hipaa 2010
HIPAA
Health Insurance Portability and Accountability Act
Barbara Benson, R.T.
History of Medical Ethics
Hippocrates 460 BC
• Practice medicine for the benefit of patients
• Primum non nocere First, do no harm
• Abstain from mischief and corruption
• Maintain doctor-patient confidentiality
History of Medical Ethics
Thomas Percival 1803
• Published the first code of medical ethics
• Later adopted by the AMA in 1847
• Moral authority and independence of physicians, responsibility to care for the sick, and individual honor
Declaration of Geneva 1948
• Meant to update the Hippocratic Oath
• Health and conscience
• Voluntary consent
• Access without discrimination
History of Medical Ethics
Commonalities
• Honesty
• Integrity
• Confidentiality
HIPAA - Kennedy-Kassebaum Bill
Health Insurance Portability and Accountability Act
• Protects the privacy and security of patient information
• Sets limits on who can look at and receive health information
• Final rule issued 8-14-02 requiring compliance by 8-14-03
HIPAA Enforcement
Civil Penalties
Up to $100 per violation per individual
Criminal Penalties
“Egregious violations”, including the sale of information, gaining access under false pretenses, or releasing information with harmful intent
Up to $250,000 fine and possible incarceration
What is Protected?
Protected Health Information PHI
• Individually identifiable health information
• Information that can be linked to a particular person originating from a health care service event
• A physical or mental health condition at any time
HIPAA Identifiers
• Geographic subdivisions smaller than a State
• Dates (except year) directly related to the patient
• Telephone numbers, fax numbers, e-mail addresses, SS numbers
• Medical record numbers, health plan beneficiary numbers
• Account numbers, certificate/license numbers, vehicle identifiers
• Device identifiers and serial numbers, Web URLs, IP address numbers
• Biometric identifiers, including finger and voice prints
• Full face photos
• Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data
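The identifier list above is the checklist for de-identifying a record. As an added example that is not part of the original slides, the Python routine below applies those rules to a constructed patient record: geography is kept only at state level, dates keep only the year, the listed direct identifiers are dropped, and phone numbers, e-mail addresses, SSNs and dates are redacted from free-text notes. The field names and regular expressions are assumptions made for this example.

```python
import re
from datetime import date

# Fields in the constructed record that appear on the identifier list and must go.
REMOVE_FIELDS = {"name", "street", "city", "zip", "phone", "fax", "email", "ssn",
                 "mrn", "plan_id", "account", "license", "vin", "device_serial",
                 "url", "ip", "photo"}
# State-level geography and clinical content are not identifiers and may stay.
KEEP_FIELDS = {"state", "diagnosis"}

# Free-text patterns for identifiers that leak into notes (assumed, not exhaustive).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),  # MM/DD/YYYY
}


def scrub_text(text: str) -> str:
    """Reduce dates to the year and redact the other identifiers in free text."""
    text = PATTERNS["date"].sub(lambda m: m.group(3), text)
    for key in ("ssn", "phone", "email"):
        text = PATTERNS[key].sub(f"[{key.upper()} REMOVED]", text)
    return text


def deidentify(record: dict) -> dict:
    """Apply the identifier list to one record.

    Fields that are neither explicitly kept, dates, nor the note are dropped,
    so an identifier field added upstream fails closed instead of leaking.
    """
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in KEEP_FIELDS:
            out[key] = value
        elif isinstance(value, date):
            out[key] = str(value.year)  # dates directly related to the patient: year only
        elif key == "note":
            out[key] = scrub_text(value)
    return out


SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "street": "12 Elm St", "city": "Springfield", "state": "IL",
    "zip": "62704", "dob": date(1975, 3, 9), "admit_date": date(2010, 6, 1),
    "mrn": "MRN-0001", "phone": "217-555-0100", "diagnosis": "Fractured left radius",
    "note": "Pt called 217-555-0100 on 06/01/2010; reach at jane@example.com, SSN 123-45-6789.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```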
PHI Communication Methods
HIPAA governs where and how PHI is communicated between all TPO’s
• Electronic communication
• Written communication including the medical record
• Verbal communication between healthcare workers or between healthcare workers and the patient
Privacy of Communication
Access, Use or Disclosure of all Protected Health Information is based on:
• Need to Know
and
• Minimum Necessary
Who Must Protect it?
Covered Entities
• A Health Plan or a Healthcare Provider who transmits any health information in electronic form in connection with a transaction
• Business Associates with whom they share PHI
“Need to Know”
Individually identifiable information should be made available only to persons whose job requires access to that information.
“Minimum Necessary”
• Only information that is the minimum necessary to get the job done, no matter how much access is provided or available
• Having access to patient information does not give the right to access or disclose, regardless of intent
“Minimum Necessary”
Before looking at information, ask yourself “Do I need to know this to do my job?”
Before sharing information, ask yourself “Do they need to know this information to do their job?”
“Minimum Necessary”
Clinicians may look at and share with other clinicians the entire medical record of patients they are treating
Patient Rights
Notice of Privacy Practices NPP
• Governs the uses of PHI as permissible by the patient within Treatment, Payment and Healthcare Operations (TPO’s)
• Once the patient is given a NPP at the first treatment encounter, PHI can be used for any TPO purpose
NPP is a once in a lifetime requirement
NPP Requirements
• Post NPP prominently
• The patient signs a separate acknowledgement document that contains the privacy officer contact information for that facility
• Copies of NPP and acknowledgement sheet to patient
Patient Rights
NPP Includes the patient's right to:
• Restrict
• Access
• Amend
• Accounting
• Alternative Communication Methods
• Complain
Minors (under 18) have a right to confidential treatment with respect to the following without a parent's consent or notice:
• Abortion
• Birth control
• STD testing
• HIV/AIDS testing
• Mental health counseling
Patient Rights
Permitted by Law
Outside of TPO or patient authorization, the only other permitted uses of PHI are those required by law:
• Investigations by HHS
• Reporting about victims of abuse, neglect or domestic violence
• Adverse Event Reporting
• Reporting to Public Health Authorities
HIPAA Authorization
Patient Authorization Elements
• The information
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event
• Individual’s signature and date
• Right to revoke authorization
• Right to refuse to sign authorization
• Redisclosure statement
Record Keeping
• Good record keeping is a must
• Authorizations for use of PHI should be kept for at least six years
• Additionally, a record of what information was sent, and to whom
Privacy Protection
• Acceptable to use the patient’s full name on sign-in sheets but not the reason for the visit
• Acceptable to page a patient using their full name
• Ask companions to honor the patient’s privacy by waiting in another room
Privacy Protection
• Do not leave medical information on answering machines
• Do not leave the medical record unattended
• Dispose of patient information properly
Computer Privacy Protection
• Use 7-character alphanumeric passwords
• Do not share passwords
• Secure written passwords
• Log off
• Use screen savers
• Keep monitor facing away from onlookers
• Avoid sending the patient information using e-mail
Practical Privacy Tips
• Be aware of your surroundings and who’s listening
• Close doors whenever possible
• Speak as softly as possible
• Knock before entering
• Secure the privacy of all medical records before walking away
HIPAA and Research
HIPAA Disclosure Universe (diagram)
Diagram labels: Authorization signed by patient for all clinical research; Waiver Criteria applied before records research; Exceptions Documented; De-identified; Limited Dataset; TPO; Public Safety and other exceptions
An authorization must be signed by patients for all clinical research
Research Authorization
• Who can use or disclose PHI
• To whom PHI may be disclosed
• What PHI may be used or disclosed
• The purposes of the use or disclosure of PHI
• The duration of the authorization (expiration date or event)