HIPAA Basics

The History of HIPAA As health care providers, we have always been called upon to maintain the privacy and confidentiality of a patient’s health information. This is an ethical and legal obligation that we hold as nurses and as nursing students. Until recently, a patient’s medical record was recorded and maintained primarily on paper and stored in the offices of physicians, hospitals, and other health care professionals. These records were kept safe in locked cabinets or closets.

The History of HIPAA With the advent of computers and other electronic technology, we are now able to maintain electronic files that allows us more flexibility in communicating information between offices, hospitals, and clinics, as well as cutting down on the space requirements for storage. In addition, we are better able to track and analyze data that helps us to be more effective in providing care as well as in controlling costs. According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization. There are, however, concerns that the increase in electronic information result in a loss of privacy and confidentiality. Because so many people potentially have access to patient medical information now, we need to do more to ensure that the only people who do access the medical information are those who need to have access in order to provide care.

The History of HIPAA The Federal government passed a law in 1996 that creates national standards to protect patients’ medical records as well as other personal health information. This Federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).

The History of HIPAA HIPAA became effective on April 14, 2003. It sets for minimum standards that facilities must follow to protect patients’ health information. The key term associated with the privacy rules is Protected Health Information or PHI. It covers information that can be found in: Information used within the facility Verbal or written information Information stored in computer files Information stored in paper patient files Information shared with other health care providers, payers or third parties

Failure to Comply Every health care organization is expected to develop policies and procedures to guide practices within their facility. Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. Each team member’s work is important for patient care. At the same time, it is essential that all patients’ health information be kept confidential. Organizations or individuals that violate the Privacy rules are subject to monetary fines (up to $250,000!) and / or civil or criminal charges (up to 10 years in jail!). Failure to comply may also hurt the reputation of the facility, put accreditation at risk, and result in costly lawsuits.

HIPAA Goal The goal of the privacy program is to protect confidential information from improper use or disclosure . What does this mean to you?

Administrative Requirements Every agency must: Appoint a Privacy Officer. Develop policies and procedures that guide HIPAA implementation, evaluation and revision. These should include actions taken for people who do not follow the directives. Provide education on HIPAA and organizational policies and procedures. Develop a process for handling privacy related complaints. Ensure no retaliation occurs against someone who reports potential violations in good faith. Take appropriate action to minimize any harm that may result from breach of privacy. Ensure processes are in place to demonstrate compliance with documentation and record keeping.

YOUR Responsibility You must respect confidential information about patients and use information only to perform your role as student nurse in that agency. It is your responsibility to be sure patient information is only given or disclosed to others who have a legal right to it. What information needs to be kept private? All information that identifies an individual is considered confidential. This includes, but is not limited to name, address, date of birth, phone/fax numbers, social security number, medical record number, and photographs. It also includes nursing and physician notes, as well as billing and other treatment records used during a patient’s visit in a hospital or office.

HIPAA Patient Rights HIPAA guarantees several rights to patients: Right to privacy Right to confidential use of their health information for their treatment, billing process, and other health care operations (such as quality improvement) Right to access and amend their health information upon request Right to provide specific authorization for use of their health information other than for treatment, billing and other health care operations Right to have their name withheld from our patient directories Right to request that information is not given out concerning their care to specific individuals including the right to ‘opt out’ of our patient directory (name not listed as being present in our facility other than for treatment, billing, and other health care operations) Right to request that individuals are not told of their presence in our facilities

HIPAA Patient Rights Every patient should receive a document called a Notice and be asked to sign an Authorization. This Notice gives patients: Information about their rights. A description of how their PHI may be used by the facility. A comprehensive list of others to whom their health information may be disclosed. The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation.

HIPAA Patient Rights An Authorization is a form signed by the patient for the use and disclosure of specific PHI that are not related to treatment, payment, or health care operations. There are some uses and disclosures where an authorization is not required. When in doubt about what information is required to have a signed authorization for release, ask!

HIPAA Patient Rights What do you need to know? Patients have the right to register complaints with Federal agencies and with the facility if they feel their rights have been violated. Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation. If you are uncertain about what information may be given out, talk to your instructor or one of the nurses on the unit where you are assigned, or contact the Privacy Officer.

