HIPAA Education


HIPAA Compliance:
Self-Learning Program
for Clinical Team Members
Upper Chesapeake Health
HIPAA Education
Policies and Procedures to
assure compliance with
HIPAA Confidentiality and Privacy
2003
1
HIPAA EDUCATION
UCH HIPAA Education consists of 3
components:
1. Watch the video “Privacy and
Confidentiality: HIPAA Regulations”.
The video is available during the
first ½ hour of each lecture
session (see below), on Video On
Demand at UCMC or as scheduled
by your Manager.
2. Complete the UCH Education
Program:
This is the Self-Learning Program
(available in paper copy or on CD
ROM). However, there is another
option for Team Members. Team
Members may attend one of the
many scheduled lectures – attend
either the clinical or non-clinical
session.
3. Complete the POST-TEST and SIGN
the UCH Confidentiality Statement.
2
How to use this Self-
Learning Program
This Self-Learning Program, also known
as an SLP, is provided to you as one
way to learn about HIPAA.
An SLP is self-paced so you can move
through the information at a speed
comfortable for your style of learning.
It also provides you with the chance to
go back and review information as
needed.
If you need any help with this SLP,
please contact Marty Knutson
(443.643.3374 or 443.843.6570) or Barb
Finch (443.643.2905 or 443.843.5345).
3
Program Objectives
Upon completion of this program,
the participant will be able to:
Explain what HIPAA is and how it
affects interactions with patients,
visitors, team members,
insurance companies, etc.
Implement UCH forms and
policies.
Demonstrate compliance with
HIPAA regulations specific to
role.
Integrate UCH policies regarding
privacy and confidentiality into
communications.
4
Program Content:
Clinical SLP
I. Overview of HIPAA
II. Key concepts of HIPAA
regulations
III. Patient Rights: Consent
and Authorization
IV. UCH Policies: Content
and application of policies
V. Team Member
Responsibilities
VI. Summation
5
Is there more?
For some of you, the answer is
YES . . .
There are regulations within
the law that pertain to specific
groups, departments or team
members.
An addendum may be
included as part of your
SLP that focuses on this
information.
QHIM, Lab and Imaging have
designated Team Members
that will be required to
complete “Authorized
Discloser Training” and
specific policy/procedure
education. Directors of these
Departments will designate
Team Members required to
complete this education.
6
OVERVIEW OF
HIPAA
HIPAA: The Health
Insurance Portability and
Accountability Act
Public Law 104-191
7
What is HIPAA?
HIPAA stands for the Health
Insurance Portability and
Accountability Act of 1996.
Congress enacted the
legislation to ensure that
hospitals and health care
providers protect health
information privacy and
confidentiality.
DEADLINE: By April 14, 2003,
all covered entities MUST be in
compliance with the privacy
mandates of HIPAA.
8
HIPAA - It’s the LAW
The law ensures that a patient
has the right to have his/her
health information kept private
and secure/confidential.
Privacy and Confidentiality
mean:
Patients have the right to
control who sees their
protected, identifiable health
information.
Only those requiring information
in order to provide treatment,
payment and health care
operations will have access to
such information.
9
Purposes of HIPAA
Legislation
• Protect the privacy of health information.
• Provide standards to facilitate the electronic exchange of health information.
• Provide individuals with better access to their health information.
• Standardize access to health information among states.
• Decrease healthcare fraud and abuse.
10
Defining the terms:
What is PORTABILITY?
Portability ensures that as
people move from one health
plan to another they will have
continuity of coverage and will
not be denied coverage under
pre-existing clauses.
What is ACCOUNTABILITY?
In HIPAA, accountability means
an increase in the government’s
fraud enforcement authority.
11
What are covered
entities?
Covered entities include
hospitals, care providers, third
party payers, such as insurance
companies, and anyone who
processes health information.
Therefore, it covers everyone at
UCH that uses, accesses or
interacts with patients in any
way. These interactions may be
formal or informal, from those of
direct care givers to those that
enter a patient room simply to
clean or deliver items.
12
What information is
protected?
HIPAA protects the security
and privacy of all medical
records and other health
information that is used or
shared in any form:
Paper,
Electronic, or
Verbal.
13
Quick Review
Questions
We know that
medical records,
whether paper or
electronic, are
confidential.
What about
handwritten notes,
notes on report
sheets, patient
schedule forms
and phone calls?
14
Answer . . .
ALL FORMS of
information,
written, spoken
or electronic,
are confidential
and MUST be
protected!
15
Patient Rights
Patient rights are protected by current
regulations, such as Maryland State
Law.
UCH has a policy describing “Patient
Rights and Responsibilities” – it
protects patients’ confidentiality and
privacy.
HIPAA enhances those rights to
ensure compliance with law.
HIPAA is going to increase our
patients’ awareness of their privacy
and confidentiality rights – we must be
ready to meet their expectations!
16
Patient’s Rights under
HIPAA
Current Patient Rights
• Right of access to copies of medical record
• Right to request “Amendment of the Medical Record”
• Right to request restriction of uses and disclosures
• Right to request confidential communication
New Patient Rights
• Right to receive a Notice of Privacy Practices
• Right to request exclusion from the Hospital’s Public Directory
• Right to limit who the entity communicates with
• Right to receive an Accounting of certain disclosures
17
Why is HIPAA
needed?
Health care has always tried to
maintain confidentiality, but
efforts have not always been
successful.
Although providers and team
members are accustomed to
protecting the privacy and
confidentiality of our patients:
Did you know that public trust in
health care has eroded and we
need to work hard to regain that
trust?
18
More of why is HIPAA
needed?
Health care institutions and
providers have worked to make
sharing of medical information
easier to help facilitate care and
payment.
The increase in the number of
providers, insurance companies,
marketing initiatives and
technological advances means that
we must heighten our awareness of
where and how protected health
information might be accessed or
breached and how to protect it.
19
8 Major Actions required to
assure compliance with the
regulations (1-3)
Here is an overview of those
actions:
1. Assign responsibility for a
Privacy Officer to receive
complaints and concerns.
2. Develop a Notice of Privacy
Practices and publicize it
prominently.
3. Develop an authorization form
for the use and disclosure of
protected health information
outside of treatment, payment
and healthcare operations.
20
8 Major Actions required to
assure compliance with the
regulations (4-8)
Here is an overview of those actions
(continued):
4. Know and adhere to the Patients’
Rights that are afforded by HIPAA.
5. Only release or request the
Minimum Necessary information to
do your job.
6. Develop and implement business
associate agreements with vendors
in order to ensure that the business
associate handles your patient’s
protected health information
properly.
7. Provide education and training to all
personnel of a covered entity
8. Document policies and procedures,
as well as actions taken to ensure
that policies and procedures are
enforced.
21
The Privacy Officer
HIPAA requires that each
covered entity have a Privacy
Officer.
The role of the Privacy Officer is
to be accountable for Privacy
compliance efforts and provide a
formal reporting structure for
team members/employees,
patients and visitors to express
concerns or complaints.
This position is established by
the entity and may be a distinct
role or part of an established
person’s job.
22
The Privacy Officer
The Privacy Officers at UCH are:
UCMC, ACC and HSP: Lynne
Adams, Director of QHIM at
UCMC
HMH: Jane Gordon, Director of
QHIM at HMH
Home Care: Jonathan Binder,
Controller at UC/SJ HC
23
Contacting the Privacy
Officer
The Privacy Officers are available for
assistance, questions and to
investigate concerns of Team
Members, physicians, patients, etc.
To contact the Privacy Officer, send an
email addressed to “Privacy Officer”:
The message will go to the UCH
Privacy Officers.
You will receive a reply to your
question or acknowledgement that
your concern is being investigated.
This is not anonymous.
