TRANSCRIPT
Welcome to the 2018
HIPAA (Health Insurance Portability and Accountability Act)
Privacy Training Presentation and Annual Test
Protecting Patient PHI
is Everyone’s Responsibility
What is PHI? PHI (Protected Health Information) is individually identifiable health information that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form (oral or paper) or medium.
PHI includes patient identifiers such as: Names; Address and Phone/Fax Number; Date of Birth; Medical Record Number; Social Security Number; Employer; Diagnosis, Medical History, Medications; Surgical and other procedures; Names of relatives and their employers; Insurance / Health plan, billing records; Email address; and, Photographs, etc.
You may access PHI only if you have a need to know for TPO (Treatment, Payment or Healthcare Operations)!
What types of Protected Health Information (PHI) are protected?
Paper medical records; Electronic medical records; Oral communication; Electronic (faxed, email) documents; Any information that can identify the patient and is related to the person’s past, present or future physical or mental health condition; and, Anything associated with healthcare services or treatment.
Who oversees HIPAA and Compliance at Torrance Memorial?
Mary Goodloe, Privacy Officer, ext. 22069: Monitors compliance with HIPAA and privacy regulations. Handles privacy incidents and breaches. Handles Business Associate Agreements.
Todd Felker, Information Security Officer, ext. 22722: Overall accountability for Information Security. Handles security incidents and breaches.
Dennis Kikuno, Director of Compliance, ext. 16725 (Compliance Hotline 1-855-226-5554): Oversees compliance program for preventing Medicare fraud and abuse.
Patient Rights mandated by HIPAA
Patients have the right to:
Receive our Notice of Privacy Practices
Access their medical record
Request amendments to their medical record
Receive an accounting of disclosures of their medical records
Request restrictions on release of Protected Health Information
File a complaint
“Minimum Necessary Rule”
Clinical staff, physicians and employees are required to access only the information they need to do their job for TPO.
Release of PHI for TPO (Treatment, Payment or Healthcare Operations) is permitted.
Release of PHI for Non-TPO is not permitted without a signed Authorization Form.
Access to your own or your family’s records is not permitted without a signed Authorization Form.
Who is Authorized to See Patient PHI?
“When is an Authorization Form required from the patient?”
When the release of PHI is for Non-TPO reasons;
When a patient requests a copy of their medical record including images, tests results, etc.;
When the patient requests that ePHI (electronic PHI) be sent to a third party;
For marketing when direct or indirect payment is received;
For fundraising if more than the limited information is used or disclosed;
Prior to releasing PHI information to the media or for public display; or
When the release of PHI is to an attorney.
Release of Patient Protected Health Information (PHI)
Privacy and Social Networking:
Posting ANY patient information, even without patient names, or patient photos on social networking sites such as YouTube may lead to termination, fines and jail time.
California Law: Senate Bill 541 - Focus on Facilities
Assembly Bill 211 - Focus on Providers
SB541: Hospitals must report every breach within 15 days after it is detected or discovered to: the Department of Public Health (DPH); and the Patient or Legal Representative.
AB211: The Office of Health Information Integrity (OHII) may assess an administrative fine against any person or any provider of health care for any violation under AB 211.
What is a Breach? A breach is the unlawful or unauthorized acquisition, access, use or disclosure of patient PHI.
Federal Law: HIPAA Violations
CARELESSNESS (Single Violation): Faxing to the wrong fax number; Staff discuss patient medical information in the presence of visitors (family, friends) without the patient’s consent; Patient is admitted with the wrong guarantor/insurance; Patient receives PHI (discharge summary, results, etc.) belonging to another patient.
MISUSE OF PHI: Staff reviews a record of a patient out of concern or curiosity, or “peeks” in a patient record; Staff access a patient record for Non-TPO and without a signed authorization from the patient.
MISUSE UNDER FALSE PRETENSES: Using another person’s password to get into a clinical application.
MISUSE OF PHI WITH PERSONAL GAIN OR MALICE: Staff reviews a patient record for personal use or to sell patient PHI.
Doing your part to protect Patient PHI:
1. Only access information if your job REQUIRES it for TPO (Treatment, Payment, Healthcare Operations);
2. Authorization Form #17 is REQUIRED from the patient prior to Non-TPO access or release of PHI;
3. Faxes with a cover sheet can be sent to a physician office or other health care facility’s fax machine that is within a secure location with:
– Approved fax numbers (on the Medical Staff Roster); or
– The recipient waiting by the machine to receive the fax.
4. When carrying documents with PHI around the hospital, cover up the patient’s name and never leave documents unattended;
5. Use sealed containers if taking documents outside of the hospital;
6. Use a low or soft voice when speaking about a patient on the telephone or in areas where you can be overheard by others;
Doing your part to protect Patient PHI, cont:
7. Use only the title (Mr., Mrs., Miss) and the last name when calling a patient in a waiting room;
8. Select the correct patient and/or physician on patient records (avoid same-name errors);
9. Check the name on results /reports/ CD’s BEFORE presenting to patient;
10. Use protective mechanisms such as filters, mirrors or screen savers to block and protect patient information displayed on computer workstations located in general access areas;
11. Suspend, log off, tap out or lock down your PC before you walk away;
12. Protect your computer password; never share it or log on with someone else’s password;
13. Do not post or comment about any patient, even if you don’t use a name, on Facebook or other social networking sites;
14. Do not share or disclose patient information with family, friends or co-workers;
Doing your part to protect Patient PHI, cont:
15. Do not email, text or post any information (or photos) that can identify a patient to personal devices;
16. Do not take photos of patients or photocopy documents with patient information for personal use;
17. Ask patients if they would like family/visitors to step out prior to discussing / administering procedures;
18. Close patient room doors / curtains when discussing / administering procedures;
19. Be aware of your surroundings and speak softly when conversing with or treating patients;
20. Avoid discussions about patients in elevators, hallways, the cafeteria or other public areas;
21. Do not leave messages regarding patient conditions or test results on answering machines or with anyone except the patient;
22. Avoid paging patients using information that could reveal their health issues;
Doing your part to protect Patient PHI, cont:
23. Use shredding bins to discard documents, reports, labels, wrist bands, etc. containing PHI;
24. Use a marker to cover PHI on IV labels;
25. Emails with PHI sent outside of TMMC must be sent Secure;
26. Promptly report patient privacy incidents to your supervisor, the Privacy Officer or the Compliance Department;
27. Treat your patient’s information the way you would want your OWN personal information treated;
28. Emergency care can proceed without getting authorizations signed;
29. HIPAA permits Reporting Domestic, Child and Elderly abuse; and
30. HIPAA permits Public Health Reporting.
Remember: “NO PEEKING”
Protecting PHI is everyone’s job; PHI is NOT everyone’s business. YOU are the key to Preventing Violations!