   May 2005
HIPAA Tutorial

Health Insurance Portability and
Accountability Act of 1996
                         Rev 5/05 LAK
It was the night before clinical and all through the
Our professors were talking about some HIPAA rule
So in front of our computers we have to sit and rest
And when we're finished we will take a test
It seems we will know all about HIPAA when we are
Even though right now it doesn’t seem like much fun
May as well get going, no sense having to pout
So we can find out what this HIPAA thing is all about
So What is this HIPAA thing,
Why do we have to review this?

   Because as a Nursing Student, you are
    expected to know, understand and comply with
    this federal regulation.
 Use this tutorial as a summary of the
  Privacy Rule which falls under HIPAA.
 Read the information and answer the quiz
 Give the answers to your questions to your
  Clinical instructor or as directed by your
Where did this information come
   This tutorial was adapted from the OCR Privacy
    Brief by Professor Lori Keough for training
    purposes at the University of Massachusetts,
   This brief may be reviewed in its entirety
    through the Office for Civil Rights @:

What is the purpose of the tutorial?

 Provide a basic overview of HIPAA
 Define Protected Health Information (PHI)
 Realize the impact of HIPAA on nursing
  students and your limits on sharing PHI
 Explain benefits for patients
 Understand patient rights
 Provide an overview of privacy rules
HIPAA- What is it?
 HIPAA stands for the Health Insurance
  Portability and Accountability Act of 1996
 The Standards for Privacy of Individually
  Identifiable Health Information (“Privacy
  Rule”) sets national standards for the
  protection of health information.
 It is issued by the U.S. Department of
  Health and Human Services (HHS).
What is HIPAA, cont.-----
 HIPAA required regulations governing
  identifiable health information……. The
  Privacy Rule, which was passed on
  December 28, 2000.
 In April of 2002 the regulation was
  published in its final format.
Many things are covered under the HIPAA
“umbrella” but for our purposes, we will be
covering the Privacy Rule.
Source: Luzerne Community College
The Privacy Rule…
   The Privacy component
    of HIPAA began
    enforcement on April 14,
   It is an attempt to
    regulate the exchange of
    electronic information and
    protect patient
What is the Major Purpose of the
Privacy Rule?
                     The major purpose is
                      to define and limit the
                      circumstances when
                      an individual’s
                      protected health
                      information is used or
Who is Covered by the Privacy
                   These are referred to as:
                  “Covered Entities”

 Health Plans
 Health Care Providers (That’s us!)
 Health Care Clearinghouses
 Business Associates*
       *Organization or individual that performs functions or activities
        on behalf of a covered entity that involve the use of PHI
What is covered by the Privacy Rule?

                       The Privacy Rule
                       “individually identifiable
                        health information” held
                        or transmitted by a
                        covered entity or
                        business associate in any
                        form of media (paper, oral
                        or electronic)”
Protected Health Information (PHI)

   The Privacy Act refers to certain information as
   This information is referred to as PHI
   It includes demographic information as well as identifiers
           Examples of
Protected Health Information (PHI)
   Name
   Address
   DOB
   SS#
   Email
   Employer
   Fax/Phone #
   Internet address/Web URL
   Med Record #
   Account #
   Photos
   Certificate/license #
   Finger or voice prints
   Any “other” identifying number, characteristic or
Protected        Also includes………………….
               Past, present or future physical or
                mental health condition
               The provision of health care to the
               Past, present or future payment for the
                provision of health care to the

   Written information related to the privacy
    practices must be given to each patient.
   Information must include the covered entities’
    responsibilities and legal obligations as well as
    the patient’s rights as they pertain to their PHI
How does this benefit patients?
   The goal of the rule is
    to assure individuals'
    health information is
    protected. It is an
    attempt to allow the
    sharing of pertinent
    health information
    while protecting our
Access for patients……
Individuals have the right to review and obtain a
  copy of their PHI (except in certain
This PHI “record” is known as a “designated record
  set” which is a group of records maintained by or
  for a covered entity. Such information would be
  used to make decisions about individuals.
Patient Rights………
 Right to Amend
     No alterations of medical records unless there is an
      obvious factual error
 Right to Inspect and Copy
     (no psychotherapy notes)
 Right to request restrictions on uses of PHI
     Provider must respond to reasonable requests but
      check policy to determine what is reasonable
Patient Rights…..

