1
Alliance for Clinical Education (ACE)Student HIPAA Training
July 2008
2
Objectives
Describe the HIPAA Privacy rules and regulations
Identify patients’ rights and your role in protecting them
Discuss your responsibilities under HIPAA – related policies and procedures
Explain the penalties for non-compliance
3
Protecting Patient PrivacyIS EVERYONE’S RESPONSIBILITY
4
Your Responsibilities
Respect the patient’s right to privacy
Know the facility’s privacy policies
Be sensitive
5
Definitions HIPAA – the Health Insurance Portability and
Accountability Act of 1996. A federal law that specifies the types of measures required to protect the security and privacy of personally identifiable health information.
Patient Confidentiality – keeping information about a patient’s health care private. The information is shared only with those who need to know in order to perform their duties on behalf of the patient.
6
Definitions continued… Protected Health Information (PHI) – medical
information that can be traced to, or identified with, a particular patient. PHI is information created or received by a health care organization that relates to the past, present, or future health or condition of an individual.
Transaction – the exchange of information between two parties to carry out financial or administrative activities related to health care.
7
HIPAA
What is it?
“Patients have the right to have health information kept private and secure”
**HIPAA is mandatory, there are penalties for failure to comply
8
Covered Information
Confidentiality and PrivacyAll protected, identifiable health information (PHI) must be considered and treated as confidential and all patients have the right to request restrictions on who will see their PHI.
SecurityEstablishes the requirements for ensuring the confidentiality, availability and integrity of PHI
9
Patients have the Right to:
Expect privacy and freedom from intrusions or disturbances regarding his/her personal affairs.
Expect that all communications and records concerning his/her care will be treated as confidential. Information will be shared only with those who need to know the information to perform their duties on behalf of the patient.
Review the records pertaining to his/her medical care.
10
What must be
Kept
CONFIDENTIAL?
11
Confidential? How do I know?
Did you learn the information through caring for your patient?
If yes, then consider it confidential
12
Understanding PHI(Protected Health Information)
Protected Health Information Is created by a health care provider Is information that there is a reasonable
basis to believe it could be used to identify the patient
Relates to past, present or future physical or mental condition of an individual; provision of healthcare or for payment of care provided to an individual
Is transmitted or maintained in any form (electronic, paper or oral representation)
13
Privacy Protected Elements Health information is considered individually identifiable if any of the following are present:
Name Full address Names of relatives Name of employers Birth date Telephone numbers Fax numbers Electronic e-mail
addresses Social security number Medical record number Health plan beneficiary
number Account number
Certificate/license number Any vehicle or other
device serial number Web Universal Resource
Locator (URL) Internet Protocol (IP)
address number Finger or voice prints Photographic images Any other unique
identifying number, characteristic, code that could be used to identify the patient
14
Patients Right to Receive Notice of Privacy Practices
Items required to be included in the Notice:
How medical information is used and disclosed by an organization
How to access and obtain a copy of their medical records
A summary of patient rights and facility responsibilities under HIPAA
How to file a complaint and contact information for filing a complaint
15
Facilities Notice of Privacy Practices
The patient has the right to receive a Notice of Privacy Practices: Must provide the notice at the first
encounter with the patient Must attempt to obtain written
acknowledgement of receipt of the Notice of Privacy Practices
16
Minimum Necessary HIPAA
Requirement: Identify members of
the work group who need access to confidential information
Identify what information can be accessed
Limit access
WHAT GROUP DO YOU BELONG TO?
Complete Access:•Clinical departments•Health Information Management•Students: limited to assigned patient only
Limited Access:•Admissions/Business Office
No Access:•Departments or individuals whose job does not require any handling of PHI (Food Services, Environmental Services/Housekeeping)
17
Discussions of PHI Staff will discuss patient information to
share information and the treatment plan. Every effort should be made to protect the privacy of the patient by minimizing risk that others can overhear the conversation.
The discussion of PHI should never occur in public areas such as the cafeteria or elevators.
Discussions can occur at the nursing station and with a patient in a treatment area.
18
Minimum Necessary
What can I access as a student?
