HIPAAHIPAAHHealth ealth IInsurance nsurance PPortability and ortability and

AAccountability ccountability AActct

What part do students play in implementing What part do students play in implementing HIPAA?HIPAA?

How does this law affect your student role?How does this law affect your student role?

• Federal law passed by Congress in 1996 • Regulations promulgated by the Dept of Health

and Human Services • Guidelines implemented in April 2003

Click ‘Slide Show’ and View Show’

HIPAA regulations were designed to:HIPAA regulations were designed to:1) protect individuals’ rights to privacy and 1) protect individuals’ rights to privacy and

confidentialityconfidentialityandand2) assure the security of electronic transfer of 2) assure the security of electronic transfer of

personal informationpersonal information

The first, protecting privacy and confidentiality The first, protecting privacy and confidentiality rights, is the subject of this instructional rights, is the subject of this instructional program. program.

Health information is used by multiple agents in the course of a single episode with a health problem. Below are some of the agencies and individuals who may handle health information. You could, no doubt, add several more.

• Admitting clerks• Caregivers from the

ED to the morgue• Physical therapists• Nutritionists• Lab personnel• Receptionists in

MD offices

• Transport techs• Respiratory therapists• Billing clerks• Insurance agents/clerks• School teachers/nurses• Home health personnel• Medical records clerks• Website managers

HIPAA applies to us all--in all HIPAA applies to us all--in all settings. That means at school, at settings. That means at school, at

home, on the shuttle buses, as well home, on the shuttle buses, as well as the hospitals and clinics.as the hospitals and clinics.

Why HIPAA??Why HIPAA?? GeneticGenetic advancements - as more is known about our genetic advancements - as more is known about our genetic

predisposition to diseases, HIPAA will ensure that, for example, predisposition to diseases, HIPAA will ensure that, for example, an individual is not denied insurance because the company an individual is not denied insurance because the company knows that she may eventually develop MS.knows that she may eventually develop MS.

MarketingMarketing - as information is more easily captured concerning, - as information is more easily captured concerning, for example, the prescriptions we purchase, HIPAA is designed for example, the prescriptions we purchase, HIPAA is designed to prevent marketing of unsolicited products or services based to prevent marketing of unsolicited products or services based on harvested marketing data.on harvested marketing data.

TechnologyTechnology - as information is quickly and sometimes loosely - as information is quickly and sometimes loosely moved around networks, HIPAA standards will hold violators moved around networks, HIPAA standards will hold violators accountable for accidental or intentional ‘interception’ of accountable for accidental or intentional ‘interception’ of protected health information (PHI).protected health information (PHI).

Why HIPAA?Why HIPAA?

An Atlanta truck driver lost his job in early 1998 after An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company his employer learned from his insurance company that he had sought treatment for a drinking problem. that he had sought treatment for a drinking problem.

The late tennis star Arthur Ashe’s positive HIV status The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published was disclosed by a healthcare worker and published by a newspaper without his permission.by a newspaper without his permission.

Tammy Wynette’s medical records were sold to Tammy Wynette’s medical records were sold to NationalNational EnquirerEnquirer by a hospital employee for $2,610. by a hospital employee for $2,610.

When and How Often do I When and How Often do I need to be Certified?need to be Certified?

The law requires that we comply with the The law requires that we comply with the regulations and adhere to agency guidelines.regulations and adhere to agency guidelines.

By passing this course, you will show evidence By passing this course, you will show evidence of understanding HIPAA guidelines and of understanding HIPAA guidelines and compliancecompliance

Be aware that individual agencies may have Be aware that individual agencies may have unique HIPAA policies, and it is your unique HIPAA policies, and it is your responsibility to know and implement those responsibility to know and implement those policies.policies.

What Objectives do the Privacy What Objectives do the Privacy Regulations Accomplish for Regulations Accomplish for

Patients?Patients? Give patients more control over their health information.Give patients more control over their health information. Set boundaries on the use and disclosure of health Set boundaries on the use and disclosure of health

records.records. Establish appropriate safeguards for all people who Establish appropriate safeguards for all people who

participate in or are associated with the provision of participate in or are associated with the provision of healthcare to ensure that they honor patients’ rights to healthcare to ensure that they honor patients’ rights to privacy of their PHI. privacy of their PHI.

Hold violators accountable through civil and criminal Hold violators accountable through civil and criminal penalties. penalties.

Strike a balance when public responsibility requires Strike a balance when public responsibility requires disclosure of some forms of data--for example, to protect disclosure of some forms of data--for example, to protect public health.public health.