Review Question HIPAA’s goal is to catch staff sharing patients’ health information with those who do not need the information. True or False? To see the correct answer, click on NEXT.

Answer ANSWER: FALSE The goal of HIPAA is to protect confidential patient information from improper use or disclosure. If you see an apparent violation, you should report it to your instructor who will immediately assist you in contacting the Privacy Officer.

Unauthorized Disclosures Some of the biggest threats to patient privacy is unintentional disclosure of information: Discussing a case where other patients or visitors may overhear, such as in elevators, hallways or the cafeteria. Leaving sensitive information out where patients or visitors can see it. Another threat to patient privacy is when a workforce member intentionally uses or discloses information in an unauthorized way: Copying information and taking it home. Removing medical records from the health facility and giving them to others who have no legal right to them. Deliberately sharing information with unauthorized persons (family members, friends, or news reporters). Using confidential information in gossiping about patients. Leaving a computer unattended after logging in to an application. Sharing passwords with others or leaving passwords around a computer.

Unauthorized Disclosures It is essential that everyone who provides care and services to patients be aware of what is going on in their surroundings to ensure that confidential information is only shared with those who need to know, and at the minimum level necessary to enable them to carry out duties and responsibilities safely, effectively, and efficiently. Always be aware of where you are, who is around you, and what information can be seen or heard. It may not be possible to ensure absolute privacy, but reasonable measures need to be taken to “minimize the chance of incidental disclosure to others.” Don’t browse through a patient’s chart or other files out of curiosity. Access only the portions of medical record you need to perform your specific role as a student nurse.

Review Question One of the privileges of working in health care is that we have access to our family and friends’ health information so we can find out when they have an illness. True or False? To see the correct answer, click on NEXT.

Answer ANSWER: FALSE We do not have a right to access anyone’s health information including family members unless it is directly needed for the completion of our job responsibilities for a patient. If you accidentally see patient information that is not directly needed for you to perform your job, you cannot share that information with anyone else.

Verify Identity Before you can release information about a patient, you must first confirm the identity of the person requesting information about the patient, whether in person, by phone, or in writing. What methods can be used to verify identity? A photo ID Information that only the patient would know, and which you can confirm, such as the patient’s middle name

Security Rules Privacy rules identify what information is protected and define when and how that information may be used or disclosed. Security rules apply to PHI that is sent electronically from one location to another. Security rules identify steps to take to secure PHI that is in electronic format. They also apply to PHI that may be used or stored by the facility. There are four key parts which work together to protect PHI. These are: Physical Security: hands-on access to computer hardware, systems, areas, and buildings. Technical Security: the process to identify the access and type of information individuals may access and view on a computer. Technical Security Mechanisms: processes that automatically monitor systems activity and report suspicious activity. Administrative Procedures: policies and procedures that define steps the facility will take to address the above. These define the basic level of security that must be in place to comply with HIPAA

Electronic Communication Part of ensuring the privacy rules is to understand how information is stored, transmitted, and accessed by staff. Faxes, e-mails, and computer printouts may contain patient information. Take precautions to ensure that these types of communications get to their intended destination. As students, you will likely not be in a position to fax or email patient information to others. If you are placed in a situation where this becomes necessary, talk with your instructor about the proper procedure.

Case Scenario Dr. Williams asks Sue, a nurse, to bring up his patient’s lab results on the computer screen. Dr. Williams looks around and does not see any other staff or visitors in the area. He asks Sue to turn the monitor so he can see the chart. There is no other person around the desk when the screen is turned towards him. When Dr. Williams is finished, Sue turns the screen back around facing away from public view. Dr. Williams and Sue violated the patient’s privacy by turning the screen and viewing the lab results. True or False? To see the correct answer, click on NEXT.

Case Answer ANSWER: False They took the time to examine their surroundings and made certain that no unauthorized individuals were near. Turning the screen and then returning it to a secure position is an acceptable practice. If visitors or others were present, the doctor would need to go behind the desk and view the screen.