Only the information you “NEED TO KNOW” to care for assigned patient
DO NOT access information when you are not caring for that patient any longer or for any patients you are not assigned to care for
19
Patient Right to Access
Patients have the right to: Access or inspect their health record Obtain a copy of their health record from the
healthcare provider Reasonable fees may be charged for copying
Access and copying for as long as the information is retained
Facility must act on request for access no later than 10 days after receipt (Colo. Law)
Students: Refer requests for access to the facility staff
20
Patients Right to Request Privacy Restrictions The patient has the right to request an
organization restrict the use and disclosure (release) of their protected health information Can request restriction in use of information
for treatment, payment or healthcare operation purposes (TPO)
Organization is not required to agree with the request for restrictions
Requests must be made in writing No staff level individual should accept any
requested restrictions Students: Refer requests for restrictions to
the facility staff
21
Patients Right to Amend Patients have the right to
request an amendment to their PHI
Amend is defined as the right to add/revise information with which s/he disagrees. The original information is not removed from the record but the amended/corrected information is added to the record.
Students: Refer requests for amendments to the facility staff
22
As a Student How do I Handle….
An individual asking for access to their record?
Students: Refer requests for access to the facility staff
The staff will follow-up per specific facility policy
23
Disclosure ??? What is it???
The release, transfer, access or divulging of PHI (protected health information) to an outside person or entity
Students do not participate in this process
24
Disclosure can occur without the patient’s consent under the following conditions:
When required by law For public health activities to control
disease, injury or disability For disaster relief In cases of abuse and neglect For coroners, funeral directors and organ
donation For legal proceedings For worker’s compensation In cases of communicable diseases
25
Student Responsibilities In a patient room or exam room
Knock before entering room Identify yourself as a student Close door after entering the room Ask visitors to leave the room unless patient
requests otherwise Speak softly if roommate present
In a clinic or office setting Sign in sheets should contain minimal amount of
PHI Street address or reason for visit should not be on
sign in sheets
26
Student Responsibilities cont… At the Nurses Station
Do not leave patient information, e.g. flow sheets, charts, sticky notes, lab reports or x-rays out in the open where others may view. When finished working on it, put it back where it belongs
Shred all documents with PHI, do not put in garbage, do not take them home
When at the nurses’ station, speak softly when discussing PHI. It is best to use a private area to discuss the patient
27
Student Responsibilities cont… At the Computer
Have screen facing away from the public so it is not visible to patients, visitor and other unauthorized persons
Always log off when leaving the computer
Change the password on your computer if required by clinical facility
Do not share your log-in information or password with anyone else. You are responsible for what is done under your log-in
28
Student Responsibilities cont… Using E-mail
Always use protected, encrypted email to communicate with your faculty and clinical instructors
Never use PHI in e-mail attachments or in the email itself for the following reasons E-mail can easily be sent to the wrong
person, either on purpose or by accident
E-mail does not ensure privacy of information transmitted
29
Student Responsibilities cont…
Do not post PHI or discuss patients you have met on web-based chat rooms (My Space, Facebook)
Do not take photos of patients Do not photocopy medical records At the Fax
Students do not use the fax machine during the clinical experience
30
Student Responsibilities cont…
Using an Interpreter When interpreter services are needed,
follow clinical agency practice In Public
Never mention a patient’s PHI in public as people are often watching and listening, as you never know who knows the patient
Never carry, review, discuss or disclose a patient’s chart or PHI in a public place
31
Scenarios
Following are scenarios to help you think through privacy related situations in the clinical facilities
After reading each scenario, think how you would answer the question before going to the next slide
Scenario answers follow each scenario
32
Scenario #1
One of your fellow students who had lab work done recently, called you from home and asked you to look up her lab results on the computer and give her the results.
Do you look up your fellow students lab results?
33
Scenario #1 Answer
No. Since you are not providing treatment to your fellow student, you are not permitted to look up her lab results and provide them to her. She needs to get this information from her doctor
This applies to your own records as well
34
Scenario #2
You see your fellow student reading through a patient's medical record. She is not providing treatment for this patient.
What do you do?
35
Scenario #2 Answer
Tell your clinical instructor. He/she will follow-up with the student.
The clinical instructor then needs to notify the facility privacy officer of this action
36
Scenario #3
Your sister’s close friend is having surgery at the organization where you are doing a clinical rotation. She asks you to find out what you can about the friend’s condition. Should you call and ask around to the nurses you know? Should you look up the friend’s medical record?