With HIPAA we now have new With HIPAA we now have new terms and abbreviations to terms and abbreviations to

learn!!learn!! Protected Health InformationProtected Health Information (PHI) or (PHI) or Protected Medical Protected Medical InformationInformation (PMI) This is any data about the patient that would (PMI) This is any data about the patient that would tend to identify the individual: name, hospital #, SSN, diagnosis, tend to identify the individual: name, hospital #, SSN, diagnosis, lab results, past or current photos, etc, etc.lab results, past or current photos, etc, etc.

Privacy OfficerPrivacy Officer (PO) Each facility will have an employee who is (PO) Each facility will have an employee who is responsible for implementing and enforcing this law. Some may responsible for implementing and enforcing this law. Some may have one over a multi-facility network (Seton) others one at each have one over a multi-facility network (Seton) others one at each site (St. David’s Partnership). As a nursing student this individual site (St. David’s Partnership). As a nursing student this individual (after your instructor or preceptor) could be your point of (after your instructor or preceptor) could be your point of information regarding HIPAA.information regarding HIPAA.

Covered EntityCovered Entity (CE) This includes any health plan, healthcare (CE) This includes any health plan, healthcare provider, agency that processes claims, and any company that provider, agency that processes claims, and any company that subcontracts with them are covered by this law.subcontracts with them are covered by this law.

And more new terms and And more new terms and abbreviations to learn!!abbreviations to learn!!

Release/DisclosureRelease/Disclosure These are terms used in These are terms used in describing the release of PHI to other CEs for TPO, describing the release of PHI to other CEs for TPO, treatment. payment, or health care operationstreatment. payment, or health care operations..

Accounting of DisclosureAccounting of Disclosure (AOD) The patient has the (AOD) The patient has the right to have an AODs for his PHI or PMI.right to have an AODs for his PHI or PMI.

DirectoryDirectory This is CE’s census or list of patients used by This is CE’s census or list of patients used by volunteers and operators to direct visitors.volunteers and operators to direct visitors.

Different agencies may have other terms they use to communicate HIPAA policies. You will need to keep alert to these instances to comply with the spirit of the law.

• The seven rights in the HIPAA privacy guidelines

• Using equipment--computers, printers, fax, and similar

machines to transmit patient data

• Identifying patients/clients PHI in school papers

• Discarding or destroying papers containing patient PHI

• Communicating privacy questions/concerns in the agency

• Describing the consequences of violating HIPAA guidelines

The next few slides will present the basic principles of HIPAA as it applies to the student role:

What are the Seven Patient Rights What are the Seven Patient Rights Regarding Privacy of PHI (Protected Regarding Privacy of PHI (Protected

Health Information)Health Information)

Individuals have the right to:Individuals have the right to:

1.1. Receive noticeReceive notice of an agency’s privacy practices. of an agency’s privacy practices.

2.2. Know that an agency will useKnow that an agency will use its PHI ONLY for its PHI ONLY for treatment, payment, operations (TPO), certain other treatment, payment, operations (TPO), certain other permitted uses and uses as required by lawpermitted uses and uses as required by law

3.3. Consent to and control the use and disclosureConsent to and control the use and disclosure of their of their PHI.PHI.

Seven Rights…continuedSeven Rights…continued

4.4. AccessAccess their protected health information their protected health information (PHI), except for psychotherapy notes (PHI), except for psychotherapy notes (they might be charged for copies)(they might be charged for copies)

5.5. Request amendmentRequest amendment or addendum to or addendum to their PHI (not always granted)their PHI (not always granted)

6.6. Receive accountingsReceive accountings of disclosures of disclosures

7.7. File privacy complaintsFile privacy complaints to agency officer to agency officer

HIPAA Restricts Sharing PHIHIPAA Restricts Sharing PHI

Personal information cannot be released to Personal information cannot be released to individuals or companies interested in marketing individuals or companies interested in marketing ventures, without the patient’s written permission. ventures, without the patient’s written permission. For example:For example:

Names of patients on antihypertensive drugs cannot Names of patients on antihypertensive drugs cannot be released to a company marketing nutritional be released to a company marketing nutritional products to lower blood pressure.products to lower blood pressure.

Names and addresses of pregnant women cannot Names and addresses of pregnant women cannot be provided to infant formula companies.be provided to infant formula companies.

Contact information of previous patients cannot be Contact information of previous patients cannot be used to raise money for a hospital building used to raise money for a hospital building campaign.campaign.

How do students assure How do students assure patients’ rights to privacy and patients’ rights to privacy and

confidentiality?confidentiality?

Who has Access to PHI?Who has Access to PHI?The ‘Need-to-Know’ PrincipleThe ‘Need-to-Know’ Principle

PHI should be shared with as PHI should be shared with as few individuals as few individuals as neededneeded to ensure patient care and then only to to ensure patient care and then only to the extent demanded by the individual’s role.the extent demanded by the individual’s role.

