• Welcome to the ITC training module for confidentiality awareness. This program will present a brief overview of ITC’s policies and the federal HIPAA regulations that deal with privacy and data security.
• ITC is committed to compliance with federal and state laws that protect the privacy of our consumers’ health information. There are federal and state laws and standards that pertain to any individual that enters a health care organization and may directly or indirectly impact the quality and safety of consumer care.
• Caregivers who will have access or potential access to consumers, health information, or other sensitive information are required to know how to handle and protect consumer privacy and data security.
• If you have any questions about privacy issues, please contact your ITC Supervisor.
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996.
• The purpose of HIPAA regulations is to establish national standards for safeguarding an individual’s privacy and their Protected Health Information (PHI).
• All ITC facilities, employees, and caregivers must comply with federal HIPAA regulations.
• HIPAA includes:
  – Privacy Rules that keep Protected Health Information (PHI) confidential, and provide penalties for individuals who fail to keep consumer information confidential.
  – Security Rules to ensure the confidentiality and integrity of all electronic Protected Health Information.
• There are also other federal and state laws that protect PHI and provide penalties for individuals who violate these laws.
• The HIPAA Privacy Rule gives consumers important rights over their Protected Health Information (PHI):
  – Maintain the consumer’s basic right to respect, dignity and privacy.
  – Never share any consumer sensitive information with anyone not associated with the consumer.
  – Never discuss consumer sensitive information in hallways, elevators or public spaces.
  – Never post consumer information anywhere in or out of the ITC office where it can be viewed by others.
  – Access the medical record only when necessary for the care of the consumer.
  – Comply with all HIPAA rules and regulations.
• Protected Health Information (PHI) is any health information created, received, transmitted, or maintained that:
  – Relates to past, present or future physical or mental health, the provision of health care, or payment for health care.
  – Identifies the consumer, or could reasonably be expected to identify the consumer.
• PHI includes all kinds of identifying information, including:
  – Name: a consumer, relatives, employers, caregivers, etc.
  – Personal Data: date of birth, date of death, address, phone number, etc.
  – Numbers: Social Security number, medical record, account, telephone, passport, health insurance, etc.
  – Graphics: photographs, videos, radiographs, voice prints, fingerprints, etc.
  – A document does not have to include a consumer’s name to be considered PHI. It is considered PHI if it includes any information that can identify an individual.
• PHI comes in many forms:
  – Paper records of all types
    • Documents and forms
    • Labels on consumer care items
    • Photos and graphics
  – Electronic records
    • Computer-based records
    • Portable storage media
    • Video recordings
  – Verbal/Oral communications
  – Observation
• Access to PHI is limited to persons who:
  – Have a valid medical need for the information
  – Have a valid business need for the information
  – Are authorized to know the information
• There are multiple safeguards in place to limit access to PHI and confidential information.
  – Any attempt to bypass these safeguards is a violation of HIPAA laws and ITC’s policies.
• The Professional Need to Know Rule limits use, disclosures and requests for PHI to the “professional need to know” to accomplish the task for which the information is needed.
• Some examples of privacy violations:
  – Accessing consumer information outside of your “professional need to know” activity, either from personal curiosity or for any other unauthorized purpose.
  – Removing an original or a copy of any Protected Health Information from an ITC office without authorization.
  – Selling or inappropriately giving consumer information to the news media.
• Some examples of privacy violations:
  – Discussing consumer information in a public area without taking reasonable precautions.
  – If in the course of your job duties you observe or overhear information about someone you know, you are responsible to keep the information confidential, and not share it with anyone.
  – PHI or confidential documents should never be discarded in the garbage. Place in a secure shred bin or use a shredder.
• Violating federal Privacy and Security Rules can result in personal liability, either civil or criminal sanctions, including fines, jail time or both.
• Violating some state privacy and security laws can result in personal liability, either civil or criminal sanctions, including fines, jail time or both.
  – law allows consumers to seek damages as a result of privacy/security incidents.
  – law places liability directly on the individual who knowingly, willfully or negligently obtains, discloses or uses medical information inappropriately.
• You are responsible for protecting your consumer or other sensitive information that you have access to, whether it is in a document, electronic, transmitted, or received.
• You are responsible for protecting consumers or other sensitive information that you may overhear or observe.
• Limit use, disclosure or requests for Protected Health Information (PHI) to the “minimum necessary” to get your work done.
• You are responsible for reporting a known or suspected privacy incident.
• A breach of privacy that is known to any caregiver is to be reported immediately.
• Some examples of situations that require reporting:
  – Anyone accessing or removing PHI without authorization.
  – A lost print job that you are unable to locate (containing PHI or sensitive information).
  – Misdirected faxes.
  – If you observe or overhear inappropriate disclosure of PHI.
  – A consumer who receives information about an unrelated consumer.
• Report known or possible privacy incidents to your immediate supervisor.