The University of Toledo
o Family Educational Rights and Privacy
Act - FERPA
o Public Records
o Obama Administration - 2010
Who is the Compliance Officer?
Health Insurance Portability and Accountability Act (HIPAA)
o Privacy – covers certain health information in any form: written, spoken, electronic or any other
o Security – covers information that is stored
What is HIPAA?
o Law created to improve access to health insurance, protect the privacy of health information and promote standardization of electronic health-care related records to improve and safeguard their use.
Hospitals In Pain, Anguish, and Agony
Patient privacy is everyone’s concern.
It’s a basic part of patient care.
What can happen if you don’t follow the
o There may be a fine for each violation of the rule. Total fines can go up to $1.5 million per year.
o A person can be fined or sent to
o “Fifteen fired, eight disciplined for looking at medical records of octuplet mother.” FoxNews.com March 2009
o “CVS Pays $2.25 Million to Settle HIPAA Privacy Case” HHS.gov Feb
o “Staff nurse faces jail time for copying medical record with intent to do malicious harm. Possible 10 years in prison, fine of $250,000. The nursing board is seeking to revoke her license.” Renal and Urology News Oct. 2008
A Closer look at PHI
o Pay attention to information that gives details about who a person is:
o Social Security Number, Account Number, MRN
o All or part of an address
o Phone or fax number
o Drivers License number, license plate
o Date of Birth
o Admission or discharge date
When combined with health information these could be considered PHI. Health Information is protected if it could be used to identify somebody.
Examples of PHI:
o Medical record
o Prescription label
o An x-ray
o Doctor’s notes about a patient
o A letter giving patient test results
o Facesheet
o Waste material that contains personal label
o Information sent from one place to another - computer, fax, phone or mail.
o Computer monitors that can be seen by the public
o Information that you say ALOUD.
o Facebook, pictures of patients.
To name a few!!!
HIPAA Rule: Minimum Necessary
o Only access PHI you need to do
o Any time you share PHI with others provide only the information the other person or
General rules for disclosing and using PHI
o You may disclose or use PHI for
Treat a patient
Get payment for health-care services
Continuity of Care
Fraud and Compliance programs
Competency activities –accreditation
Suspected abuse or neglect
o O-Health care operations
In all instances, strict regulations apply.
Incidental disclosures of PHI
o When PHI is seen or heard by someone who does not need to
o Even though UTMC has taken appropriate steps to limit the information shared or keep the
Example - nurses’ stations or two patients in the
Getting authorization to disclose
o Authorization to disclose PHI must be obtained when
o Provided to insurer or other business
o Information is communicated to an employer (pre-employment physical)
Some Do’s and Don’ts when talking
Do’s:
o Speak quietly when possible
o Avoid using patient names in hallways and public areas
o Share information needed to treat the patient
o Use a private space to properly
Don’ts:
o Share PHI with people who don’t need to know it to do their job
o Share PHI you are not authorized to disclose
o Let privacy issues keep you from treating the patient
o Shut and lock doors when leaving
o PHI should not be visible or audible
o Computer monitors should be turned away from the direction of public view
o Copy only the minimum necessary
o Securely dispose of all PHI
o Home offices are subject as well
o Record storage areas must be secure
Safeguard guidelines cont.
o Printers and Fax Machines must be
o Unauthorized personnel may not be left alone without supervision
o Policies apply to any Portable Device or
o Visitors must be accompanied
o EVERYONE is responsible for PHI
o DO NOT SHARE YOUR LOG-IN OR
Protect printed PHI
o Where is printed PHI?
o Patient chart
o Wrist tag
o Prescription bottle
o Lab report
o Log sheets/patient lists
o Patient mailing list
o ALWAYS use a shred bin for printed PHI!
o They have them
o They know them
o Respect them
o Know policies and practice appropriate procedures within your
o If unsure, ASK
o The Family Educational Rights and Privacy Act of
o Protects students
o The University of Toledo’s operational functions are considered
President Obama legislative changes
o Health Care Reform
o American Recovery & Reinvestment Act of 2009 (ARRA)
o New requirements will include:
o Notification of HIPAA breaches
o Application of HIPAA to BA’s
o Restrictions requested by patients
o Electronic Health Records
o Increased penalties and enforcement
o HITECH Act
How do I report….
o Report concerns in these steps:
o First to your professor
o Advisor or Dean of College
o Student Academic Affairs
o Compliance/Privacy Officer, x 6933
What are my rights….
o Non-retaliation policy
o Qui tam provisions (“whistleblower” )
o Who’s the Compliance/Privacy Officer?
o Name 3 safeguards for PHI.
o What does HIPAA stand for?
o Name 3 examples of PHI.
o Can you be held personally responsible
for a HIPAA violation?
o What is minimum necessary?
o If you are unsure, what should you do?
o PHI used for TPO is a permitted disclosure; what does TPO stand for?
It’s YOUR Responsibility.