For example, the physical therapist assistant For example, the physical therapist assistant ‘needs to know’ only the facts concerning the ‘needs to know’ only the facts concerning the patient’s current admission.patient’s current admission.

As a student PTA, you will discuss PHI only as it As a student PTA, you will discuss PHI only as it applies to your education or your patient’s care.applies to your education or your patient’s care.

Protecting your patient’s PHIProtecting your patient’s PHI

Take all reasonable steps to make sure Take all reasonable steps to make sure that individuals without the ‘need to know’ that individuals without the ‘need to know’ do not overhear conversations about PHI.do not overhear conversations about PHI.

DO NOT conduct discussion about PHI in DO NOT conduct discussion about PHI in elevators or cafeterias.elevators or cafeterias.

Do not let others see your computer Do not let others see your computer screen while you are working. Be sure to screen while you are working. Be sure to log out when done with any computer file.log out when done with any computer file.

• identify the patient/client by initials only• use other demographic data only to the extent necessary

to identify the patient and his/her needs to the instructor.• protect the computer screen, PDA, clip board, or notes

from other individuals who don’t have a ‘need to know’• protect your printer output from others who don’t have a

‘need to know’• protect your media storage device (computer, flash drive)

from loss

When preparing care plans or other course required documents take extra care to:

Protecting your patient’s PHI

In the student role you are In the student role you are NOT to NOT to photoduplicate or faxphotoduplicate or fax patient patient

documents in the process of working documents in the process of working with your patient’s PHI. As an with your patient’s PHI. As an

employee of an agency you must use employee of an agency you must use the agencies’ security procedures to the agencies’ security procedures to

transmit PHI.transmit PHI.

Protecting your patient’s PHI

Destroying PHI/PMIDestroying PHI/PMI

DO NOT put notes DO NOT put notes with PHI/PMI in with PHI/PMI in the trash or paper the trash or paper recycle cans.recycle cans.

Ask for the paper Ask for the paper shredder for these shredder for these materials.materials.

Consequences of HIPAA Consequences of HIPAA ViolationsViolations

In addition to federal laws, failure to comply In addition to federal laws, failure to comply with HIPAA also violateswith HIPAA also violates

Standards for Ethical Practice for Physical Standards for Ethical Practice for Physical Therapist AssistantsTherapist Assistants

State practice act for Physical TherapyState practice act for Physical Therapy LCC PTA program Policies and LCC PTA program Policies and

ProceduresProcedures

Potential Consequences ofPotential Consequences of HIPAA Violations HIPAA Violations

Legal consequencesLegal consequences Civil or criminal penaltiesCivil or criminal penalties Fines plus imprisonmentFines plus imprisonmentProfessional consequences:Professional consequences: Disciplinary action by the Physical Therapy Disciplinary action by the Physical Therapy

Licensing BoardLicensing BoardAcademic consequences:Academic consequences: ReprimandsReprimands Loss of points toward grade or failure of courseLoss of points toward grade or failure of course Dismissal from PTA programDismissal from PTA program

Application of HIPAA to Application of HIPAA to Common Situations Facing Common Situations Facing

PTA StudentsPTA Students

Johnny, an active 4 year old, breaks his Johnny, an active 4 year old, breaks his arm after falling from a climbing form at his arm after falling from a climbing form at his daycare. As the PTA student involved in daycare. As the PTA student involved in his rehab after the casting, you know that his rehab after the casting, you know that he is HIV positive. Your daughter attends he is HIV positive. Your daughter attends the same daycare. You alert some of the the same daycare. You alert some of the other parents at that center. other parents at that center.

What’s wrong with this scenario?What’s wrong with this scenario?

Who in this setting has a ‘need to know’ Who in this setting has a ‘need to know’ the HIV status of this child?the HIV status of this child?

Resisting the Need to Share PHI—Honoring the Patient’s right to Privacy

NextFormulate your answerthen click the button

Sharing this information with the other parents is a violation of the HIPAA statute--ensuring the child’s/family’s right to privacy and confidentiality.

The other parents did not ‘need to know’ this information. Really, nobody has the ‘need to know.’

A good action on your part as a PTA (or student PTA) would be to look into the day care’s first aid policies and help them develop policies that observe universal precautions in the care of all children and staff. This should be done even if you didn’t know that one of the children were HIV positive

PNPPNP

Complete the PNP to assess your Complete the PNP to assess your understanding and full credit for the HIPAA understanding and full credit for the HIPAA Lesson.Lesson.

Slide presentation adapted from Slide presentation adapted from www.www.utexas.eduutexas.edu/nursing/docs//nursing/docs/hipaahipaa.ppt.ppt, downloaded 12.24.09, downloaded 12.24.09