You may also continue to use the
“Comply” function in Meditech for
compliance issues/concerns.
24
HIPAA is Federal Law
As a law, HIPAA compliance is
mandatory.
The objective of this education
program is to make you aware of
your role in protecting the privacy of
your patients.
You should already have viewed the
video “Privacy and Confidentiality:
HIPAA Regulations” and witnessed
how information may be shared.
Remember - patient information
must be protected through
conscious effort at all times no
matter where you are!
The only exception is when
information is shared in order to
provide care, treatment and
payment for services.
25
UCH GOAL:
A culture of confidentiality
Compliance and strong ethics will
ensure that UCH makes every
effort to prevent private health
information from getting into the
wrong hands.
Privacy is the responsibility of
everyone who works at Upper
Chesapeake Health as we all
potentially have access to private
patient information!
All of us must work together to
address and maintain the privacy
of patient information.
26
HIPAA Privacy
Standards
UCH training focuses on
privacy and confidentiality.
Privacy standards deal with
how health information is
used.
HIPAA puts into place
safeguards to guarantee that
only those people or entities
that have a real need for
protected medical information
have access to it.
Security standards will be put
into place in the near future.
27
What has UCH done to
prepare for HIPAA?
Developed or revised policies
and procedures.
Developed tools and
resources to ensure
compliance.
Defined consequences and
enforcement mechanisms to
ensure that we are in
compliance with the law and
protect the health information
of our patients.
Planned and implemented
education for you so
everyone is aware of his or
her responsibilities.
28
Key Concepts of
the HIPAA
Regulations
Understanding HIPAA
29
Let’s review the BASICS of
HIPAA!
In the following pages we will
overview the following:
Who is included in the HIPAA
regulations?
What health information is
covered by the regulations?
Disclosure: How and when can
information be shared?
What are the penalties if the law
is not followed?
30
Who is included?
Four entities are covered by HIPAA:
Health care providers,
Health plans,
Health care clearinghouses, and
The business associates of any of the
three entities above.
Simply put . . . HIPAA includes those
that provide, bill or pay for medical care
or process health information, or that
may request access to it in order to
conduct their business.
Let’s review who may be included in
these entities . . .
31
1. Health Care Providers
The first of the 4 entities is health care
providers.
“Health care providers” are defined as
any person or business that furnishes,
bills or is paid for health care services in
the normal course of business. Included
are:
• Hospitals
• Home Health Agencies
• Physicians and Allied Health Staff
• All Team Members at UCH
• Pharmacies
• Nursing Homes
• Outpatient Services
• Home dialysis supplies and equipment
• Contracted services with access to medical information
In summary, in our Hospitals and Home
Health Agency, anyone who uses or may
see or hear confidential patient
information is included.
32
The other three entities . . .
(2 & 3)
2. A “Health plan” provides for or
pays the cost of medical care,
such as insurance companies,
Medicare, employee benefit
plans, etc.
3. “Health care clearinghouses”
receive health information from
providers and plans and help to
standardize that information into
the required format for claims
processing. An example is a
billing service.
33
The other three entities . . .
(4)
4. “Business associates” are
persons or entities that provide
certain services for or to a
HIPAA covered entity, but who
are not part of that entity’s
workforce. Examples are
accountants, data processing
firms, consultants, etc. Specific
contracts have been developed
with UCH business associates
to protect the privacy of
protected health information.
34
What health information
is covered by HIPAA?
The health information that is
covered is called PROTECTED
HEALTH INFORMATION or PHI.
PHI is any information, whether
spoken, electronic or written, that
relates to the past, present, or
future physical or mental health or
condition of an individual, as well
as the provision or payment related
to that health care.
PHI is vital in providing health care
services.
PHI may be used by professionals
to provide medical care/treatment.
35
What is the definition
of PHI?
Protected Health Information
(PHI) is health information
created or received by a
covered entity, regardless of
form, that could be used directly
or indirectly to identify the
individual.
Think about all the places that such
information is available . . .
36
Where is PHI found?
Here are examples of where PHI may
be found . . .
• Paper Records of health information:
• Medical Records / Patient’s charts
• Faxed copies of medical information
• Computer (electronic) information or
files
• Information read off of a computer
screen
• Information transmitted over the
internet
• Laptops and PDAs (hand held
devices)
• Video or audio tape
• Photographs
37
PHI includes:
Information that identifies the
individual, or can be reasonably
believed to provide information that
can be used to identify the
individual.
Information is considered de-
identified if it cannot be used to
identify the individual. De-identified
information is not subject to HIPAA
requirements.
Everyone must become aware of
all the ways people are identifiable
and take care not to share this
information inappropriately.
38
Examples of PHI:
Examples include:
Name
Address
Birth date
Identifying numbers such
as telephone number,
social security number,
medical record number,
account number, etc.
39
Disclosure
Who has access to
information?
How and when can
information be
shared?
What are the policies
that UCH has in
place to ensure
compliance?
40
Protecting PHI
UCH policies protect PHI.
Information that relates to a
patient’s health cannot be used
unless authorized by either the
patient or someone acting on the
patient’s behalf, or unless
permitted by regulation.
Access to information is limited to
only those individuals who need
the information for a legitimate
purpose.
HIPAA ensures that an
individual's health information
may only be used for health
purposes.
41
UCH Policy
Disclosure Policy
Defines who has access to private
information
Lists the types of disclosures and
the procedure for releasing the
information.
When information may be released
and how that release is
documented.
Take extra care . . .
Maintain the confidentiality of your
computer access codes
Position computer screens away
from public access or view
LOG OFF computers when you are
no longer able to secure the
computer information
42
Incidental Exposures
Many worry about disclosing
information even when they have
done everything possible to avoid one
– this is called an incidental exposure.
It is a disclosure that cannot be
reasonably prevented, is limited in
nature, and occurs as a by-product of
otherwise permitted use or disclosure.
Example: A patient walking down the
hall accidentally hears part of a
telephone conversation that takes
place while the therapist is talking to a
physician on the phone.
Remember: It is important that we are
aware that our conversation may be
overheard and take reasonable steps
to safeguard information!
43
When does incidental disclosure
not apply?
Here are 2 examples of when the
incidental disclosure exception
would not protect the health care
worker:
A technician finishes documenting
vital signs on a patient’s chart,
leaves the chart on the nursing
station desk and walks away.
A receptionist always leaves the
window open to the waiting room
while he converses with patients
on the phone. Patients and
visitors in the waiting room
routinely overhear the
conversations.
44
Another safeguard to
prevent disclosure . . .
The law states that any
information that is shared
should be limited to the
“minimum necessary”.
Minimum necessary information
(MNI) is defined as the least
amount of information
necessary to accomplish the
purpose of the request.
The UCH policy on minimum
necessary information will be
reviewed later in this program.
45
When Minimum
Necessary Does NOT
Apply . . .
MNI does not apply to sharing
medical records for treatment
purposes as providers need full
access to medical records in
order to provide the best possible
care.
It also does not apply when a
patient authorizes disclosure to
federal or state agencies or third
parties.
MNI also does not apply if the
patient signs an authorization
form to release the medical
information and the release is
done pursuant to the terms of the
authorization.
46
Setting Up “Reasonable
Safeguards”
Even when policies regarding
minimum necessary
disclosures are in place,
accidental or incidental
disclosures may occur.
These are common sense
safeguards:
Ensure that information is kept
out of public view/access.
Remain aware of where
information is shared and
cognizant of one’s
surroundings. This will help to
ensure that others cannot
overhear PHI under normal
circumstances.
47
Quick Review
Questions
Who is
responsible for
maintaining
confidentiality
and patient
privacy?
48
Answer . . .
EACH ONE OF US!
