2. What is HIPAA?
• Health Insurance Portability and Accountability
Act (HIPAA) is broad federal legislation that
includes rules to protect the privacy and confidentiality
of patient information.
• Does not replace existing confidentiality laws
• Establishes a minimum requirement
3. Protected Health Information
• HIPAA regulates the use and disclosure of what is
known as protected health information or “PHI.”
• PHI is any individually identifiable information about
a patient’s past, present, or future health condition, the
healthcare provided to that patient, or the payment for that
care.
4. Protected Health Information
This is virtually all information about a patient,
whether written on paper, saved on a computer, or
spoken aloud. This includes their:
• Name
• Address
• Age
• Social Security number
• Other personal information
• License plate numbers
• Fax machine numbers
5. HIPAA Confidentiality
HIPAA privacy also protects the following:
• The reason the patient is sick or in the hospital
• The treatments and medication he or she receives
• Caregivers’ notes
• Information about past health conditions
6. Use of Protected Health Information
• In general, a healthcare provider can access and use
PHI without specific patient authorization, if it is to
be used for treatment, payment, or healthcare
operations (TPO).
• Before looking at a patient’s health information,
ask yourself, “Do I need to know this to do my
job?”
7. Use of Protected Health Information
A healthcare provider can also disclose PHI without
patient authorization:
• When required by law
• For public health activities
• To law enforcement
• For other national priorities, such as funeral directors, organ
donation, research, preventing a serious threat to health or
safety, special government functions, and workers’ compensation
8. Use of Protected Health Information
• Minimum Necessary Standard – Always use or
disclose only the Minimum amount of information
necessary to honor the request
• If you are not sure whether you should disclose any
form of PHI, ASK your supervisor, department
compliance representative or the compliance officer
• Once the disclosure is made it’s too late to get it
back.
10. Use of Electronic Protected Health Information (ePHI)
• HIPAA security rules apply only to ePHI stored,
maintained or transmitted in an electronic format
• ePHI is the same information as PHI; anything that
could identify the patient, their medical condition or
method of payment
• Security rules require additional compliance
11. Use of Electronic Protected Health Information (ePHI)
• Use computers and other technology appropriately.
Workforce members may not use their computers or system
access to look up their own PHI or that of family members.
• If you use a laptop, palmtop computer, PDA or
removable storage media, it is your responsibility to:
– Obtain approval before transferring ePHI to a portable
device
– Protect ALL ePHI on the device from theft, both electronic
and physical
12. Use of Electronic Protected Health Information (ePHI)
• Monitor the use of cellular phones
– Information and images (ePHI) can be sent over the Internet.
This ePHI is not encrypted.
• Sending ePHI over the e-mail system is not allowed.
• Use e-mail and Internet access appropriately
– Workforce members should remember that e-mails sent to or
from RFA computers are not considered private. RFA can
and does audit e-mail and Internet usage.
13. Use of Electronic Protected
Health Information (ePHI)
• Password control. Sign off of applications after you
are finished.
• You are your password. Protect it. Never share it.
• If you believe your password has been compromised,
call the HELP desk immediately. Tell them your concern
and ask for a new password.
14. What Does HIPAA Mean To Me?
• Our patients have a right to expect we will keep their information
confidential. This information includes anything that could identify
or be used to find out the identity of the patient or their medical
condition.
• As employees, volunteers and physicians, we come in contact
with many forms of patient information, i.e. surgical lists, laboratory
draw lists, patient census listings, etc. We need to understand what
are acceptable uses of this information.
• Follow the “need to know” rule. Ask yourself “do I need to see
patient information to perform my job”. If the answer is “Yes”, you
have nothing to worry about. If the answer is “no”, STOP.
15. What Does This All Mean To Me?
• The cafeteria, the elevator or any of the social media sites are not the
place to discuss the medical condition or other aspects of a patient’s
care.
• Information you have access to must not be the subject of
conversation with family, friends or neighbors.
• Most disclosures of PHI do not need an authorization by the patient.
PHI can be disclosed without an authorization for reasons of TPO
and any of the 12 permitted uses under the Privacy Rule. Any other
disclosure requires an authorization by the patient.
• The minimum necessary standard needs to be applied to all
disclosures except for treatment purposes, disclosures to the
patient, or disclosures required by law.
16. What Does This All Mean To Me?
• Never send ePHI to anyone unless you have verified who will
receive the information and how the information will be used.
If it doesn’t seem right to you, it probably isn’t.
• Remember follow the “need to know” rule. Ask yourself “do I
need to see patient information to perform my job”.
If the answer is “Yes”, you have nothing to worry about.
If the answer is “no”, STOP.
• Use e-mail and Internet services in the proper manner.
17. What Does This All Mean To Me?
• Always protect your password. NEVER give your password or
sign-on to anyone. If you think your password or sign-on has
been compromised, notify the Administrator immediately.
• Violations can also result in personal civil penalties of up to
$25,000 per person and criminal penalties of up to $250,000
and/or 10 years in prison.
• Violations of confidentiality and privacy policies can result in
disciplinary action up to and including discharge.
18. What Does This All Mean To Me?
• If you know of any violation of our existing
confidentiality policies or the Privacy Policy, it is your
obligation to bring the violation to the attention of your
supervisor, Administrator, or Compliance Officer.
Compliance is the responsibility of every employee!