HIPAA by liwenting


Alliance for Clinical Education
Student HIPAA Training

June 2008


 Describe the HIPAA Privacy rules and
 Identify patients’ rights and your role in
  protecting them
 Discuss your responsibilities under HIPAA –
  related policies and procedures
 Explain the penalties for non-compliance

Protecting Patient Privacy

Your Responsibilities
 Respect the
  patient’s right to

 Know the facility’s
  privacy policies

 Be sensitive

 HIPAA – the Health Insurance Portability and
  Accountability Act of 1996. A federal law that
  specifies the types of measures required to
  protect the security and privacy of personally
  identifiable health information.

 Patient Confidentiality – keeping information
  about a patient’s health care private. The
  information is shared only with those who need
  to know in order to perform their duties on
  behalf of the patient.
Definitions continued…
 Protected Health Information (PHI) – medical
  information that can be traced to, or identified
  with, a particular patient. PHI is information
  created or received by a health care
  organization that relates to the past, present,
  or future health or condition of an individual.

 Transaction – the exchange of information
  between two parties to carry out financial or
  administrative activities related to health care.

 What is it?

  “Patients have the right to have
    health information kept private and

    **HIPAA is mandatory, there are
    penalties for failure to comply
Covered Information
   Confidentiality and Privacy
    All protected, identifiable health
    information (PHI) must be considered
    and treated as confidential and all
    patients have the right to request
    restrictions on who will see their PHI.
   Security
    Establishes the requirements for
    ensuring the confidentiality, availability
    and integrity of PHI
Patients have the Right to:
 Expect privacy and freedom from intrusions or
  disturbances regarding his/her personal
 Expect that all communications and records
  concerning his/her care will be treated as
  confidential. Information will be shared only
  with those who need to know the information to
  perform their duties on behalf of the patient.
 Review the records pertaining to his/her
  medical care.

 What must be

Confidential? How do I know?

 Did you learn the
  through caring
  for your patient?

 If yes, then
  consider it
Understanding PHI
(Protected Health Information)
  Protected Health Information
    Is created by a health care provider
    Is information that there is a reasonable basis
      to believe it could be used to identify the
    Relates to past, present or future physical or
      mental condition of an individual; provision of
      healthcare or for payment of care provided to an
    Is transmitted or maintained in any form
    (electronic, paper or oral representation)
Privacy Protected Elements
Health information is considered individually identifiable if
any of the following are present:

   Name
   Full address
   Names of relatives
   Name of employers
   Birth date
   Telephone numbers
   Fax numbers
   Electronic e-mail addresses
   Social security number
   Medical record number
   Health plan beneficiary number
   Account number
   Certificate/license number
   Any vehicle or other device serial number
   Web Universal Resource Locator (URL)
   Internet Protocol (IP) address number
   Finger or voice prints
   Photographic images
   Any other unique identifying number, characteristic, code that
    could be used to identify the patient
Patient's Right to Receive Notice of
Privacy Practices
 Items required to be included in the Notice:

      How medical information is used and disclosed
       by an organization
      How to access and obtain a copy of their
       medical records
      A summary of patient rights and facility
       responsibilities under HIPAA
      How to file a complaint and contact information
       for filing a complaint

 Facility's Notice of Privacy Practices
 The patient has the right to receive a Notice of
  Privacy Practices:
   Must provide the notice at the first
     encounter with the patient
   Must attempt to obtain written
     acknowledgement of receipt of the Notice of
     Privacy Practices

 Minimum Necessary
 HIPAA Requirement:
   Identify members of the work group who need access to information
   Identify what information can be accessed
   Limit access
 WHAT GROUP DO YOU BELONG
   Complete Access:
     •Clinical departments
     •Health Information Management
     •Students: limited to assigned patient only
   Limited Access:
     •Admissions/Business Office
   No Access:
     •Departments or individuals whose job does not require any
      handling of PHI (Food Services, Environmental
Discussions of PHI
 Staff will discuss patient information to share
  information and the treatment plan. Every
  effort should be made to protect the privacy
  of the patient by minimizing risk that others
  can overhear the conversation.
 The discussion of PHI should never occur in
  public areas such as the cafeteria or elevators.
 Discussions can occur at the nursing station
  and with a patient in a treatment area.