49
Accounting for
Disclosures
The law requires entities to keep
track of disclosures that are
required by law or public health
officials.
Each entity must establish a
tracking mechanism for such
releases of information and
provide that information to
patients if requested.
More information is included in a
later section of this program for
those of you that have
responsibilities for disclosure
and/or documentation of
disclosure, so stay tuned!
50
Penalties
HIPAA has specific penalties if
anyone obtains or discloses
protected health information for
personal or commercial gain or for
malicious purposes.
Failure to comply may result in
penalties ranging from $100 to
$250,000 per violation.
Prison time may also be part of
the penalty.
Violations of HIPAA may also
cause a Type I recommendation
from JCAHO or a citation from
another regulatory agency such as
CMS.
51
Severe civil and
criminal penalties for
noncompliance!
General penalty for failure to comply:
Each violation: $100.
Maximum penalty for all violations of an
identical requirement: May not exceed
$25,000.
Wrongful Disclosure of Individually
Identifiable Health Information:
Wrongful disclosure offense: $50,000,
imprisonment of not more than one year,
or both.
Offense under false pretenses: $100,000,
imprisonment of not more than 5 years, or
both.
Offense with intent to sell information:
$250,000, imprisonment of not more than
10 years, or both.
52
Breaches of privacy are
potentially damaging to the
patient and UCH!
If you suspect there has
been an actual or
attempted privacy breach
to any form of protected
information, whether
electronic, paper or
recorded, report it to the
Privacy Officer using the
MediTech address
“Privacy Officer”.
53
Quick Review
Questions
What are some
examples of
occurrences that
you should report
to protect our
patients and the
organization?
54
Answers . . . Some
examples of serious
breaches of privacy
Sharing passwords.
Passwords out in the
open/in plain sight.
Seeing someone
look up patient
information, whether
paper or
computerized, that is
not for work
purposes.
Reports of patient
information left lying
out exposed.
55
What does all this mean
to healthcare providers?
HIPAA’s requirements for privacy
can be summarized as follows:
Patients must be provided with a
Notice of Privacy Practices that
outlines what UCH/providers will do
with their protected health information
– and attempt to get their written
acknowledgement that they’ve
received the notice.
Team members/employees can
ONLY have access to the minimum
necessary amount of protected
health information about patients that
they need to do their jobs.
Policies must be in writing and
training documented.
56
What does all this mean to
healthcare providers? (2)
Reasonable safeguards must be set
up to prevent incidental exposures,
such as a patient overhearing
information about another patient,
visitors being able to read health
information about those in the
hospital, patients overhearing team
members talking about another
patient, etc.
Each entity, such as a hospital,
physician’s office, insurance
company, etc., must name a privacy
officer who is in charge of making
sure all in the entity are in
compliance with HIPAA and who
can handle any HIPAA related
requests or complaints.
57
What does all this mean to
healthcare providers? (3)
Entity must get authorization from
patients to release protected health
information for purposes other than
treatment, payment, or operations.
Examples include release for
marketing or research activities.
Business associate agreements must
be set up with vendors who work on
the entity’s behalf, who are not
employees, but who have access to
medical or payment information about
our patients.
The agreements force these
vendors to protect patients’
privacy
Patients must be provided with
access to their medical records if they
request it.
58
Patient Rights
Consent and
Authorization
59
Protecting Privacy
Patients expect their health
information to be kept private and
confidential.
Patients have the right to control
who sees their information.
UCH and other health care
organizations, as well as other
covered entities, must live by the
rules of HIPAA and protect PHI.
Reminder:
PHI is Protected Health Information
60
The “Need to Know” Rule
Communications, either with or
about patients, that involve
protected health information
(PHI), must be private and limited
to those that need to have the
information in order to provide
treatment, payment and other
healthcare operations.
Only those people or “computers”
with authorization will have
access to PHI.
HIPAA takes maintaining privacy
and confidentiality from ethically
correct to required by law.
61
Patient Consent for
release of PHI
The Privacy Rule does not require
providers to get patients to sign a
consent form before PHI can be used or
disclosed for treatment, payment or
healthcare operations.
Obtaining consent is optional –
thankfully!
Imagine if a signed consent had been
required for release of information
regarding treatment, payment, etc., it
would have been a burden and may
have affected treatment and care.
There should still be a “good faith” effort
made to get patients’ “written
acknowledgement” of the Notice of
Privacy Practices.
Example: A form may be provided
for signature to patients when they
come to a physician’s office for
inclusion in their file.
62
However, patients need
assurance of how
information will be shared . . .
Therefore, in place of a
signed consent form, all
entities must post a Notice
of Privacy Practices that is
visible in the hospital, office
or business.
Copies must also be
available to hand out to
patients.
Additional information
regarding the Notice of
Privacy Practices is
presented a bit later in this
program.
63
Quick Review
Questions
Under what
circumstances are you
free to repeat protected
health information that
you hear on the job?
a. After you no longer
work at the
organization/office.
b. After a patient is
discharged.
c. Only if you believe the
patient won’t mind.
d. When authorized for
business purposes.
64
Answer . . .
The only correct
answer is the last
one. Protected
health information
may be shared
only when
authorized for
business
purposes.
65
UCH Policies
Content and Application
66
What education do you
need on the UCH
Policies?
Education is based on your role and
what you need to understand in order
to be in compliance with HIPAA
regulations.
Therefore . . .
If you are a manager, your program
will contain all of the policies.
If you work with patients, your
education is related to those interactions.
For those Team Members that have
limited contact with patients, your
program will summarize many of the
policies.
Watch for pages with your department
or role highlighted and pay special
attention to that information!
67
What’s new and what’s
revised?
UCH has revised the following
Administrative Policies:
Audit of Computer Access
Amending the Medical Record
Patient Access to Protected Health
Information (PHI) in the Medical Record
UCH has developed the following
Administrative Policies:
Confidential Patients
Minimum Necessary Use or Disclosure of
Protected Health Information
Disclosure of Protected Health Information
Accounting for Disclosures Policy –
QHIM/Medical Records Policy
Notice of Privacy Practices
Let’s review each of these as it relates to
your role/job.
68
Audit of Computer
Access
This policy outlines the UCH
process for monitoring who is
accessing electronic medical
records.
The purpose is to protect the
patient’s right to
confidentiality.
This is not a new policy,
however it has been revised
to assure compliance with
HIPAA.
69
Audit of Computer
Access
For those of you that have
access to computerized
medical records, review this
information:
Audits will be conducted on a regular
basis to identify inappropriate access to
medical record information.
Audits will be conducted on all records
for patients who are UCH team
members, medical staff, admitted under
an alias or recognized as high profile
patients.
Each month random samples of
records will also be audited.
The procedure is outlined in the policy
and is overseen by the Privacy Officers.
70
Audit of Computer Access
POLICY
Here is the purpose and policy statement for your
review as appropriate to your role. The full policy
is available on-line in Meditech – UCH
Administrative Policy Manual.
Purpose: To provide a method of monitoring
access to the electronic medical record and
protect the patient’s right to confidentiality.
Policy: Audits will be conducted on a regular
basis to identify inappropriate access to medical
record information.
Audits will be conducted on all records for
patients who are UCH team members,
medical staff, admitted under an alias or
recognized as high profile patients.
Each month random samples of records will
also be audited.
The procedure is outlined in the policy and is
overseen by the Privacy Officers.
71
Next . . .
Amending Medical Records
The next part of the program deals
with policies and procedures related
to amending a patient’s medical
record.
This section is primarily for clinical
team members and those that work
closely with medical records.
72
Amending the Medical
Record
This UCH policy provides
guidelines for amending
protected health information
(PHI) maintained in the medical
record.
Patients or a person of interest
has the right to request an
amendment to protected health
information maintained in the
medical record that they believe
is incorrect or incomplete.
