Clinical Non- Patient Care areas (job specific)

(Clinical Non - Patient Care Areas)
HIPAA Job Specific Education
Participants will be able to:
Describe an overview of HIPAA and HITECH privacy
key definitions and principles
Describe how HIPAA and HITECH affect job duties
List tips and guidance for applying privacy
HIPAA Terminology
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health Act
PHI: Protected Health Information
CE: Covered Entity (Hospital)
ACE: Affiliated Covered Entity (Common ownership)
OHCA: Organized Health Care Arrangement (The hospital and medical staff
will be considered an Organized Health Care Arrangement)
DRS: Designated Record Set (medical record and billing record)
AOD: Accounting of Disclosures (patient’s right to receive)
Directory: Hospital census list used by volunteers and operators with name
and room
Hospitals are required by law to maintain the
privacy of patients’ health information.
It is everyone's responsibility to ensure patient
information is properly protected and
Facility Privacy Official (FPO)
What is a FPO?
The FPO is the “go-to” person for any
Potential patient privacy issues
Questions on patient privacy matters
Patient privacy complaints
FPO for OU Medical Center Systems is Joan Crall
FPO for OUMC-Edmond is Wanda Price
Definition & Purpose
What is HIPAA?
• The Health Insurance Portability and Accountability Act (HIPAA) was
enacted by Congress in 1996. The HIPAA Privacy Rule provides
federal protections for personal health information held by covered
entities and gives patients an array of rights with respect to that
• Federal Law.
What is the purpose of the law?
• Guarantee privacy and security of health information
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud, abuse and administrative health care cost
• Improve quality of healthcare in general
Definition & Purpose
What is HITECH?
The Health Information Technology for Economic and Clinical Health Act
(HITECH) was signed into law by the President on February 17, 2009. It is
the part of the American Recovery and Reinvestment Act of 2009.
It is a Federal Law.
HITECH Act strengthens those patient privacy protections of HIPAA and
places additional requirements on the healthcare community.
What is the purpose of the law?
Makes massive changes to existing privacy and security laws
Increases penalties for privacy and security violations
Creates a nationwide electronic health record
HITECH Changes
While there are many changes as a result of HITECH,
some of the more substantial changes include:
Requirements for notification when certain breaches of
protected health information (PHI) occur
Strengthened criminal provisions
Additional audit capabilities by the Office of Civil Rights
Changes to the patient's right to access his or her health
Let’s look at some of the details of these changes.
Breach Notification
A breach is a security incident in which sensitive,
protected or confidential data is copied, transmitted,
viewed, stolen or used by an individual unauthorized to
do so.
Certain breaches of protected health information can
result in potential significant risk of harm to the patient
and now require notification to:
The patient
The Department of Health and Human Services
And in some situations, the media
Civil Monetary Penalties for
Violation Category
Each Violation
All such violations of
an identical provision
in a calendar year
Reasonable Cause
Willful Neglect – Corrected
Did Not Know
Willful Neglect – Not Corrected
* As of 2/17/2009
Criminal Penalties for
• For health plans, providers, employees, clearinghouses and business
associates that knowingly and improperly disclose information or
obtain information under false pretenses can be assess penalties.
These penalties can also apply to any “person”.
 up to $50,000 and one year in prison for obtaining or disclosing
protected health information (PHI)
 up to $100,000 and up to five years in prison for obtaining protected
health information under "false pretenses"
 up to $250,000 and up to 10 years in prison for obtaining or disclosing
protected health information with the intent to sell, transfer or use it
for commercial advantage, personal gain or malicious harm
• Penalties are higher for actions designed to generate monetary gain.
What is Protected Health
Information (PHI)?
PHI is the information pertaining to healthcare that contains any of these identifiers.
People often believe that if the patient's name is removed then the information is
not PHI. That is not true. There are many types of patient identifying information.
Address including street, county,
zip code and equivalent geocodes
Name of relatives
Name of employers
All elements of dates except year
(DOB, admission/ discharge,
expiration, etc. )
Telephone numbers
Fax numbers
Email addresses
Social Security number
Medical Record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial
Web universal resource locator (URL)
Internet protocol address (IP)
Finger or voice prints
Photographic images
Any other unique identifying number,
characteristic or code
How will HIPAA affect you?
Coversheets with confidential statement need to be used on all faxes.
Screens will need to be placed out of public view and screensavers in use
Patients will identify who their information can be discussed with, including
All PHI will need to be placed in Shred-It containers (e.g., dietary slips)
Patient information should only be accessed if there is a need to know and
only the minimum necessary used
Adhere to all Information Security Policies and Standards.
