HIPAA Awareness Training
Self-study training module
HIPAA Training Module
This module features the following lessons:
• What is HIPAA?
• Why do I need to take this training?
• What are IURA’s policies and procedures regarding patient information and confidentiality?
• FAQs – Frequently asked questions
HIPAA
Recently there has been a great deal of talk about HIPAA and what it means to healthcare. Many people have suggested that the changes HIPAA brings to healthcare will be monumental.
Overview
• Privacy = Confidentiality
• Compliance with the Privacy Rule requires cooperation among the medical center affiliates (IUSM, Clarian, VA, Wishard, practice plans, School of Nursing; all must comply)
• Everyone at IUSM must comply
What is HIPAA?
HIPAA stands for: Health Insurance Portability and Accountability Act of 1996
No, it’s not short for hippopotamus!
HIPAA is a federal law, and the regulations issued under it (such as the Privacy Rule) apply to most healthcare providers. It protects the privacy, security and confidentiality of a patient’s health information.
With HIPAA, the government mandates that IURA protect the privacy, security and confidentiality of our patients’ health information.
What is protected?
• Protected health information (PHI) is individually identifiable health information that:
– identifies the individual, or gives a reasonable basis to believe the information can be used to identify the individual (e.g. name, social security number, demographic information), and
– is transmitted or maintained in any form or medium.
De-Identified Information
• PHI is de-identified by removing, coding, encrypting, or otherwise eliminating or concealing the individually identifiable information
• The regulations do not apply to de-identified information
– It may be used or disclosed freely as long as the code needed to re-identify the information is not accessible
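The de-identification described above can be shown concretely. The example below is added here and is not part of the IURA module; the patient records, field names, key, reference year and the `P`-style tokens are all constructed for illustration. It replaces the direct identifiers (name, SSN) with a keyed pseudonym, generalises the date of birth and ZIP code, and keeps the re-identification "code" (the HMAC key plus a token-to-identity table) in a separate object that is never shipped with the data set. It also shows why an unkeyed hash of an SSN is not de-identification: the SSN space is small enough to enumerate.

```python
"""De-identifying a small PHI record set while holding the re-identification
'code' (HMAC key + token table) apart from the data.

Added example, not IURA code or policy. All records, keys and the reference
year are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]

# Constructed sample records (fictional patients, not real data).
RECORDS: List[Record] = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-03-12",
     "zip": "46202", "diagnosis": "fracture, left radius"},
    {"name": "John Roe", "ssn": "987-65-4321", "dob": "1910-11-02",
     "zip": "03901", "diagnosis": "pneumonia"},
]
DIRECT_IDENTIFIERS = ("name", "ssn")


def pseudonym(key: bytes, record: Record) -> str:
    """Keyed token: the same patient always maps to the same token, but
    without `key` nobody can recompute it from a guessed name or SSN."""
    msg = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def de_identify(records: List[Record], key: bytes, as_of_year: int
                ) -> Tuple[List[Record], Dict[str, Record]]:
    """Return (de-identified rows, re-identification table).

    The key and the table together are the 'code' that re-identifies the
    rows; store them separately from the rows and never ship them together.
    """
    rows: List[Record] = []
    reid: Dict[str, Record] = {}
    for r in records:
        tok = pseudonym(key, r)
        reid[tok] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        birth_year = int(r["dob"][:4])
        age = as_of_year - birth_year
        rows.append({
            "token": tok,
            # Dates other than the year are dropped, and ages over 89 are
            # pooled into one band because an exact year singles out the
            # very old.
            "birth_year": str(birth_year) if age <= 89 else "90+ (year withheld)",
            # Only the first three ZIP digits are kept. (Safe-harbor rules also
            # require '000' for sparsely populated 3-digit prefixes; that
            # lookup table is not embedded here.)
            "zip3": r["zip"][:3],
            "diagnosis": r["diagnosis"],
        })
    return rows, reid


def re_identify(row: Record, reid: Dict[str, Record]) -> Record:
    """Only the holder of the separately stored table can do this."""
    return {**reid[row["token"]], **row}


def naive_token(ssn: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def crack_naive(token: str, area_group: str) -> Optional[str]:
    """Recover an SSN from an unkeyed hash by enumerating the 10,000 serial
    numbers behind a known area-group prefix such as '123-45'. The whole
    SSN space is only 1e9 values, so the full search is also cheap."""
    for serial in range(10_000):
        guess = f"{area_group}-{serial:04d}"
        if hashlib.sha256(guess.encode()).hexdigest() == token:
            return guess
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # kept with the privacy officer, not the data
    rows, reid = de_identify(RECORDS, key, as_of_year=2003)
    print(rows)
    print(re_identify(rows[0], reid)["name"])
    print(crack_naive(naive_token("123-45-6789"), "123-45"))
```

The rows can be handed to researchers or analysts; the key and the `reid` table stay under separate control, which is what "the code to re-identify the information is not accessible" means in practice.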
HIPAA
HIPAA requires that every covered health care organization designate a privacy officer.
Our Privacy Officer is Marcia Gonzales in the IUSM Office of Compliance Services, 278-4891.
* The HIPAA liaison for the Radiology Department is Rita McFarland, UH 0663C, 274-4328.
Their role is to provide in-house reference and guidance on the processes established to comply with the HIPAA privacy regulations.
HIPAA – Why is training necessary?
The privacy, security and confidentiality of patient information is important to IURA…
…and it’s important that you know the rules regarding patient confidentiality.
Confidentiality is so important that IURA requires that:
1. All employees and workforce members be informed of their responsibility to protect confidentiality.
2. A proven violation of the confidentiality of patient information result in immediate disciplinary action, up to and including termination.
HIPAA – Policy
What is Indiana University Radiology Associates’ policy?
• Our policy states that patient information will be kept private and confidential
• Our policy also guides us on who should have access to patient information
– Direct access to patient information shall only be permitted to those employees who have a “need to know” to perform their job functions
What patient information does IURA require me to keep confidential?
– Demographic information
• Examples: name, social security number, date of birth, address, etc.
– Information about injury, illness or condition, including symptoms, diagnosis or treatment
– Conversations between the patient and health care workers
In regard to HIPAA, the “need to know” is defined as the Minimum Necessary information: use, request or disclose only the least amount of patient information needed for the task at hand.
When do I “need to know”?
“Need to know” is when you need information to:
1. Document the patient’s treatment
2. Facilitate communication between physicians and other professionals contributing to the patient’s care
3. Provide continuity of patient care
4. Provide a basis for review, study, and evaluation of patient care processes
5. Provide clinical data for approved research, study, and education; and for legitimate business purposes.
What are legitimate business purposes?
Legitimate business purposes include provision of:
1. Statistical data for decision making and planning
2. Data to third parties as specified by law (e.g. communicable diseases, coroner’s cases, burns, cancer registry reporting, etc.)
3. Documentation for billing and insurance claims processing
4. Appropriate access to medical records and data as required for licensing and accreditation purposes.
Our policy also guides us on when and where we can discuss patient information.
• Discuss patient information privately; never in elevators, lobbies, cafeterias, or corridors
• Make sure requisitions, forms, and computer screens with patient names and information are not easily viewed by others
• Dispose of unnecessary patient information in proper receptacles for shredding, not ordinary trash bins
HIPAA
And remember… co-workers can be patients, too. They have every right to expect the same level of privacy, just like you do whenever you’re a patient!
How do I protect the privacy of my co-workers?
– Take special care to respect the privacy of co-workers and colleagues who are patients.
– Do NOT discuss the health care services of your co-workers with anyone who is not directly involved in their care.
– Do NOT ask co-workers why they are a patient, or their reasons for accessing health services.
– Do NOT access their private health information unless it is for patient care purposes.
HIPAA – Privacy, Security, and Confidentiality
There will be a few changes brought about by HIPAA. These are summarized below:
• We are required to provide a Notice of Privacy Practices to all patients that describes their rights over their PHI
• Patients will sign an acknowledgement form stating that they received a copy of the Privacy Notice
• We are required to make a “good faith effort” to obtain this acknowledgement (verbal acknowledgement is not enough; it must be in writing)
There will be a formal process for patients to:
– Request copies of their medical record
– Obtain a list of who has accessed their information
– Make amendments to their medical records
– Complain to our HIPAA liaison or privacy officer about our privacy practices
Security Safeguards
• Passwords – don’t share them and don’t post them
• Workstations – secure your workstation, use screen savers, lock your computer if unattended, log off when not in use, log off at night
• E-mail – avoid sending sensitive/confidential patient information; our Outlook e-mail is not currently encrypted
• Removable media (disks, CDs) – lock up and store securely; dispose of or destroy properly
• Internet – VPN, firewalls, monitoring and auditing of usage, virus protection
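Two of the points above (“monitor and audit usage”, and not accessing a co-worker’s record unless it is for patient care) come together in access-log review, and patients may ask for a list of who accessed their information. The example below is added here and is not IURA code; the log format, user names, patient IDs, care-team table and system names (`RIS`, `PACS`) are constructed for illustration. It parses the constructed audit lines, produces the per-patient access list a patient could request, and flags accesses by users with no care relationship on record, marking those against a co-worker’s record for review first.

```python
"""Review of a constructed record-access log: per-patient accounting and
flagging of accesses with no care relationship.

Added example, not IURA code. Log format, users, patient IDs and care-team
assignments are all constructed.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed audit-log lines (fictional users, patients and systems).
ACCESS_LOG = """\
2003-04-15T09:02:11 user=rmiller patient=P1001 action=view module=RIS
2003-04-15T09:05:40 user=jsmith patient=P1001 action=view module=PACS
2003-04-15T12:44:03 user=bjones patient=P2002 action=print module=RIS
2003-04-15T13:10:59 user=bjones patient=P3003 action=view module=RIS
2003-04-16T08:00:00 user=jsmith patient=P3003 action=view module=PACS
"""

# Constructed care assignments: users with a treatment-related reason to
# open each patient's record.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"rmiller", "jsmith"},
    "P2002": {"bjones"},
    "P3003": {"jsmith"},
}
# Constructed: patient IDs that belong to workforce members (co-workers).
WORKFORCE_PATIENTS: Set[str] = {"P3003"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"action=(?P<action>\S+) module=(?P<module>\S+)$"
)


class Access(NamedTuple):
    ts: str
    user: str
    patient: str
    action: str
    module: str


def parse_log(text: str) -> List[Access]:
    """Parse the constructed line format; refuse lines that do not match
    rather than silently dropping evidence."""
    entries: List[Access] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        entries.append(Access(**m.groupdict()))
    return entries


def accounting_for(entries: List[Access], patient: str) -> List[Access]:
    """Who touched this patient's record, in time order: the list a
    patient may ask for."""
    return sorted((e for e in entries if e.patient == patient),
                  key=lambda e: e.ts)


def flag_no_care_relationship(entries: List[Access],
                              care_team: Dict[str, Set[str]],
                              workforce_patients: Set[str]
                              ) -> List[Dict[str, object]]:
    """Accesses by users who are not on the patient's care team.
    Accesses to a co-worker's record are marked so they are reviewed first."""
    findings: List[Dict[str, object]] = []
    for e in entries:
        if e.user in care_team.get(e.patient, set()):
            continue
        findings.append({
            "ts": e.ts, "user": e.user, "patient": e.patient,
            "action": e.action, "module": e.module,
            "reason": "no care relationship on record",
            "coworker_record": e.patient in workforce_patients,
        })
    return findings


if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    for e in accounting_for(entries, "P1001"):
        print("P1001 accessed by", e.user, "at", e.ts, "via", e.module)
    for f in flag_no_care_relationship(entries, CARE_TEAM, WORKFORCE_PATIENTS):
        print("REVIEW:", f)
```

In a real deployment the care-team table would come from scheduling or order data rather than a hard-coded dict, and a flagged access is a lead for the HIPAA liaison to follow up on, not proof of a violation.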
FAQs
The following pages provide answers to some frequently asked questions about HIPAA.
Read them to learn more about how HIPAA will (and won’t) change the way you work…
Access to Information
What happens when the patient wants to know what is in his/her medical record?
– Patients have the right to access and obtain a copy of their medical or billing information
– We must act upon their request within 30 days
– We may deny a patient’s request in some circumstances
Does the Privacy Rule require us to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard?
– No, the Privacy Rule does not require these types of structural changes
– However, we must have in place appropriate administrative, technical and physical safeguards to protect the privacy of health information
– “Reasonable safeguards” means that we must make reasonable efforts to prevent uses and disclosures not permitted by the rule
Does HIPAA force us to isolate X-ray view boxes?
– No, HIPAA standards do not require that we take this specific measure. However, we must take reasonable precautions to prevent inadvertent or unnecessary disclosures. While the Privacy Rule does not require that we totally isolate view boxes, it does require that we take reasonable precautions to protect X-rays from being accessible to the public.
If health care providers engage in confidential conversations with other providers or patients, have they violated HIPAA if there is a possibility that they could be overheard?
– As long as reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart, etc.), health care staff may discuss a patient’s condition at nurses’ stations, over the phone with the patient, a provider, or a family member, or during training rounds in an academic or training institution.
Can we FAX patient medical information to a physician’s office?
– The Privacy Rule permits the disclosure of protected health information to another health care provider for treatment purposes. This can be done by fax or other means. Health care providers must have in place reasonable safeguards to protect the privacy of the protected health information, such as confirming that the fax number to be used is correct and placing fax machines in secure locations to prevent unauthorized access to the information.
Can we use patient sign-in sheets or call out the names of patients in waiting rooms?
– Yes, patient sign-in sheets and calling out names in waiting rooms may be used as long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain “incidental disclosures” that occur as a by-product of an otherwise permitted disclosure, for example disclosing to other patients in a waiting room the identity of the person whose name is called. This is permitted only if reasonable and appropriate safeguards are used to limit confidential patient information such as the patient’s diagnosis or history.
Business Associates
What happens when the radiologist dictates a report that is transcribed by an outside transcription agency?
– The transcription company is a business associate because it handles health information and performs the service on our behalf. A Business Associate Agreement with the company that meets HIPAA standards is required.
Complaints
Can patients complain to us?
– Patients have always had the right to complain to us or to any of our state, federal, or accrediting bodies.
– Under HIPAA, we have to tell patients that they can complain to us, or to the Department of Health and Human Services, Office for Civil Rights. This is outlined in our Notice of Privacy Practices.
– If a patient wants to file a complaint with IURA, contact the HIPAA liaison.
If a patient wants to file a complaint with the Department of Health and Human Services, it must meet the following requirements:
• The complaint must be filed in writing
• The person must name the facility where the violation occurred and describe what happened
• The complaint must be filed within 180 days of the occurrence
Can employees report possible violations of the privacy rule to us?
– Employees are encouraged to report possible violations of the privacy rule to us. If there’s a problem, we want to fix it. Employees should feel comfortable knowing that we will not take any retaliatory action when employees file complaints.
– Employees should submit their complaint to the Radiology HIPAA Liaison
– Employees may also use the IU Compliance Notification Line, (877) 526-6759
Amendment to Record
What if the patient disagrees with the information in his medical record?
– An individual has a right to request an amendment
– We can require a written request with the reason for the change
– We have 60 days to act
– We must notify the individual whether the amendment was accepted and inform relevant persons identified by the individual
– We can never delete the original information; the amendment allows the patient to supply a written supplement to their medical record
Can we deny the patient’s request to amend his medical record?
– We may deny the request if the health information:
• Was not created by us
• Is not part of their medical or billing records
• Was not available for inspection
• Is accurate and complete
What happens if we deny the request for amendment?
– We must provide timely, written notice to the individual
– The notice must explain the reason for denial, the right to submit a written statement of disagreement, and the individual’s right to complain to us or directly to the government
– We may prepare a rebuttal statement and give a copy to the individual
– We must include the request and denial with future disclosures
Authorization
What happens if the patient’s spouse wants a copy of his/her record?
– PATIENT authorization is REQUIRED
– A valid authorization must be in writing
Consent
What happens when a patient comes into our facilities after April 14, 2003?
– Healthcare providers are required to have a Privacy Notice
• At registration, patients will be given a copy of IURA’s Notice of Privacy Practices
• There will be a written acknowledgement from the patient that they’ve been given a copy of this notice
• We are also required to post the Privacy Notice in the waiting rooms and on our website
Don’t see the answer to your question here?
Try looking at the HIPAA website:
http://www.hhs.gov/ocr/hipaa/privacy.html
http://www.hhs.gov/ocr/hipaa/whatsnew.html
http://www.hhs.gov/ocr/index.html
Or contact the following:
– IURA HIPAA Liaison – Rita McFarland
• Phone number: 274-4328
• E-mail: [email protected]
– Office of Compliance Services
• Phone number: (317) 278-4891
• Website: www.medicine.iu.edu/~wecomply
– IU Compliance Notification Line
• Phone number: (877) 526-6759
Conclusion
After reviewing the study packet, complete the attached short quiz to receive credit for this training. Please print out the completed quiz and training form and forward to:
Rita McFarland
Radiology Department
UH 0663C