The policy defines how the
correction or amendment is
done.
73
Amending the Medical
Record Policy
For those of you who have
responsibility for administering
this policy, please review the
next several pages:
Purpose: To establish guidelines
for amending protected health
information (PHI) maintained in
the medical record.
Patients or a person of interest
has the right to request an
amendment to protected health
information maintained in the
medical record that they believe
is incorrect or incomplete.
74
Amending the Medical
Record (2)
The policy defines “patient” and
“person of interest”.
An example of a person of
interest is a parent, guardian or
custodian.
The Department of Quality and
Health Information Management
(QHIM) is responsible for
handling all requests for
amendments to the protected
health information.
Anyone who receives this type of
request is to refer the individual
to QHIM.
75
Amending the Medical
Record (3)
The policy defines how
amendments may be made in the
Medical Record by the Health
Care Provider:
Here are the steps in that
procedure as written in Section IV
of the policy:
1. Any person authorized by hospital
policy to make record entries may
correct minor errors.
2. Only the author of the entry may
correct the error.
3. An entry in the Event Tracking
system must be completed when
the error is corrected.
76
Amending the Medical
Record (4)
The remaining steps (4-6 of 8):
4. Late entries shall NOT be made
more than 24 hours after the
occurrence.
5. Contact Risk Management for
assistance in recording information
for omissions or errors discovered
greater than 24 hours or if there is
any question about correcting any
entry.
6. Correct a paper medical record
entry by:
a. Putting one line through the incorrect
information, ensuring that it is still legible;
b. Dating and initialing the record at the
correction site;
c. Recording the corrected entry on the
next chronological line on the chart;
d. Entering the correction clearly, and
clearly indicating which entry the
correction is replacing.
e. Signing the late entry with name and title.
77
Amending the Medical
Record (5)
The remaining steps (7 of 8):
7. Correct an electronic medical entry by:
a. Accessing the NUR Main Menu for the
Hospital;
b. Entering #5 Patient Notes;
c. Entering the Patient’s name or account
number;
d. Moving the highlighted bar down by using
the down arrow key to AMEND EXISTING
NOTES and right arrow into TYPE OF
NOTE BOX;
e. Using the arrow key, pick the NOTE TYPE
and right arrow into the notes;
f. Using the arrow key, highlight the note
you wish to amend;
g. Depress the except key to get into the
AMEND BOX which is the box to type in
the corrected note;
h. Typing the corrected note and hitting the
F12 to file;
i. Selecting the left arrow key to exit the
notes and the patient note screen.
78
Amending the Medical
Record (6)
The remaining steps (8 of 8):
8. If an entire report is misfiled in an
incorrect medical record, the
entire report will be removed from
the paper medical record and an
Event Tracking entry shall be
completed. If an entire report is
misfiled in the electronic medical
record, it must be amended to
designate the incorrect identity on
the record. The record cannot be
physically removed from the
electronic medical record.
79
Next: Patient Access to their
information
The next section
discusses policies and
procedures related to
patients accessing
their information in the
medical record.
This section is
important to those
Team Members that
work with patients who
may request this
access.
80
Patient Access to Personal
Health Information in
Medical Record
This policy defines guidelines for
patients to access their medical
record.
The patient or person of interest
(this term is explained later) has the
right to access their medical record.
Contact QHIM/Medical Records for
assistance in following this policy
and the procedures contained
within it.
For Team Members that provide this
service, please review the next
several pages for the procedures
that apply to your role.
81
Patient Access to Personal
Health Information in
Medical Record Policy
Purpose: To establish
guidelines for patients
accessing the medical record.
Policy: Patients or person(s)
in interest have the right of
access to protected health
information (PHI) maintained
in the medical record except
as defined in this policy.
82
Patient Access to Personal
Health Information in Medical
Record (2)
Who are “Person(s) in interest”?
An adult on whom a health care provider
maintains a medical record;
A person authorized to consent to health care
for an adult;
A duly appointed personal representative of a
deceased person;
A minor, if the medical record concerns
treatment to which the minor has the right to
consent;
A parent, guardian, custodian, or a
representative of the minor designated by a
court, at the discretion of the attending
physician who provided the treatment to the
minor for the medical condition for which the
minor had the authority to consent;
A parent of the minor, except if the parent’s
authority to consent to health care for the
minor has been specifically limited by a
court order or a valid separation agreement
entered into by the parents of a minor;
An attorney appointed in writing.
83
Patient Access to Personal
Health Information in Medical
Record (3)
PROCEDURE: Request for
Access
A patient or person in
interest must request access
through the completion of the
“Authorization for Release of
Health Information” form or a
letter containing all the
elements of the form.
This form will be available in
the “Forms On Line” section
of Meditech.
84
Sample of Form: Authorization
for the Release of Health
Information - Side one
AUTHORIZATION FOR THE RELEASE OF HEALTH
INFORMATION
Medical Record
Number
This Authorization form is designed to meet the requirements of privacy
regulations issued by the federal Department of Health and Human Services at
42 CFR § 164.508 and the Annotated Code of Maryland, Title 10 Health General
Article § 4-301 – 4-307.
All items on this authorization must be completed in full, or the request will
not be honored.
I hereby authorize Upper Chesapeake Health to release the protected health
information of:
PATIENT:
DATE OF BIRTH: PHONE #:
ADDRESS:
The information is to be released to:
NAME:
ADDRESS:
PHONE #:
The information I wish to have released is (include dates of service):
Discharge summary Imaging reports
History and physical exam Diagnostic cardiology reports
Consultation reports Laboratory reports
Reports of operations Other
I ___ do ___ do not wish to have information about HIV/AIDS released under
this authorization.
85
Sample of Form: Authorization
for the Release of Health
Information - Side two
This authorization will expire within one year of the date it is signed unless
otherwise indicated here:
This authorization to disclose information may be revoked by me at any time,
except to the extent that action has been taken prior to receipt of revocation. To
revoke the authorization, I understand that I must notify the Quality and Health
Information Management Department in writing. I understand that treatment,
payment, enrollment, or eligibility for benefits may not be conditioned on
obtaining this authorization. I further understand that once information covered
by this authorization has been delivered to the recipient, redisclosure of the
information by that recipient is possible, cannot be predicted by this authorization
and may no longer be protected by the Privacy Regulations referenced above.
Patient or Personal Representative’s Signature Date
If signature is other than patient, explain your authority to act for the patient:
________
Witness Date
If there is a question or concern with responding to this authorization, you will be
contacted by a member of the UCH Quality and Health Information Management
department to discuss it. Questions or complaints about the privacy regulations
or UCH’s policies and procedures relating to these regulations should be directed
to the UCH Privacy Officer.
86
Patient Access to Personal
Health Information in Medical
Record (4)
B. The request is reviewed for the
appropriateness of the request.
C. If the request is granted, in whole or in part,
the patient or person(s) in interest is informed
of the acceptance and provided the access
requested.
D. The patient or person in interest must be
provided access within twenty-one (21) days
of receipt of the request, either by providing a
convenient place and time for inspection, a
copy of the protected health information or by
mailing the copy of the health information,
whichever is requested.
E. If the protected health information is not
available at the time of the request, the
patient or person in interest is notified in
writing of the reasons for delay and the date
by which the request will be honored.
87
Patient Access to Personal
Health Information in Medical
Record (5)
F. The patient or person in interest must be
provided access to the protected health
information in the form or format requested
by the individual.
G. A summary of the protected health
information requested may be provided to the
individual in lieu of providing access to the
protected health information, if the patient or
person in interest agrees in advance to such
a summary or explanation and fees if
applicable. (See policy on Fees for Obtaining
Copies of Medical Records)
The policy includes sections on “Denial of
Access” and “Reviewable Grounds for
Denial of Access”
These sections are the responsibility of the
Directors of QHIM. See the complete policy
in the Meditech Library for additional
information.
