HIPAA TRAINING
What is HIPAA?
As part of the promise to give patients the highest quality of health care, we have always kept information about their health confidential, sharing it only with people who need the information to do their jobs.
Until now this promise was part of our Code of Ethics. But under a new federal law that goes into effect on April 14, 2003, it will be illegal to violate this code.
This law, the Health Insurance Portability & Accountability Act of 1996 or “HIPAA” for short, makes this promise a federal mandate for the first time.
What are the components of HIPAA?
There are three components: insurance portability, fraud enforcement, and administrative simplification. The first two components of HIPAA, portability and accountability, have been put into effect. Portability ensures that individuals moving from one health plan to another will have continuity of coverage and will not be denied coverage under pre-existing conditions/clauses. Accountability significantly increases the federal government’s fraud enforcement ability in many different areas.
Health information is easy to share and easy to misuse, as is all information. Let us give you some examples:
· OR waiting room
· RPH pick-up
· Rosters
· Two staff overheard talking to each other
Enforcement.
Breaking HIPAA’s privacy or security rules can mean either a civil or criminal sanction. Criminal penalties for “wrongful disclosure” can include not only large fines, but also jail time. The criminal penalties increase as the seriousness of the offense increases. These penalties can be as high as fines of $250,000 or prison sentences of up to ten years:
· Knowingly releasing patient information will result in a one-year jail sentence and $50,000 fine
· Gaining access to health information under false pretenses can result in a five-year jail sentence and $100,000 fine
· Releasing patient information with harmful intent or selling information can lead to a ten-year jail sentence and $250,000 fine.
Confidential information equals identifiable information.
Let’s think about what information you give out that is identifiable information. Elements that make up information individually identifiable include the following:
· Names
· Addresses
· Employers
· Relatives’ names
· Dates of Birth
· Telephone numbers
· FAX numbers
· Email addresses
· Social Security numbers
· Medical record numbers
· Member or account numbers
· Certificate numbers
· Voice prints
· Fingerprints
· Photos
· Codes
· Any other characteristic, such as occupation, which may identify the individual.
Essentially, identifiable information is anything that can be used to identify a patient. Releasing any of this information for other than permissible purposes is in violation of the HIPAA policy regulation.
This individually identifiable information is referred to as PHI (Protected Health Information). This information can be written, spoken, or electronic; all forms are protected by HIPAA.
There are two major ways in which one can protect patient privacy:
1. Ask yourself the question “Do I need to know this to do my job?”
2. Do not pass information you are privileged to have on to anyone else without appropriate authority.
While doing your job, there will be times or occasions when you will have access to confidential information you do not need for your own work. For example, you may become aware that a patient is a client of home health, receiving foot care, or other information about a person whom you know or don’t know. This is confidential information; do not communicate it to anyone else.
You may also see patient information as you walk through the public health department, on charts lying on desks, on computer screens or have access to it through billing or legal proceedings. In the course of your work, you may work in areas where this information is visible. You must keep this information confidential. Do not disclose it to anyone, including coworkers, visitors, or anyone else who may ask or who may also know or not know the patient. Or, in the course of your job, you may also find that a patient speaks to you about their condition. Although there is nothing wrong with this, you must remember that they trust you to keep what they tell you confidential. Do not pass it on, for any reason, at any time.
What are the rules for the use and disclosure of protected health information (PHI)?
With few exceptions, PHI can’t be used or disclosed by anyone unless it is permitted or required by the privacy rule.
PHI is used when:
· Shared
· Examined
· Applied
· Analyzed
PHI is disclosed when:
· Released
· Transferred
· Accessed by anyone outside the covered entity
You are permitted to use or disclose PHI:
· For treatment, payment, and health care operations
· With authorization or agreement from individual patient
* authorization must be obtained to disclose PHI not used for treatment, payment, or health care operations
* an authorization must be signed and dated with an expiration date
* signed authorization can be revoked by the patient at any time
· For disclosure to the individual patient
· For incidental use, such as a physician talking to a patient in a semi-private room
You are required to release PHI for use and disclosure when:
· It is requested or authorized by the individual – although some exceptions apply
· When required by the Department of Health and Human Services for compliance or investigation
There are six reasons to release confidential information without authorization:
1. State Health agencies require providers to report to them when patients have certain communicable diseases, even if the patient does not want the information reported
2. The Food & Drug Administration requires providers to report certain information about medical devices and/or malfunction
3. Some states require physicians and other caregivers who suspect child abuse, neglect or domestic violence to report it to the police
4. Police have a right to request certain information about patients to determine whether they are suspects in a criminal investigation or to assist them in locating a missing person, material witness, or suspect
5. The courts have a right to order providers to release information
6. Providers must report cases of suspicious death or suspected crime victims.
These HIPAA privacy rules also provide you, as a client, NEW rights.
· Receive privacy notice at the time of first delivery of services
· Restrict use and disclosure, although the covered entity is not required to agree
· Have PHI communicated to them by alternate means or at alternate locations to protect confidentiality
· Inspect, correct, and amend PHI and obtain copies, with some exceptions
· Request a history of non-routine disclosures for six years prior to the request, and
· Contact designated persons regarding any privacy concern or breach of privacy within the facility or at HHS.
Along with your privileges come responsibilities. Your responsibilities include understanding what protected health information entails, including all sixteen components, and knowing the rules regarding treatment, payment, and health care operations, when authorizations are required, and when disclosure is appropriate. This includes knowing how to implement these rules in your own department.
As an employee in this organization, part of your job is to help maintain privacy for patients as they receive care. Employees are encouraged to report violations to the agency’s privacy officials. These officials are Connie Griffin in Public Health and Chuck Klein in Human Resources. You may report them anonymously, if you wish, by following the procedures in the agency’s privacy policy. However, do not fear any retaliation if you report the privacy violation. The organization does not punish employees for reporting violations. In fact, it is part of your job to report instances where you suspect the privacy or confidentiality policies are being broken.
Although the security regulations are not yet finalized, we know that we cannot have privacy without security. Many security issues have already been addressed in the privacy policies. Some of these include the ability to speak privately to a client over the phone or in person, having computers out of the direct eye-sight of other clients, keeping medical records locked, etc.
If you want more information you may ask the privacy officers or contact the Dept. of Human Services.
Are there any questions?