HIPAA Basics: A crash course for CCFI employees and volunteers. Parts of this presentation are based on Oklahoma Department of Health training materials accessed through our OCAP contract.
Who is CCFI’s Privacy Officer? Look no further than Rachelle Cook!
HIPAA … what the heck is it?
HIPAA (the Health Insurance Portability and Accountability Act of 1996) provides a framework for nationwide protection of client confidentiality, security of electronic systems, and standards and requirements for the electronic transmission of health information. Each part has its own regulations.
The Privacy Rule: Privacy means protecting someone’s health care info.
Privacy regulations: Define how client information is used and disclosed. Give clients privacy rights and greater control over their own health information. Outline ways to safeguard Protected Health Information (PHI).
The Security Rule: Security means controlling the confidentiality, integrity, and availability of electronic protected health information (ePHI), including how client data is electronically stored and how it is electronically accessed.
Electronic Data Exchange (electronic data interchange, EDI): defines the format of electronic transfers of information between providers and payers to carry out financial or administrative activities related to health care. This information includes coding, billing, and insurance verification.
Why should we care about all of this? Choosing not to follow these rules could put you at risk and could put CCFI at risk. You and CCFI can be subject to fines.
We PROTECT PHI in all media in which it is created, stored, or transmitted. Examples include: verbal discussions (in person, on the phone, etc.); paper (charts, progress notes, encounter forms, referral forms, explanations of benefits (EOBs), scratch paper, etc.); computer applications/systems (the electronic health record (EHR), Microsoft applications, etc.); and computer hardware/equipment (PCs, laptops, pagers, fax machines, servers, cell/multifunction phones, any removable media, etc.).
We should treat personal electronic data with the same care and respect as weapons-grade plutonium. It is dangerous, long-lasting and once it has leaked, there's no getting it back. - Cory Doctorow
PHI is Individually Identifiable Health Information (IIHI): health information that reasonably identifies the individual (client identifiers/demographics). This includes information about the health or condition of an individual and about payment for an individual's health care.
PHI includes items in the record, such as: encounter/visit documentation, lab results, appointment dates/times, invoices, radiology films and reports, histories and physicals, etc.
PHI includes information by which the identity of a client can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information. For example, when Counselor Troi tells a friend "The captain of this ship is my client. He is a mess...", her friend knows she is talking about Captain Picard, even though no name was used.
Use: when you review or use PHI internally (audits, training, customer service, quality improvement). Disclose: when you release or provide PHI to someone, like an attorney, a client, faxing records to another provider, etc.
What does releasing the minimum necessary PHI mean? To use or disclose/release only the minimum necessary to accomplish the intended purpose. When you get requests from individuals not employed at CCFI: keep information on a "need to know" basis. Limit the PHI provided to what is needed to accomplish the purpose for which the request was made, or to what the client has given permission to disclose via a CCFI release form or other valid authorization.
What is TPO? Treatment: providing care to clients. Payment: the provision of benefits and premium payment. Operations: normal business activities like reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection and eligibility checks, accreditation, etc. These terms are collectively referred to as TPO. Using PHI outside of TPO is generally not allowed without a signed authorization. Even within TPO, use only the minimum necessary to perform your job!
Who protects PHI? The federal government, by enforcing HIPAA (the HHS Office for Civil Rights investigates complaints and imposes penalties); CCFI, by training folks on HIPAA and having written HIPAA policies; and you, by taking HIPAA seriously. Keep in mind, there are penalties for violations of HIPAA. Civil monetary penalties are tiered based on the entity's culpability for the violation. If you want more info on penalties, feel free to ask our privacy officer, Rachelle Cook!
Clients have the right to file a privacy complaint. Direct all requests or complaints regarding these rights to the CCFI Privacy Officer. Clients have many other rights regarding their PHI; more of these are outlined in the training geared for clinicians.
What are some common violations? When leaving their computer, an employee didn't lock it or log off; another employee then used it to look up her own family members. In this situation, both employees failed to follow CCFI's procedures, which require: logging off/securing all applications when the computer is unattended; using the password-protected screensaver (or locking the screen) when leaving it unattended; and not using another person's login, unless they are training you and directly observing what you do.
A new employee is assigned to routinely enter charting notes for each client seen by the provider with whom she works. She was curious and concerned about a particular client's services, and therefore viewed several other records from the client's chart from previous months. Note: this was determined to be a breach of confidentiality, because she had not been asked by her provider and/or supervisor to access this client's additional records.
How can a technology problem be a violation? Theft (or loss) of a computer or laptop. Inappropriate usage of CCFI computers. A technology-related situation that results in a significant adverse effect on people, process, technology, facilities, etc., such as: a system "glitch" that results in ePHI being accessed by or sent to an inappropriate recipient; or a virus (for example, ransomware) that prevents users from being able to access PHI. If something like this happens, report the incident to the Privacy Officer.
What is misuse of PHI? Unauthorized access to, use of, taking of, possession of, release of, editing of, or destruction of client PHI.
How do mistakes happen?
Human error, like: faxing to the wrong individual/location. The wrong "sticky" client label is placed on a document, which is then handed to the wrong client. When typing a medical record number to look up an address, two digits are transposed, and the lab results are sent to the incorrect client. When searching for a client's address, her name is typed but her date of birth is not validated, and a client with the same name is selected instead.