88
Quick Review
Questions
If a patient asks
for a copy of his
or her medical
record, what
should you do?
89
Answer . . .
Contact QHIM / Medical
Records.
Designated Team
Members in these
departments will assure
that
Our policy is followed,
and
The “Authorization for
the Release of Health
Information” is
completed.
There are also
designated Team
Members in the Lab,
Imaging and some other
clinical departments that
provide this service to
our patients and follow
the same processes as
outlined in the policy.
90
Confidential Patients
Policy
This policy is extremely
important to our patients
and our compliance with
HIPAA.
Every Team Member at UCH
that has patient contact or
receives inquiries related to
patients MUST review this
information!
The purpose of the policy,
as defined on the next few
pages, reinforces our current
confidentiality practices.
91
What’s NEW ? ? ?
Patients will now indicate
upon admission their wishes
for being included in our public
hospital directory.
In the event that a patient
states they DO NOT want to
be included in the directory of
information, we MUST keep
their presence in the hospital
CONFIDENTIAL!
92
What’s NEW ? ? ?
This means when someone
calls requesting patient
information, requests to see a
patient, or comes to deliver
flowers to a patient listed as
confidential, they will need to
be told that “the person is not
listed in our Hospital Directory”.
Let’s review the policy then
review how confidential
patients will be protected at
UCH . . .
93
Confidential Patients
Policy
Review this policy if you
provide access to patients in
any manner
PURPOSE:
To provide a method for
ensuring patients’ rights to (1)
be excluded from the public
patient directory and / or (2) to
limit disclosures of information
to particular family or friends
involved in their care.
94
Confidential Patients
Policy (2)
POLICY:
It is the policy of Upper Chesapeake
Health to ask each patient upon
registration to indicate their wishes
regarding (1) inclusion in the
directory of information available to
the public and (2) whether there are
any friends or family members they
do not want their protected health
information (PHI) shared with and to
ensure that those wishes are
followed throughout the patient’s
care.
Review:
At the time of registration, patients
indicate their wishes.
All patients are placed in
CONFIDENTIAL status until they
indicate otherwise.
95
Confidential Patients
Policy (3)
POLICY:
Appropriate decision makers will be
sought for all those patients
incapable of expressing their
wishes independently. Patients
will be “confidential” until this
information is obtained from
themselves or an appropriate
surrogate decision-maker.
96
Confidential Patients
Policy (4)
PROCEDURES:
Changing or Continuing
“Confidential” Status
1. A default status of “confidential” will
be used in the Meditech system for
each new patient account.
2. During the registration process
each patient will be asked to complete
a “Preliminary Patient Information”
sheet and indicate their wishes
regarding the patient directory and / or
communication with friends and
family. For scheduled outpatients,
direct admissions and outpatient
surgery patients the questions on this
form may be asked during
preregistration procedures and signed
when the patient physically presents
to the facility.
** Registration/Admitting Team
Members: A special note to remind
you of this new process!
97
NEW FORM
At this time, let’s look at the
new form developed to guide
our gathering of the information
required in the Confidential
Patients Policy.
The form is called “Preliminary
Patient Information” and is
discussed on the next few
pages.
98
Preliminary Patient
Information
This new form is used at the time of
patient’s admission for healthcare
services at UCH.
Includes:
Request and Consent for Treatment
Acknowledgement of receipt of the
UCH Notice of Privacy Practices
Decision section related to the
patient’s consent for release of
information in the Hospital Patient
Directory
Decision section as to the “Sharing of
information with those involved in my
care”.
Signature of the patient or designated
representative.
99
Sample of Preliminary
Patient Information Form
Upper Chesapeake Health: Preliminary Patient Information
Request and Consent for Treatment
I request and consent to examination, testing, and treatment that the physicians who examine
me or consult about my condition feel is necessary and appropriate for diagnosis and
treatment. I understand that I will be asked for oral consent and / or be asked to sign
additional forms indicating my consent for specific procedures according to the Hospital’s
“Informed Consent” policy.
In particular, at this time I understand and agree that:
Medicine and surgery are not exact sciences and no guarantees have been made to
me about the results of my examination and treatment.
Properly supervised Medical, nursing and other health care students may
participate in my care as part of their training unless I tell you otherwise at a
particular time
The hospital may examine and retain or dispose of specimens and tissues
removed from my body.
Notice of Privacy Practices
I acknowledge that I am being given a copy of the UCH Notice of Privacy Practices at the
time I am signing this document.
Release of Information in the Patient Directory
YES, please include my name and room number in the directory of
patient information available to members of the public (florists, clergy, other
callers) who contact the hospital.
NO, do not include me in the public directory.
Sharing information with those involved in my care
YES, you may speak with the following people if they need to be
involved in my care:
ANY member of my family ___ Check here
These individuals: ____________________________
______________________________________________
NO, do not speak with my family or friends about my care unless I give
you specific permission at a later time.
_____________
Patient / Parent / Health Care Agent / Guardian Date signed
[Please circle]
100
Preliminary Patient
Information Form
IMPORTANT:
Every patient must receive and
complete this form during each
encounter with UCH.
Form becomes a part of the
permanent medical record.
Nursing must document who PHI
may be shared with in Part 4 of
the Admission Assessment.
101
Preliminary Patient
Information Form
Example of screen in Meditech
Medical Record:
SHARING INFORMATION WITH THOSE INVOLVED IN MY
CARE.
YES, you may speak with the following people if
they need to be involved in my care:
*ANY member of my family (Place X here)
or *These individuals:
_____________________________
______________________________
NO, do not speak with my family or friends about
my care unless I give you specific permission at a
later time.
In the event that the patient indicates a change to
the above information, the change is made by
nursing in the Medical Record.
102
Confidential Patients
Policy (5)
Changing or Continuing
“Confidential” Status
3. If the patient indicates “YES” with
regard to both information
disclosure choices on the
Preliminary Patient Information
form his / her status will be
changed by the Registration
Coordinator or other person
preregistering him/her to release
the confidential status default.
4. If the patient answers “NO” to
either question on the Preliminary
Patient Information sheet, they will
remain in “confidential” status in
the Meditech system.
103
Confidential Patients
Policy (6)
Changing or Continuing
“Confidential” Status
5. For patients registering in the
ED a colored sticker will be
added to the face sheet of
patients requesting information
restrictions to alert team
members and physicians.
** Emergency Dept. and ED
Registrar Team Members: A
special note to remind you of
this new process!
104
Confidential Patients
Policy (7)
Changing or Continuing
“Confidential” Status
6. If the patient gives permission for
information to be shared with the
family or friends involved in his/her
care, the names of the individuals
with whom information may be
shared will be requested on the
Preliminary Patient Information
sheet. These names and any others
obtained by the admitting nurse
during his/her initial assessment will
be included in the Meditech
Assessment screen, Kardex and
Administrative Data Screen.
** RN Team Members: A special note
to remind you of this new process!
105
Confidential Patients
Policy (8)
Changing or Continuing
“Confidential” Status
7. The names of friends and family to whom
the patient has indicated that information
may be disclosed that are captured via the
nursing assessment will also be available
via the “Who PHI may be shared with”
element in Patient Care Inquiry (PCI) view in
Meditech.
8. At the patient’s request or that of his/her
surrogate decision-maker, a patient may be
changed to confidential status or have the
status removed at any time by executing a
new Preliminary Patient Information sheet. A
registration coordinator will update a
patient’s status when this sheet is
completed.
** Registration/Admitting Team
Members: A special note to remind
you of this new process!
