Welcome to the 2018 HIPAA - Torrance, CA… · 29. HIPAA permits reporting domestic, child and...

Welcome to the 2018 HIPAA (Health Insurance Portability and Accountability Act) Privacy Training Presentation and Annual Test Protecting Patient PHI is Everyone’s Responsibility

Post on 27-Jun-2020


Page 1

Welcome to the 2018

HIPAA (Health Insurance Portability and Accountability Act)

Privacy Training Presentation and Annual Test

Protecting Patient PHI is Everyone’s Responsibility

Page 2

What is PHI? PHI (Protected Health Information) is individually identifiable health information that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form (oral or paper) or medium.

PHI includes patient identifiers such as: Names; Address and Phone/Fax Number; Date of Birth; Medical Record Number; Social Security Number; Employer; Diagnosis, Medical History, Medications; Surgical and other procedures; Names of relatives and their employers; Insurance / Health plan, billing records; Email address; and, Photographs, etc.

You may access PHI only if you have a need to know for TPO (Treatment, Payment or Healthcare Operations)!

Page 3

What types of Protected Health Information (PHI) are protected?

Paper medical records;

Electronic medical records;

Oral communication;

Electronic (faxed, email) documents;

Any information that can identify the patient and is related to the person’s past, present or future physical or mental health condition; and,

Anything associated with healthcare services or treatment.

Page 4

Who oversees HIPAA and Compliance at Torrance Memorial?

Mary Goodloe, Privacy Officer, ext. 22069

Monitors compliance with HIPAA and privacy regulations.

Handles privacy incidents and breaches.

Handles Business Associate Agreements.

Todd Felker, Information Security Officer, ext. 22722

Overall accountability for Information Security.

Handles security incidents and breaches.

Dennis Kikuno, Director of Compliance, ext. 16725 (Compliance Hotline 1-855-226-5554)

Oversees compliance program for preventing Medicare fraud and abuse.

Page 5

Patient Rights mandated by HIPAA

Patients have the right to:

Receive our Notice of Privacy Practices

Access their medical record

Request amendments to their medical record

Receive an accounting of disclosures of their medical records

Request restrictions on release of Protected Health Information

File a complaint

Page 6

Who is Authorized to See Patient PHI?

“Minimum Necessary Rule”

Clinical staff, physicians and employees are required to access only the information they need to do their job for TPO

Release of PHI for TPO (Treatment, Payment or Healthcare Operations) is permitted

Release of PHI for Non-TPO is not permitted without a signed Authorization Form

Access to your own or your family’s records is not permitted without a signed Authorization Form

Page 7

Release of Patient Protected Health Information (PHI)

“When is an Authorization Form required from the patient?”

When the release of PHI is for Non-TPO reasons;

When a patient requests a copy of their medical record including images, test results, etc.;

When the patient requests that ePHI (electronic PHI) be sent to a third party;

For marketing when direct or indirect payment is received;

For fundraising if more than the limited information is used or disclosed;

Prior to releasing PHI information to the media or for public display; or

When the release of PHI is to an attorney.

Page 8

Privacy and Social Networking:

Posting ANY patient information, even without patient names, or patient photos may lead to termination, fines and jail time

Facebook

Twitter

YouTube

Page 9

California Law:

Senate Bill 541 - Focus on Facilities

Assembly Bill 211 - Focus on Providers

SB541: Hospitals must report every breach within 15 days after it is detected or discovered to:

Department of Public Health (DPH); and

Patient or Legal Representative

AB211: The Office of Health Information Integrity (OHII) may assess an administrative fine against:

Any person or any provider of health care for any violation under AB 211

What is a Breach?

A breach is the unlawful or unauthorized acquisition, access, use or disclosure of patient PHI.

Page 10

Federal Law: HIPAA Violations

CARELESSNESS (Single Violation):

Faxing to the wrong fax number;

Staff discuss patient medical information in the presence of visitors (family, friends) without the patient’s consent;

Patient is admitted with wrong guarantor/insurance;

Patient receives PHI (discharge summary, results, etc.) belonging to another patient

MISUSE OF PHI:

Staff reviews a record of a patient out of concern or curiosity, or “peeking” in a patient record;

Staff access a patient record for Non-TPO and without a signed authorization from the patient

MISUSE UNDER FALSE PRETENSES:

Using another person’s password to get into a clinical application

MISUSE OF PHI WITH PERSONAL GAIN OR MALICE:

Staff reviews a patient record for personal use or to sell patient PHI

Page 11

Doing your part to protect Patient PHI:

1. Only access information if your job REQUIRES it for TPO (Treatment, Payment, Healthcare Operations);

2. Authorization Form #17 is REQUIRED from the patient prior to Non-TPO access or release of PHI;

3. Faxes with a cover sheet can be sent to a physician office or other health care facility’s fax machine that is within a secure location with:

– Approved fax numbers (on Medical Staff Roster); or

– The recipient waiting by the machine to receive the fax.

4. When carrying documents with PHI around the hospital, cover up the patient’s name and never leave documents unattended;

5. Use sealed containers if taking documents outside of the hospital;

6. Use a low or soft voice when speaking about a patient on the telephone or in areas where you can be overheard by others;

Page 12

Doing your part to protect Patient PHI, cont:

7. Use only the title (Mr., Mrs., Miss) and the last name when calling to a patient in a waiting room;

8. Select the correct patient and/or physician on patient records (avoid same name errors);

9. Check the name on results/reports/CDs BEFORE presenting to patient;

10. Use protective mechanisms such as filters, mirrors or screen savers to block and protect patient information displayed on computer workstations located in general access areas;

11. Suspend, log off, tap out or lock down your PC before you walk away;

12. Protect your computer password; never share it or log on with someone else’s password;

13. Do not post or comment about any patient, even if you don’t use a name, on Facebook or other social networking sites;

14. Do not share or disclose patient information with family, friends or co-workers;

Page 13

Doing your part to protect Patient PHI, cont:

15. Do not email, text or post any information (or photos) that can identify a patient to personal devices;

16. Do not take photos of patients or photocopy documents with patient information for personal use;

17. Ask patients if they would like family/visitors to step out prior to discussing / administering procedures;

18. Close patient room doors / curtains when discussing / administering procedures;

19. Be aware of your surroundings and speak softly when conversing with or treating patients;

20. Avoid discussions about patients in elevators, hallways, the cafeteria or other public areas;

21. Do not leave messages regarding patient conditions or test results on answering machines or with anyone except the patient;

22. Avoid paging patients using information that could reveal their health issues;

Page 14

Doing your part to protect Patient PHI, cont:

23. Use shredding bins to discard documents, reports, labels, wrist bands, etc. containing PHI;

24. Use a marker to cover PHI on IV labels;

25. Emails with PHI sent outside of TMMC must be sent Secure;

26. Promptly report patient privacy incidents to your supervisor, Privacy Officer or the Compliance Department;

27. Treat your patient’s information the way you would want your OWN personal information treated;

28. Emergency care can proceed without getting authorizations signed;

29. HIPAA permits Reporting Domestic, Child and Elderly abuse; and

30. HIPAA permits Public Health Reporting.

Remember “NO PEEKING”

Protecting PHI is everyone’s job; PHI is NOT everyone’s business.

YOU are the key to Preventing Violations!

Page 15

Quiz