HIPAA Privacy and Security Requirements
What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information
Program Content
Overview of Privacy and Security
A Hypothetical Case History
Using and Sharing Information
The Notice of Privacy Practices
Authorization
Privacy Accounting
Patient Access to Health Information
Information Security
Wrap-up
HIPAA Privacy & Security – Section 1
Overview of Privacy and Security
How HIPAA views privacy and security … and threats to privacy and security
Privacy & Security Goals
The goals of privacy:
  Patient control over sharing of information
  Disclosure of how information will be used
The goals of security:
  Information available to those who need it
  Information not available to those who don't
Key Concepts and Terms
Protected Health Information
Use and Disclosure
Notice and Acknowledgement
Authorization
Business Associate
Workforce
Personal Representative
Minimum necessary
Protected Health Information
General definition: information that identifies an individual and describes his or her medical condition, treatment, or payment for care
Specifically includes:
  Clinical information
  Information on payment
  Basic demographic information: name, address, and telephone number
Applies to information in any form: written, electronic, or spoken
Use and Disclosure
Information is used when members of our workforce handle it within the practice, for example:
  Collection of information by clinical staff
  Review of patient charts by clinical staff
  Completion of billing forms by clerical staff
  Accounting and bookkeeping entries
Information is disclosed when it is shared with anyone outside the practice, for example:
  Transmission of information to a health plan
  Transmission of information to a billing service
  Transmission of prescriptions to a pharmacy
  Consultation with an independent provider
  Reporting to government agencies
Notice and Acknowledgement
Notice of Privacy Practices: a statement given to each patient describing how the practice will use and disclose health information and outlining the patient's rights under HIPAA
Acknowledgement: written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it
Authorization
Required for uses and disclosures other than for:
  Treatment
  Payment
  Health care operations
  Compliance with legal mandates
Signed by the patient or the patient's personal representative
Workforce
Members of the medical practice
Employees of the medical practice
Independent contractors we hire
Business Associate
An entity outside our workforce that performs services for the practice involving protected health information
Examples:
  Billing services
  Accreditation agencies
Must give satisfactory assurances, in a written business associate contract, that it will safeguard the information
Personal Representative
A person who can act on behalf of the patient
Must have legal authority to act on the patient's behalf
A personal representative may:
  Acknowledge the Notice of Privacy Practices
  Authorize use and disclosure of information
  Request and receive an accounting of uses and disclosures
  Request amendment of health information
Minimum necessary
HIPAA limits use and disclosure of protected health information to the 'minimum necessary' to accomplish the intended purpose
Examples of what counts as the minimum necessary:
  Any information requested by a provider for treatment
  Any information in a standard transaction
  Information required by an administrative task
  Information specified in a request from:
    Law enforcement officials
    Regulatory officials
    A subpoena or court order
Quiz 1: Key Concepts
Does protected health information include the patient's name, address, and basic demographic information?
Do privacy protections apply to both information recorded on paper and information stored electronically?
Can a family member or close personal friend act as the representative of the patient?
Is a business associate contract required only for those business associates who create or process protected health information?
HIPAA Privacy & Security – Section 2
A Hypothetical Case History
The privacy regulation in action: An overview
A Hypothetical Case History
A patient calls for an appointment
The patient arrives for a first visit
The patient is called by the nurse
Care is discussed with the patient's spouse
A claim is prepared and submitted to the health plan
A newsletter is sent to the practice's patients
A mailing list is requested by a local pharmacy
The patient requests an accounting of disclosures
The patient asks for information from the chart
The patient requests correction of information
Making an appointment
Collect basic patient information:
  Name
  Telephone number
  Health plan
The information is protected from the moment it is collected; collecting it does not violate privacy rules
Patient Arrival
Patient is given the Notice
Staff seek Acknowledgement of the Notice
In the Waiting Room
Disclosure of limited information:
  Patient's signature on the "sign-in" sheet
  Staff call the patient by name from the waiting area
Does not violate privacy rules (an incidental disclosure)
Discussion with patient’s spouse
Information shared with family members involved in the patient's care
Patient has the opportunity to object
Does not violate privacy rules
Claim Submission
Disclosure of information to the health plan for payment
Does not require patient authorization
Does not violate privacy rules
Patient Newsletter
Uses protected information (the practice's own patient mailing list)
Does not require authorization
Does not violate privacy rules
Mailing lists
Must have the patient's written authorization to sell or provide mailing lists to other organizations
Accounting for disclosures
Must provide a list of certain disclosures when requested by the patient
Copying information from chart
Must allow patients to inspect their charts
Must provide copies when requested
Correction of information
Patients may request 'corrections' (amendments) to their records
The practice may approve or deny the requested change
Must document the request and any changes made
HIPAA Privacy & Security – Section 3
Using & Sharing Information
Who can have what information and under what circumstances?
