HIPAA Privacy and Security Requirements What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information

Upload: alize-markley

Post on 14-Dec-2015


Page 1

HIPAA Privacy and Security Requirements

What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information

Page 2

Program Content

Overview of Privacy and Security
A Hypothetical Case History
Using and Sharing Information
The Notice of Privacy Practices
Authorization
Privacy Accounting
Patient Access to Health Information
Information Security
Wrap-up

Page 3

HIPAA Privacy & Security – Section 1

Overview of Privacy and Security

How HIPAA views privacy and security … and threats to privacy and security

Page 4

Privacy & Security Goals

The goals of privacy
  Patient control over sharing of information
  Disclosure of how information will be used

The goals of security
  Information available to those who need it
  Information not available to those who don't

Page 5

Key Concepts and Terms

Protected Health Information
Use and Disclosure
Notice and Acknowledgement
Authorization
Business Associate
Workforce
Personal Representative
Minimum necessary

Page 6

Key Concepts and Terms

Protected Health Information

General definition
  Information that identifies an individual and describes his/her medical condition or treatment

Specifically includes
  Clinical information
  Information on payment
  Basic demographic information
    Name, address, and telephone number

Applies to written and electronic information

Page 7

Key Concepts and Terms

Use and Disclosure

Information is used by members of our workforce for
  Collection of information by clinical staff
  Review of patient charts by clinical staff
  Completion of billing forms by clerical staff
  Accounting and bookkeeping entries

Information is disclosed when it is shared with others
  Transmission of information to a health plan
  Transmission of information to a billing service
  Transmission of prescriptions to a pharmacy
  Consultation with an independent provider
  Reporting to government agencies

Page 8

Key Concepts and Terms

Notice and Acknowledgement

Notice of Privacy Practices
  A statement given to each patient describing how the practice will use and disclose health information and outlining the patient's rights under HIPAA

Acknowledgement
  Written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

Page 9

Key Concepts and Terms

Authorization

Required for uses and disclosures other than for
  Treatment
  Payment
  Health care operations
  Compliance with legal mandates

Signed by the patient or patient’s personal representative

Page 10

Key Concepts and Terms

Workforce

Members of the medical practice
Employees of the medical practice
Independent contractors we hire

Page 11

Key Concepts and Terms

Business Associate

An outside entity that performs services for the practice that involve protected health information

Examples:
  Billing services
  Accreditation agencies

Must give satisfactory assurances, in a written business associate contract, that it will safeguard the information

Page 12

Key Concepts and Terms

Personal Representative

A person who can act on behalf of the patient
  Must have legal authority to act on the patient's behalf

A personal representative may:
  Acknowledge the Notice of Privacy Practices
  Authorize use and disclosure of information
  Request and receive an accounting of use and disclosure
  Request amendment of health information

Page 13

Key Concepts and Terms

Minimum necessary

HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose

Examples:
  Any information requested for treatment
  Any information in a standard transaction
  Information required by an administrative task
  Information specified in a request from
    Law enforcement officials
    Regulatory officials
    A subpoena or court order

Page 14

Quiz 1: Key Concepts

Does protected health information include the patient's name, address, and basic demographic information?

Do privacy protections apply to both information recorded on paper and information stored electronically?

Can a family member or close personal friend act as the representative of the patient?

Is a business associate contract required only for those business associates who create or process protected health information?

Page 15

HIPAA Privacy & Security – Section 2

A Hypothetical Case History

The privacy regulation in action: An overview

Page 16

A Hypothetical Case History

A patient calls for an appointment
The patient arrives for first visit
The patient is called by the nurse
Care discussed with patient's spouse
Claim prepared and submitted to health plan
Newsletter sent to practice's patients
Mailing list requested by local pharmacy
Patient requests accounting of disclosures
Patient asks for information from chart
Patient requests correction of information

Page 17

A Hypothetical Case History

Making an appointment

Collect basic patient information
  Name
  Telephone number
  Health plan

Information is protected
Does not violate privacy rules

Page 18

A Hypothetical Case History

Patient Arrival

Patient is given the Notice Staff seek Acknowledgement of Notice

Page 19

A Hypothetical Case History

In the Waiting Room

Disclosure of limited information
  Patient's signature on "sign-in" sheet
  Staff call patient from waiting area

Does not violate privacy rules

Page 20

A Hypothetical Case History

Discussion with patient’s spouse

Information shared with family members
Patient has opportunity to object
Does not violate privacy rules

Page 21

A Hypothetical Case History

Claim Submission

Disclosure of information to health plan
Does not require patient authorization
Does not violate privacy rules

Page 22

A Hypothetical Case History

Patient Newsletter

Uses protected information
Does not require authorization
Does not violate privacy rules

Page 23

A Hypothetical Case History

Mailing lists

Must have patient’s permission to sell or provide mailing lists to other organizations

Page 24

A Hypothetical Case History

Accounting for disclosures

Must provide list of certain disclosuresWhen requested by patient

Page 25

A Hypothetical Case History

Copying information from chart

Must allow patients to inspect chartsMust provide copies when requested

Page 26

A Hypothetical Case History

Correction of information

Patients may request 'corrections'
Not obliged to make the change if the information is judged accurate and complete
Must document the request, any denial, and any changes made

Page 27

HIPAA Privacy & Security – Section 3

Using & Sharing Information

Who can have what information and under what circumstances?

Page 28

Overview

Uses and disclosures that...
  Do not require patient authorization
  Require specific patient authorization

Disclosures to family members
Incidental disclosures

Page 29

Authorization not needed for…

Treatment of the patient
Obtaining payment
Our day-to-day operations
Legally mandated reporting or disclosure

Page 30

Authorization not needed

Use and Disclosure for Treatment

Definition of treatment
  Collection of information
  Review of patient records and test results
  Consultation with other providers
  Referral to another provider
  Transmitting information to other providers

Minimum-necessary limits do not apply to information shared with providers for treatment

Page 31

Authorization not needed

Use and Disclosure for Payment

Definition of payment
  Eligibility inquiries
  Coverage determinations
  Submission of claims
  Claim status inquiries
  Remittance of payment
  Credit card and other payment methods

Standard transaction data elements

Page 32

Authorization not needed

Use and Disclosure for Operations

Health Care Operations include:
  Maintenance of medical records
  Maintenance of accounting records
  Quality assurance activities
  Staff credentialing and performance evaluation
  Conducting financial and management audits
  Investigating complaints
  Supporting legal activities
  Resolving grievances
  General business management

Staff may use and disclose only the minimum necessary information

Page 33

Authorization not needed

Legally Mandated Disclosures

Police and Law Enforcement
Public Health Reporting
  Reportable infectious diseases
  Vital events (birth and death)
Abuse and Neglect Reporting
Licensing and regulatory oversight
Legal proceedings

Page 34

Disclosures to Family Members

Disclosure is permitted...
  To spouses
  To parents and legal guardians
  To others involved in care

Obtaining patient's permission
  When patient is able to object
  When patient is not able to object

Allows sharing of information related to the patient's care

Page 35

Incidental Disclosures

Examples of incidental disclosure
  An overheard conversation among staff members
  An overheard discussion between staff and patients
  An overheard telephone call to a patient
  Test results being filed in patient records

Incidental disclosures are permitted... but should be avoided
Incidental disclosures need not be documented

Try to minimize incidental disclosures!
  Conduct discussions in private areas
  Limit discussion when others are present

Page 36

Quiz 2: Using & Sharing Information

Are there any limits on the use or disclosure of patient information for the purpose of treatment?

Does a patient have to authorize the disclosure of information to a health plan?

Does a patient have to authorize disclosure of information to law enforcement agencies?

Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases?

Can we use patient information for any purpose without obtaining the patient’s authorization?

Page 37

HIPAA Privacy & Security – Section 4

Notice of Privacy Practices

Helping patients understand how their information will be used – and how their privacy is protected

Page 38

What the Notice Tells Patients

How their information will be used
With whom their information will be shared
When an authorization is needed
How to request an accounting of uses and disclosures
How to request access to information
How to request changes in information

Page 39

Review of the Notice

Uses and disclosures that don't require authorization
  Treatment
  Payment
  Health care operations
  Legally mandated disclosures

Patient rights
  Request restrictions on use and disclosure
  Request confidential communications
  Obtain an accounting of uses and disclosures
  Review protected health information
  Request changes to information

Page 40

Providing the Notice to Patients

Responsibility of receptionist
Provide during first patient visit
Review key provisions
Discuss and resolve requests for...
  Restrictions on use and disclosure
  Confidential communications

Page 41

Acknowledgement By Patient

Staff must try to obtain acknowledgement
  Documents that notice was given
  Required on first visit only
  Obtain prior to treatment
Use of acknowledgement form
  Patient signature and date
  Document attempt if patient can't acknowledge
  Emergency treatment exception
  Patient gets a copy of the acknowledgement
  Original filed with patient record

Page 42

Quiz 3: Notice of Privacy Practices

Does a patient have to be given a Notice prior to treatment?

Does a patient have to be given a Notice on each visit?

Does the patient have to sign the acknowledgement of the Notice?

Do staff have to document a patient’s inability or refusal to sign an acknowledgement of the Notice?

Can a patient restrict use and disclosure of protected health information?

Page 43

HIPAA Privacy & Security – Section 5

Authorization

Using and disclosing information for purposes not covered by the notice

Page 44

When is authorization needed?

Medical/clinical research
  Investigational treatment
  Research protocols
  Exception for "de-identified" data

Marketing
  Promoting third-party products/services
  Providing mailing lists to others

Other uses and disclosures except
  For treatment, payment, health care operations
  To comply with legal mandates

Page 45

Content of Authorization

Authorization must...
  Identify the information to be used or disclosed
  Identify who will use the information or to whom it will be disclosed
  Identify the purposes of the use or disclosure
  Note the potential for redisclosure by the recipient

Conditioning treatment on authorization
  Treatment may not be conditioned on signing an authorization, except:
    Research-related treatment available only to research subjects
    Treatment the patient requests solely so that the results can be disclosed to a third party (for example, a camp or school physical)

Authorization may be signed by...
  Patient, or
  Patient's personal representative

Page 46

Obtaining Authorization

Review authorization form with patient
  What information will be used
  What the information will be used for
  Who will use the information
  Note the potential for re-disclosure
Obtain patient/representative signature
File authorization form in records

Page 47

Quiz 4: Authorization

Is an authorization needed if a patient has signed a consent to participate in a research program?

Does an authorization have to specify the information to be disclosed and the purpose of the disclosure?

Does an authorization have to identify who will use or receive the information?

Does a patient have to authorize disclosure of a camp or school physical?

Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?

Does a patient have to authorize disclosure of information to himself or herself or to a spouse?

Page 48

HIPAA Privacy & Security – Section 6

Privacy Accounting

Informing patients of certain uses and disclosures of protected health information

Page 49

Recording Uses/Disclosures

The goal of the accounting
  Let patients know who has received their information, and why
  Facilitate amendment/correction when erroneous information has been disclosed

Does not require tracking of...
  Uses and disclosures for purposes of treatment, payment, and health care operations
  Uses and disclosures covered by an authorization

Bottom line: only requires tracking and disclosure of...
  Legally mandated disclosures
  Unauthorized disclosures

Page 50

Requesting an Accounting

Patients submit an accounting request
Fees for accounting
  No charge for the first accounting
  May charge for the second and subsequent accountings in a 12-month period

Page 51

Content of the Accounting

Identity of the person or organization to whom information was disclosed
Description of the information disclosed
Description of the purpose of the disclosure
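The tracking rule in this section (treatment, payment, operations and authorized disclosures are not reported; legally mandated and unauthorized disclosures are, each with recipient, description and purpose; the first accounting in a 12-month period is free) amounts to a filter over a disclosure log. The Python below is an added example, not code from the training deck or any product; the purpose codes, field names and sample log entries are constructed assumptions.

```python
"""Accounting of disclosures: which log entries a patient is owed, and
whether a fee may apply. Added illustration, not part of the training deck."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Purpose codes are an assumption for this example. Uses and disclosures for
# treatment, payment and health care operations, and disclosures made under a
# signed authorization, are not tracked for the accounting.
EXEMPT_PURPOSES = frozenset({"treatment", "payment", "operations", "authorization"})
# Categories the deck says must be tracked and reported to the patient.
ACCOUNTABLE_PURPOSES = frozenset({"legal_mandate", "unauthorized"})
# The three fields every accounting entry must carry.
REQUIRED_FIELDS = ("recipient", "description", "purpose")


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # identity of the person or organization that received the information
    description: str    # what information was disclosed
    purpose: str        # one of the purpose codes above


def is_accountable(d: Disclosure) -> bool:
    """True when the disclosure must appear in the patient's accounting.
    An unknown purpose code is a coding error and is raised, not silently dropped."""
    if d.purpose in EXEMPT_PURPOSES:
        return False
    if d.purpose in ACCOUNTABLE_PURPOSES:
        return True
    raise ValueError(f"unknown purpose code {d.purpose!r}")


def build_accounting(log: Iterable[Disclosure], patient_id: str) -> List[Dict[str, str]]:
    """Return the accounting entries for one patient, oldest first, each
    carrying the date plus the three required fields."""
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or not is_accountable(d):
            continue
        entry = {"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                 "description": d.description, "purpose": d.purpose}
        missing = [f for f in REQUIRED_FIELDS if not entry[f]]
        if missing:
            raise ValueError(f"disclosure on {entry['date']} lacks {missing}")
        entries.append(entry)
    return entries


def fee_may_apply(prior_request_dates: Iterable[date], request_date: date) -> bool:
    """The first accounting in a 12-month period is free; a fee may be charged
    for the second and later ones. 12 months is approximated as 365 days here."""
    window_start = request_date - timedelta(days=365)
    return any(window_start < r <= request_date for r in prior_request_dates)


# Constructed sample log: fictional patients, recipients and dates.
SAMPLE_LOG = [
    Disclosure("P-001", date(2015, 3, 2), "Dr. Consulting Physician",
               "visit notes and lab results", "treatment"),
    Disclosure("P-001", date(2015, 3, 9), "Acme Health Plan",
               "claim for 2015-03-02 visit", "payment"),
    Disclosure("P-001", date(2015, 6, 10), "State Department of Health",
               "reportable infectious disease report", "legal_mandate"),
    Disclosure("P-001", date(2015, 7, 1), "Example Life Insurance Co.",
               "full chart copy", "authorization"),
    Disclosure("P-001", date(2015, 8, 3), "Wrong Pharmacy (misdirected fax)",
               "prescription with name and diagnosis", "unauthorized"),
    Disclosure("P-002", date(2015, 8, 3), "Acme Health Plan",
               "claim for 2015-08-01 visit", "payment"),
]

if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, "P-001"):
        print(entry)
    print("fee may apply:", fee_may_apply([date(2015, 9, 1)], date(2016, 3, 1)))
```

Of the five P-001 records only the public health report and the misdirected fax survive the filter; the consultation, the claim and the authorized release are dropped, as the section says they should be. Raising on an unknown purpose code is deliberate: a mis-coded record should surface for review rather than quietly fall out of a patient's accounting.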

Page 52

Quiz 5: Accounting for Disclosures

Do all uses and disclosures have to be included in an accounting?

Do disclosures to health plans have to be included in an accounting?

Do authorized disclosures have to be included in an accounting?

Do disclosures to police and law enforcement agencies have to be included in an accounting?

Do disclosures to business associates have to be included in an accounting?

Page 53

HIPAA Privacy & Security – Section 7

Patient Access to Information

How patients can obtain and request changes in their medical information

Page 54

Patient and Provider Rights

HIPAA gives patients certain rights
  To review and copy their records
  To request changes in their records
  To have changes communicated to others

HIPAA gives providers certain rights
  To charge for copies of health information
  To deny requested changes in patient records

Page 55

Requesting Amendment

Patients may request correction of information in their records

Approving or denying requests
Communicating corrections
Documentation requirements

Page 56

Quiz 6: Access and Amendment

Can a patient examine his or her medical information?

Can a patient obtain a copy of information in his or her medical chart?

Do patients have to request information from their records in writing?

Can patients change information in their medical records?

Do corrections in patient information have to be transmitted to prior recipients of the incorrect information?

Page 57

HIPAA Privacy & Security – Section 8

Information Security

Staff responsibilities for keeping information secure

Page 58

Overview

The basic concepts of security
The responsibility for security
Threats to security
Security protections
What you can do

Page 59

Security Basics

Two aspects of security
  Preventing unauthorized access/disclosure
  Preventing loss of information

Scope of security concerns
  Securing electronic information
  Securing paper records

Page 60

Security is everybody’s business

Information systems managers & staff
Medical professionals
Clerical and billing staff
Managers and supervisors
Consultants and contractors

Page 61

Security Threats

Loss of information
Theft of information
Unauthorized disclosures
Accidental disclosures

Page 62

Loss of Information

Unintended destruction of information
  Human error
  Hardware failure
  Fires, floods, and power failures
  Computer viruses

Response to the threat
  Staff training and procedures
  Backup procedures and system design
  Disaster and contingency plans
  Anti-virus software

Page 63

Theft of Information

How information is stolen
  Computer system penetration by hackers
  Disclosure caused by computer viruses

Preventing theft
  Hardware/software firewalls
  Use of password protection
  User authentication
  Anti-virus software
  Encryption

Page 64

Unauthorized Disclosures

Intentional, but unauthorized, disclosure
  Failure to check credentials of requester
  Failure to check patient authorization

Unintentional disclosure
  Breakdown of security during disasters

Page 65

Accidental Disclosures

Overheard conversations
  Among staff
  Between staff and patients

Information left in public view
  Information displayed on computer screens
  Printed information left on desks
  Files accessible to public/passers-by

Page 66

Security Protections

Backup procedures
Contingency plans
Organizational safeguards
Technical (hardware and software) safeguards

Page 67

Guidelines for Computer Use

Log on and log off our network
Never let others use your user ID
Choose a secure password
Regularly update your password
Never share your password
Never write your password down
Secure your workstation

Page 68

Quiz 7: Security Measures

Is the accidental destruction of information a security problem?

What is the most serious threat to security?

Should people ever let others use their computer ID or password?

Should anti-virus software ever be turned off?

Page 69

HIPAA Privacy & Security – Section 9

Security & Privacy Wrap-up

What you can do to protect the privacy and safeguard the security of patient information

Page 70

Privacy Wrap-up
Five things you can do to protect privacy

Store all patient information securely
Discuss patient information in private
Avoid unnecessary discussion of patient information
Review restrictions on disclosure and communication before making disclosures
Confirm credentials of recipients before disclosing protected health information

Page 71

Security Wrap-up
Five things you can do to safeguard security

Log on and log off of your computer
Never let others use your log-on
Follow guidelines for password use
Never disable anti-virus software
Never install unapproved software