
Protecting a Patient’s Privacy

What is HITECH

Use or Disclosure of PHI

Protected Health Information

How HIPAA Applies to You

Remember

Protected Health Information Identifiers

Notice of Privacy Practice for PHI

What is HIPAA?

Who uses PHI

Health Information Technology for Economical and Clinical Health

Updated the standards for HIPAA privacy and security provisions

  • Required notification of security/privacy breaches
  • Increased fines and penalties for privacy violations
  • Patient right to restrict disclosure to health plans for services self-paid in full (hide rule or self-pay restriction)
  • Mandates that Business Associates are directly liable for compliance with HIPAA provisions

Course Objectives

It’s common sense

  • Use information only when necessary to perform your job duties
  • Use only the minimum necessary to perform your job duties
  • Ask if you do not know

Ways in which you can ensure a patient’s information is protected

  • Treat all information as if it were about you or your family
  • Do not discuss confidential patient information in hallways, break room, restroom, etc.
  • Shred all documents and CDs with patient information before discarding
  • Don’t discuss with family, friends, or people in the facility who are not directly involved in treatment, payment, or operations.
  • Don’t leave charts, schedules, or open documents on your computer that may contain patient information in plain view.
  • Access only the information you are authorized to access
  • Do not share passwords with anyone
  • Do not allow visitors or patients in areas where charts are stored
  • Conduct telephone conversations about confidential patient information in a discreet manner.

All Huntsville Pediatric and Adult Medicine Associates employees must be trained on HIPAA policies and the specific procedures that may affect the work you do. The rules apply to you when you look at, use, or share protected health information.

Protected Health Information (PHI) is:

  • Any information related to a patient’s past, present, or future physical and/or mental health or condition
  • Includes at least one of 18 personal identifiers
  • Can be in any form: written, spoken, or electronic (x-rays, video, and photographs)
  • Excludes information on individuals who have been deceased for 50 years or more.

  • Name
  • Postal address
  • All elements of dates except year
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social security number
  • Account numbers
  • License numbers
  • Medical record number
  • Health plan beneficiary #
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial numbers
  • Biometric identifiers (finger/voice prints)
  • Full face photos and other comparable images
  • Any other unique identifying number, code, or characteristic

  • Do not share any patient information on social media
  • Information obtained from your patient/provider relationship is confidential
  • Posting information without authorization is a violation of the patient’s right to privacy and confidentiality
  • Even if you think you’ve de-identified the information, it still might be identifiable to others
  • NOTE: de-identification of PHI requires removal of all 18 PHI identifiers

  • Anyone who works with or may view health, financial, or confidential information containing HIPAA-protected health identifiers
  • Everyone who uses a computer or electronic device which stores and/or transmits information
  • All medical staff
  • Administrative staff with access to PHI
  • Accounting and payroll staff
  • Researchers and staff investigators
  • Almost EVERYONE, at one time or another

Notice of Privacy Practice allows PHI to be used and disclosed for purposes of TPO

  • Treatment (T), Payment (P), and Operations (O)
  • TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law
  • HPAM must have a Business Associate Agreement with vendors who will use or potentially have access to PHI when providing a service for Institute for Life Enrichment

HIPAA stands for the Health Information Portability and Accountability Act

A federal law that specifies administrative simplification provisions that:

  • Protects the privacy of patient information both electronic and physical
  • Requires “minimum necessary” use and disclosure
  • Specifies patient rights to approve access and use of their medical information
  • Provides a complaints process that accepts, records, and investigates patient complaints
  • Designates a Privacy Official

Privacy and Security Training explains:

  • The requirements of HIPAA/HITECH regulations, privacy laws and procedures that protect the privacy and security of confidential data
  • How these affect your job
  • What information must be protected
  • Your responsibilities for good computer practices
  • How to report privacy and security breaches

In order for Huntsville Pediatric and Adult Medicine Associates to use or disclose PHI:

  • Each patient must receive and sign a Notice of Privacy Practice that:
      • Describes how HPAM may use and disclose the patient’s PHI
      • Advises the patient of his/her privacy rights
  • HPAM must attempt to obtain the patient’s signature acknowledging the receipt of the Notice. In emergency situations, if the signature is not obtained, document the reason why it was not.

Security of Electronic Patient Information (ePHI)

Privacy Breach from Lost, Stolen, or Misdirected Information

Computer Security

Know Where You Left Your Paperwork

Scenario 2

Verbal Exchanges

Scenario 1

When you suspect or know of a breach you must report it to the privacy officer IMMEDIATELY

Scenario 1 - Answer

Good security standards follow the “90/10” Rule:

  • 10% of security safeguards are technical
  • 90% of security safeguards rely on the computer user (YOU) to adhere to good computer practices

Scenarios

  • You are responsible for protecting your user ID
  • You are responsible for protecting your password
  • You are responsible for logging out of programs that access PHI when not in use
  • Privacy violations carry penalties including fines, termination from employment, and imprisonment
  • Immediately report any known or suspected privacy breaches to the Privacy Officer at x8926

The correct answer is A.

Information can only be used as needed for your job

A. You may not discuss any patient information with anyone unless required for your job

Double check!

Verify that you are giving documents to the correct patient.

Check printers, copiers and faxes when you are done using them.

Don't leave hard copies of PHI lying on your desk.

Question and Answer

  • Ensure your computer and data are secured (locked drawers, secure areas, etc.)
  • Create strong passwords and do not share your passwords
  • Log off the terminal when you are done, or whenever you walk away
  • Use a privacy screen
  • Lock your PC using Ctrl + Alt + Delete
  • Use passwords to start or wake up your computer

  • Patients may see normal clinical operations as violating their privacy
  • Be aware of your surroundings when talking
  • Do not leave PHI on answering machines
  • Ask yourself: “What if it was my information being discussed like this?”

My co-worker’s husband notified me that my co-worker was recently admitted to the Emergency Department and won’t be coming into work tomorrow. My co-worker and I have a great relationship, and I’d like to know how she’s doing. May I access her records to check on her condition?

A. It is okay as we are friends, so I’m sure she wouldn’t mind me looking at her records.

B. I already have approval to access patient clinical systems, so no one will know I accessed it.

C. It is not necessary for my job, so I would be violating the patient’s privacy by accessing her records. I should contact her husband to check on her condition

Privacy breach occurs when information is:

  • Physically lost or stolen
  • Paper copies, films, tapes, electronic devices
  • Misdirected to others
  • Verbal messages sent to or left on wrong voicemail or wrong person
  • Mislabeled mail, misdirected email
  • Wrong fax number, wrong phone number
  • Placed on Internet, websites, Facebook, Twitter

I do not work with patients or have access to medical records, however I see patients pass by my desk in the clinic. Can I talk about the patients with my coworkers, family and friends even if it has nothing to do with my job?

A. You may not discuss any patient information with anyone unless required for your job

B. You may only talk about the patient with coworkers

C. You may only talk about the patient with your family and friends

As an employee of HPAM, you are responsible for following policies and procedures to protect the privacy and security of all protected health information.

HIPAA Resources

Scenario 4 - Answer

Scenario 5 - Answer

Scenario 5

Scenario 4

Scenario 3 - Answer

Scenario 2 - Answer

Scenario 3

  • Health and Human Services- understanding HIPAA: www.hhs.gov/ocr/privacy
  • Texas Medical Association Legal section: www.texmed.org
  • Texas Medical Association Policies and Procedures
  • HIPAA Privacy Rule: what employers need to know: www.twc.state.tx.us/news/efta/hipaa

I called a patient’s phone number and left a voice mail for Mr. John Smith to contact UCSF regarding his scheduled thyroid surgery. Was this a privacy breach?

A. No, the patient provided his phone number

B. Potentially, I stated his name and medical procedure

C. No, I did not state the medical reason for the surgery

Is the Facebook post below a privacy breach?

A. Yes

B. No

Profile

Name: Jane Doe

Lives In: San Francisco, CA

Works At: Patient Coordinator at the Helen Diller Family

Comprehensive Cancer Center UCSF Medical Center

September 4, 2013 at 3:12PM:

Jane writes: “OMG, I was just face to face with someone REALLY famous in my clinic today… so sad though, she was just diagnosed with stage 3 breast cancer. :(”


The correct answer is A.

Even though Jane tried to de-identify the information by omitting the celebrity’s name, it is still PHI.

Remember: PHI = Health Information + one or more of the 18 PHI identifiers

Health information: celebrity’s diagnosis (breast cancer)

Identifier: Date of service

Someone may have seen a celebrity walk into the medical center practice on 9/4/13, or seen a celebrity’s name on the practice’s 9/4/13 schedule. If so, this post reveals to them that the celebrity has breast cancer.

Best Practice: Do not share on social media any details of a patient situation you experienced at work.
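The rule "PHI = Health Information + one or more of the 18 identifiers" can be checked mechanically for the identifiers that have a recognisable shape (dates, phone numbers, email, URLs, IP addresses, SSNs) and at field level for the rest. The following is an added example in Python, not part of the training deck: the regular expressions, the field names in IDENTIFIER_FIELDS, and the sample POST and VOICEMAIL_RECORD are assumptions constructed here, modelled on the two scenarios above. It shows that stripping the celebrity's name leaves the post as PHI because the date of service remains, and that a year-only date of birth does not count as an identifier.

```python
"""Added example: a minimal Safe Harbor identifier scan over free text and
structured records. Illustrates the page's rule that health information plus
any one of the identifiers is PHI, and that stripping a name alone does not
de-identify a record. Not part of the training deck; patterns are assumptions
and cover only the identifier categories that have a recognisable shape."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier categories recognisable by pattern in free text. Names, medical
# record numbers, account numbers and the like have no fixed shape and are
# handled at field level by scan_record() instead.
PATTERNS: dict[str, re.Pattern[str]] = {
    "date (elements other than year)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"            # 9/4/13, 09/04/2013
        r"|(?:January|February|March|April|May|June|July|August|"
        r"September|October|November|December)\s+\d{1,2}(?:,\s*\d{4})?)\b",
        re.IGNORECASE),
    "telephone/fax number": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "URL": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Assumed field names of a structured record, mapped to identifier categories.
IDENTIFIER_FIELDS = {
    "name": "name",
    "address": "postal address",
    "dob": "date (elements other than year)",
    "phone": "telephone number",
    "email": "email address",
    "ssn": "social security number",
    "mrn": "medical record number",
    "account_number": "account number",
}


@dataclass
class Finding:
    category: str
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return every pattern-detectable identifier present in free text."""
    return [Finding(category, m.group(0))
            for category, pattern in PATTERNS.items()
            for m in pattern.finditer(text)]


def scan_record(record: dict[str, str | None]) -> list[Finding]:
    """Return the populated identifier fields of a structured record.
    A year-only date of birth is not an identifier under the page's rule
    ("all elements of dates except year")."""
    findings = []
    for field, category in IDENTIFIER_FIELDS.items():
        value = record.get(field)
        if value in (None, ""):
            continue
        if field == "dob" and re.fullmatch(r"\d{4}", value.strip()):
            continue
        findings.append(Finding(category, value))
    return findings


def is_phi(has_health_info: bool, findings: list[Finding]) -> bool:
    """PHI = health information + one or more identifiers."""
    return has_health_info and len(findings) > 0


def redact(text: str) -> str:
    """Replace pattern-detectable identifiers. Quasi-identifiers such as
    'REALLY famous' or the poster's workplace survive this step untouched."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category} removed]", text)
    return text


# Constructed sample modelled on the Facebook scenario; the posting timestamp
# is included because the posting date is itself a date element.
POST = ("September 4, 2013 at 3:12PM: OMG, I was just face to face with someone "
        "REALLY famous in my clinic today... so sad though, she was just "
        "diagnosed with stage 3 breast cancer.")

# Constructed record modelled on the voicemail scenario (thyroid surgery).
VOICEMAIL_RECORD = {"name": "John Smith", "phone": "", "dob": "1960",
                    "mrn": "", "account_number": ""}

if __name__ == "__main__":
    for f in scan_text(POST):
        print(f"{f.category}: {f.value}")
    print("post is PHI:", is_phi(True, scan_text(POST)))
    print(redact(POST))
    print("voicemail is PHI:", is_phi(True, scan_record(VOICEMAIL_RECORD)))
```

Running the block reports the date of service as the one detectable identifier in the post, so the post is PHI even though no name appears. The redacted text still says "REALLY famous" and "in my clinic", which together with the poster's profile may identify the patient; that is why the deck's best practice is to post nothing about a patient situation at all rather than to rely on a scrubbing step.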

The correct answer is B.

A patient's name in conjunction with any medical information constitutes PHI. You do not know who will hear the message; the patient may not have told his family, friends, or roommate. It is best practice to leave the minimum amount of information needed: your name, phone number, and that you are from UCSF. Never leave PHI on an answering machine. Ask your supervisor for the voicemail procedure in your area.

B. Potentially, I stated his name and medical procedure.

You are very upset because a young patient of yours has just coded and was not able to be resuscitated. You want to share this experience and your thoughts and feelings with your family and friends on Facebook. What must you consider before doing this?

A. Posting this on Facebook is OK as long as you do not identify the patient by name, or identify the hospital, and you are limiting the recipients to your friends and family.

B. You cannot post anything on Facebook that could possibly lead to identification of the patient.

The correct answer is B.

Facebook is a public forum, and anything you post there is considered public information.

Posting clinical details without authorization is a violation of your patient's right to privacy and confidentiality.

Your Facebook profile may identify your place of work and your occupation. When linked with your posting, this provides additional details that may identify the patient.

Information you obtain from your patient/provider relationship is confidential.

B. You cannot post anything on Facebook that could possibly lead to identification of the patient.

The correct answer is C.

It is not part of your job – your access to your co-worker’s record would be for personal reasons. Therefore, accessing the record would be a violation of your co-worker’s privacy. Furthermore, your access to the record is automatically recorded and tracked. There could be serious consequences to your employment.

C. It is not necessary for my job, so I would be violating the patient’s privacy by accessing her records. I should contact her husband to check on her condition.
