Training on confidentiality MHA690 Hayden: Presentation Transcript
Mandatory Training on confidentiality (HIPAA) Health Insurance Portability and Accountability Act Training on confidentiality Sandra Hayden, B.S., R.T.(T) For MHA690 December 9, 2010
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 and is composed of three components: insurance portability, fraud enforcement, and administrative simplification. This session will focus on the Security Rule section of HIPAA and the responsibilities of units or entities to protect and safeguard the confidentiality of PHI that is created, maintained, or transmitted in electronic form.
Welcome to HIPAA Security Training
The goals for this training session are:
Increase your knowledge and understanding of what protected health information (PHI) is and how to maintain its security.
Enhance your awareness of your role in assisting in following the HIPAA Security Rule.
Learn about privacy and the security of information created, maintained, and transmitted in electronic format.
Inform the workforce about their reporting responsibilities for HIPAA violations and the possible penalties for violation of HIPAA law for both you and this hospital.
Protect the confidentiality and security of PHI.
Not only will the information you learn today help you here in your job, but it will also help you become an informed consumer of health care services.
Why did the need for accountability and administrative simplification come about?
The increasing use of the internet for storing and transferring electronic information, advances in genetic science, and questions about WHO would have access to WHAT information and HOW it would be used all generated concern.
Protected Health Information (PHI) is individually identifiable health information that is held or disclosed by a covered entity that can be communicated electronically, verbally, or written.
Electronic Protected Health Information (EPHI) is protected health information (PHI) that is transmitted by electronic media or maintained by electronic media.
Sensitive Data is protected health information that can be used to determine the identity of an individual and/or their diagnosis.
The Security Rule
Follow the fundamentals of secure password management
Remember Security impacts privacy
Adhere to Policies and Procedures regarding safeguarding buildings, systems, and information
Report any suspected violations of policies and procedures to your Unit Security Officer, and
Employ daily work habits that protect the security and privacy of information you have access to in your responsibilities
These are practices that we all can support and implement to safeguard the security and confidentiality of EPHI at our organization.
The following are key practices to remember and implement to do your part in safeguarding the security and confidentiality of Electronic Protected Health Information:
It is YOUR responsibility to safeguard information
We must ALL protect the security and integrity of PHI by implementing a process that helps us anticipate reasonable threats or hazards and protect against any use or disclosure of EPHI that is not permitted or required under the Privacy Rule. In addition, as an organization we must ensure and monitor compliance with the Security Rule by our faculty, staff, and students.
What does access mean?
Access is when someone has the ability or the means to communicate Protected Health Information (PHI) through the use of a system resource that creates, maintains, or transmits information in an electronic format. Examples include PHI stored on your local hard drive as an email or in a local database, as well as PHI stored on a shared system.
Actions you need to take
If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.
When you talk about patients, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.
When medical records are not in use, store them in offices, shelves or filing cabinets.
Remove patient documents from faxes and copiers as soon as you can.
When you throw away documents containing PHI, follow the procedures for disposal of documents with PHI.
Use Only the Minimum Necessary Information
When you use PHI, you must follow the Privacy Rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?"
Three employees continued to look at the confidential records of a celebrity.
What happened to the employees who violated HIPAA? They were terminated, suspended, or received warnings or disciplinary actions.
After further investigations all employees found to have breached patient confidentiality were disciplined or fired.
Reference: Over 120 UCLA Hospital staff saw celebrity health records. Retrieved July 20, 2010 from http://www.foxnews.com/story/0,2933,398784,00.html.
True Case Scenario: Hospital staff saw celebrity health records.
According to An, Ranji, and Salganicoff (2008), privacy is a major challenge to consider when adopting broad health IT within the public arena.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established guidelines and regulations for the use and disclosure of information about patients’ records (An, et al., 2008).
HIPAA also provides safeguards against unauthorized access to information. In addition, HIPAA requires that electronic health transactions be standardized to improve the efficiency and effectiveness of the United States health care system by strengthening the use of electronic data (An, et al., 2008).
It is your job to safeguard patient information.
Reference: An, J., Ranji, U., & Salganicoff, A. (2008). Health information technology (Issue Module). Retrieved from The Kaiser Family Foundation website: http://www.kaiseredu.org/topics_im.asp?id=655&imID=1&parentID=70
Literature Review (continued)
According to Kongstvedt (2007), as of 2003 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. The OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions OCR has obtained from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve.
Reference: Kongstvedt, P. R. (2007). Essentials of managed health care. Sudbury, MA: Jones and Bartlett.
Ready for the Quiz?
You overhear two hospital employees discussing a patient in the elevator. What do you do?
A. Remind them to respect patient confidentiality and/or obtain their names from their name badges and inform your supervisor.
B. Join in the conversation only if you know about the patient.
C. Ignore the employees and forget what you've heard them talking about.
Correct answer: A
You forget your password and need access to patient information to do your job. What do you do?
A. Call the Information Services help desk or your network administrator to reinstate your password.
B. Share your coworker's password until you have time to obtain another password.
C. None of the above.
Correct answer: A
You walk up to a computer workstation and notice that the previous user has not logged out. What do you do?
A. Send email from the user's account.
B. Log the user out and sign in with your own USER ID and password.
C. Save time by accessing the information you need to do your job on the current screen.
Correct answer: B
You walk away from the computer on your desk without logging out. Another employee starts using your computer and, using your access, inappropriately looks up patient information out of curiosity. Are you held accountable?
A. Yes.
B. No.
C. Only if the patient complains.
Correct answer: A
As a health care employee on our team, you are required to know about the health information privacy requirements of a federal law called HIPAA (Health Insurance Portability and Accountability Act).
You are covered by the Privacy Rule as a member of the facility's workforce. You must follow all policies and procedures, including those concerning health information privacy.
Thank you for taking time to learn about the HIPAA Privacy Rule.