   Right to Accounting of Disclosures
       Required to track all disclosures or uses of PHI
          Back 6 years or date of HIPAA enforcement
          Information used for Treatment, Payment or Operations-

   Right to request restrictions on uses of
       Provider must respond to reasonable requests but check
        policy to determine what is reasonable
How does it benefit providers?
   Minimizes potential
    for civil and/or
    criminal penalties and
   Increases patient
    confidence and
    positive image
Provider Responsibilities….
   Secure patient records
   Establish sanctions for employees that violate
   Take reasonable steps to limit use/disclosure of PHI
   Adopt policy and privacy procedures
   Train employees about
   Designate a Privacy
   Obtain signed authorization from a patient for use of PHI
    (N/A to TPO)
TPO- Treatment Payment
   Providers can disclose PHI for treatment,
    payment and operations
     Must have consent: (written permission from
     individuals to use and disclose their PHI for
     Oral consent OK for facility directory (i.e.,
     Hospital directory):
          Name, location in hospital, general conditions,
           religious affiliation (for CLERGY ONLY)
                  Can be given by
                   patient for providers
                   to disclose PHI
                    Specific  info as written
                    Case by Case basis
                    Can be cancelled by
                     patient (in writing)
                    There are
   Psychotherapy Notes
     In order to disclose psychotherapy notes, a covered
      entity (that’s us), must obtain an individual’s
      authorization with these EXCEPTIONS:
        The entity where the notes originated may use
         them for treatment
        The entity may also disclose the notes for its own
         training or defend itself in legal proceedings. Also,
         if there is a threat to public health or safety or by a
         coroner or medical examiner
What?      What did that last slide
            just say?
               What it said is that
                psychotherapy notes may
                not be disclosed unless it
                is within the realm of where
                they were created and/or
                they are being used in
                litigation or there is a threat
                of harm to oneself or
               Also they may be used by
                a medical examiner or
Incidental Use and Disclosure
 Privacy Rule does NOT require every risk
  of incidental use or disclosure of PHI be
 These disclosures must be minimized and
  the provider must take steps to do so.
 Permissible is a bedside conversation
  overheard by patient’s family or the
  patient in the next bed…………..
Incidental Disclosures
                 NOT permissible
                  are the casual
                  conversations in
                  cafeteria, elevator,
                  parking lot, Nurse’s
                  station etc…..
Public Interest…
                      This refers to the
                       permissible use of PHI for
                       12 national priority
                      Specific conditions or
                       limitations apply to
                       facilitate equality between
                       private interest and
                       privacy and public
                       interest and need
12 National Priority Purpose
   Required by Law
   Public Health
   Victims of Abuse, Neglect or Domestic Violence
   Health Oversight Activities
   Judicial and Administrative Proceedings
   Law Enforcement Activities
   Organ, Eye or Tissue Donation
   Decedents
   Research
   Serious Threat to Health or Safety
   Essential Government
   Workers Compensation
When PHI is disclosed…
 When you are giving information, ask
  yourself if the receiver needs this
  information. In other words, give out
  information on a need to know basis.
 An integral component of the Privacy Rule
  is the premise of “minimum” amount of use
  and disclosure. This does NOT apply in
  all circumstances………….
When is the minimum necessary
NOT a requirement?
   Health provider for treatment
   Individual who is the subject of the information
    or their representative
   Use made pursuant to an authorization
   Disclosure to HHS for investigation, review or
    enforcement to determine compliance
   Disclosure that is required by law
   Use or disclosure for compliance with HIPAA
    Transaction Rule or Simplification Rules
Commonly Asked Questions?
   Can I fax patient information to another
     Yes, you may send PHI for treatment
      purposes. Before you do be certain:
        You have the right fax # in a secure location
        The information’s privacy is protected

        The SENDER can confirm the fax # is the correct
         one for the provider they are sending info to
   What about childhood immunizations?
    Can I release that information to schools
    without written consent?
     Yes. This falls under the 12 National Priority
      Purpose and is within the realm of acceptable.
   How about on the job injuries? Can I
    relate information to the employer’s
    insurance company about a pt’s condition?
     Yes.   This also falls under the 12 National
      Priority Purpose.
So what is the take home
Clinical institutions expect that students are
  familiar with HIPAA and the Privacy Rule

They also expect you to follow these guidelines
  when accessing information and providing care
  to patients as a student in their establishment.

In other words, you are held to the same standard
  as the licensed RN
For more information……….
                 Review the United
                  States Department of
                  Health and Human
                  Services OCR
                  PRIVACY BRIEF on
                  the web @:
                 www.hhs.gov/ocr/hipaa