, the patient may tell the hospital to disclose no information about him/her to callers or visitors. The hospital must honor the patient’s request for privacy. As a member of the hospital’s workforce, you must not disclose information about a patient with “No Information” status to callers or visitors. Each hospital has established procedures for honoring a patient’s request. See Matrix for details.

• 20. Facility Directory: NO INFORMATION STATUS
  - PATIENT’S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY/FRIENDS
  - Anyone asking for patient will be told, “We have no information regarding the individual.”

  If patient has requested “No Information” status, the hospital will not:
  1. Acknowledge the patient’s presence;
  2. Disclose the patient’s room number;
  3. Describe the patient’s condition;
  4. Accept flowers, gifts or mail for the patient.
  This restriction applies to family members, friends, or anyone else who may call or visit the hospital. They will be told, “We have no information about a person by that name.”

• 21. What should I do? Scenario #1
  Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient’s name on the unit I just left. What should I do?
  A: Refer the person to the nurses’ station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.

  This scenario may present a cultural change, as most healthcare providers want to be helpful to visitors, understanding that family members may be worried about their loved one. However, we need to be mindful of the patient’s right to privacy.

• 22. Family Involvement
  - A patient’s health information may be disclosed to family/others if:
    - Patient gives verbal agreement,
    - Patient has opportunity to object and does not, or
    - You can infer from circumstances that patient does not object
  - Emergency/incompetent patients: release information using professional judgment in best interests of patient

  Examples of Permitted Disclosures to Family, Friends or Others:
  1. Daughter accompanies elderly patient into exam room. The patient says, “Can you explain it to my daughter?” You may provide instructions to the daughter.
  2. Wife goes to pharmacy and asks to pick up the prescription that Dr. Young called in for her husband. You may give the medications to the wife.
  3. Patient tells you that neighbor has been helping him with home exercise program. You may speak with the neighbor about the patient’s exercises.
  4. You knock on the door and enter patient’s room. There are several visitors in the room. You don’t know who the visitors are. You say to the patient, “I’d like to talk with you about discharge planning. Can we talk now? Perhaps your visitors would like to have lunch? Or should I come back a little later?”
  Exception: In an emergency, when the patient is unable to express his/her wishes, use your professional judgment. Ask yourself, “Would it be in the patient’s best interest if I disclosed the information?”

• 23. Family Involvement
  - Information released must be directly relevant to that person’s involvement in the patient’s care or payment for that care
  - A patient has the right to request that you not release information to family/others. If a patient asks that you not talk with family/others, please refer patient to nursing staff.

  A Permitted Disclosure: Friend picks up patient after procedure. Patient will stay with friend for a few days. Friend asks, “What do I need to do?” You may explain to friend, “Here are her prescriptions. Be sure to keep the site dry. Sponge bath only. Call the doctor if the site gets red. No housework or lifting more than ten pounds.”
  Not A Permitted Disclosure: You may not describe the patient’s previous episodes of care to the friend, such as the Emergency Room visit when she was a possible DUI or the results of the biopsy she had two years ago.
  Responding to Patient’s Request: It’s important that you inform staff of a patient’s request to limit involvement of family, friends or others. Staff will know how to document and follow up on the request. Each facility has established procedures for responding to such a request. See Matrix for details.

• 24. What should I do? Scenario #2
  Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?
  A: Patients have a right to not involve family members and others in their care. You should not share any information with the spouse per the patient’s request and you should alert the nursing staff about the patient’s request.

  The patient explicitly stated that she did not want her health information to be shared with her husband. As difficult as it may seem, you must honor her request. It is also important for you to promptly notify staff about the patient’s request. They will know how to document and respond to the patient’s request. Once a facility has agreed to a patient’s restriction request, everyone, including students, must abide by it.

• 25. Minimum Necessary
  - Need-to-Know Rule
  - Access is a privilege. Individuals with access privileges have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.

  A key element of the Privacy Rule is the minimum necessary standard. This is the need-to-know rule. You are only permitted to access and use the minimum necessary amount of PHI for your specific duty, responsibility or purpose. In terms of educational uses of PHI, you must limit your access and use to the minimum amount of information required for your specific educational activity.
  Example: You would like to review records of ER patients admitted for near drowning for a presentation or paper. First, you must obtain the required approvals and determine the types of information or data that you will need to collect. Then, you must limit your access to only the episodes of care that relate to the study topic and record only the data elements that are necessary to prepare your presentation or paper.

• 26. Request/Disclose PHI for Treatment Purposes
  - May request/disclose PHI for treatment where:
    - Request is from a provider to whom you referred the patient for treatment or provider involvement in patient’s treatment is documented in medical record, or
    - Patient has signed an authorization or release for the disclosure to the provider, or
    - Provider has requested, in writing, the PHI for treatment purposes

  As a student, you may be asked to release PHI to another health care provider who is involved in the patient’s care. Under HIPAA, a health care provider may release PHI to another provider for treatment purposes without the patient’s authorization; however, this disclosure is subject to verification of the identity and authority of the requestor. At most facilities (see Matrix), you may disclose PHI to another health care provider for treatment purposes if:
  1. The provider referred the patient to you
  2. You referred the patient to the provider
  3. The medical record contains documentation of the provider’s treatment relationship with the patient
  4. The provider requests the information for treatment purposes and the request is made in writing
  5. The patient has signed an authorization or other form for the disclosure of the PHI to that provider

• 27. Request/Disclosure of PHI to/from government agencies
  - Refer to Nursing Staff/Attending Physician/Privacy Officer
  - Only minimum necessary may be released
  - Must do an accounting for the disclosure

  Hospitals are required to disclose PHI to government agencies for many reasons. Examples include reports of child abuse or neglect, infectious disease reporting, reports of unattended deaths to the Medical Examiner, etc. Most students will not be involved in reporting PHI to government officials. However, you may encounter a situation in which reporting is mandatory, or a government official, such as a police officer, asks you for information. Please consult with the facility’s nursing staff, your supervisor or the facility’s Privacy Officer before making such a report or releasing information to any person who is not a health care provider. Such disclosures must follow the minimum necessary rule. Additionally, the facility must track or account for such disclosures. Therefore, it is important that you know and follow the appropriate procedures before you release any information to a government official.

• 28. Patient Requested Restrictions on Use/Disclosure of PHI
  - Facility may have agreed to patient requested restrictions on use/disclosures of PHI for treatment, payment or health care operations
  - YOU must be aware of each facility’s practice in this regard and where such restrictions would be documented

  Under HIPAA, a patient has the right to request restrictions on the facility’s use or disclosure of PHI for treatment, payment or health care operations. The facility is not required to agree to the patient’s request. For example, a patient may not want students to be involved in his/her care or to access his/her health information. The facility will determine whether or not it will honor the patient’s request. Review the Matrix to familiarize yourself with each facility’s procedures with regard to such requests. Be aware that when a facility has agreed to a patient’s restriction request, as a student, you are obligated to honor the request.

• 29. Use of PHI for educational purposes
  - Allowed without patient consent or authorization
  - Parameters of use/disclosure of PHI for educational purposes:
    - Appropriate access
    - Minimum necessary for the purpose
    - Protect/safeguard PHI
    - Appropriate disposal upon completion

  Use or disclosure of PHI for educational purposes is considered one of the facility’s health care operations. Therefore, PHI can be used by and disclosed to health care students without the patient’s consent, agreement or authorization. However, HIPAA does place certain limitations on the use of PHI for educational purposes.
  1. The facility must establish appropriate controls on the student’s access to PHI
  2. PHI disclosed should be limited to the minimum necessary for the particular educational use or purpose
  3. The student who accesses PHI is responsible for protecting and safeguarding that information and for properly disposing of any notes or class documents that contain PHI upon completion of the use or purpose
  4. The student must be aware of and honor any agreed-upon restriction

• 30. Facially de-identified information
  - Policy permits use of PHI that is “facially de-identified” for educational purposes.
  - Remove same identifiers as in de-identified information, except may leave in:
    - Patient medical record number
    - Dates of Service
    - Zip codes
  - This information is still identifiable under HIPAA and remains under federal privacy protections.

  The collaborative facilities permit a student to use PHI that has been “facially de-identified” for his/her educational purposes. The only difference between de-identified information and “facially de-identified” information is that “facially de-identified” information can include the patient’s medical record number, dates of service and zip code. All other individual identifiers (see slide 5) must be removed from the information. Under HIPAA, “facially de-identified” information is still considered PHI. You must protect “facially de-identified” information in compliance with the Privacy Rule.

• 31. “Facially de-identified” means removing:
  - Name
  - Address
  - Phone & fax number
  - E-mail address
  - SSN
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Web URLs
  - Vehicle identifiers and serial numbers
  - Device identifiers and serial numbers
  - IP address numbers
  - Biometric identifiers (including finger, voice prints)
  - Full face photo and other images
  - Any other unique identifier

  This slide lists the identifiers which must be removed from the PHI in order for the information to be considered “facially de-identified”.

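The two identifier lists (slide 5 for de-identified information, slides 30 and 31 for the facilities’ “facially de-identified” variant) can be applied as a filter over a structured record, and the difference between the two outputs is exactly the MRN, zip code and dates of service that slide 30 allows a student to keep. The following is an added example written for this page, not code from the University of Hawaii or any collaborating facility: the field names, the sample record and the free-text patterns are constructed; treating birth dates as year-only under the facial rule follows slide 5’s date rule together with slide 41’s listing of birth dates as identifiers. The check at the end shows why structured stripping alone is not enough: identifiers quoted in free-text notes survive it.

```python
"""De-identification filter for the identifier lists on slides 5, 30, 31 and 41.

Added example for this training page; not code from the University of Hawaii
or its collaborating facilities. Field names and the sample record are
constructed for illustration.
"""
import copy
import re
from datetime import date

# Identifiers removed under both the Privacy Rule list (slide 5) and the
# "facially de-identified" list (slides 31 and 41). "street" and "city" are
# the geographic units smaller than State; "state" itself is kept.
ALWAYS_REMOVE = {
    "name", "relatives", "street", "city", "phone", "fax", "email", "ssn",
    "health_plan_id", "account_number", "license_number", "url",
    "vehicle_id", "device_serial", "ip_address", "biometric", "photo",
    "employer", "other_unique_id",
}

# Retained only under the facilities' "facially de-identified" policy
# (slide 30); full de-identification removes them as well.
FACIAL_MAY_KEEP = {"mrn", "zip", "dates_of_service"}

# Date-valued fields: slide 5 allows only the year to remain.
DATE_FIELDS = {"dob", "dates_of_service"}


def _year_only(value):
    """Reduce a date, or a list of dates, to its year (slide 5 date rule)."""
    if isinstance(value, list):
        return [_year_only(v) for v in value]
    if isinstance(value, date):
        return value.year
    # Constructed records may carry ISO strings; keep the leading year only.
    return int(str(value)[:4])


def deidentify(record, mode):
    """Return a copy of `record` stripped of identifiers.

    mode "full":   slide 5 list; the result is de-identified information.
    mode "facial": slide 31 list; MRN, zip code and dates of service stay.
                   The result is still PHI and must be protected (slide 30).
    """
    if mode not in ("full", "facial"):
        raise ValueError("mode must be 'full' or 'facial'")
    out = copy.deepcopy(record)
    for field in list(out):
        if field in ALWAYS_REMOVE:
            del out[field]
        elif field in FACIAL_MAY_KEEP and mode == "full":
            del out[field]
        elif field in DATE_FIELDS and not (mode == "facial" and field in FACIAL_MAY_KEEP):
            out[field] = _year_only(out[field])
    out["is_phi"] = mode == "facial"  # facially de-identified data remains PHI
    return out


# Free-text fields can still carry identifiers after structured fields are
# stripped; these patterns flag (they do not scrub) the common ones.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def residual_identifiers(text):
    """Names of identifier patterns still present in a free-text field."""
    return sorted(k for k, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


# Constructed sample record (not a real patient).
SAMPLE = {
    "name": "Jane Q. Sample",
    "relatives": ["John Sample"],
    "dob": date(1988, 3, 14),
    "street": "123 Example St",
    "city": "Honolulu",
    "state": "HI",
    "zip": "96813",
    "phone": "808-555-0100",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "employer": "Example Construction",
    "dates_of_service": [date(2002, 10, 5), date(2002, 10, 7)],
    "diagnosis": "near drowning",
    "note": "Pt seen 10/05/2002, spouse reachable at 808-555-0100.",
}

if __name__ == "__main__":
    print("full:  ", deidentify(SAMPLE, "full"))
    print("facial:", deidentify(SAMPLE, "facial"))
    print("identifiers still in free text:", residual_identifiers(SAMPLE["note"]))
```

Run as a script, the facial output keeps the MRN, zip and service dates that the full output drops, and the residual check reports the phone number and date still sitting in the note field.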
• 32. Allowable educational access/use
  - Treatment
  - Observation
  - Teaching Rounds
  - Retrospective Record/Data Reviews
  - Research (with IRB approval)
  - Case Presentations
  - Patient Logs

  This slide lists the types of educational uses or activities for which a student may access PHI. Access to PHI or an attempt to access PHI by a student for a use or activity other than what is listed above would be considered a violation of the facility’s policies and could result in sanctions against the student.

• 33. Is this okay? Scenario #3
  Q: I heard about a very unusual case in the OR. As a medical student I am here to learn. I need to know more about the details so that I may gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?
  A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patients’ records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.

  In this scenario, access may seem to fit under one of the allowable educational uses or activities. What do you think? The bottom line is that the case may indeed have educational value to you. But such review must be organized and approved by the appropriate individuals. Do not access patient information just because you personally believe it might be educational. Work through your instructors and the facility.

• 34. Some Do’s and Don’ts: Treatment and Observation
  Can Do:
  - Access medical records of the patients you are treating/caring for
  - Prepare class work with patient identifiers removed
  - Observe patient care with approval from department manager/supervising faculty
  Cannot Do:
  - Obtain medical records of patients you are not treating/caring for
  - Use data obtained from your cases with patient identifiers such as name, address, birth date left in
  - Observe patient care without appropriate approval or where the patient objects

  Here are some do’s and don’ts relating to appropriate use/access of PHI for treatment and observation. This is not a complete list but will provide you with some general guidelines.

• 35. Some Do’s and Don’ts: Teaching Rounds
  Can Do:
  - Share patient information during teaching rounds
  - Prepare class work using data from your cases with patient identifiers removed
  Cannot Do:
  - Discuss patients in public areas with no consideration to surroundings
  - Include family members in rounds, unless patient has agreed or determination has been made by physician that inclusion is in patient’s best interest

  Here are some do’s and don’ts for participation in teaching rounds. One important point must be emphasized. Always use discretion and common sense when discussing cases in public areas. Do not verbalize details that would inappropriately disclose patient information.

• 36. Some Do’s and Don’ts: Retrospective Reviews
  Can Do:
  - Access medical records with written approval of supervising faculty member
  - Prepare class work using collected data with patient identifiers removed
  - Use aggregate or de-identified patient information
  Cannot Do:
  - Use information collected for research without IRB approval
  - Publish or publicly present findings without IRB approval or waiver of authorization
  - Contact the patient or the patient’s physician
  - Abstract patient identifiers

  Here are some do’s and don’ts for retrospective reviews. If you are thinking of publishing your findings or making a public presentation, you must obtain the approval of the facility’s Institutional Review Board (IRB) before accessing or collecting patient information from medical records. See the Matrix for information about each facility’s procedures.

• 37. Some Do’s and Don’ts: Research
  Can Do (with IRB approval):
  - Build a database of patient information
  - Access and use patient identifiable information as approved by IRB
  - Do a public presentation or publish findings using aggregate or de-identified information
  Cannot Do:
  - Any research without IRB approval or waiver
  - Publish or publicly present findings that identify the patient without patient authorization
  - Access and collect patient data in preparation for a research project without IRB waiver or approval

  There are a number of regulatory requirements for research, and the requirements are quite complex. As a student, the key points to remember are:
  1. Under the HIPAA Privacy Rule, the creation of a database or repository of patient information may be considered research
  2. You should contact the facility’s Institutional Review Board (IRB) if you intend to review and collect patient information for research purposes. It is prudent to seek guidance from the IRB if you consider publication or public presentation to be future possibilities.

• 38. What should I do? Scenario #4
  Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?
  A: Maybe. If the intent is purely for quality improvement without intent to publish findings and you will destroy the database upon completion, then you do not need an IRB approval or waiver. But, if you intend to publicize, publish or use the data you collected for any other purpose and do not get a patient authorization or an IRB approval or waiver, you would be violating the patient’s rights.

  It is sometimes difficult to distinguish between quality improvement activities and research. If the patient information you are collecting might be considered for use in a future research project, it is best to obtain IRB approval. See the facility’s IRB for information about its application, review and approval procedures.

• 39. Some Do’s and Don’ts: Case Presentations/Grand Rounds
  Can Do:
  - Access medical records with written approval of supervising faculty member
  - Prepare for presentation using facially de-identified, aggregate or de-identified information
  - Limit audience to healthcare students/professionals if presentation might inadvertently reveal patient’s identity
  Cannot Do:
  - Leave/show the following in your presentation:
    - Patient Name
    - Medical Record Number
  - Openly present a high profile or unusual case where patient’s privacy may be compromised without patient’s written authorization for disclosure

  Here are some do’s and don’ts for case presentations or grand rounds. Although you are permitted to retain the patient’s medical record number for certain educational purposes, this information should not be displayed or revealed during your presentation. If the case you plan to present is high-profile or extremely rare, obtain the patient’s authorization before you use his/her PHI in the presentation or, at minimum, ensure that the audience is limited to healthcare students or professionals.

• 40. Patient Logs
  - Information collected and submitted on a patient log of your educational activities must be facially de-identified

  Your educational program may require you to keep a Patient Log, a list of patients to whom you have been assigned, and to conduct follow-up reviews. As you keep your Patient Log, please follow the rules for “facially de-identifying” patient information.

• 41. Some Do’s and Don’ts: “Facially De-identifying” Patient Data
  Can Do:
  - Use generic terms to describe a patient, for example:
    - 36-year-old white male living in Arizona
    - Admitted in October 2002
    - Construction worker
  - Black out/delete/cut out patient identifiers on hard copy
  Cannot Do:
  - Leave patient identifiers in information used/removed, such as:
    - Patient/Relatives’ Name
    - Birth dates
    - Address
    - Employer
  - Take copies of dictated reports home with you (unless facially de-identified)

  Here are some examples about how to “facially de-identify” patient information. Remember that you are only permitted to retain the patient’s medical record number, dates of service, and zip code for certain educational purposes.

• 42. Some Do’s and Don’ts: Accessing PHI
  Can Do:
  - Request access to PHI through appropriate channels
    - Request access to medical records through Medical Records
    - Submit completed appropriate data request form for data reports
  Cannot Do:
  - Remove medical records from facility
  - Leave patient records/data in break room or other areas where they are unattended
  - Out of curiosity, access the records of the celebrity who was admitted last week or the records of a patient with an unusual medical condition

  Each facility has established procedures for obtaining access to PHI. See the Matrix for more information. If you are assigned to a facility that has implemented an electronic medical record, you will probably be able to access information about patients with whom you do not have a treatment relationship. Keep in mind that simply because you are able to access the information does not mean you have permission to do so. Each facility has implemented audit trails to monitor users who have accessed a patient’s electronic medical records. If a facility discovered that you accessed a patient’s record and you had no legitimate reason for doing so, you could be subject to sanctions.

    • 43. Is it okay? Scenario #5
      Q: My friend was admitted yesterday after collapsing during a bike ride. I am very concerned about her progress and would like to visit her, but I don’t know which room she is in. Is it okay if I look up the information in the computer system?
      A: No. Using your access privileges to look up any information for any patient when there is no need to know based on your responsibilities in the hospital is a violation of patient confidentiality. Unless you are directly involved in providing health care for your friend, it is not appropriate for you to access her electronic medical record. Your friend is entitled to privacy, as are all patients.
      As discussed on the Facility Directory slides, please ask for your friend by name at the nurses’ station or information desk. As long as your friend has not requested “No Information” status, staff will be able to tell you her room number and you will be able to visit.
    • 44. Some Do’s and Don’ts: Safeguarding Information
      Must Do:
        • Password protect laptops/PDAs
        • Shred facially de-identified papers when you are done with them
        • Ensure the memory/hard drive has been wiped clean when selling or disposing of a PC, laptop or PDA
        • Encrypt any PHI sent over the Internet
      Cannot Do:
        • Leave information in open or other public areas
        • Discuss patients in the elevator, hallways or the cafeteria
        • Dispose of facially de-identified information in your trash can (it is still identifiable under HIPAA!)
        • Share your access codes/cards
      Remember that under HIPAA, “facially de-identified” information is still Protected Health Information (PHI). You are responsible for keeping the information confidential and secure. Here are some examples of safeguards you should follow:
        1. Maintain control over your PDA, class work and other documents that contain patient information. Know where they are at all times.
        2. Do not let a friend borrow or share your access codes (log-in) or cards for any reason. You are responsible for any inappropriate access to data or secured areas that occurs under your identification.
        3. When you no longer need health information you have collected, dispose of it appropriately. Do not throw it away in your trash can!
        4. Do not send PHI over an open network unless the information is encrypted.
        5. Always use discretion and common sense. Consider how you would want others to protect your personal health information.
    • 45. Questions?
      For further information or questions, please contact the facility’s privacy officer.