Overview
Uses and disclosures that:
  Do not require patient authorization
  Require specific patient authorization
Disclosures to family members
Incidental disclosures
Authorization not needed for…
Treatment of the patient
Obtaining payment
Our day-to-day operations
Legally mandated reporting or disclosure
Use and Disclosure for Treatment
Treatment includes:
  Collection of information
  Review of patient records and test results
  Consultation with other providers
  Referral to another provider
  Transmitting information to other providers
No 'minimum necessary' restriction on information shared with providers for treatment
Use and Disclosure for Payment
Payment includes:
  Eligibility inquiries
  Coverage determinations
  Submission of claims
  Claim status inquiries
  Remittance of payment
  Credit card and other payment methods
Limited to the data elements of the standard transaction
Use and Disclosure for Operations
Health care operations include:
  Maintenance of medical records
  Maintenance of accounting records
  Quality assurance activities
  Staff credentialing and performance evaluation
  Conducting financial and management audits
  Investigating complaints
  Supporting legal activities
  Resolving grievances
  General business management
Staff may use and disclose only the minimum necessary information
Legally Mandated Disclosures
Police and law enforcement
Public health reporting:
  Reportable infectious diseases
  Vital events (birth and death)
Abuse and neglect reporting
Licensing and regulatory oversight
Legal proceedings
Disclosures to Family Members
Disclosure is permitted:
  To spouses
  To parents and legal guardians
  To others involved in the patient's care
Obtaining the patient's permission:
  When the patient is able to object: give the patient the opportunity to object first
  When the patient is not able to object: share what is in the patient's best interest, using professional judgement
Allows sharing only of information related to the person's involvement in the patient's care
Incidental Disclosures
Examples of incidental disclosure:
  An overheard conversation among staff members
  An overheard discussion between staff and patients
  An overheard telephone call to a patient
  Test results being filed in patient records
Incidental disclosures are permitted, but should be avoided
Incidental disclosures need not be documented
Try to minimize incidental disclosures!
  Conduct discussions in private areas
  Limit discussion when others are present
Quiz 2: Using & Sharing Information
Are there any limits on the use or disclosure of patient information for the purpose of treatment?
Does a patient have to authorize the disclosure of information to a health plan?
Does a patient have to authorize disclosure of information to law enforcement agencies?
Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases?
Can we use patient information for any purpose without obtaining the patient’s authorization?
HIPAA Privacy & Security – Section 4
Notice of Privacy Practices
Helping patients understand how their information will be used – and how their privacy is protected
What the Notice Tells Patients
How their information will be used
With whom their information will be shared
When an authorization is needed
How to request an accounting of uses and disclosures
How to request access to information
How to request changes in information
Review of the Notice
Uses and disclosures that don't require authorization:
  Treatment
  Payment
  Health care operations
  Legally mandated disclosures
Patient rights:
  Request restrictions on use and disclosure
  Request confidential communications
  Obtain an accounting of uses and disclosures
  Review protected health information
  Request changes to information
Providing the Notice to Patients
Responsibility of the receptionist
Provide during the first patient visit
Review key provisions
Discuss and resolve requests for:
  Restrictions on use and disclosure
  Confidential communications
Acknowledgement By Patient
Staff must try to obtain acknowledgement
  Documents that the notice was given
  Required on the first visit only
  Obtain prior to treatment
Use of the acknowledgement form
  Patient signature and date
  Document the attempt if the patient can't or won't acknowledge
  Emergency treatment exception
  Patient gets a copy of the acknowledgement
  Original filed with the patient record
Quiz 3: Notice of Privacy Practices
Does a patient have to be given a Notice prior to treatment?
Does a patient have to be given a Notice on each visit?
Does the patient have to sign the acknowledgement of the Notice?
Do staff have to document a patient’s inability or refusal to sign an acknowledgement of the Notice?
Can a patient restrict use and disclosure of protected health information?
HIPAA Privacy & Security – Section 5
Authorization
Using and disclosing information for purposes not covered by the notice
When is authorization needed?
Medical/clinical research
  Investigational treatment
  Research protocols
  Exception for "de-identified" data
Marketing
  Promoting third-party products/services
  Providing mailing lists to others
Other uses and disclosures, except:
  For treatment, payment, health care operations
  To comply with legal mandates
Content of Authorization
Authorization must:
  Identify the information to be used or disclosed
  Identify the users/persons to whom it is disclosed
  Identify the purposes of the use or disclosure
  Note the potential for redisclosure by the recipient
Conditioning treatment on authorization is allowed only when:
  Treatment is available only to research subjects
  Treatment is requested by the patient solely to create information for disclosure to a third party (e.g., a camp or school physical)
Authorization may be signed by:
  The patient, or
  The patient's personal representative
Obtaining Authorization
Review the authorization form with the patient:
  What information will be used
  What the information will be used for
  Who will use the information
  The potential for re-disclosure
Obtain the patient's or representative's signature
File the authorization form in the records
Quiz 4: Authorization
Is an authorization needed if a patient has signed a consent to participate in a research program?