106
Confidential Patients
Policy (9)
Incapable Patients:
1. If a patient is not capable of answering
the Preliminary Patient Information
questions due to injury, illness or
minority, an appropriate surrogate
decision-maker will be asked to sign on
their behalf.
2. For emergency room patients the
charge nurse or his/her designee will be
responsible for using available sources
of information to identify and contact an
appropriate surrogate decision-maker.
3. If an incapable patient requires
admission and no surrogate decision-
maker has been identified the treating
nurse will contact the case manager on
call who will continue efforts to identify a
surrogate decision-maker.
** Emergency Dept. Charge Nurses: A special
note to remind you of this new process!
107
Confidential Patients
Policy (10)
Incapable Patients:
4. The patient will remain a confidential
patient until the form is completed.
5. If a team member is contacted by
someone inquiring about an admitted
patient who remains in “confidential”
status because no surrogate decision-
maker has been identified, the team
member will take the caller’s name and
contact information, ask them to await a
call back, and notify the on duty nursing
supervisor of the call. The nursing
supervisor will return the call and make a
good faith effort to determine if the
person is or has information about an
appropriate surrogate decision maker for
the patient. The supervisor will
document the contact in the patient’s
electronic medical record.
108
Confidential Patients
Policy (11)
Maintaining PHI Restrictions
1. All individuals having access to
PHI within the UCH Hospitals
are responsible for reviewing
who, if anyone, the patient’s PHI
may be shared with. This
information will be available in
the “Preliminary Patient
Information Sheet” responses,
the nursing assessment, the
“Who PHI may be shared with”
element in PCI, the nursing
kardex and the administrative
data screen.
109
Confidential Patients
Policy (12)
Maintaining PHI Restrictions
2. UCH team members, members of the UCH
Medical Staff and anyone else having access
to Patient Information within the UCH
facilities and Home Care will not share
information regarding patients to a family
member or friend involved in that patient’s
care unless:
a. The person is identified by the patient as
permitted access to information or,
b. It may be reasonably inferred from the
circumstances that the patient does not
object to information being shared, for
example when the patient requests that
another person remain during an
examination or interview; or
c. The person is a parent, guardian,
healthcare agent or surrogate decision-
maker making healthcare decisions on
behalf of the patient.
110
Confidential Patients
Policy (13)
Maintaining PHI Restrictions
3. Members of the UCH Medical Staff, team
members and others having access to PHI will
be alerted to a patient’s confidential status by a
“c” attached to the patient’s account number, by
a message appearing on the Meditech screen
when accessing the patient’s record and/or the
“Confidential” sticker on the patient’s
registration sheet. Whenever a physician, team
member or other person encounters a
“Confidential” patient they are responsible for
reviewing the special restrictions on the patient’s
information and acting in accordance with those
restrictions.
4. UCH team members, members of the UCH
Medical Staff and anyone else having access to
Patient Information within the UCH facilities and
home care will not disclose in any way to
anyone not directly involved in the patient’s care
the presence of a patient who has indicated s/he
does not wish to be included in the public
patient directory.
111
A few more policies . . .
We have three more policies to review
The next one deals with a new
concept . . .
. . . Minimum Necessary Information
So, let’s keep going
112
The “Minimum Necessary”
Privacy Rule
Healthcare Providers and other
covered entities, as
discussed previously, must
make reasonable efforts to
disclose or use only the
information necessary in order to
do our jobs.
The Minimum Necessary
standard of HIPAA ensures that
methods are in place that guide
us to protect patient privacy.
Remember: Information may
be disclosed in order to
provide treatment and
services as discussed earlier.
113
The “Minimum Necessary”
Privacy Rule
There is NO minimum necessary
rule when it comes to sharing
information for treatment.
It is a balancing act . . . How much
information needs to be disclosed
to ensure quality care?
However, when providing care, there
may be information that you have that
does not need to be shared as it is
not necessary to do your job.
Let’s look at the UCH policy . . .
Review this section if you have access to
patient information . . . in any form!
114
Minimum Necessary Use or
Disclosure of Protected
Health Information Policy
PURPOSE:
To provide methods for
ensuring the minimum
necessary use or disclosure
of patients’ protected health
information (PHI) for purposes
of their treatment, payment
and/or UCH Health Care
Operations purposes.
115
Minimum Necessary Use or
Disclosure of Protected
Health Information (2)
POLICY:
When using or disclosing protected health
information or when requesting protected
health information from another physician,
team member or facility, a physician or UCH
team member will make reasonable efforts to
limit protected health information to the
minimum necessary to accomplish the
intended purpose of the use, disclosure, or
request. Physicians and team members will
raise any question about their need to use,
disclose or access information in particular
cases to the UCH Privacy Officer.
In addition, minimum necessary use and
disclosure will be established and maintained
by means of role based access to the UCH
Hospital Information System and specific
determinations by the UCH Policy Oversight
committee regarding the need for access to
protected health information to accomplish the
purpose of each UCH policy.
116
Minimum Necessary Use or
Disclosure of Protected
Health Information (3)
PROCEDURE:
Minimum Necessary Access,
Use or Disclosure
1. Team members and members
of the UCH medical staff may
access, use, request from or
disclose to another health care
provider any information
relating to a particular patient
which they believe in good faith
is necessary for the treatment
of that patient by them or the
individual or facility to whom the
information is disclosed.
117
Minimum Necessary Use or
Disclosure of Protected
Health Information (4)
2. Disclosures of information to family
members and friends of a patient who
are involved in his or her care will be
governed by any restrictions requested
by or on behalf of the patient. (See
“Confidential Patient Status” policy).
2. We have reviewed this in the program
when we discussed confidential
patient status.
3. As you can see, many of the policies
and procedures overlap to ensure
protection of patient privacy!
118
Minimum Necessary Use or
Disclosure of Protected
Health Information (5)
Patients may also request other
restrictions on use or disclosure of
their protected health information
which may or may not be agreed to
by UCH. Any patient requesting
another restriction on use or
disclosure should be sent to the
Director of QHIM for the facility
where they are a patient or the
UCH Privacy Officer.
Any other access, use, request for
or disclosure of patient protected
health information will be limited to
the minimum necessary to
accomplish a particular payment or
UCH Health Care Operations
purpose.
119
Minimum Necessary Use or
Disclosure of Protected
Health Information (6)
5. When making a disclosure of protected
health information for a purpose
required by law, such as the reporting
of abuse, dog bites, burns, organ
donation, etc., the UCH team member or
member of the Medical Staff making
that disclosure may rely on the entity to
whom the disclosure is being made to
define the minimum necessary
disclosure for that purpose.
6. Requests by law enforcement
authorities or the Department of Health
and Human Services for protected
health information will be referred to the
UCH Privacy Officer. Team members
who believe they have been a victim of
a criminal act by a patient will also
review their need to disclose protected
health information with the UCH
Privacy Officer before making a
disclosure to law enforcement
authorities.
120
Minimum Necessary Use or
Disclosure of Protected
Health Information (7)
Role Based Access to the
UCH Hospital Information
System (Meditech)
Individuals requiring access to
the hospital information system
(Meditech) at UCH will be
granted access based on a pre-
determined set of applications
and functions designed on
minimum, need-to-know access
levels. A system of user
templates will be designed and
utilized based on the following
standards as listed on the next
few pages:
121
Minimum Necessary Use or
Disclosure of Protected
Health Information (8)
User templates:
a. Menu templates will be designed
for each job code within the UCH
system in collaboration with
management and staff from the
departments where individuals in
that job code are employed
b. Each team member within the
same job code will be assigned
access based on the template
designated for that code.
c. Business partners not employed
by the hospital will be grouped
by functionality (Billing,
Transcription, Physicians, etc.)
and assigned menu templates
based on these roles.