Minimum Necessary
                What can I access as a

                     Only the information you
                      “NEED TO KNOW” to care
                      for assigned patient

                     DO NOT access information
                      when you are not caring for
                      that patient any longer or
                      for any patients you are not
                      assigned to care for

 Patient Right to Access
 Patients have the right to:
    Access or inspect their health record
    Obtain a copy of their health record from the
     healthcare provider
      Reasonable fees may be charged for copying
    Access and copying for as long as the information is
    Facility must act on request for access no later than
     10 days after receipt (Colo. Law)
    Students: Refer requests for access to the facility
Patient's Right to Request Privacy
 The patient has the right to request an
  organization restrict the use and disclosure
  (release) of their protected health information
   Can request restriction in use of information for
     treatment, payment or healthcare operation
     purposes (TPO)
   Organization is not required to agree with the
     request for restrictions
   Requests must be made in writing
   No staff level individual should accept any
     requested restrictions
   Students: Refer requests for restrictions to
     the facility staff
Patient's Right to Amend
                   Patients have the right to
                    request an amendment to their

                   Amend is defined as the right to
                    add/revise information with
                    which s/he disagrees. The
                    original information is not
                    removed from the record but
                    the amended/corrected
                    information is added to the

                   Students: Refer requests for
                    amendments to the facility

As a Student How do I Handle….
                      An individual asking
                       for access to their

                        Students: Refer
                         requests for access
                         to the facility staff

                          The staff will follow
                          up per specific
                          facility policy

Disclosure ??? What is it???

                       The release,
                        transfer, access or
                        divulging of PHI
                        (protected health
                        information) to an
                        outside person or
                       Students do not
                        participate in this
Disclosure can occur without the
patient’s consent under the following
 When required by law
 For public health activities to control disease,
  injury or disability
 For disaster relief
 In cases of abuse and neglect
 For coroners, funeral directors and organ
 For legal proceedings
 For worker’s compensation
 In cases of communicable diseases
Student Responsibilities
 In a patient room or exam room
    Knock before entering room
    Identify yourself as a student
   Close door after entering the room
   Ask visitors to leave the room unless patient
     requests otherwise
   Speak softly if roommate present
 In a clinic or office setting
   Sign in sheets should contain minimal amount of PHI
   Street address or reason for visit should not be on
     sign in sheets

Student Responsibilities cont…
 At the Nurses' Station
   Do not leave patient information, e.g. flow
    sheets, charts, sticky notes, lab reports or
    x-rays out in the open where others may
    view. When finished working on it, put it
    back where it belongs
   Shred all documents with PHI, do not put in
    garbage, do not take them home
   When at the nurses’ station, speak softly
    when discussing PHI. It is best to use a
    private area to discuss the patient
Student Responsibilities cont…
 At the Computer
   Have screen facing away from the public so
    it is not visible to patients, visitors and other
    unauthorized persons
   Always log off when leaving the computer
   Change the password on your computer if
    required by clinical facility
   Do not share your log-in information or
    password with anyone else. You are
    responsible for what is done under your log-
Student Responsibilities cont…
 Using E-mail
   Always use protected, encrypted email to
    communicate with your faculty and clinical
   Never use PHI in e-mail attachments or in
    the email itself for the following reasons
     E-mail can easily be sent to the wrong
       person, either on purpose or by accident
     E-mail does not ensure privacy of
       information transmitted

Student Responsibilities cont…
 Do not post PHI or discuss patients you have
  met on web-based chat rooms (My Space,
 Do not take photos of patients
 Do not photocopy medical records
 At the Fax
   Students do not use the fax machine during
    the clinical experience

Student Responsibilities cont…
 Using an Interpreter
   When interpreter services are needed,
     follow clinical agency practice
 In Public
   Never mention a patient’s PHI in public as
     people are often watching and listening, as
     you never know who knows the patient
   Never carry, review, discuss or disclose a
     patient’s chart or PHI in a public place

 Following are scenarios to help you think
  through privacy related situations in the
  clinical facilities
 After reading each scenario, think how you
  would answer the question before going to the
  next slide
 Scenario answers follow each scenario

Scenario #1
 One of your fellow students who had lab work
  done recently, called you from home and asked
  you to look up her lab results on the computer
  and give her the results.

 Do you look up your fellow student's lab

Scenario #1 Answer
 No. Since you are not providing treatment to
  your fellow student, you are not permitted to
  look up her lab results and provide them to her.
  She needs to get this information from her
 This applies to your own records as well

Scenario #2
 You see your fellow student reading through a
  patient's medical record. She is not providing
  treatment for this patient.

 What do you do?

Scenario #2 Answer
 Tell your clinical instructor. He/she will follow
  up with the student.
 The clinical instructor then needs to notify the
  facility privacy officer of this action

Scenario #3
 Your sister’s close friend is having surgery at
  the organization where you are doing a clinical
  rotation. She asks you to find out what you can
  about the friend’s condition. Should you call
  and ask around to the nurses you know? Should
  you look up the friend’s medical record?

