HIPAA Health Insurance Portability and Accountability Act Barbara Benson, R.T.

Post on 05-Dec-2014


Page 1: HIPAA  2010

HIPAA

Health Insurance Portability and Accountability Act

Barbara Benson, R.T.

Page 2: HIPAA  2010

History of Medical Ethics

Hippocrates 460 BC

• Practice medicine for the benefit of patients

• Primum non nocere First, do no harm

• Abstain from mischief and corruption

• Maintain doctor-patient confidentiality

Page 3: HIPAA  2010

History of Medical Ethics

Thomas Percival 1803

• Published the first code of medical ethics

• Later adopted by the AMA in 1847

• Moral authority and independence of physicians, responsibility to care for the sick, and individual honor

Page 4: HIPAA  2010

History of Medical Ethics

Declaration of Geneva 1948

• Meant to update the Hippocratic Oath

• Health and conscience

• Voluntary consent

• Access without discrimination

Page 5: HIPAA  2010

Commonalities

• Honesty

• Integrity

• Confidentiality

Page 6: HIPAA  2010

HIPAA - Kennedy-Kassebaum Bill

Health Insurance Portability and Accountability Act (1996)

• Protects the privacy and security of patient information

• Sets limits on who can look at and receive health information

• Privacy Rule modifications issued 8-14-02; compliance required by 4-14-03 (4-14-04 for small health plans)

Page 7: HIPAA  2010

HIPAA Enforcement

Civil Penalties

Up to $100 per violation per individual (the original HIPAA figure; the 2009 HITECH Act replaced it with tiered penalties of $100 to $50,000 per violation, capped at $1.5 million per year for identical violations)

Criminal Penalties

Egregious violations, including the sale of information, gaining access under false pretenses, or releasing information with harmful intent

Up to $250,000 fine and possible incarceration (up to 10 years)

Page 8: HIPAA  2010

What is Protected?

Protected Health Information PHI

• Individually identifiable health information

• Information that can be linked to a particular person and originates from a health care service event

• Relates to a past, present or future physical or mental health condition, the provision of care, or payment for care

Page 9: HIPAA  2010

HIPAA Identifiers

Removing all of the following identifiers de-identifies a record under the Safe Harbor method:

• Names

• Geographic subdivisions smaller than a State (street address, city, county, ZIP code)

• Dates (except year) directly related to the patient, including birth, admission, discharge and death dates, and all ages over 89

• Telephone numbers, fax numbers, e-mail addresses, Social Security numbers

• Medical record numbers, health plan beneficiary numbers

• Account numbers, certificate/license numbers, vehicle identifiers and license plate numbers

• Device identifiers and serial numbers, web URLs, IP addresses

• Biometric identifiers, including finger and voice prints

• Full face photos and comparable images

• Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data
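The identifier list above is what a de-identification routine has to strip or generalize. The following is an added example written for this transcript, not code from the original slides: it applies the Safe Harbor rules to one structured patient record. The field names, the sample patient, and the small-population ZIP prefix set are constructed for illustration (the real ZIP set comes from Census data), and the free-text regexes only cover common numeric formats; names, street addresses and spelled-out dates in notes still need NLP or manual review.

```python
"""Safe Harbor-style de-identification of one patient record.

Added example for this transcript, not part of the original slides. It drops
or generalizes the identifier categories from the "HIPAA Identifiers" slide.
Field names, the sample record and the small-population ZIP set below are
CONSTRUCTED for illustration.
"""
import re
from datetime import date

# Direct identifiers from the slide list: dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}

# Safe Harbor keeps only the first three ZIP digits, and only when that
# three-digit area has more than 20,000 people; otherwise it becomes "000".
# PLACEHOLDER set for the example; the real list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Free-text scrubbing: common formats only. Names, street addresses and
# spelled-out dates ("March 14, 2010") need NLP or manual review, so a
# regex pass alone does not make a note de-identified.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
_PHONE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DATE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/(\d{4})|(\d{4})-\d{2}-\d{2})\b")


def generalize_zip(zip_code: str) -> str:
    """Return the three-digit ZIP prefix, or '000' for small-population areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_age(birth: date, as_of: date) -> str:
    """Age in years as text; ages over 89 collapse to the single bucket '90+'."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifiers in free text; dates are reduced to their year."""
    text = _SSN.sub("[SSN]", text)      # run before PHONE: both are digit groups
    text = _EMAIL.sub("[EMAIL]", text)
    text = _PHONE.sub("[PHONE]", text)
    text = _IPV4.sub("[IP]", text)
    return _DATE.sub(lambda m: m.group(1) or m.group(2), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = generalize_age(value, as_of)
            out["age"] = age
            # For ages over 89 even the birth year would reveal the age, so
            # Safe Harbor requires dropping it as well.
            if age != "90+":
                out["birth_year"] = str(value.year)
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = str(value.year)  # admission/discharge: year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample patient; every value is fictional.
AS_OF = date(2010, 3, 14)
SAMPLE = {
    "name": "Jane Q. Public",
    "mrn": "MRN-00123",
    "ssn": "123-45-6789",
    "zip": "03601",
    "birth_date": date(1919, 5, 2),
    "admission_date": date(2010, 3, 14),
    "diagnosis": "Hypertension",
    "note": ("Pt called from 603-555-0142 on 03/14/2010; email jane@example.com. "
             "Spouse SSN 987-65-4321."),
}


def deidentify_sample() -> dict:
    """De-identify the constructed sample as of the constructed reference date."""
    return deidentify(SAMPLE, AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

The sample patient is over 89, so the output carries the age bucket "90+" and no birth year at all; the ZIP "03601" falls in the placeholder small-population set and is reported as "000". Free text is the weak point of any rule-based approach: the regexes catch the phone number, e-mail and the spouse's SSN in the note but would miss a name or a spelled-out date, which is why a regex pass is a pre-filter, not proof of de-identification.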

Page 10: HIPAA  2010

PHI Communication Methods

HIPAA governs where and how PHI is communicated for all Treatment, Payment and Healthcare Operations (TPO) purposes, whatever the channel:

• Electronic communication

• Written communication, including the medical record

• Verbal communication between healthcare workers, or between healthcare workers and the patient

Page 11: HIPAA  2010

Privacy of Communication

Access, Use or Disclosure of all

Protected Health Information is based on :

• Need to Know

and

• Minimum Necessary

Page 12: HIPAA  2010

Who Must Protect it?

Covered Entities

• A Health Plan, a Healthcare Clearinghouse, or a Healthcare Provider who transmits any health information in electronic form in connection with a transaction

• Business Associates with whom they share PHI

Page 13: HIPAA  2010

“Need to Know”

Individually identifiable information should

be made available only to persons whose

job requires access to that information.

Page 14: HIPAA  2010

“Minimum Necessary”

• Use only the information that is the minimum necessary to get the job done, no matter how much access is provided or available

• Having access to patient information does not give the right to view or disclose it, regardless of intent

Page 15: HIPAA  2010

“Minimum Necessary”

Before looking at information, ask yourself

“Do I need to know this to do my job?”

Before sharing information, ask yourself

“Do they need to know this information to do their

job?”

Page 16: HIPAA  2010

“Minimum Necessary”

Clinicians may look at, and share with other clinicians, the entire medical record of patients they are treating: the minimum necessary standard does not apply to uses and disclosures for treatment

Page 17: HIPAA  2010

Patient Rights

Page 18: HIPAA  2010

Notice of Privacy Practices NPP

• Describes the uses of PHI permitted without further patient authorization within Treatment, Payment and Healthcare Operations (TPO)

• Once the patient is given the NPP at the first treatment encounter, PHI can be used for any TPO purpose

The NPP is given once, at the first encounter; a revised NPP must be posted and made available on request

Page 19: HIPAA  2010

NPP Requirements

• Post the NPP prominently

• The patient signs a separate acknowledgement document that contains the privacy officer contact information for that facility

• Give copies of the NPP and the acknowledgement sheet to the patient

Page 20: HIPAA  2010

Patient Rights

NPP Includes the patient's right to:

• Restrict

• Access

• Amend

• Accounting

• Alternative Communication Methods

• Complain

Page 21: HIPAA  2010

Patient Rights

Depending on state law (HIPAA itself defers to state law on a parent's access to a minor's records), minors (under 18) have a right to confidential treatment with respect to the following without a parent's consent or notice:

• Abortion

• Birth control

• STD testing

• HIV/AIDS testing

• Mental health counseling

Page 22: HIPAA  2010

Permitted by Law

Outside of TPO or patient authorization, the only other permitted uses of PHI are those required or permitted by law, for example:

• Investigations by HHS

• Reporting about victims of abuse, neglect or domestic violence

• Adverse Event Reporting

• Reporting to Public Health Authorities

Page 23: HIPAA  2010

HIPAA Authorization: Patient Authorization Elements

• The information

• Who may use or disclose the information

• Who may receive the information

• Purpose of the use or disclosure

• Expiration date or event

• Individual’s signature and date

• Right to revoke authorization

• Right to refuse to sign authorization

• Redisclosure statement

Page 24: HIPAA  2010

Record Keeping

• Good record keeping is a must

• Authorizations for use of PHI should be kept for at least six years

• Additionally, keep a record of what information was sent, and to whom

Page 25: HIPAA  2010

Privacy Protection

Page 26: HIPAA  2010

Privacy Protection

• Acceptable to use the patient’s full name on sign-in sheets, but not the reason for the visit

• Acceptable to page a patient using their full name

• Ask companions to honor the patient’s privacy by waiting in another room

Page 27: HIPAA  2010

Privacy Protection

• Do not leave medical information on

answering machines

• Do not leave the medical record unattended

• Dispose of patient information properly

Page 28: HIPAA  2010

Computer Privacy Protection

• Use alphanumeric passwords of at least 7 characters (the deck's 2010 minimum; longer passphrases and multi-factor authentication are current practice)

• Do not share passwords

• Secure written passwords

• Log off

• Use screen savers

• Keep the monitor facing away from onlookers

• Avoid sending patient information by unencrypted e-mail

Page 29: HIPAA  2010

Practical Privacy Tips

• Be aware of your surroundings and who’s listening

• Close doors whenever possible

• Speak as softly as possible

• Knock before entering

• Secure the privacy of all medical records before walking away

Page 30: HIPAA  2010

HIPAA and Research

[Figure: HIPAA Disclosure Universe. Authorization signed by patient for all clinical research; waiver criteria applied before records research; exceptions documented: de-identified data, limited dataset, TPO, public safety and other exceptions]

An authorization must be signed by patients for all clinical research

Page 31: HIPAA  2010

Research Authorization

• Who can use or disclose PHI

• To whom PHI may be disclosed

• What PHI may be used or disclosed

• The purposes of the use or disclosure

• The duration of the authorization (expiration date or event)