Does an authorization have to specify the information to be disclosed and the purpose of the disclosure?
Does an authorization have to identify who will use or receive the information?
Does a patient have to authorize disclosure of a camp or school physical?
Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?
Does a patient have to authorize disclosure of information to himself or herself or to a spouse?
HIPAA Privacy & Security – Section 6
Privacy Accounting
Informing patients of certain uses and disclosures of protected health information
Recording Uses/Disclosures
The goal of the accounting:
  Let patients know who has received their information, and why
  Facilitate amendment/correction when erroneous information has been disclosed
Does not require tracking of:
  Uses and disclosures for purposes of treatment, payment, and health care operations
  Uses and disclosures covered by an authorization
Bottom line: only requires tracking and disclosure of:
  Legally mandated disclosures (e.g., public health reporting, law enforcement, subpoena or court order)
  Unauthorized disclosures
Requesting an Accounting
Patients submit an accounting request
Fees for accounting:
  No charge for the first accounting
  May charge for the second and subsequent accountings in a 12-month period
Content of the Accounting
Date of the disclosure
Identity of the person or organization to whom the information was disclosed
Description of the information disclosed
Description of the purpose of the disclosure
Quiz 5: Accounting for Disclosures
Do all uses and disclosures have to be included in an accounting?
Do disclosures to health plans have to be included in an accounting?
Do authorized disclosures have to be included in an accounting?
Do disclosures to police and law enforcement agencies have to be included in an accounting?
Do disclosures to business associates have to be included in an accounting?
HIPAA Privacy & Security – Section 7
Patient Access to Information
How patients can obtain and request changes in their medical information
Patient and Provider Rights
HIPAA gives patients certain rights:
  To review and copy their records
  To request changes in their records
  To have changes communicated to others
HIPAA gives providers certain rights:
  To charge for copies of health information
  To deny requested changes in patient records
Requesting Amendment
Patients may request correction of information in their records
Approving or denying requests
Communicating corrections to prior recipients of the information
Documentation requirements
Quiz 6: Access and Amendment
Can a patient examine his or her medical information?
Can a patient obtain a copy of information in his or her medical chart?
Do patients have to request information from their records in writing?
Can patients change information in their medical records?
Do corrections in patient information have to be transmitted to prior recipients of the incorrect information?
HIPAA Privacy & Security – Section 8
Information Security
Staff responsibilities for keeping information secure
Overview
The basic concepts of security
The responsibility for security
Threats to security
Security protections
What you can do
Security Basics
Two aspects of security:
  Preventing unauthorized access/disclosure (confidentiality)
  Preventing loss or corruption of information (integrity and availability)
Scope of security concerns:
  Securing electronic information
  Securing paper records
Security is everybody’s business
Information systems managers and staff
Medical professionals
Clerical and billing staff
Managers and supervisors
Consultants and contractors
Security Threats
Loss of information
Theft of information
Unauthorized disclosures
Accidental disclosures
Loss of Information
Unintended destruction of information:
  Human error
  Hardware failure
  Fires, floods, and power failures
  Computer viruses and other malware
Response to the threat:
  Staff training and procedures
  Backup procedures and system design
  Disaster and contingency plans
  Anti-virus software
Theft of Information
How information is stolen:
  Computer system penetration by hackers
  Disclosure caused by computer viruses and other malware
Preventing theft:
  Hardware/software firewalls
  Use of password protection
  User authentication
  Anti-virus software
  Encryption
Unauthorized Disclosures
Intentional, but unauthorized, disclosure:
  Failure to check the credentials of the requester
  Failure to check for patient authorization
Unintentional disclosure:
  Breakdown of security during disasters
Accidental Disclosures
Overheard conversations:
  Among staff
  Between staff and patients
Information left in public view:
  Information displayed on computer screens
  Printed information left on desks
  Files accessible to the public or passers-by
Security Protections
Backup procedures
Contingency plans
Organizational safeguards
Technical (hardware and software) safeguards
Guidelines for Computer Use
Log on to and log off of our network
Never let others use your user ID
Choose a secure password
Regularly update your password
Never share your password
Never write your password down
Secure your workstation (lock the screen or log off whenever you step away)
Quiz 7: Security Measures
Is the accidental destruction of information a security problem?
What is the most serious threat to security?
Should people ever let others use their computer ID or password?
Should anti-virus software ever be turned off?
HIPAA Privacy & Security – Section 9
Security & Privacy Wrap-up
What you can do to protect the privacy and safeguard the security of patient information
Privacy Wrap-up
Five things you can do to protect privacy:
  Store all patient information securely
  Discuss patient information in private
  Avoid unnecessary discussion of patient information
  Review restrictions on disclosure and communication before making disclosures
  Confirm the credentials of recipients before disclosing protected health information
Security Wrap-up
Five things you can do to safeguard security:
  Log on to and log off of your computer
  Never let others use your log-on
  Follow the guidelines for password use
  Never disable anti-virus software
  Never install unapproved software