Providing Care With
Respect and Dignity
Through Data Security
& Privacy Practices
HIPAA Review for Interpreters
Presented by: The Privacy Office
Core Elements of this Review
1. Accessing PHI (Protected Health Information) beyond the scope of
your duties is a violation of HIPAA’s “Minimum Necessary” Rule,
which is everyone’s responsibility in every transaction.
2. It also violates Clinic Policy, and can lead to immediate termination.
3. Providers and Business Associates are required by law to report
privacy/security incidents or suspected violations. Contact the
Privacy Office at ext. 14216.
4. Under HITECH patients have the right to pay cash out-of-pocket in full at
the time of service to keep the insurer from receiving information about the
visit (going forward). This is called a “Cash Restriction”.
5. Sending patient information through external email requires the
user to type the word “encrypt” in the subject line.
6. Sharing passwords or user IDs is strictly prohibited.
HIPAA is a Federal Law named
“The Health Insurance Portability
and Accountability Act”.
HIPAA was enacted in 1996 to
standardize electronic health insurance
transactions. Its primary purpose was
to reduce the gap in health insurance
coverage occurring with change of
HIPAA Omnibus – the Final
Rule is effective 9/23/13
Business Associates now have all the
responsibilities of a Covered Entity and must
also require the same protections of any
Health Insurance Portability & Accountability Act
HIPAA Privacy Rule focuses on the Uses
and Disclosures of patient identifiable health
and billing information. It structured the
insurance industry’s electronic data exchange.
Gave patients 6 new civil rights. Requires
designation of a Privacy and Security Officer,
delivery of a Notice of Privacy Practices before
the first service, contractual agreements for
privacy between Organizations, and internal
reporting with mitigation of violations.
HIPAA Security Rule focuses on the
Confidentiality, Integrity, and Availability
of patient-identifiable electronic health and
billing information. Requires that reasonable
and appropriate measures be taken. It is
technology neutral and includes scalability of
numerous requirements. There are
Organizational requirements, and safeguards
include administrative, physical and technical
HITECH expands penalties, requirements, and
enforcement capacity. Expands the definition
and responsibilities of a Business Associate
(BA) to the same level as CE (Covered Entity).
Requires HHS proactive auditing of CE’s. Adds
patient right to Cash Restrictions. Requires
patient notification without unreasonable delay, and no later than
60 days after discovery, of a breach of unsecured PHI. Requires that any
breach affecting over 500 patients is reported to HHS,
media outlets, and patients. It also provides
Meaningful Use incentives for Providers to use
OMNIBUS The “Final Rule” expands requirements for BA’s and
their subcontractors, increases penalties, expands HHS audit
numbers, and audit scope where evidence of willful negligence
is found. Huge increases in fines. It requires the CE to audit
compliance of its Business Associates. BA’s are directly liable for
their breaches. It changes the definition of Business Associate
and “breach notification”. Lack of BAA does not prevent this
designation. State Attorneys General are given “private right to
action” to prosecute on a patient’s behalf (the state gets a
percentage). Genetic information is now PHI. Decedent info is no
longer PHI 50 years after death. Documented Risk Analysis is now
required for incidents not reported to HHS due to low probability
that PHI was “compromised”. Patients can ask for records in
electronic format and the CE must accommodate if reasonable. Entities
that create, receive, maintain or transmit ePHI for CE’s are now
BA’s. BA’s must provide an accounting of disclosures if requested.
Business associates will be subject to audits, compliance reviews,
and enforcement actions by HHS.
It’s been updated several times!
•Monetary penalty system is as follows:

Degree of Culpability / “State of Mind”                  Penalty per Violation   Maximum Annual Cap for All Violations of an Identical HIPAA Provision
Violation was not known and could not have been
discovered with reasonable diligence                     $100 - $50,000          $1,500,000
Reasonable cause for violation, not due to willful
neglect                                                  $1,000 - $50,000        $1,500,000
Violation due to willful neglect, but corrected in
30 days                                                  $10,000 - $50,000       $1,500,000
Violation due to willful neglect, not corrected in
30 days                                                  $50,000                 $1,500,000

•Violations are counted up “based on the nature of the … obligation to act or not to act.”
New factors - # of persons affected by the violation, potential harm to those persons’
reputations and finances.
•Generally, monetary penalties will be tallied on a per person and per day basis. A
violation should be corrected promptly, within 30 days. Delaying beyond that timeframe
will foreclose certain defenses that could decrease monetary penalty amounts.
•The maximum annual cap of $1.5 million is applied on a “per provision” basis.
Who Is A
HIPAA Covered Entity?
• A Covered Entity (CE) is a health plan, a health care
clearinghouse, or a health care provider that transmits
health information electronically for standard transactions
(billing, eligibility, etc.). No authorization is required for
PHI release for purposes of treatment, payment and health care
operations (TPO).
• Everyone at Springfield Clinic is
considered part of the same covered
entity. Internally releasing patient
information without patient consent is
Who Is A Covered Entity Outside the Clinic?
• Any Provider with either a face-to-face patient relationship or
who processes transactions using electronic patient
• Any Health Care Plan paying for patient services
• Any Clearinghouse providing healthcare billing services
• Dentists; NP’s, PA’s, Counselors, Therapists (Interpreters working
for the Clinic are Business Associates, not Covered Entities; see below)
• Medical Benefits Coordinator for ANY residential facility
– Law enforcement officials holding prisoner in custody
– Residential, Group & Nursing homes
• School Nurses (only when evaluating students or
What Is Protected Health Information (PHI)?
Any patient identifiable information
contained within an electronic media and
This includes all subsequent release of
medical records, demographics, or billing
information, whether released orally,
through electronic transmission, copies, or
De-identifying PHI is the only legal way to transmit in an unsecured transmission.
Consult with I.T. before using ePHI on personal devices.
To de-identify information, call the ROI Services Manager in HIM Correspondence.
HIPAA Protects Patient-identifiable Health and/or Billing
Information, So What Constitutes Identifiers?
2. Street address
5. All dates (admit/discharge, DOS, date of death)
6. ZIP code (the first 3 digits may be kept only if that 3-digit area has a
population > 20,000; otherwise use 000)
7. Any geographic division smaller than a state
8. Age (if 90 or more, report age as “90+”)
9. Telephone, cell, or other personal number
10. Fax Number
11. URL and IP addresses (e-mail/internet)
12. VIN and serial numbers (vehicle)
13. Full face photos
14. Tattoos and any unique physical anomalies
15. Medical Record Number
16. Account Number
17. Insurance plan numbers
18. Device identifiers and serial numbers
19. Biometrics including fingerprint, voice, iris
20. Certificate/License Numbers
De-identifying PHI is considered a “safe harbor” for transport or storage.
However, there must be a procedure in place to de-identify accurately and, where a
re-identification code is kept, to re-identify accurately. Encryption is more commonly used.
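The Safe Harbor method described above is mechanical enough to automate. The Python below is an added illustration, not part of the Clinic’s materials or tooling: it drops direct identifiers, keeps only the year of any date, reports ages of 90 and over as “90+”, truncates ZIP codes to three digits (or 000 for the low-population prefixes), and then scans free text for identifiers that slipped through. The field names, the sample record and the note text are constructed. The full regulatory list also includes names, Social Security numbers and e-mail addresses, so those fields are removed as well.

```python
"""Safe Harbor de-identification of a patient record, plus a check for
identifiers that survive in free text. Added illustration; the field names,
the sample record and the note text are constructed, not Clinic data."""
import re
from typing import Dict, List, Optional

# Fields removed outright. Names, SSNs and e-mail addresses are on the
# regulatory list even though the slide's numbered list does not show them.
# (Assumed schema: map these to your own record layout.)
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "account_number", "insurance_id", "phone", "fax",
    "email", "url", "ip_address", "device_serial", "vin", "license_number",
    "biometric", "photo", "street_address", "city", "county",
}

# Three-digit ZIP prefixes whose area holds 20,000 people or fewer, per the
# list in HHS de-identification guidance (2000 census); these become "000".
# Verify against current guidance before relying on this set.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns that mean an identifier leaked into free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zipcode: str) -> str:
    """Keep the first three ZIP digits only where that area exceeds 20,000 people."""
    zip3 = re.sub(r"\D", "", zipcode)[:3]
    return "000" if len(zip3) < 3 or zip3 in SMALL_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages of 90 and over collapse into the single bucket '90+'."""
    return "90+" if age >= 90 else str(age)


def generalize_date(iso_date: str, keep_year: bool) -> Optional[str]:
    """Strip month and day (ISO YYYY-MM-DD input); drop the year too when it
    would reveal an age of 90 or more."""
    return iso_date[:4] if keep_year else None


def deidentify(record: Dict[str, object]) -> Dict[str, object]:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    over_89 = int(record.get("age", 0)) >= 90
    out: Dict[str, object] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or value is None:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif key == "dob" or key.endswith("_date"):
            year = generalize_date(str(value), keep_year=not (key == "dob" and over_89))
            if year is not None:
                out[key + "_year"] = year
        else:
            out[key] = value
    return out


def residual_identifiers(text: str) -> List[str]:
    """Identifier patterns still present in free text; an empty list is the goal."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


# Constructed sample record (not a real patient).
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "000123456", "ssn": "123-45-6789",
    "dob": "1921-04-02", "age": 92, "zip": "62702", "state": "IL",
    "admit_date": "2013-09-23", "diagnosis_code": "E11.9",
    "note": "Follow-up call to patient at 217-555-0100 on 09/24/2013.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE)
    print(cleaned)
    # Free text still needs review: the note keeps a phone number and a date.
    print("residual identifiers in note:", residual_identifiers(str(cleaned["note"])))
```

The structured fields come out clean, but the free-text note still carries a phone number and a full date, which is why the residual scan is there: stripping known fields is not the same as de-identifying the record, and anything the scan flags has to be reviewed by hand before the record leaves a secured channel.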
HIPAA Rule: Provide Minimum
Necessary Information Per
• It is the individual’s responsibility to
provide no more than the “minimum
necessary” patient information to satisfy a
request or to complete a transaction.
• The principal exception to minimum necessary is releasing
health and/or billing information to another Provider for
treatment. Disclosures to the patient, under a signed patient
authorization, or to HHS are also exempt.
Patient Rights Under HIPAA
• If we accept terms or conditions
requested by the patient they must be
• Please contact the Privacy Office
when patients assert the civil rights
reviewed on the following slides.
The Right To Review their Health and/or
• Patients may ask to sit with us and review their
medical and billing records, which is a Health
– (Call the Privacy Office Staff)
• They may ask for paper or electronic copies in any
preferred format and we generally must provide this
(Behavioral Health Records may be an exception –
– (Call Health Information Mgmt. - Correspondence)
The Right To Request Amendment of
Their Health Or Billing Information
• When the patient disagrees with statements in the
record, it is their right to ask the author to change the
– (Refer them to the Privacy Office)
• The provider may refuse the amendment if he/she
feels that the content is “complete and accurate” as
it is, or if the information came from another source
• The Privacy Office assists the patient in adding a
rebuttal letter to the disputed content if amendment
The Right To Request
• When a patient asks us to change our
normal method of communicating with
him or her.
• HIPAA states that where we can we
should. Remember that this type of
request applies to all Clinic computer
systems and offices. Let the Privacy
Office handle it.
The Right To Request
When a patient asks us to change the way we internally
flow their PHI through our transaction processes.
– (It is critical to call the Privacy Office)
• Don’t give my records to the Workers’ Comp
• Don’t let the receptionist at my doctor’s office
see my information (she’s my ex sister-in-law)
• Don’t send information to my other doctors
The Right To An
• When a patient asks “Where have you sent my
information without my authorization”?
– (Call the Privacy Office)
• We must supply a listing of 6 years of past
• With an EHR, we must include all electronic
transactions as of 1/1/14.
The Right to a Paper Copy of the
Notice of Privacy Practices
• HIPAA requires that patients receive the Notice of Privacy
Practices (NPP) before their first service with a covered
• The purpose is to:
– Assist the patient in choosing a provider based on our uses and
disclosures of their PHI
– Inform them of their privacy rights under the law
– Provide a contact to complain to when they feel their rights have
• If anyone asks for a privacy notice, please take them to
the nearest reception desk for an NPP (Notice of Privacy
Purpose Of The NPP
• Intent of a public notice
• To help patients choose between
• To explain rights given to individuals
• To inform a patient where to complain
if rights are violated
• If requested, we should try to make
accommodations for our special needs
• Braille copies are available from Operations
• Large Print and Spanish are on our internet
The Right to Receive Their PHI
Electronically in Their Preferred Format
• Patients now have the right to ask for their
PHI in their preferred electronic format.
We must accommodate if reasonable to
• We must provide a reason why if we
decline and ask for another preference.
The Right to Request a
HITECH Cash Restriction
• Any patient may request that today’s services
not be submitted to insurance, and if he/she
meets conditions, we must allow it.
• In order to allow this cash restriction, the patient
must request it before the visit is completed, and
pay up front total charges for today.
• When those conditions are met, we must never
release this information to the insurer (even in
HIPAA Says: No Snooping!
Five medical workers have been fired over patient data
breaches at Cedars-Sinai Medical Center. The audit was
triggered by Kim Kardashian’s delivery of daughter North West
on June 15, 2013. Kim’s family suspected a leak of information
at Cedars-Sinai after media reports included undisclosed
details of the stay.
Four of the workers logged onto the hospital’s information
system to access patient records, as employees of local
physicians with staff privileges at the hospital.
The others included a Medical Assistant, a Foundation
employee, and a volunteer student research assistant.
After “Octomom” was discharged, Kaiser Permanente fired 15
employees and disciplined 8 more for inappropriate access.
After fashion designer Gianni Versace passed away, 5
employees were fired for inappropriate access.
UCLA paid $865,500 to settle breaches of celebrity privacy. The audit covered
2005-2009, during which breaches had been reported on dozens of
celebrities, including Britney Spears, Farrah Fawcett, and
• Extra sensitivity for well-known patients is required. Access audits are likely on
VIP’s, such as celebrities, politicians, or recent news stories.
• Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.
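The access audits mentioned above can be scripted. The Python below is an added example, not Clinic tooling: it reads constructed EHR audit-log lines, compares every access to a watch-listed (VIP) patient against that patient’s documented care team, and builds the per-user access counts an investigator would start from. The log schema, the watchlist, the care-team table and all users and patient IDs are assumptions.

```python
"""Flag possible snooping in EHR audit logs: accesses to watch-listed (VIP)
patients by users with no documented treatment relationship. Added example;
the log schema, watchlist, care teams, users and patient IDs are constructed."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed audit log. Assumed columns: timestamp,user,role,patient_id,action
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2013-06-15T09:02:11,rn.alvarez,RN,P1001,view_chart
2013-06-15T09:05:40,md.chen,MD,P1001,view_chart
2013-06-15T09:07:03,ma.brooks,MA,P1001,view_chart
2013-06-15T10:15:22,vol.patel,VOLUNTEER,P1001,view_demographics
2013-06-15T10:16:01,ma.brooks,MA,P2002,view_chart
2013-06-15T11:30:45,md.chen,MD,P1001,write_note
2013-06-15T12:01:09,rn.alvarez,RN,P1001,view_labs
2013-06-15T13:44:18,vol.patel,VOLUNTEER,P1001,view_chart
"""

# Patients under heightened scrutiny and the users with a documented
# treatment relationship to each (both tables are constructed).
WATCHLIST: Set[str] = {"P1001"}
CARE_TEAM: Dict[str, Set[str]] = {"P1001": {"rn.alvarez", "md.chen"}}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV audit export into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_vip_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Every access to a watch-listed patient by someone outside that
    patient's care team. These are leads for the Privacy Office, not
    verdicts: the user may have a legitimate reason the roster misses."""
    return [
        dict(e, reason="no documented treatment relationship")
        for e in events
        if e["patient_id"] in WATCHLIST
        and e["user"] not in CARE_TEAM.get(e["patient_id"], set())
    ]


def accesses_by_user(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """user -> patient_id -> number of accesses, the starting table for an
    access audit of a VIP stay."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["patient_id"]] += 1
    return {user: dict(per_patient) for user, per_patient in counts.items()}


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for hit in flag_vip_access(events):
        print(f"{hit['timestamp']} {hit['user']} ({hit['role']}) {hit['action']} "
              f"{hit['patient_id']}: {hit['reason']}")
    print(accesses_by_user(events))
```

Run against the constructed log, the two care-team members pass and the medical assistant and volunteer are flagged for every touch of the watch-listed chart. The point is the shape of the check rather than the roster itself: the care-team table has to come from scheduling or encounter data, and every hit is a question for the Privacy Office, since a clinical reason may exist that the roster does not capture.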
• Clinic Policy states that all health and health-
related services and programs provided by the
Clinic are available and accessible equally to
patients who are hearing impaired, and to
those with limited English proficiency (“LEP”).
• Interpreters shall receive payment for services
performed only upon submitting a Clinic form
invoice, which is verified or endorsed by a
• Telecommunications manages our
interpreter contracts, and interpreters are
available for multiple languages.
• As Business Associates, interpreters are
entitled to access minimum necessary PHI
relating to the visit, for their services or
• Interpreters should contact the ROI Services
Manager in Health Information Management
at extension 43742 to request chart copies.
May I discuss treatment information with a
visitor present in the exam room?
• The patient gives implied consent to discuss
treatment-related information in front of the visitor by
allowing them into the treatment room.
• Include the visitor by name and relationship in
• FYI, The Provider’s best practice is always to
ask any visitor to step out at some point and
ask the patient if there is anything they wish to
discuss privately at this time. Also inquire as
to social history and any potential abuse
Good to Know!
• A visitor brought to the exam room is
only allowed to be privy to the
discussion during the exam. For an
adult patient, even a parent’s presence
does not provide access to any
additional information later, regarding
that visit (or any other encounter)
without a signed patient authorization.
Authorized Patient Representatives
May I release information to a patient’s
healthcare power of attorney?
– Watch this! Typically a POA for healthcare may only
access a patient’s information after the patient is
deemed incapacitated. However, some forms state
they are effective on the date signed.
– You must read the form to see if it is activated.
– This is different from a non-healthcare POA.
– Protect yourself and do not act on a POA unless the
document is in patient’s record!
• A Business Associate is defined as a
business or person who is hired to
assist with daily operations, and whose
job requires them to have access to
• HIPAA requires written contracts with
legally specific language which
requires that BA to handle all PHI
according to HIPAA rules even when
Is It Okay to E-mail Patient
to Another Provider?
• Where it is necessary to email, your email
must be encrypted.
• If email with PHI is received from
Springfield Clinic, the subject line must
contain the word encrypt.
• You may respond to an encrypted email
HIPAA & Your Role
• As a Business Associate of the Clinic, we
would appreciate knowing anytime we are
not delivering “best practice” services to
• Please notify the Privacy Operations
Manager at ext. 14216.
• We will appreciate your feedback .
How Can I Reach the Privacy Office?
The phone directory lists us under Privacy Office.
• Information Privacy Officer
– Linda Meadows ext. 14540
• Privacy Operations Manager
– Nancy Cardinale-Lower ext. 14216
• Privacy Operations Analysts:
– Dawn Kane ext. 14245
– Farrah Reagon ext. 14217
– Danielle Dellaquila ext. 14278
• Privacy Support Specialist
– Safron Squires ext. 14198
Thank you for completing this review!
Helping to educate our Interpreters about privacy
and security rules is part of the Clinic’s ongoing
mission to provide the highest quality of
healthcare to the people of Central Illinois!