122
Minimum Necessary Use or
Disclosure of Protected
Health Information (9)
User templates:
d. Exceptions to the templates must
be approved by the Manager of the
Department where an individual is
working, Privacy Officer and MIS
Applications Manager. The
exception justification must be noted
within the HIS menu design
application (Meditech NPR) along
with the names and positions of the
approving parties.
e. Changes to general templates will
be coordinated between the
Department Manager(s), Privacy
Officer and MIS Applications
Manager with justification noted
within the HIS menu design
application (Meditech NPR) along
with the names and positions of the
approving parties.
123
Minimum Necessary Use or
Disclosure of Protected
Health Information (10)
Minimum Necessary Use to Carry Out UCH
Policies
1. The need for access to, use or disclosure
of protected health information to carry out
UCH policies and procedures will be
accomplished by a determination made by
the Privacy Officer, as a member of the
Policy Oversight Committee (POC), with
regard to each policy as to whether, to
what extent and by whom a particular
policy requires access to, use or disclosure
of protected health information.
a. This determination will be memorialized in
each policy.
b. Once made, this determination may be
reviewed at any time by application to the
Privacy Officer and/or the Policy Oversight
Committee.
c. Team members and members of the UCH
Medical Staff attempting to carry out
particular policies or procedures will review
the policy to determine if they are
authorized to use, access, or disclose
protected health information for that
purpose and any limitations imposed by that
policy.
124
Quick Review
Questions
What is meant
by having
access to the
“minimum
necessary”
information to do
our jobs?
125
Answer . . .
We have
access to all
information
that we need
to do our jobs,
but we should
not have
access to
unnecessary
information!
126
What’s Next?
We’ve reviewed the
minimum necessary
standard.
NOW, on to
DISCLOSURE.
This section pertains to Team
Members that have access to
patient information.
If you do not handle patient
records or information you may
skip this section and proceed to
the section on “Notice of Privacy
Practices”.
127
Disclosure
Disclosure means the release,
transfer, provision of access
to, or divulging in any other
manner of information outside
the entity holding the
information.
For all uses or disclosures of
protected health information (PHI)
that do not involve treatment,
payment or healthcare operations,
healthcare entities MUST obtain a
valid patient “authorization”.
128
Disclosure of Protected
Health Information
There are 6 procedures defined in the
policy and include the following:
Disclosure of PHI for direct treatment
purposes
Disclosure for purposes of payment
Disclosure for or at the request of a patient
or patient representative
Disclosures required by Law
Disclosures for Research, in Response to
Subpoenas for Documents, and to
Attorneys Representing UCH
Disclosures of Directory Information and to
Family and Friends involved in the
Patient's care
Any other disclosures of PHI to a person or
entity outside of UCH must be reviewed
and approved by the UCH Privacy Officer
or designee before such disclosure can
occur.
129
Disclosure of Protected Health
Information Policy
PURPOSE:
To clearly outline the authority of
various team members and members
of the UCH medical staff to disclose
protected health information (PHI) of
patients treated at the UCH facilities to
individuals or entities outside UCH.
POLICY:
Disclosure of PHI to individuals or
entities outside of UCH will be done in
strict adherence to the requirements of
federal and state law.
130
Disclosure of Protected
Health Information Policy
(2)
Disclosure of PHI for direct treatment
purposes
1. Any UCH team member or member of the
medical staff who is directly involved in
caring for a particular patient is authorized
to disclose that patient’s PHI by any
means (direct in person communication,
via telephone, by fax, by providing a
summary or copy of a portion of the
patient’s medical record) to another
individual who is or will be directly involved
in the care of that patient at the time of the
communication for the condition to which
the PHI relates.
2. This includes communications for the
purpose of determining if the patient is an
appropriate candidate for care by the other
provider or at another facility.
131
Disclosure of Protected
Health Information Policy
(3)
Disclosure of PHI for direct
treatment purposes (cont.)
2. For example, a nurse may give
report to another facility to
which the patient will be
transferred; a physician may
discuss a patient’s PHI with
individuals at another facility to
determine if a transfer would be
appropriate; a social worker
may contact an oxygen provider
to arrange for service at the
patient’s home after discharge.
132
Disclosure of Protected
Health Information Policy
(4)
Disclosure of PHI for direct treatment
purposes (cont.)
No disclosure will be made when the
patient has communicated a desire that
information not be disclosed to a
particular person or entity.
An appropriate notation should be
made in the patient’s medical record
indicating the fact of each such
disclosure. This notation may be made
in any portion of the record (e.g.
progress note, H & P, discharge
summary, transfer form).
133
Disclosure of Protected
Health Information (5)
Disclosure for purposes of payment
1. Team members in the QHIM,
Schedule First, Registration,
Patient Financial Services,
Clinical Resource Management
and Finance departments are
authorized to disclose a particular
patient’s PHI to persons and entities
outside of UCH for the purpose of
obtaining payment for care
provided by UCH or another
provider to that particular
individual.
134
Disclosure of Protected
Health Information (6)
Disclosure for purposes of payment
A notation of each such disclosure
apart from the submission of a
routine insurance claim, issuance
of a bill or the provision of
information for concurrent review
of inpatient admissions by an
insurer will be made in the
patient’s BAR registration, a
patient care note or the QHIM
correspondence module.
135
Disclosure of Protected
Health Information (7)
Disclosure for purposes of payment
(cont.)
3. Team members in departments not
listed above are not authorized to
disclose PHI for the purposes of
payment. Inquiries requesting such
information should be referred to one of
the departments listed above.
4. Members of the UCH medical staff are
not authorized to disclose PHI for
payment of any services other than
those they provide to a particular patient
at the UCH hospitals.
136
Disclosure of Protected
Health Information (8)
Disclosure for or at the request of a
patient or patient representative
1. Certain designated team members in
the Laboratories, QHIM, and
Imaging are authorized to disclose
PHI in response to a request from a
patient or patient representative.
2. These team members will complete
Authorized Discloser Training prior to
disclosing PHI in these circumstances.
137
Disclosure of Protected
Health Information (9)
Disclosure for or at the request of a
patient or patient representative
(Cont.)
1. All other team members and all
members of the UCH medical staff will
refer requests by patients and/or
patient representatives to one of these
departments. Team members and
members of the medical staff may provide
requesting individuals with copies of the
“Authorization for Release of Health
Information” form from the Meditech
“Forms On Line” system and send
completed copies of this form to the
appropriate department for follow-up on a
subsequent business day.
138
Disclosure of Protected
Health Information (10)
Disclosure Required by Law
1. Disclosures of PHI are made for the following
reasons in order to comply with various legal
requirements, including the license requirements
of individual nurses and physicians:
- Suspected abuse or neglect of a child
- Suspected abuse or neglect of a vulnerable adult
- Medical examiner cases
- Organ donation
- Infectious disease surveillance
- Implant reporting
- Notifications of first responders
- Animal bite and/or burn reporting
- Reporting a worker’s compensation claim
- Lookback (If a person is identified by the Lab as having
donated blood, and this person has now been diagnosed with a
reportable communicable disease, the Lab must report same to
applicable agency)
- Responding to a properly served subpoena or court order
requiring testimony
139
Disclosure of Protected
Health Information (11)
Disclosure Required by Law (Cont.)
2. Any team member or any member of the Medical
Staff who believes in good faith that his/her license
or job assignment requires disclosure of PHI for one
of the reasons listed above is authorized to do so.
3. All disclosures authorized under this section will be
documented in the patient’s medical records using
the “Disclosure Notification” nursing intervention
or in the QHIM correspondence module.
a. All elements of the “Disclosure Notification”
entry must be completed.
b. These “Disclosure Notification” entries will be
compiled into any “Accounting” of disclosures
requested by a patient or patient representative.