Minimum Necessary
• Only workforce members with a legitimate “NEED TO KNOW” may
access, use or disclose PHI
- Regardless of the extent of the access provided
• Only the minimum amount of PHI necessary may be used to
accomplish the intended purpose of the access, use or disclosure
• Workforce members CANNOT access their own record
- Contact HIM/medical records to request access
Notice of Privacy
Practices (NOPP)
The patient receives NOPP at each registration.
Patient privacy rights are outlined in the NOPP:
o Right to Access
o Right to Amend
o Confidential Communication
o Right to Restrict
o Right to Opt out of the Directory
o Right to Request an Accounting Disclosure
Right to Privacy Restrictions
• Patients have the right to request a privacy restriction of
their PHI
• NEVER agree to a restriction that a patient may request.
Always refer the individual to the FPO
• All requests must be made in writing and given to the FPO to
make a decision on
• No request is so small that it should not be routed to the FPO
Accounting of Disclosures
• An individual has a right to receive an AOD of protected health
information made by a covered entity for up to 6 years:
Medical & Billing records
All required state reporting
Births and Deaths
Tumor Registry reporting
Domestic/Child Abuse suspect reporting
• Very complex to implement
• Due to HITECH, additional requirements are forthcoming
Patient Privacy Complaints
• ALL privacy complaints must be routed to the FPO
• FPO maintains complaint log in accordance with the complaint
• No retaliatory actions can be taken
• Disposition of the complaint must be consistent with the facility’s
Sanctions for Privacy Violations
• The Meditech Risk Management module may be used for complaint
For More Information Review:
Policy #: 20-09 Patient Privacy – Privacy Complaint
Examples of Exposure
• Lack of knowledge regarding permitted uses of PHI
• Discussions of patient information in public places
such as elevators, hallways and cafeterias
• Inappropriate control or use of patient lists with PHI
• PHI in regular trash
• Records that are accessed without need to know in
order to perform job duties
Examples of Exposure Cont.
• Sharing passwords
• Using business agents without contracts and
appropriate Business Associate Agreements
• Sharing PHI without an authorization when one is
• Failure to act proactively to prevent, detect, or correct
privacy or security breaches
• Discussing patient information on social networking
sites (e.g., Facebook, Twitter)
• There is a sanctions policy to address privacy and information
security violations
• Types of violations can include:
– Negligent (accidental or inadvertent)
– Intentional (purposeful)
• For specific information on sanctions policy contact FPO and/or
review the facility’s policy
For More Information Review:
Policy #: 20-19 Patient Privacy – Sanctions for
Privacy and Information Security Violations
Patient Privacy Policies and Forms
on the Intranet
Test Your Knowledge
Do you know who your FPO is?
What kinds of privacy rights does the patient have?
Can a patient amend their record?
Do you know who to refer patient privacy questions or
complaints to?
• What is an Accounting of Disclosures?
• When can you access, use or disclose the patient’s PHI?
• Where do you dispose of patient information?
The following are the policies related to the
HIPAA/HITECH. Review them further as needed:
20-01: Patient Privacy – Community Clergy Access to Patient Listings Under HIPAA
Privacy Standards
20-02: Patient Privacy – Designated Record Sets
20-03: Patient Privacy – Determination of, and Uses and Disclosures of De-Identified
20-04: Patient Privacy – Authorization for Uses and Disclosures of PHI
20-05: Patient Privacy – Hybrid Entity
20-06: Patient Privacy – Limited Data Set and Data Use Agreement
20-07: Patient Privacy – Marketing Under the HIPAA Privacy Standards/HITECH
20-08: Patient Privacy – Patient’s Right to Opt Out of Being Listed in Facility Directory
20-09: Patient Privacy – Privacy Complaint Process
20-10: Patient Privacy – Sanctions for Privacy and Information Security Violations
Policy and Procedure Cont.
20-11: Patient Privacy – Uses and Disclosures for Which an Authorization or
Opportunity to Agree or Object is not Required
20-12: Patient Privacy – Uses and Disclosures of Patient Health Information to
Other Treatment Providers Under the HIPAA Privacy Standards
20-13: Uses and Disclosures of Patient Health Information to Patients’ Family
Members or Friends for Patient Care Purposes
20-14: Patient Privacy – Uses and Disclosures Required by Law
20-15: Patient Privacy – Verification of External Requestors HIPAA and PHI
20-16: Patient Privacy – Electronic Incident Response
20-17: Patient Privacy – Confidential Patient Status
20-19: Patient Privacy – Photographing, Video Recording, Audio Recording, and
Other Imaging of Patients, Visitors, and Workforce Members
20-20: Patients’ Right to Access
Thank you for your attention and for
protecting our patient’s PHI.
Every patient, every time!

similar documents