HIPAA final JU nursing informatics



HIPAA Presentation for JU BSN program

Published in: Education

  2. What is the Health Insurance Portability and Accountability Act (HIPAA)?
     - A federal law created in 1996, enforced by the Office for Civil Rights, which protects the privacy of individually identifiable health information.
  3. HIPAA Rules: The Privacy Rule
     - Provides standards to protect patients' medical records and other personal health information.
     - Sets limits on uses and disclosures.
     - Gives patients rights over their health information.
  4. HIPAA Rules: The Security Rule
     - Creates standards to protect patients' electronic personal health information that is created, received, used, or maintained by a health plan, healthcare clearinghouse, or health care provider.
     - Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. (Health Information Privacy 2007)
  5. HIPAA Rules: The Breach Notification Rule
     - Requires HIPAA covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates to provide notification following a breach of unsecured protected health information.
  6. 2011 HIPAA Violations (resource: onlinetech.com)
  7. Information System
     - Protection of information against threats to its integrity, inadvertent disclosure, or availability.
     - Information systems can improve protection for client information in some ways and endanger it in others.
     - The electronic medical record cannot easily be viewed by anyone who does not have an access code. (Hebda, Czar 2013, p. 235)
  8. Consent
     - The process by which an individual authorizes healthcare personnel to process his or her information based on an informed understanding of how this information will be used.
     - When obtaining consent, the patient should be made aware of any risks to privacy.
     - HIPAA has a consent form for the release of health-related information that is intended to protect a patient's privacy.
     - The consent form is based on rules and restrictions on who may see or be notified of a patient's protected health information.
  9. What would you do?
     - You are the nurse for an elderly, confused patient. The patient is becoming increasingly confused and keeps asking for her son Larry. You access her medical records and find that Larry is not the patient's health care proxy but is listed as one of the patient's contacts.
     - You are the nurse for an intubated, comatose patient. A woman comes to visit the patient, stating she is the patient's sister. You access the patient's records; there is no information about the patient having a sister.
     - A family member calls and states he is the patient's health care proxy and would like information on the patient. You have never met him, but his name matches the one on the patient's record.
  11. System Security Compliance
     - Protected information is exposed through far more than the computer system: computer screens, white boards, phone conversations, waste baskets, the patient chart, smart phones, conversations in the elevator, and many more.
     - Compliance with HIPAA is about people, policies, and procedures that make good sense. Remember that it is always about what is best for the patient.
  12. The Minimum Necessary Rule
     - In accordance with the federal HIPAA law, information may be shared with other health care providers for the purpose of TPO: Treatment, Payment, and Healthcare Operations.
     - Patient information should only be accessed, used, or disclosed in the amount that is the MINIMUM NECESSARY for an individual to perform his/her duties. For example, the lab does not need to know the admitting diagnosis to run a hepatitis screen on a patient's blood.
  13. Breaches in Security
     - According to American Medical News, 94% of facilities suffered a breach in security in the last two years, leaving thousands of Americans at risk of medical identity theft.
     - An entity regulated by HIPAA must have reasonable administrative, technical, and physical safeguards to protect against intentional or unintentional disclosure of protected health information. This may include shredding documents when they are disposed of and keeping electronic documents under password-protected or key-code security.
     - Entities must have policies and procedures in place to keep employees from inadvertently sharing private information, such as closing computer screens before leaving the area and turning computer screens away from areas where they may be viewed by a family member.
  14. Small-Scale Snooping
     - According to a survey by Veriphyr, the majority of HIPAA violations and security breaches are due to insiders who are snooping into the medical records of their coworkers or relatives, or even looking at their own medical record.
     - In this instance the facility must have policies and procedures in place to ensure all employees understand the electronic access needed to perform their job, and sanctions in place if inappropriate access is discovered.
  15. Penalties for Violations of HIPAA
     - The American Recovery and Reinvestment Act of 2009 established civil penalties for violation of the HIPAA federal law.
     - The penalties for violation of HIPAA laws have a tiered structure based on the nature and extent of the violation.
     - The Secretary of the Department of Health and Human Services has the discretion to determine the amount of the penalty based on the nature of the violation and the resulting harm.
     - The Secretary is prohibited from imposing a civil penalty if the violation is corrected within 30 days, except in cases of willful neglect.
  16. Civil Penalties
  17. Case Study
     - An Arkansas LPN may face 10 years in prison and/or a $250,000 fine.
     - Smith pleaded guilty to wrongfully disclosing individually identifiable health information for personal gain and malicious harm.
     - According to the Associated Press, the nurse obtained private medical information on a patient while working at a clinic in Arkansas.
     - She then shared the information with her husband, who contacted the patient and threatened to use the information against him in a court proceeding the two were involved in.
     - The patient contacted the state attorney's office, and charges were filed against the nurse and her husband.
  18. Case Study
     - An HIV-positive patient relocating to another city asks his existing physician to fax his medical records to his new doctor.
     - The busy office manager mistakenly faxed the records to the patient's new employer. The fax did not have a cover sheet indicating that the content was confidential.
     - The patient was very upset that his new employer had private information about his health. He contacted the US Department of Health and Human Services, which referred the case to the Office for Civil Rights (OCR).
     - The physician's office was investigated, and the staff underwent voluntary HIPAA privacy training.
  19. Policies and Procedures: Administration and Personnel
  20. Policy and Procedure
     - Administrative: responsible for creating and managing an infrastructure which protects client privacy and confidentiality. This involves:
       - Developing a plan
       - Policies and a designated structure for implementation
       - User access levels
       - An adequate budget
  21. Administration: Centralized Security Function
     - Comprehensive security plan
     - Accurate and complete information
     - Information asset ownership and sensitivity classifications
     - Identification of a comprehensive security program
     - Information security training and user support
     - Awareness program
  22. Administration: Centralized Security Function
     - The infrastructure consists of:
       - Comprehensive security plan: defines security responsibilities for each level of personnel as well as a timeline for the development and implementation of policies, procedures, and physical infrastructure.
       - Accurate and complete information: policies should be published online for easy access, with email notification of employees as new policies arise.
  23. Administration: Centralized Security Function
     - Information asset ownership and sensitivity classifications:
       - Ownership: who is responsible for the information, including its security.
       - Sensitivity classification: determination of how damaging an item of information might be if it were disclosed inappropriately; this determines what information should be encrypted.
     - Identification of a comprehensive security program: a security plan can avert and minimize threats by identifying responsibility for information integrity, privacy, and confidentiality.
  24. Administration: Centralized Security Function
     - Information security training and user support: an important component in fostering a proper system is incorporating education and proper training.
     - Awareness program: reminds users of the need to protect information.
  25. Level of Access
     - Strictly granted on a need-to-know basis.
     - Access limitation: depending on the personnel level or "user classification," only certain areas of the system are accessible. Example: a nursing assistant would only have access to the documentation of hygiene, dietary intake, vital signs, and intake and output, but no other area of the patient's record.
     - User authentication: authentication of the user through passwords, smart cards, fingerprints, voice recognition, or even a third-party authentication system such as Kerberos or SESAME.
  26. Personnel Issues
     - Policies and procedures must be established and communicated to all personnel who handle information.
     - Key elements include information ethics training covering:
       - Audit trails: records of information system activity by personnel.
       - Acceptable computer use: includes authorized access and only authorized and legal copies of software.
       - Collect only required data: limiting the collection of information to what is needed.
       - Encourage client review of the file for accuracy and error correction: ensuring accuracy.
       - Establish controls for the use of information after hours and off-site: a policy limiting access to patient information after hours.
  27. Personnel Issues
     - Key elements include:
       - Access control
       - System monitoring
       - Data entry
       - Backup procedures
       - Responsibilities for the use of information on mobile devices
       - Exchange of client information
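Slides 14, 25 and 26 describe three controls that fit together: access limited by user classification, the minimum-necessary rule, and an audit trail that lets the facility detect insider snooping. The following is an added illustration written for this page; it is not code from the deck or from any of its cited sources. The roles, record sections, medical record numbers (MRNs) and the scenario are all constructed, and the "care relationship" check is an assumption about how an institution would represent which patients a staff member is assigned to.

```python
# Added illustration, not code from the slide deck or its cited sources: a role-based
# "minimum necessary" access check that writes every decision to an audit trail,
# followed by a review pass over that trail for the insider-snooping patterns the
# deck describes. Roles, record sections, MRNs and the scenario are all constructed.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical user classifications mapped to the record sections each may read.
# The lab technician deliberately gets "labs" only: no admitting diagnosis.
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "nursing_assistant": {"hygiene", "diet", "vitals", "intake_output"},
    "nurse": {"hygiene", "diet", "vitals", "intake_output", "meds", "notes", "contacts"},
    "physician": {"hygiene", "diet", "vitals", "intake_output", "meds", "notes",
                  "contacts", "labs", "diagnosis"},
    "lab_tech": {"labs"},
}


@dataclass
class User:
    user_id: str
    role: str
    patient_id: Optional[str] = None                    # the user's own MRN, if also a patient here
    relatives: Set[str] = field(default_factory=set)    # MRNs of declared relatives


@dataclass
class AuditEvent:
    ts: datetime
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


def check_access(user: User, patient_id: str, section: str,
                 assigned_patients: Set[str], trail: List[AuditEvent],
                 when: Optional[datetime] = None) -> bool:
    """Allow a read only if the role permits the section AND the user has a care
    relationship with the patient. Every decision, allowed or denied, is logged."""
    if section not in ROLE_SECTIONS.get(user.role, set()):
        allowed, reason = False, "section not permitted for role"
    elif patient_id not in assigned_patients:
        allowed, reason = False, "no care relationship with patient"
    else:
        allowed, reason = True, "role permits section and patient is assigned"
    trail.append(AuditEvent(when or datetime.now(), user.user_id, patient_id,
                            section, allowed, reason))
    return allowed


def review_audit_trail(trail: List[AuditEvent], users: Dict[str, User],
                       denial_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Flag attempts (allowed or not) that match the snooping patterns: a user
    looking up their own record, a relative's record or a coworker's record, plus
    users whose denied attempts reach the threshold (probing outside their assignment)."""
    staff_mrns = {u.patient_id: u.user_id for u in users.values() if u.patient_id}
    findings: List[Tuple[str, str, str]] = []
    denials: Dict[str, int] = {}
    for ev in trail:
        u = users[ev.user_id]
        if ev.patient_id == u.patient_id:
            findings.append((ev.user_id, ev.patient_id, "self-lookup"))
        elif ev.patient_id in u.relatives:
            findings.append((ev.user_id, ev.patient_id, "relative"))
        elif staff_mrns.get(ev.patient_id, ev.user_id) != ev.user_id:
            findings.append((ev.user_id, ev.patient_id, "coworker"))
        if not ev.allowed:
            denials[ev.user_id] = denials.get(ev.user_id, 0) + 1
    for uid, n in denials.items():
        if n >= denial_threshold:
            findings.append((uid, "*", f"{n} denied accesses"))
    return findings


def run_demo() -> Tuple[List[bool], List[Tuple[str, str, str]]]:
    """Constructed scenario; returns the access decisions and the review findings."""
    users = {
        "na01": User("na01", "nursing_assistant", patient_id="MRN-900"),
        "rn02": User("rn02", "nurse", relatives={"MRN-123"}),
        "lab03": User("lab03", "lab_tech"),
    }
    trail: List[AuditEvent] = []
    t = datetime(2014, 2, 1, 8, 0)
    decisions = [
        check_access(users["na01"], "MRN-123", "vitals", {"MRN-123"}, trail, t),      # allowed
        check_access(users["na01"], "MRN-123", "diagnosis", {"MRN-123"}, trail, t),   # denied: role
        check_access(users["lab03"], "MRN-123", "diagnosis", {"MRN-123"}, trail, t),  # denied: minimum necessary
        check_access(users["lab03"], "MRN-123", "labs", {"MRN-123"}, trail, t),       # allowed
        check_access(users["rn02"], "MRN-123", "notes", {"MRN-456"}, trail, t),       # denied, and a relative
        check_access(users["na01"], "MRN-900", "notes", {"MRN-123"}, trail, t),       # denied, and self-lookup
        check_access(users["rn02"], "MRN-900", "notes", {"MRN-900"}, trail, t),       # allowed, but a coworker's record
        check_access(users["na01"], "MRN-456", "vitals", {"MRN-123"}, trail, t),      # denied: third denial for na01
    ]
    return decisions, review_audit_trail(trail, users)


if __name__ == "__main__":
    for finding in run_demo()[1]:
        print(finding)
```

Two design points worth noticing: the review flags the coworker access even though it was allowed, because a valid role and assignment do not by themselves make an access appropriate, and the denial counter catches probing that the access check already stopped. Both findings only exist because every decision, not just the successful ones, went into the trail.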
  28. HIPAA Education & Training for Employees and Patients
  29. HIPAA Education for Employees
     - Institutions should:
       - Administer a HIPAA policy handbook for new hires with privacy and confidentiality measures.
       - Have all staff read and sign a confidentiality statement, which is to be stored in the employee's file.
       - Implement required online training modules for all staff to complete.
       - Require annual mandatory re-training modules.
       - Offer advanced HIPAA training appropriate to each individual's responsibilities at their institution.
  30. HIPAA Education for Patients
     - It is required by law that all patients receive a Notice of Privacy Practices from a doctor, hospital, or any other health care provider that they see in person.
     - This form tells patients how the health care provider may use and share their health information and how the patient can exercise their health privacy rights. It is also required by law for each patient to sign a form stating they received a copy of the Notice of Privacy Practices.
     - The notice must describe:
       - The ways that the Privacy Rule allows the covered entity to use and disclose protected health information. It must also explain that the entity will get the patient's permission, or authorization, before using their health records for any other reason.
       - The covered entity's duties to protect health information privacy.
       - Privacy rights, including the right to complain to Health and Human Services (HHS) and to the covered entity if you believe your privacy rights have been violated.
  31. HIPAA Education Starts in the Classroom
     - HIPAA education and training should be implemented in the curriculum of all studies affiliated with the medical field.
     - Early education allows for full understanding of privacy and confidentiality policies prior to entering the clinical field.
     - This allows staff at clinical sites to act as role models for students and aid in educating them about HIPAA rules and regulations.
  32. Proper Disposal of PHI (Protected Health Information): Mandated Through HIPAA
  33. PHI Defined
     - PHI stands for Protected Health Information and is used within HIPAA to describe the type of information that must never be seen by unauthorized individuals. PHI can come in many forms, whether paper or electronic, and can involve patient demographic information, diagnostic study results, treatment records, billing information, and any other form of information pertaining to the patient's stay at any type of medical institution.
  34. Required Proper PHI Disposal
     - The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form.
     - Improper disposal of PHI can result in a mandatory fine of up to $1,500,000 as well as an investigation enforced by the State Attorney General and Health and Human Services (HHS).
     - Under the HIPAA Privacy Rule, institutions are not authorized to dispose of PHI in any containers that could potentially be accessible to the public.
  35. Paper PHI Disposal
     - Paper forms of PHI are to be disposed of through shredding, burning, pulping, or pulverizing.
     - Once disposed of, the PHI must be rendered unreadable, without the possibility of being reconstructed.
     - Many institutions use secure document disposal receptacles throughout the facility designated strictly for PHI paper records. A vendor then removes the paper PHI from the receptacle to be properly shredded and disposed of.
  36. Electronic and Pharmaceutical PHI Disposal
     - Electronic disposal: PHI is stored on the hard drives of computers, so in order to properly dispose of the record:
       - The system can be cleared through software that overwrites the recorded data.
       - The system can be purged by disrupting the recorded magnetic domains.
       - The system can be completely destroyed, destroying any material that may be stored.
     - Labeled medication disposal: pharmaceuticals are always labeled with patient demographic information and must be properly disposed of.
       - Most institutions use opaque bags to store disposed labeled medication.
       - Vendors then take the bags from the facility and properly dispose of the labeled medications without breaching privacy regulations.
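The first electronic option on slide 36, clearing by overwriting, is the one a nursing informatics team is most likely to do themselves rather than hand to a vendor. The following is an added example written for this page, not code from the deck or its sources: it overwrites a file with random bytes, forces the write to disk, and checks that the original content is gone before the file is unlinked. The sample "PHI export" is constructed. One caveat belongs with it, stated here as the editor's own point rather than the deck's: file-level overwriting only reaches the blocks the filesystem currently maps to the file, so on solid-state drives, journaling or copy-on-write filesystems, and cloud block storage copies of the old data may survive elsewhere. That is why the slide lists purging and physical destruction as separate, stronger options.

```python
# Added example, not from the slide deck or its sources: file-level "clearing" by
# overwriting, which corresponds to the first of the three electronic disposal
# options on the slide. The sample PHI export below is constructed for the demo.
import os
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times,
    flushing and fsyncing after each pass. Returns the number of bytes per pass.
    Caveat: this only reaches the blocks currently mapped to the file; on SSDs and
    journaling or copy-on-write filesystems old copies can remain, so treat this as
    clearing, not purging."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def clear_and_remove(path: str, passes: int = 1) -> int:
    """Overwrite the file and then unlink it. Returns the bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo(tmp_dir: str = None) -> dict:
    """Constructed check: write a fake PHI export, clear it, confirm none of the
    original bytes remain, then remove it. Returns the observations as a dict."""
    original = b"MRN-123|DOE,JANE|HEPATITIS PANEL: NEGATIVE\n" * 100   # constructed content
    fd, path = tempfile.mkstemp(suffix=".csv", dir=tmp_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    size = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return {
        "size": size,
        "same_length": len(after) == len(original),
        "plaintext_gone": after != original and b"MRN-123" not in after,
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The demo reads the file back between the overwrite and the unlink on purpose: deleting first would leave nothing to verify, and verification is the part an auditor will ask about.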
  37. Ensure Proper Disposal
     - Proper HIPAA education of all staff is very important to ensure privacy and confidentiality regulations are being followed. To be sure all staff are up to date on HIPAA regulations, it is important to re-educate annually. Patients should be educated on their rights as well and should always receive a Notice of Privacy Practices upon admission. Educating all staff (including students) will ensure proper handling and disposal of all PHI.
  38. Video
  39. References
     - PHI Disposal. (2011). Welcome to Proper PHI Disposal. Retrieved from http://www.properphidisposal.net/
     - University of California. (2008). Privacy Training. HIPAA checklist for new hires: UCSF staff employee/postdocs. Retrieved from http://hipaa.ucsf.edu/education/staff/default.html
     - U.S. Department of Health and Human Services. (2009). Frequently Asked Questions About the Disposal of Protected Health Information. The HIPAA Privacy and Security Rule. Retrieved from www.hhs.gov/ocr/.../disposalfaqs.pdf
     - Wimberley, P., Isaacson, J., & Walden, D. (2005). HIPAA and Nursing Education: How to Teach in a Paranoid Health Care Environment. Journal of Nursing Education, 44(11), 489-492.
     - Czar, P., & Hebda, T. (2013). Handbook of informatics for nurses and healthcare professionals. Upper Saddle River, New Jersey.
  40. References
     - US Department of Health and Human Services. (2010, July). Retrieved from http://www.hrsa.gov
     - American Medical Association. (2014). HIPAA Violations and Enforcement. Retrieved February 02, 2014, from http://www.amaassn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billinginsurance/hipaahealth-insurance-portability-accountability-act/hipaa-violationsenforcement.page
     - Associated Press. (2008, April 17). Nurse admits to privacy violation in HIPAA case. Healthcare Business News, Research and Events from Modern Healthcare. Retrieved February 1, 2014, from http://www.modernhealthcare.com/article/20080417/NEWS/621626204
     - Gungor, F. (2013, June 09). 10 Examples of HIPAA Violations. Retrieved January 31, 2014, from http://www.onesourcedoc.com/blog/bid/95168/10-Examples-of-HIPAAViolations
     - Department of Health and Human Services. (2003). Office for Civil Rights Privacy Brief [Brochure]. Retrieved February 02, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
     - Latner, A. (2013, June). Fax Sent to Wrong Number Results in HIPAA Violation. Renal and Urology News. Retrieved February 2, 2014, from http://www.renalandurologynews.com/faxsent-to-wrong-number-results-in-hipaa-violation/article/305022/