Scenario #3 Answer
 No. Even if you and your sister have the best intentions you
  have no right to look at private information about her friend’s
  health. Suggest to your sister that she call the facility or
  visit the information desk. If the patient has agreed to have
  her information available, hospital staff will assist her in
  obtaining information on her friend.
 Do not seek out confidential patient information unless you
  need it to do your job. When you happen to hear confidential
  information, do not repeat it to anyone.
 Looking at patient records for any non-business reason is
  cause for disciplinary action and can have possible legal

Scenario #4
 You are called to work in a patient's room to
  perform a routine job. You knock on the door
  and are invited in. You see that a nurse is in
  the room discussing the patient’s condition or

 What should you do?

Scenario #4 Answer
 If you must do the job immediately to properly care for the
  patient, ask whether you can interrupt. If the job can wait,
  explain that you are there to perform a routine job and will
  return in 15-20 minutes. This protects the patient’s privacy
  by allowing him/her to openly discuss his/her condition
  without being overheard
 Some patients may say that it is acceptable for you to stay in
  the room during the conversation. But remember that a
  patient may not feel comfortable sharing everything about
  his/her symptoms or medical history while you are in the
  room. They also might not feel comfortable asking you to
  leave. It would be best for you to come back later.

Scenario #5
 You are working the ER when you see that a
  neighbor has arrived for treatment after a car
  crash. You hear someone saying he will be
  taken to surgery soon. Your neighbor’s wife
  works in another part of the hospital.

 Should you notify her that her husband is in
  the ER?

Scenario #5 Answer
 No. Tell the nursing staff that you know the patient and
  his wife. Tell them that if they need to locate her, you
  can help. When patients are in the hospital, they have the
  right to decide who should know that they are there. Your
  neighbor has a right to privacy and may not want to notify
  his family of the accident. If he is conscious, the ER staff
  will allow him to decide whom to notify that he is there.
 If he is unconscious, the doctors and nurses will use their
  professional judgment about whether to notify his wife.
  Leave the decision up to the ER staff. They will let you
  know whether they need your help to find the patients

Scenario #6
 You are in the nurses' station where the
  patients' medical records are located in the
  chart rack. You spot the name of a close

 Should you stop by her room?

Scenario #6 Answer
 No. If you learned of your friend’s stay only by
  seeing the name on a medical record on the
  chart rack, you should not go to her room.
 You should inform your clinical instructor of
  your relationship with her so that you are not
  assigned to care for her.
 If you find out from the patient or her family
  member that she is a patient there, feel free
  to visit her after your shift.

Scenario #7
 You are walking by a trashcan and notice a pile
  of photocopied records has been laid on top of
  the trash.

 How should you handle this?

 Scenario #7 Answer

 Don’t just take the records to a shredder
  or locked disposal container yourself.
  Gather the records and take them to your
  clinical instructor. He or she will report it
  to the Manager of the unit who will
  investigate the incident and report it to
  the organization’s privacy officer.

Scenario #8
 A woman provides the name of a patient and
  asks for information.

 What can you tell her?

Scenario #8 Answer
 Refer the woman to the information desk
 Check the facility directory. If the
  patient is listed in the directory, you can
  tell the woman the patient’s location.
 If the patient has requested that his
  name not be included in the directory, you
  cannot give out any information about
  them to anyone or even acknowledge that
  they are here, regardless of the person’s
  relationship to the patient.
Scenario #9
 At the nursing station, you are approached by
  someone asking to see a patient record.

 What do you do?

Scenario #9 Answer
 Refer to agency staff for clarification of
  identification and appropriateness of request.

What Happens If….
                 A privacy policy is

                     Patients have the
                      right to file a
                      complaint and
                     Civil and criminal
                      penalties could occur

Patient’s Right to File a Complaint
 The patient has the
  right to file a
  complaint if s/he
  believes privacy
  rights have been

*Organization must provide
   contact information for
   filing a complaint

Doing Your Part
              Access confidential
               information ONLY if you
               need it to care for your
              Protect your computer
              Understand the facility's
               privacy policies
              Report problems to the
               facility staff

As a Student
 Patient identification
   Cannot use patient's initials
   Need to assign a number to the patient for

 Care plans
   Any notes with PHI gathered must be
    shredded after the assigned shift
   The use of PDAs or pocket PCs to RECORD
    patient information is not allowed
 Both criminal and civil penalties for:
   Failure to comply with HIPAA requirements
   Knowingly or wrongfully disclosing or receiving
    individually identifiable health information
   Obtaining information under false pretences
   Obtaining information with intent to:
        Sell or transfer it
        Use it for commercial advantage
        Use it for personal gain
        Use it for malicious harm
 Fines as high as $250,000 and prison sentence
  of up to 10 years

 HIPAA Programs from:
     ACC
     Craig Hospital
     Centura
     HCA-HealthONE
     Denver Health
     P/SL
     Regis University