Here are some examples:
Jane Doe's name, medical record number, and date of birth were placed on a prescription and handed to Molly Sue. Is this considered a breach of confidentiality? Yes. If Molly Sue reads Jane Doe's name on this form, or any other document, it is a breach of confidentiality. Ask Molly Sue to return the incorrect prescription, and forward it with an incident report to the Privacy Officer.
A reminder letter for the start of services was mailed to the wrong client. Is this a breach of confidentiality? Yes. It is a breach of confidentiality if the letter includes a different client's name. Ask the client to return the incorrect letter, document the disclosure, and forward it with an incident report to the Privacy Officer.
A client requested that we send her 2006 test results to her provider. In addition to the 2006 test results, we also released the 2004 and 2005 test results. Is this a breach of confidentiality? Yes. This is a breach of confidentiality because more information than the client requested was released (the 2004 and 2005 test results). Always keep in mind that we may only release the minimum necessary PHI to accomplish the purpose of the request, even when releasing to another treating provider, insurance company, etc. Ask the provider to return the 2004 and 2005 test results, and forward them with an incident report to the Privacy Officer.
A spouse answers the phone, or the voice mail picks up. What information may I provide? State your first name and that you are calling from CCFI. Ask the client to return your call, and provide your direct phone number. Do not provide lab results or other detailed information. Example: "This is Sally from CCFI calling for Johnny Doe. Please call me back at your earliest convenience at [number]. Thank you." Double-check that you ended the call.
You never know who may overhear you discussing a client. Another client or coworker could be the client's neighbor, best friend, cousin, etc. Remember to talk quietly. When possible, discuss PHI privately, such as behind a closed door. Avoid having discussions in client waiting rooms, elevators, the cafeteria, etc.
You’re walking through the grocery store one day, and see a CCFI client. What should you do? It’s ok to say hello but don’t ask the client “how she’s doing” or questions about her health/services. It’s ok to listen if she offers to update you on her health/services. Let the client approach you first, but don’t make it seem like you are trying to avoid her.
When you are delivering PHI internally, keep it close to your person, and turn papers over so people can't see them. When it is necessary to transport PHI externally: place it in a locked, closed container; place it in the trunk of your locked vehicle, or in the back of a locked SUV out of sight; and remember, you may not transport client charts offsite unless authorized to do so. Send all PHI in sealed confidential envelopes. Verify that no PHI appears on the outside of the envelope before stuffing it. Confirm you are sending the correct PHI. Place it in the mailbox or deliver it to the person; do not leave it unattended in an office. All confidential material must be locked up at the end of the workday.
Secure PHI when you leave your desk so others cannot read it. If you have an office, you have the option of closing your door instead. Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI. Don’t leave documents containing PHI unattended in fax machines, printers, or copiers. Check your fax machine frequently so documents are not left on the machine. Remember, if you have confidential info on paper that needs to be disposed of, it needs to be shredded. If you have electronic equipment (like a flash drive) with confidential info that needs to be disposed of, give it to the privacy officer.
There are three types of violations: incidental, accidental, and intentional.
Incidental. Example: a person in the waiting room recognizes someone else in the room, and realizes they are coming to CCFI for services. This situation is incidental, and there wasn't much you could have done to avoid it. Incidental disclosures are going to happen, even in the best of circumstances. An incidental disclosure is not a privacy incident, provided reasonable safeguards were in place (for example, talking quietly and not leaving PHI in view). This type of disclosure is not required to be documented.
Accidental. Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or if you breach the security of confidential data: acknowledge the mistake and notify your supervisor and the CCFI Privacy Officer immediately. Learn from the error and help revise procedures (when necessary) to prevent it from happening again. Assist in correcting the error only as requested by your leader or the CCFI Privacy Officer. Don't cover it up or try to make it "right" by yourself.
Intentional. If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect: disciplinary action, up to and including termination; civil and/or criminal charges; and possible monetary penalties. Examples include accessing PHI for purposes other than your assigned job responsibilities, and attempting to learn or use another person's access to information.
If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it. CCFI may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistleblowing). It is important to report violations so they can be investigated, managed, and documented; so they can be prevented from happening again; so damage can be kept to a minimum; and to minimize your personal risk. In some instances, management may have to notify affected parties of lost, stolen, or compromised data. Incidental disclosures need not be reported, but if you're not sure, report them anyway.
Shred or place all confidential paper in the designated confidential paper bins. Does this include Post-it notes, scratch paper, envelopes, and old non-confidential documents we no longer need? Non-confidential is the qualifier: if you have any PHI on that Post-it note, then it needs to be shredded. If you write a client name on a pizza box, it needs to be shredded, blacked out, or burned. If you have doodles on scratch paper, it can be placed in the recycle bin. How should I dispose of electronic media (floppy disks, CDs, USB drives, etc.)? Give the electronic media to the Privacy Officer to dispose of.
Remember, it is your responsibility, as a CCFI employee or provider, to comply with all privacy and security laws and regulations, and with CCFI's policies pertaining to them. Questions? Ask our privacy officer, Rachelle Cook!
Information by Rachelle Cook. Designed by Michelle Hughes.