HIPAA establishes national standards to protect patients' personal health information. It applies to covered entities like health care providers and insurers, as well as their business associates. HIPAA protects individuals' medical records and other personal health information by setting rules for use and disclosure of protected health information. It provides patients rights over their health information including rights to examine and obtain a copy of their records, and to request corrections. HIPAA also protects security of health information whether stored electronically or on paper. Violations of HIPAA can result in fines and penalties.

1. HIPAA

2. 2
What is HIPAA?
 HIPAA stands for the Health Insurance
Portability and Accountability Act of 1996
 A national law that prohibits the violation of
patient privacy and establishes standards for
the privacy and security of Individually
Identifiable Healthcare Information

3. 3
Who Must Comply?
 Covered Entity (CE): Health Plans, Clearing Houses,
and Providers who transmit any health information in
electronic form in connection with a standard transaction.
 Examples
 Insurance Companies
 Ambulatory Care Facilities ~The Stone Center
 Same Day SurgiCenters
 Hospitals
 Physician Offices
 Business Associate (BA)

4. 4
Business Associate (BA)
A business associate is a person or entity that
performs certain functions or activities that
involve the use or disclosure of protected
health information on behalf of, or provides
services to, a covered entity.
For example: Pharmacy Consultant, Information
Management Consultant, The Board of Governors, etc.
They may have access to patient information but it is
used for the purpose of The Stone Center not for their
own personal use.

5. HITECH -
ADDITION TO HIPAA
5
The Health Information Technology for
Economic and Clinical Health Act,
abbreviated HITECH Act, was added to
HIPAA effective in 2013.
The HITECH Act provides financial
incentives for the use of electronic health
records(EHR) in healthcare as well as
regulations for electronic use and
transmissions.

6. 6
HITECH -
ADDITION TO HIPAA
As technology has evolved HITECH stipulates that that
technologies and technology standards created under
HITECH do not compromise HIPAA privacy and security
laws. It requires:
•The healthcare providers' Business Associates (BA) are
accountable for the same liability of data breaches as the
providers themselves.
•Increased fines and penalties for breaches
•Requires practices to notify patients of any unsecured data
breaches related to Protected Health Information (PHI)
•Requires patients and designated third parties to be given
access to their PHI in an electronic format if available

7. 7
What is PHI?
 Protected Health Information (PHI): All
individually identifiable health information held or
transmitted by The Stone Center or its business
associate in any form
 Examples:
 Insurance Information
 Billing Information
 Patient Satisfaction Surveys
 Discharge Summaries
 Medical Records
PHI is Confidential!!

8. 8
What is Confidential?
 All information about patients is considered
private or “confidential,” whether written on
paper, saved on a computer, or spoken aloud.
 Individually identifiable data or data that identifies
an individual patient such as the following must
be carefully considered:
 Name, address, SSN, age
 Illness, treatments, medications, notes

9. 9
Use and Disclosure of PHI
HIPAA refers to the Use and/or Disclosure of PHI for
the purpose of:
 Treatment – the provision of health care
 Payment – the provision of benefits & premium
payment
 Operations – normal business activities
(reporting, data collection & eligibility checks, etc.)
These terms are collectively referred to as TPO.
PHI must not be used outside of TPO!

10. 10
Disclosure/Sharing-”Giving” PHI
 HIPAA states that The Stone Center must share
only the minimum necessary PHI
 Before sharing PHI, ask yourself:
“Does this person need this PHI to treat the
patient, receive payment or conduct
eligibility?
 Limit exposure of PHI to only what is needed to
perform your job

11. 11
Scenario
A co-worker calls you and asks for
information about his friend’s
procedure at The Stone Center. How
do you respond?

12. 12
Answer
Before looking at a patient’s health information, ask
yourself one simple question: “Do I need to know this to
do my job?”
If the answer is no, STOP! Do not attempt to access
the PHI. If the answer is yes, you have nothing to worry
about.
Before sharing a patient’s health information, ask
yourself: “Does this person need to know this to do
their job?”
If you reveal any information to someone who does
not need to know it, you have violated a patient’s
confidentiality, and you have broken the law!

13. 13
Scenario
A physician’s office calls to get
information on a patient who was
treated at The Stone Center. Do you
give the information to the office?
You must receive a request from the
patient that allows for his medical
information/record to be given to the
physician’s office. Once the request
is received the information can be
sent to the requesting physician.

14. 14
What happens if you
break the law???

15. 15
Sanctions
Disciplinary sanctions can be
imposed, up to and including
termination, on employees who
breach patient confidentiality.
The severity of the sanction will be
based on the nature of the violation
and include fines and prison.