37
Scenario #3 Answer No. Even if you and your sister have the best intentions
you have no right to look at private information about her friend’s health. Suggest to your sister that she call the facility or visit the information desk. If the patient has agreed to have her information available, hospital staff will assist her in obtaining information on her friend.
Do not seek out confidential patient information unless you need it to do your job. When you happen to hear confidential information, do not repeat it to anyone.
Looking at patient records for any non business reason is cause for disciplinary action and can have possible legal consequences.
38
Scenario #4
You are called to work in a patient's room to perform a routine job. You knock on the door and are invited in. You see that a nurse is in the room discussing the patient’s condition or medication.
What should you do?
39
Scenario #4 Answer If you must do the job immediately to properly care for
the patient, ask whether you can interrupt. If the job can wait, explain that you are there to perform a routine job and will return in 15-20 minutes. This protects the patient’s privacy by allowing him/her to openly discuss his/her condition without being overheard
Some patients may say that it is acceptable for you to stay in the room during the conversation. But remember that a patient may not feel comfortable sharing everything about his/her symptoms or medical history while you are in the room. They also might not feel comfortable asking you to leave. It would be best for you to come back later.
40
Scenario #5 You are working the ER when you see that
a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the hospital.
Should you notify her that her husband is in the ER?
41
Scenario #5 Answer No. Tell the nursing staff that you know the patient
and his wife. Tell them that if they need to locate her, you can help. When patients are in the hospital, they have the right to decide who should know that they are there. Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the ER staff will allow him to decide whom to notify that he is there.
If he is unconscious, the doctors and nurses will use their professional judgment about whether to notify his wife. Leave the decision up to the ER staff. They will let you know whether they need your help to find the patients wife.
42
Scenario #6
You are in the nurses station where the patients medical records are located in the chart rack. You spot the name of a close friend.
Should you stop by her room?
43
Scenario #6 Answer
No. if you learned of your friend’s stay only by seeing the name on a medical record on the chart rack, you should not go to her room.
You should inform your clinical instructor of your relationship with her so that you are not assigned to care for her.
If you find out from the patient or her family member that she is a patient there, feel free to visit her after your shift.
44
Scenario #7
You are walking by a trashcan and notice a pile of photocopied records has been laid on top of the trash.
How should you handle this?
45
Scenario #7 Answer
Don’t just take the records to a shredder or locked disposal container yourself. Gather the records and take them to your clinical instructor. He or she will report it to the Manager of the unit who will investigate the incident and report it to the organization’s privacy officer.
46
Scenario #8
A woman provides the name of a patient and asks for information.
What can you tell her?
47
Scenario #8 Answer Refer the woman to the information desk Check the facility directory. If the patient
is listed in the directory, you can tell the woman the patient’s location.
If the patient has requested that his name not be included in the directory, you can not give out any information about them to anyone or even acknowledge that they are here, regardless of the person’s relationship to the patient.
48
Scenario #9
At the nursing station, you are approached by someone asking to see a patient record.
What do you do?
49
Scenario #9 Answer
Refer to agency staff for clarification of identification and appropriateness of request.
50
What Happens If….
A privacy policy is violated?
Patients have the right to file a complaint and
Civil and criminal penalties could occur
51
Patient’s Right to File a Complaint The patient has the
right to file a complaint if s/he believes privacy rights have been violated*
*Organization must provide contact information for filing a complaint
52
Doing Your Part Access confidential
information ONLY if you need it to care for your patient.
Protect your computer passwords
Understand the facility’s privacy policies
Report problems to the facility staff
53
As a Student Patient identification
Cannot use patients initials Need to assign a number to the patient
for identification
Care plans Any notes with PHI gathered must be
shredded after the assigned shift The use of PDAs or pocket PCs to RECORD
patient information is not allowed
54
Penalties……. Both criminal and civil penalties for:
Failure to comply with HIPAA requirements Knowingly or wrongfully disclosing or receiving
individually identifiable health information Obtaining information under false pretenses Obtaining information with intent to:
Sell or transfer it Use it for commercial advantage Use it for personal gain Use it for malicious harm
Fines as high as $250,000 and prison sentence of up to 10 years
55
References
HIPAA Programs from: ACC Craig Hospital Centura HCA-HealthONE Denver Health P/SL Regis University