HIPAA Physician Guide

Shared by: guy23 (posted 1/10/2009)
Stanford Hospital And Clinics
Lucille Packard Children's Hospital
HIPAA Physician Guide

Introduction

Confidentiality of patients' medical information has always been an important principle in medicine. The Hippocratic Oath includes: "What I may say or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about." Patient autonomy, one of the cornerstones of medical ethics, holds that a patient is sovereign over his/her own body, including information about it. In addition, the patient-physician relationship is based in part on the patient's trust that their physician will hold their medical information in confidence.

The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, adds new specific rights and requirements to the long tradition of confidentiality in medicine. The initial purpose of the Act was to prevent people from losing their health insurance when they changed jobs. It included additional measures to standardize the electronic transmission of medical data as a cost saving measure. This led to heightened patient concerns that the confidentiality of this information needed additional protection. In response, the Secretary of the U.S. Department of Health & Human Services (HHS) developed the HIPAA privacy regulations. In total, these requirements prescribe standards for the security of stored information and privacy cautions in the collection, use and transfer of information. Security and privacy are both necessary to ensure confidentiality. The HIPAA privacy regulations pertain to information in any form: electronic, written, verbal and other media.

This booklet provides only a very brief description of the HIPAA policies of SHC and LPCH. The entire text of the policies can be read at the Stanford Web Intranet site http://intranetmedcenter/shc/default.htm or at the HIPAA online training Internet site located at http://hipaainfo.stanfordmed.org.

To prepare for HIPAA and comply with requirements in the future, a physician should:
• Complete the HIPAA E-learning training required of all members of the medical staff
• Read this guide
• Read the Notice of Privacy Practices
• Know where to find additional help or advice for HIPAA compliance

Patient Rights

HIPAA grants new rights to patients and also will likely heighten awareness of existing rights. Patients have the right to:
• Inspect and obtain a copy of any medical record that providers use to make decisions about them and their treatment. This includes the legal medical record and their billing records, and may extend to other shadow and research records if not included in the legal record.
• Control, with certain limitations, the release of their medical information through authorization.
• Request an "accounting of disclosures", that is, a list describing with whom and for what reason their medical information has been shared with outside parties. This list must even include those disclosures that are required by law.
• Add an addendum to or request a correction of their medical record.
• Request restrictions on certain uses or disclosures of their medical information.
• Request that we communicate with them in a certain way or at a certain location.
• Receive a copy of the Notice of Privacy Practices.

Protected Health Information (PHI)

What type of medical information is protected by HIPAA? Protected Health Information (PHI) is determined by whether the information includes any identifying elements that link it to a specific individual. It is not the content that makes something confidential; it is whether it can be individually identified. Individual identifiers include:
• Name
• Social Security #
• Medical Record #
• Geographic Location, except for state
• All dates, except for year
• Age > 89
• Phone Number
• Fax Number
• E-Mail Address
• Full face photographs
• Biometric ID (finger, voice prints)
• Health Plan Number
• Account Number
• License Number
• Vehicle Identification
• Device Numbers
• URLs & IP Address
• Any other unique number or code

Thus, when the data includes an identifier, a blood pressure or a tetanus shot is just as confidential as results of STD testing.

Treatment, Payment and Healthcare Operations (TPO)

Certain types of PHI can be collected, used and disclosed without patient authorization. These include direct treatment (T) situations, transmitting information in a billing process to get paid (P), and certain specific administrative functions necessary in the operations (O) of health care entities, such as accreditation, quality management, reporting to healthcare agencies for comparative analysis and internal training activities. Together these are often referred to as TPO. However, within these general categorical exemptions many actions must be performed carefully to comply with HIPAA. These will be apparent in the description of the policies in this booklet.

Notice of Privacy Practices

The HIPAA privacy regulations require covered entities to provide patients with a statement of how the entity protects the privacy of PHI. This statement is titled "Notice of Privacy Practices." This Notice must be provided to patients no later than their first date of service after the implementation date of April 14, 2003. SHC & LPCH will offer this Notice to the patient along with the Terms and Conditions of Treatment that all patients must sign when they register.
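As an added example that is not part of the guide, the identifier list from the Protected Health Information section above applied to a structured patient record in Python: direct identifiers are dropped, geography is reduced to the state, dates to the year, and ages over 89 are bucketed, while clinical content such as a blood pressure is kept. The field names, the "90+" bucket label and the sample record are assumptions made for this example.

```python
"""Applies the guide's identifier list to a structured patient record: direct
identifiers are dropped, geography is kept only at state level, dates are kept
only as a year, and ages over 89 are bucketed. Field names, the "90+" bucket
label and the sample record are constructed for this example."""
from datetime import date
from typing import Any

# Fields that directly identify a person and are removed entirely.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "photo", "biometric_id",
    "health_plan_number", "account_number", "license_number", "vin",
    "device_number", "url", "ip_address", "other_unique_code",
}
# Geographic fields finer than a state are removed; "state" is kept.
SUB_STATE_GEO = {"street", "city", "zip"}


def _is_date_field(field: str) -> bool:
    """Date fields follow the constructed naming convention 'dob' or '*_date'."""
    return field == "dob" or field.endswith("_date")


def _year_only(value: Any) -> str:
    """Reduce a date object or an ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return str(value.year)
    return str(date.fromisoformat(str(value)).year)


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with the guide's identifiers removed or coarsened.
    Clinical content (blood pressure, immunisations, results) is kept, because
    under the guide it is the identifiers, not the content, that make a record PHI."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEO:
            continue
        if _is_date_field(field):
            out[field] = _year_only(value)
        elif field == "age" and isinstance(value, int) and value > 89:
            out[field] = "90+"  # constructed bucket label for ages over 89
        else:
            out[field] = value
    return out


def identifying_fields(record: dict[str, Any]) -> list[str]:
    """List the fields that still make `record` individually identifiable under
    the guide's list. An empty list means the record can be treated as de-identified."""
    found = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEO:
            found.append(field)
        elif _is_date_field(field) and not str(value).isdigit():
            found.append(field)  # a full date rather than a bare year
        elif field == "age" and isinstance(value, int) and value > 89:
            found.append(field)
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "0000001",
    "dob": "1931-04-02",
    "age": 92,
    "street": "1 Example Way",
    "city": "Palo Alto",
    "state": "CA",
    "zip": "94304",
    "email": "jane@example.invalid",
    "blood_pressure": "128/82",
    "tetanus_shot_date": date(2019, 6, 14),
}

if __name__ == "__main__":
    print("identifying fields:", identifying_fields(SAMPLE_RECORD))
    print("de-identified:", deidentify(SAMPLE_RECORD))
```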
The Notice is necessarily long and quite detailed because the HIPAA regulations specify numerous subjects that must be discussed. A one page summary is also provided. Although we will use our best efforts to obtain a signed acknowledgement of receipt of the notice, patients do not have to accept the Notice or sign the acknowledgement in order to be treated. Physicians should be familiar with what the Notice of Privacy Practices says, because patients may ask them questions about the content. See Web site: Notice of Privacy Practices

Minimum Necessary

A fundamental HIPAA tenet is that only the minimum amount of information needed to complete a particular task should be collected, used or divulged in the process. Fortunately, the minimum necessary principle does not apply in direct treatment situations. Thus, all the health professionals within a health care entity who are treating a patient have access to the entire medical record. However, physicians are often asked to provide medical information for purposes other than treatment, such as disability forms, life insurance and sports physical reports, and certifications for drivers and pilots. When releasing information of this type, only the minimum necessary should be divulged. (The patient's authorization would also be required in these examples or any other release of information that is not TPO.)

The minimum necessary principle does apply to (a partial list):
• Claims & billing
• Quality assurance
• Strategic planning
• Quality improvement projects
• Benchmarking reports
• Financial analysis
• Accreditation & licensure
• Credentialing
• Education & training
• Research

The minimum necessary principle does not apply in:
• Direct treatment situations in communications with another professional treating the patient.
• Disclosing medical information to the patient himself/herself.
• Disclosing medical information to the patient's legal representative.
• Disclosing information authorized for release by the patient.
• Certain disclosures required by law.

However, even in the above situations to which the minimum necessary principle does not apply, a physician should always clarify the situation and be sure that the recipient of the information is indeed in the role specified. Of course, the physician should always use good judgment and not disclose extraneous additional information in any situation.

Disclosures and Patient Access to Records

General concept: The patient or his/her personal representative must authorize the disclosure of health information, except as permitted or required by law. A "disclosure" refers to information that goes outside the organization. Specific State regulations govern the request, use, and disclosure of PHI for special cases such as mental health information, alcohol and drug abuse, human immunodeficiency virus (HIV) test results, assault and abuse, and the records of minors.

Authorization is not required when PHI is used or disclosed for treatment, payment, or healthcare operations (see TPO discussion above); disclosure of PHI as required by law; and disclosure of PHI for peer review, quality assurance or quality improvement. Under various state and federal laws, PHI may be disclosed in the appropriate circumstances to workers' compensation carriers, agencies involved in public health or healthcare oversight activities, law enforcement officers, coroners, medical examiners, funeral directors, agencies involved in tissue and organ donation, military command authorities, agencies doing national security and intelligence, correctional institutions (when treating inmates) and in response to subpoenas and court orders. (Not a complete list.)

An individual has a right of access to inspect and obtain a copy of his/her Protected Health Information (PHI), with some restrictions. An individual's request to access his/her information must be in writing. These requests should always be handled by the Health Information Management Service (Medical Records). Similarly, an individual has a right to inspect or obtain a copy of billing records. These requests are handled by the Customer Service Section of Patient Financial Services (PFS) and Physician Services Organization (PSO). See Web site: External Disclosures of Patient Information

Accounting of Disclosures

HIPAA grants individuals a right to receive a written accounting of both written and verbal disclosures of his/her PHI, with certain exceptions. A "disclosure" refers to information that goes outside the organization. The SHC/LPCH Health Information Management Service (Medical Records) Department provides the centralized repository to capture disclosures of PHI and report these to a patient when requested. This requirement does not include disclosures made in the course of treatment of the patient. However, this policy does have important implications for physicians. In the course of caring for patients, physicians are asked to complete a myriad of forms that disclose PHI to external agencies. Examples include schools, employers, the DMV, community agencies providing health programs, disability insurance providers and life insurance companies. These disclosures all require authorization (often built into the form itself), and also must be captured for accounting of disclosures. This can be most easily accomplished by always sending a copy of such forms, including the patient's medical record number, to Medical Records. All other disclosures done by physicians should be documented by using a Documentation of Disclosure Form. Disclosures of information directly to the patient him/herself by a physician in the course of treatment do not require accounting.

Restrictions on the Uses and Disclosure of PHI

Individuals have a right to request restrictions on the uses and disclosures of their protected health information. For example, a patient might request that information not be given to certain family members. Such requests must be made in writing, usually on a special form provided by SHC/LPCH. Clinic and unit managers are trained to respond to some common restriction requests. More unusual requests must be sent to the Privacy Officer to determine if SHC/LPCH can comply. SHC/LPCH is not required to accept a requested restriction, unless required by law, and will not accept requests that it cannot enforce or reasonably execute. See Web site: Restrictions on the Uses and Disclosure of Protected Health Information

Record Corrections and Amendments

Individuals have a right to request, in writing, a correction or addendum to their record for as long as LPCH / SHC maintains the record. LPCH / SHC must accept the request for an addendum from an adult patient to the record and may accept or reject the request for a correction (amendment) or an addendum from an individual. If SHC/LPCH denies a request to correct (amend) the record, a written explanation of the denial must be provided to the requestor. Individuals have a right to appeal, in writing. The decision to accept or deny an amendment is made by the treating physician, who must make a decision to accept or deny the request for a correction within 60 days. If the physician decides to reject a request for a record correction, the patient has appeal rights. Providers who accept a correction will write an amendment to the patient's record. Providers who deny a request for an amendment must respond directly to the individual, stating their reasons for the denial. The Health Information Management Service (Medical Records), 725-6291, is available to provide consultative help as necessary and will ensure that the amendment related documentation is added to the legal medical record. See Web site: Record Correction and Addendum Policy

Requests for Confidential Communication

HIPAA provides patients the right to request communication of Protected Health Information (PHI) by an alternative means or at an alternative location. For example, a patient may request that the results of a particular test be sent to a different address or called to a special telephone number. SHC/LPCH must accommodate reasonable requests for communications through alternative means and/or at an alternative location. However, if a request cannot be accommodated (e.g., beyond SHC/LPCH current technical capability) or reasonably executed (e.g., a list of multiple locations at different points in time) it can be denied. Requests must be in writing, and the patient must be given a written acknowledgement that the request for confidential communications has been accepted or denied. If a request is denied, the reason for the denial will be provided. The Privacy Officer will make the final decision on requests. See Web site: Patient Request for Confidential Communications

Communication with Family, Friends and Others

General rule: A physician should not discuss PHI with family members, friends and others involved with a patient unless the patient indicates either explicitly or implicitly that communication is appropriate. Communication is usually appropriate when the patient brings other individuals into the examination or hospital room. However, a brief introduction of these individuals and checking with the patient about privacy concerns is wise. If a patient has indicated a desire to restrict communication, the physician should confirm the identity of any third party and be sure he/she is one to whom communication has been authorized by the patient. When a patient is unable to communicate his/her wishes about communication with others, the physician should make an effort to determine that the third party has a relationship to the patient that makes communication reasonable. Information can be shared with others in this situation when in the judgment of the physician it is in the best interest of the patient to do so. The above cautions should also apply to communication to others by telephone, fax and email. See Web site: Communication with Individuals Involved with Patient's Care

Fundraising

HIPAA regulations allow limited demographic information to be released by SHC, LPCH, or the School of Medicine to its fundraising organizations for the purpose of raising funds without requiring a specific patient authorization. However, the requirements and rules governing how this can be done are detailed and complex. After receiving an initial request for donations, patients have the right to request that their name be removed from the fundraising list. Physicians who are interested in fundraising for any purpose should always work with their fundraising organizations to ensure compliance with HIPAA requirements. See Web site: Patient Fundraising Policy

Marketing

Physicians usually do not see themselves as marketing services to patients. However, depending on the details of the situation, efforts to promote new programs and services or refer patients to outside vendors for something a patient needs could be considered marketing, and therefore require authorization, under HIPAA regulations. For example, a patient having surgery could require a special device or appliance from an outside vendor after discharge from the hospital. The physician cannot give the patient's name, or any other patient specific information, to the vendor who provides this device without getting the patient's consent, even if the device is part of a standard protocol of post operative care. On the other hand, physicians can tell patients about treatment alternatives, coordinate care, and provide materials to patients describing SHC, LPCH, and School of Medicine programs and services without getting an authorization. In general, there are no restrictions on face-to-face discussions of any of this information. See Web site: Marketing Policy

Electronic Mail

A growing number of patients are seeking to communicate with their physician via e-mail. This presents potential problems in protecting privacy due to the technical shortcomings of most e-mail systems. To be secure, e-mail must use a server that resides behind a firewall, and both the sender and receiver must be using encryption technology. Secure e-mail is available but costly. Typical commercial email systems, as well as those currently in use in the hospitals and university, do not provide this kind of protection. Patients must understand these limitations and provide authorization before e-mail correspondence can occur. The minimal requirements for e-mail correspondence with patients include: (a) authentication (passwords); (b) a consent form signed by the patient that details privacy risk and appropriate and inappropriate uses of e-mail; and (c) capturing the e-mail for inclusion in the patient's medical record.

Certain information cannot by law be transmitted to patients electronically: STD, HIV, mental health, alcohol abuse or drug abuse issues, and test results related to routinely processed tissues, including skin biopsies, Pap smear tests, products of conception, and bone marrow aspirations for morphological evaluation, if they reveal a malignancy. In addition, it is unwise to use e-mail for especially sensitive or emotionally charged issues.

Tips on e-mail correspondence with patients (partial list):
• Appropriate uses: questions about follow up, requests for prescription refills and appointments, patient reports of self monitoring, such as blood pressures or blood sugars, lab and imaging results with low sensitivity.
• Inappropriate uses: sensitive lab and imaging results; information prohibited by law.
• Set patient expectations: not for urgent or emergent issues, won't be read every day, automatic replies when out of office for prolonged periods.
• Do not use patient name, medical record number or any specifics in the subject heading. Use general subject headings such as "prescription, appointment, advice."
• Name and medical record number should be included in the body of the text to facilitate inclusion in medical records.
• Avoid anger, sarcasm, harsh criticism or libelous references to third parties.
• Do not send blind copies.
• Do not send group e-mails where recipients are visible to each other.
• Determine who other than the patient reads his/her e-mail.
• Remember that e-mails are easy to forward to others with whom you may not want to share the information.
• Always either copy the e-mail to medical records (shc-medrec@stanfordmed.org, or lpchmedrec@stanford.org) or print a copy and send it to medical records.
• If you save e-mails on your own computer, it must have adequate technical and physical security measures in place (such as strong passwords, password protected screen saver, data encryption, located in a locked room).
• If you want information on using a secure e-mail system, contact the Health Information Management Services Department (Medical Records).

See Web site: Electronic Mail Use Between Provider and Patient

Fax

Faxing poses very significant risks to patient privacy because of the uncertainty about the conditions around the receiving fax machine. Faxing of PHI should be limited to those circumstances when alternate, more secure transmission is not viable. A confidentiality fax cover should precede all faxed information. Information transmitted must be limited to the minimum necessary to meet the requester's emergent or urgent needs. Sensitive confidential information such as psychiatric, drug/alcohol abuse, genetic, and HIV treatment records must not be transmitted by facsimile. SHC and LPCH fax machines, as well as those in community physician offices and Stanford physician academic offices, must be placed in secure areas with no public access. Especially when faxing to external locations unfamiliar to the sender, appropriate back-end management control must be used to ensure that the fax was properly received. This would include requestor and destination verification prior to faxing. See Web site: Facsimile Transmission of Health Information

Portable Computers

Do you use a personal digital assistant (e.g., Palm Pilot) or a laptop/notebook computer? Do you store patient information in any form on this device? Do you have patient information on a home computer? Increasingly physicians are using digital tools to assist them in their work. Because of their size and mobility, SHC/LPCH considers portable devices riskier to patient privacy than other electronic data collection and storage instruments. If you store logs of patients, lists of patient care tasks, copies of patient results, or data you are using to monitor your care patterns or some other quality improvement work, etc., on a computer that you carry outside SHC/LPCH, you are personally responsible for ensuring the privacy and security of this information. You should take the following precautions:
(a) Your name and contact information should be on the device.
(b) It should be password protected.
(c) It must be in a secure location at all times if it is not in your personal possession.
(d) Erase PHI immediately when you are no longer using it.
(e) Irretrievably erase all data if you give the device to someone else.
See Web site: Mobile and Portable Device Access to Protected Health Information

Complaints

Complaints regarding potential violations of privacy rights must be directed to Patient Representation (SHC) 723-7167 or Patient Relations (LPCH) 498-4847. See Web site: Complaint Policy

Penalties

If physicians make conscientious efforts to comply with HIPAA regulations, there should be little need to worry about sanctions or penalties. However, the law does provide for fines of $100 per incident up to $25,000 per person, per year, per standard for violations. These amounts can rise to $250,000 if violations are done "willingly and knowingly," under false pretenses, or for personal gain, commercial advantage or malicious harm. These latter types of infractions are criminal offenses and also carry penalties of imprisonment.

Getting Help with HIPAA

The above information is intended to give physicians a basic knowledge of HIPAA requirements that will cover most of their daily activities. Each physician should also identify managers or others in their usual work settings who have more advanced knowledge about HIPAA and to whom they can turn as questions arise.

For additional information on HIPAA:
• Government Website of Regulations: http://www.hhs.gov/ocr/hipaa
• Hospital HIPAA Intranet Site: http://intranet-medcenter/shc/default.htm
• Hospital HIPAA Training Site: http://hipaainfo.stanfordmed.org
• School of Medicine Website: www.med.stanford.edu/HIPAA
• SHC/LPCH Policies: Administrative Manuals and Hospital HIPAA Intranet Site (Manuals and References)

Contacts:
• Privacy Officer: D'Arcy Myjer, 723-7410
• Associate Chief of Staff: Joe Hopkins, MD, 723-6975
• Chief Compliance Officer: Carole Klove, 724-2572
• IT Security Officer: Scott Blanchette, 724-9207
• School of Medicine: Todd Ferris, MD, 725-1825
• Health Information Management Service (Medical Records): 725-6291
• Anonymous Hot Line: 800-216-1784