16. 16
HIPPA ALLOWS
You are permitted to disclose PHI with or without authorization,
outside of TPO to a health oversight agency,in special
circumstances such as:
 required by law
 emergencies
 abuse
 neglect
 domestic violence
Examples:
 Notifying police of a potential neglect or domestic violence
situation
 Speaking to a patient’s friend who brought them into the
emergency room regarding details of an accident, when
waiting to speak to the patient may delay treatment

17. 17
HIPPA REQUIRES
 Designate a Privacy Officer
 Protect health information
 Post our Privacy Notice
 Create and maintain policies and procedures required to
comply with HIPAA
 Amend all policies and procedures as changes in the law
occur
 Track all intentional or unintentional PHI disclosures
 Train all employees on the Privacy Rule and its
application
 Report and track any breaches of PHI

18. 18
Scenario
A Stone Center nurse attempts to reach a
patient following his lithotripsy procedure.
The spouse answers the phone. Can the
nurse discuss the patient with the spouse?

19. 19
Answer
It depends…
Protected health information may only be disclosed to the patient but:
 A personal representative may be designated by the individual and
allowed to act on their behalf this would be documented in the
patient’s medical record.
 If a patient has an obvious caregiver, such as a spouse, discussion
regarding follow up care and medications may occur.
 Example: If you ask “Are you the patient’s caregiver?” and the
response is ‘Yes, we’ve been married 57 years and my wife is
sleeping after returning home from The Stone Center”, then it is
reasonable to assume it is appropriate to discuss the patient’s follow
up care with that person.
 If Mabel from next door is just dropping off soup, and answers the
phone, it’s NOT ok to discuss the patient with her.

20. 20
Patient Rights
 HIPAA’s focus is on the Rights of the Patient and confidentiality
of their information. Under HIPAA, patients have the right to
several key issues:
 Right to Request Amendment of their medical record
 Right to Request to Inspect and Copy their record
 Right to Restrict what information and to whom it can
be released
 Right to Receive Confidential Communication
 Right to Complain about a disclosure of their PHI
These are all listed on the HIPPA Form that is given to
each patient that is treated at The Stone Center &
also in TSC’s HIPAA Patient Rights Policy

21. 21
HIPAA Security
The Stone Center is responsible to control the means by
which health information remains confidential:
 Administrative Requirements – Tracking & Policy
documentation
 Physical Safeguards – Door locks & fire protection
 Technical Security Services – virus detection
software
 Technical Security Mechanisms – passwords &
encryption, shredding

22. 22
 Password protection for users
 Timed screen lock-out
 Secured/locked access to building
 Locked bins, drawers and files where applicable
 Protecting the PHI in your workspace - Faxes, printouts, reports
not left laying around
 Proper shredding & disposal
 Encrypted email
 Visitor access to facility
HIPAA Security at
The Stone Center

23. 23
Date: 3/04
PURPOSE: To establish written policies regarding the patient’s
rights to gain access to, and more control over the
use and disclosure of his/her personal health
information in accordance with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and
to make these rights available to the patient.
RESPONSIBILITY: Staff
PROCEDURE:
The Stone Center is required by law to:
• Make sure that health information that identifies you is
kept private;
• Give you a copy of the Notice of Privacy Practices which
explains our legal duties and privacy practices with
respect to health information about you; and
• Follow the terms set forth in the the Notice of Privacy
Practices.
In addition, you have the following rights regarding health
information The Stone Center maintains about you:
1. You have the right to inspect and copy health information
that may be used to make decisions about your care.
Usually, this includes health and billing records.
2. You have the right to request an amendment of your health
information if you feel that health information we have
about you is incorrect or incomplete, for as long as we
keep the information.
3. You have the right to request a list of accounting for
disclosures of your health information that we have made.
Generally, such uses and disclosures pursuant to treatment,
payment and health care operations are exempt from this
right, in addition to any uses and disclosures pursuant to
an authorization that is signed by you or your personal
representative.

24. CHANGES TO HIPPA RULE
On January 25, 2013, the Department of Health and
Human Services (HHS) posted Modifications to the HIPAA
Privacy, Security, Enforcement, and Breach Notification
Rules (the Final Rule) under the authority of the HITECH
Act and the Genetic Information Nondiscrimination Act
(GINA).
The Enforcement Rule changes are effective on March 26, 2013. The
additional 180 days afforded for most of the provisions in the Final Rule apply
only to modified standards or implementation specifications.
24

25. 25
 Ask questions when you are unsure & report
Disclosures immediately
 Contact the Privacy Officer Meg Oser
 Become Familiar with all HIPAA Policies &
Procedures
 Within the scope of caring for patients it is not a
violation of HIPAA to call the patient by
his/her name. This is incidentally disclosed,
However no other information should be called
out (i.e. test results, demographic information)
 Discussing patients by name in front of visitors is
a violation of HIPAA.
HIPAA TIDBITS

26. 26