Paper Communication You will find during your clinical experiences that there is a lot of paper that contains confidential patient information. Make sure you keep this paper out of the public view. Do not leave documents where the public can easily access them, even accidentally. Many of you may use visitors’ lounges for conferences. Do not leave your papers or any medical record information where it can be seen by others. When documents containing patient information are no longer needed, shred them or dispose in designated containers.

Case Question Julie is a nurse entering notes into a patient chart at the nurse’s station where visitors come to ask questions. Jeff, another nurse, steps out of a patient’s room and asks Julie for help. Julie leaves the chart open on the desk, then goes to assist Jeff in the patient’s room. Q: Leaving the chart open on the desk when the nurse leaves the area is OK because she will be right back and trying to find her place would take too much time. True or False? To see the correct answer, click on NEXT.

Case Answer ANSWER: False The best way to maintain patient confidentiality is to never leave records unattended in public places. Closing the chart is a good first step. In a non-emergency situation, return the chart to its designated location before leaving the area. In an emergency situation, secure the chart using your professional judgment, then proceed to assist with the emergency.

Verbal Communication Nursing is never practiced in isolation. It is a collaborative team operation. As a result, there are many times when you will need to discuss patient information with colleagues. In doing so, remember you must: Only discuss information relevant to the patient’s care. Only include those involved in the patient’s care. Select an area that is as private as possible, and check the surroundings to ensure no one will overhear confidential information who shouldn’t.

Case Scenario Jennifer, a nurse, and Tom, a physical therapist, are eating lunch together in the cafeteria. They begin discussing a patient that they are both treating. The cafeteria is crowded and others around them can hear them referring to the patient’s name and other confidential information. Q: They are violating the patient’s privacy in this situation. True or False? To see the correct answer, click on NEXT.

Case Answer ANSWER: True Never discuss a patient’s health information in areas where there are others that don’t need to know about it. If you need to discuss a patient’s care with a co-worker, speak softly in an area away from the public.

Case and Question An adult daughter of an elderly patient is present in the room when his doctor enters to speak with the patient about test results. The patient introduces his daughter to the doctor, and then asks the doctor if the test results are back. The doctor begins to explain the results to the patient. Q: The doctor violated the patient’s privacy by talking about the test results with the daughter present in the room. True or False? To see the correct answer, click on NEXT.

Case Answer ANSWER: False Since the patient asked about the results with his daughter in the room, the doctor can assume that it is appropriate to share the results at that time.

Case Question In a Radiology waiting room, an x-ray technologist calls the next patient by name saying “Jane Smith, we are ready for your to get your sonogram now.” Q: The x-ray technologist violated the patient’s privacy by calling out her name and test to be performed. True or False? To see the correct answer, click on NEXT.

Case Answer ANSWER: True Employees in doctor’s offices and waiting rooms are allowed to publicly call a patient’s name. However, care should be taken to limit any other information communicated. The x-ray technologist should not have mentioned the test to be performed. Stating that the patient is having a sonogram is unacceptable. “Jane Smith, we are ready for you now.” is acceptable.

Non-Retaliation Policy There should also be a policy in place to safeguard the rights of a person who, in good faith, reports a privacy violation. Action should not be taken against anyone who, in good faith: Exercises her or his rights, including filing a complaint. Contacts or sends a complaint to the Department of Health and Human Services. Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing. Believes that an act or practice is against the law. The person reporting the violation must have a reason to believe that there is a problem and may not use or disclose PHI to address her or his concern.

Complaints If you feel there has been a privacy violation, inform your instructor who will immediately assist you in contacting the Privacy Officer. Refer patients who have a privacy concern or complaint to the nurse in charge of the unit.

Summary All health information that specifically identifies an individual is considered confidential. Protecting the privacy of patient information is everyone’s responsibility. Even though you are a student nurse, you are an active part of this program. Use patient information only to perform your responsibilities as assigned. Be aware! Don’t intentionally or unintentionally disclose patient information. Help others to do the same. If you suspect any privacy violations or concerns, notify your instructor who will immediately assist you in contacting the Privacy Office.

Thank You! We are HIPAA compliant... Are You?

HIPAA Basics

More Related Content

What's hot

Viewers also liked

Similar to HIPAA Basics

More from Karna *

Recently uploaded

HIPAA Basics