Protected health information (PHI) is what HIPAA is all about. You are dealing with PHI any time you handle information that relates to:
a mental or physical condition (past, present or future)
treatment for a mental or physical condition
payment for treatment
and that can be tied to a specific individual. (Note: the phrase “relates to” in the definition of PHI may be interpreted broadly by the courts. Any information about an individual, even an address or telephone number, is potentially PHI.) <customize with additional notes as needed>
Penalties for not meeting HIPAA standards can cost an organization millions of dollars. Additionally, if an individual knowingly misuses health information, criminal sanctions, including prison sentences, may apply. <customize with additional notes as needed>
<add notes dealing with this organization’s sanctions policy including where an employee can obtain a complete copy>
PrivaPlan includes a sample complaint form. HIPAA requires that you document every complaint and the actions taken to address it. Remember that HIPAA compliance investigations will most likely be complaint-driven: if you resolve a complaint to the patient’s satisfaction, you may avoid a complaint investigation by HHS.
Privacy and security cannot be guaranteed with technical tools alone. All users must do their part to maintain the overall strength of the system. <customize with additional notes as needed>
HIPAA PRIVACY 101 Orientation for the University of Maryland Dental School and U.M. FDSP
X-rays labeled with a name, medical record number, social security number, etc.
Laboratory prescriptions, including prescriptions for dental prostheses (crowns, partials, dentures, etc.)
PENALTIES FOR NON-COMPLIANCE WITH HIPAA
Civil: $100 fine per violation of each standard (up to $25,000 per person, per year, per standard).
Criminal: $50,000 fine and up to one year in prison for knowingly disclosing health information improperly.
$100,000 fine and up to five years in prison for obtaining health information under false pretenses.
$250,000 fine and up to ten years in prison for using health information for commercial advantage, personal gain or malicious harm.
Documents referring to over 125 psychiatric patients of a hospital were found in a convenience store trashcan. A medical student had taken papers outside of the hospital and dumped them in the trash. The documents included lists of patients in the psychiatric unit and their diagnoses.
A doctor’s staff looked up an employee’s medical record to learn her birthday so they could throw her a surprise party. The employee’s medical record contained many sensitive details previously unknown to the staff.
A “good faith” effort must be made to get the patient’s written acknowledgment that they received the NPP at the first treatment encounter.
If we cannot get the acknowledgment, we must document our “good faith” efforts to obtain it. Simply place a note in the chart that the patient was given the NPP but refused or forgot to sign the acknowledgment.
We must keep a record of the acknowledgment (or our effort to obtain one) for at least six years. This is accomplished by placing the acknowledgment or note about our efforts to get an acknowledgment in the written chart. Written charts of the Dental School are kept for seven years before they are destroyed.
This is not the same as a legal power of attorney or a court-appointed guardianship. A personal representative named this way cannot consent to treatment.
Note the name of the personal representative in the written record, or have the patient fill out a form naming one. The patient can name a personal representative verbally or in writing.
“Minimum necessary” is the buzz phrase for PHI: only request what is needed, and only disclose what is needed. What is “minimum necessary” varies according to a person’s job. A receptionist does not need to know all the details of a patient’s medical history to do his or her job.
We cannot disclose PHI to the portions of the Dental School not involved with patient care. We must ensure this does not happen, as part of our hybrid entity status.
Under Maryland law, an authorization to disclose PHI is valid for no more than one year. This would apply, for example, to the use of a full-face photograph in a study club presentation.
A consent form for research (a clinical trial) is different from an authorization.
Patients enrolled in clinical trials after April 14, 2003 will sign both an authorization and an informed consent. In the case of research, the authorization can be longer than one year. The IRB will post an authorization form template on the Web.
A waiver for authorization for research can be granted by the IRB for retrospective studies.
Some uses and disclosures of PHI happen as a result of an otherwise permitted use or disclosure and cannot reasonably be prevented:
Conversations that can be overheard in a waiting room, exam room or other patient accessible area
Patient charts kept outside of exam rooms
Appointment reminder messages left on a patient’s home answering machine
Front Desk sign in sheets and calling out a patient’s name
Each member of the workforce must take reasonable efforts to limit uses and disclosures to the minimum necessary, but HIPAA does not require that all risk of incidental disclosure of PHI be eliminated.
It is the responsibility of every authorized data user to maintain confidentiality of University of Maryland Dental School health information assets even if technical security mechanisms fail or are absent.
A lack of security measures to protect the confidentiality of information does not imply that such information is public.
An authorized data user who finds that he or she has retained, or been inadvertently granted, access beyond what is appropriate to his or her current role should report this to his or her department director.
Passwords are the individual’s responsibility and users should not share them. All computers with PHI need password protection.
Passwords should be changed at least every ninety days.
Passwords should be at least six characters long and not easily guessed or found in a dictionary. Use of numeric digits and non-alphanumeric characters in passwords is encouraged for protection of confidential information.
Users should not write down passwords, store them on hard copy, or store them unprotected on workstations and laptop computers.
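The password rules above can be enforced at the point where a password is set. The check below is an added example, not part of the original training material or of any University of Maryland system; it uses the page’s own thresholds (six-character minimum, no dictionary words, digits and symbols encouraged rather than required) and a tiny constructed wordlist as a stand-in for a real cracked-password list. A naive dictionary check is easy to defeat by appending “1!” or writing “P@ssw0rd”, so the check first strips digits and symbols from the ends and undoes common substitutions before looking the word up.

```python
import string

# Constructed stand-in for a real wordlist; in practice load a large,
# lowercased list (e.g. a public cracked-password dump) into a set.
DICTIONARY = {"password", "dental", "maryland", "welcome", "letmein", "secret", "patient"}
MIN_LENGTH = 6  # threshold from the training material

# Substitutions that do not make a dictionary word meaningfully harder to guess.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_core(pw):
    """Reduce a candidate to the word an attacker would actually try: lowercase,
    drop digits/symbols bolted onto the ends, undo leetspeak, keep letters only."""
    stripped = pw.lower().strip(string.digits + string.punctuation)
    return "".join(c for c in stripped.translate(LEET) if c.isalpha())


def check_password(pw, dictionary=DICTIONARY):
    """Return {"ok": bool, "failures": [...], "warnings": [...]}.
    Failures reject the password (length, dictionary word); warnings reflect
    the page's 'encouraged' digit and symbol use and do not reject it."""
    failures, warnings = [], []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    core = dictionary_core(pw)
    if core in dictionary:
        failures.append(f"based on dictionary word '{core}'")
    if len(set(pw)) == 1:
        failures.append("single repeated character")
    if not any(c.isdigit() for c in pw):
        warnings.append("no digit")
    if not any(c in string.punctuation for c in pw):
        warnings.append("no non-alphanumeric character")
    return {"ok": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("abc", "P@ssw0rd", "Dental123!", "toothfairy", "Tooth-Fairy_9"):
        print(candidate, check_password(candidate))
```

The dictionary lookup is the part worth investing in: the length and character-class rules are cheap, but a six-character password that is a dictionary word with a trailing digit falls to an offline guess in seconds, which is why the normalisation step runs before the lookup.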
Do not put the patient’s name, number or other PHI in the subject field.
Print a copy of any email containing PHI and place it in the written record.
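The subject-line rule is easy to forget, and a mail gateway or send hook can catch the obvious cases before the message leaves. The check below is an added example, not code from the original material or from the Dental School’s systems: it scans a subject line for the identifiers the page lists (medical record number, social security number, date of birth) and for names from a caller-supplied patient roster. The SSN and MRN patterns are assumptions about formatting and should be adjusted to the local numbering scheme; the roster and sample subjects are constructed for the demonstration.

```python
import re

# Assumed identifier shapes; tune the MRN pattern to the local record-number format.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record(?: number| no\.?| #)?)\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def subject_findings(subject, patient_names=()):
    """Return the kinds of PHI found in an email subject line: regex hits from
    PHI_PATTERNS plus 'patient name' if any roster name appears as a whole phrase."""
    found = [label for label, rx in PHI_PATTERNS.items() if rx.search(subject)]
    lowered = subject.lower()
    for name in patient_names:
        if re.search(r"\b" + re.escape(name.lower()) + r"\b", lowered):
            found.append("patient name")
            break
    return found


def subject_is_clean(subject, patient_names=()):
    """True when nothing in the subject line needs to be moved into the body."""
    return not subject_findings(subject, patient_names)


if __name__ == "__main__":
    ROSTER = ("Jane Doe",)  # constructed roster; a real hook would query the practice system
    for subject in (
        "Re: crown for Jane Doe, MRN 1234567",     # constructed: name and MRN in subject
        "SSN 123-45-6789 verification",            # constructed: SSN in subject
        "Lab prescription, see attached chart",    # constructed: acceptable subject
    ):
        print(repr(subject), "->", subject_findings(subject, ROSTER))
```

A regex gateway only catches structured identifiers and listed names; it does not replace the rule itself, since a subject such as “the crown patient from Tuesday” can still identify someone. Treat the check as a safety net, not as permission to skip the policy.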
Email disclaimer: This email may contain confidential information and may be protected by law as a legally privileged document and copyright work. Its content should not be disclosed, and it should not be given or copied to anyone other than the person(s) named or referenced above. Any review, retransmission, dissemination, or other use of this information by anyone other than the intended recipient is prohibited. If you have received this email in error, please contact the sender.
Storing patient health information in portable devices (laptop, PDA, tablet PC, etc) is not recommended.
If you choose to store patient health information on a portable device, you are responsible for the security of that information (e.g. strong password protection for accessing the device, file encryption, and proper disposal of unwanted storage media).