140
Disclosure of Protected
Health Information (12)
Disclosure for Research, in Response to
Subpoenas for Documents, and to Attorneys
Representing UCH
1. Only certain members of the QHIM
department are authorized to disclose PHI (a)
for purposes of research either based on an
individual patient authorization or an IRB
waiver of authorization, (b) in response to
subpoenas requesting documents, or (c) to
attorneys representing UCH.
2. All such disclosures will be documented in
the QHIM correspondence module.
141
Disclosure of Protected
Health Information (13)
Disclosure for Research, in Response to
Subpoenas for Documents, and to Attorneys
Representing UCH (Cont.)
3. These correspondence module entries will
be compiled into any “Accounting” of
disclosures requested by a patient or patient
representative.
4. All other team members will refer all such
requests to QHIM.
142
Disclosure of Protected
Health Information (14)
Disclosure of Directory Information and to
Family and Friends involved in the Patient's
care
1. These types of disclosures are covered by the
“Confidential Patient” policy.
143
Disclosure of Protected
Health Information (15)
Any other disclosure of PHI to a person or
entity outside of UCH
1. Any disclosure of PHI for a purpose not specified
above must be reviewed and approved by the UCH
Privacy Officer or her designee before it takes place.
2. The Privacy Officer will determine on a case by case
basis if an entry needs to be made in the QHIM
correspondence module regarding a particular disclosure
so that it can be included in any “Accounting” of
disclosures given to a patient or patient representative.
144
Disclosure of Protected
Health Information (16)
In addition to this policy, there is a
policy in QHIM that defines the
process to account for disclosures.
To assist with understanding disclosure,
please see the charts on the next few
pages that list the “purpose” of the
disclosure, who may disclose that
information, and the documentation
requirements.
Remember . . .
If you are one of the individuals
that may disclose the information,
you are responsible for adhering
to the policy.
If you are not responsible or
allowed to disclose information,
please be sure to refer the person
to the correct Team Member or
Department.
145
Disclosure of Protected
Health Information (17)
Purpose of the Disclosure | Who May Disclose | Documentation Requirements
Provide, consult and/or direct treatment from outside UCH. | Anyone directly treating the patient. | Notation of the disclosure in the patient’s medical record
Payment | Team Members in QHIM, ScheduleFIRST, Patient Financial Services, Clinical Resource Management and Finance. | Notation in BAR or QHIM. Correspondence module if not related to submission of claim, issuance of a bill or concurrent review.
Comply with patient request | Team Members in Lab, Imaging and QHIM who have completed “Authorized Discloser Training” | Completed copy of “Authorization for Release of Medical Information” form. Notation in QHIM correspondence module.
146
Disclosure of Protected
Health Information (18)
Purpose of the Disclosure | Who May Disclose | Documentation Requirements
Disclosure required by Law | Any Team Member whose job or license requires making the disclosure. | Completion of the “Disclosure Notification” intervention in the Nursing or QHIM correspondence modules.
Research, or Responding to Document Subpoenas, or Disclosure to Attorneys Representing UCH | Designated QHIM Team members who have completed “Authorized Discloser Training”. | Notation in the QHIM correspondence module.
Directory Information | Anyone as long as the patient is not listed as “Confidential”, i.e. the patient permits the disclosure. | None
147
Disclosure of Protected
Health Information (19)
Purpose of the Disclosure | Who May Disclose | Documentation Requirements
Disclosure to Family and Friends involved in the patient’s care | Anyone directly involved in the patient’s care if the patient permits the disclosure. | None
Any other disclosure to someone outside of UCH | Privacy Officer | Depends on the nature of the disclosure.
148
One more policy to
review
The last topic/policy to review is
the Notice of Privacy Practices.
Any Team Member working with
patients needs to be aware of
this policy.
If you do not work with patients,
the information in this section is
limited to a general overview.
149
What is “Notice of Privacy
Practices”?
A “Notice of Privacy Practices” is
a required notice that defines and
informs patients of the uses and
disclosures of confidential
information that may be made by
the healthcare team.
What must be included?
Steps taken to protect privacy;
Uses that may be made of the
PHI; and
Guidelines for patients who want
access to their medical records.
150
Notice of Privacy Practices
Policy
PURPOSE:
To define the Notice of Privacy
Practices as required by the
Federal Health Insurance
Portability and Accountability Act
(HIPAA). This Act established
federal guidelines that require a
health care provider, such as
UCH, to maintain the privacy of
patients’ protected health
information through proper
disclosure and privacy practices
and to provide a notice to each
patient that describes their rights
under this provision.
151
Notice of Privacy
Practices (2)
Definitions:
Disclosure means the release, transfer, provision
of access to, or divulging in any other manner of
information outside the entity holding the
information.
Health Care means care or service related to the
health of an individual. Health Care includes, but
is not limited to, diagnostic, therapeutic,
rehabilitative care and/or the sale or dispensing
of a drug, equipment, or other item in
accordance with a prescription.
Protected Health Information means any
individually identifiable health information,
whether oral or recorded in any form, that is
created and relates to the past, present, or
future physical or mental health, condition or
care of an individual.
152
Notice of Privacy
Practices (3)
POLICY:
UCH makes public a Notice of
Privacy Practices which defines
legal duties and privacy practices
with respect to a patient’s
protected health information.
The Notice will describe how
medical information about our
patients may be used and
disclosed and how patients can
gain access to their information.
153
Notice of Privacy
Practices (4)
1. This Notice will be provided to patients
at the time of registration for admission
and/or outpatient services.
2. The Notice of Privacy Practices will
also be posted on our website.
3. The Notice will be posted in signage
throughout the UCH facilities.
4. Acknowledgement of the receipt of this
notice will be attempted by completion
of the “Preliminary Patient Information”
sheet upon registration/admission.
154
Notice of Privacy
Practices (5)
UCH maintains the right to change the
terms of the Notice and to make the
new Notice provisions effective for all
protected health information that UCH
maintains. In the event changes are
made to the Notice, we will 1) make
the changes apparent in the new
document, 2) post the changes in the
signage within the UCH facilities, 3)
include them on the UCH website, and
4) UCH will not individually notify every
past patient, but will attempt to abide
by the requirements of the Notice in
effect at the time of the health care
service.
155
Notice of Privacy
Practices (6)
Any person stating complaints
relative to this Privacy Notice will
be treated with dignity, courtesy,
regard for the person’s privacy
and in accordance with the UCH
Non-Discrimination policy.
1. Complaints can be lodged with the
Privacy Officer or communicated to
any UCH Team Member for entry into
the ETSystem for system notification
of designated persons and trending.
2. Individuals requesting additional
information about the Notice or the
practices described in it will be
directed to the Privacy Officer.
156
The UCH Notice of Privacy
Practices
A three-page document
that will be:
Posted in public areas
Available as a handout to
all patients
Available on the UCH
Website
The next several pages
contain the content of the
notice for your review.
157
The UCH Notice of Privacy
Practices Sample:
UCH NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL
INFORMATION ABOUT YOU MAY BE USED
AND DISCLOSED AND HOW YOU CAN GET
ACCESS TO THIS INFORMATION. PLEASE
REVIEW IT CAREFULLY
Upper Chesapeake Health (UCH) and the physicians who
participate in your care here are committed to your
personal well being. Protecting the privacy and security
of the information you share with us is included in that
commitment. While we do not sell or trade any
information to third parties, we do share information with
entities such as your insurance company and quality
review organizations as part of our routine and necessary
business operations. We do this with the utmost care
and sensibility.
This Notice is being provided to explain how your personal
healthcare information is used, and your rights to review,
amend and/or request limitations on the disclosure of this
information.
158
The UCH Notice of Privacy
Practices Sample:
Your Rights to Privacy and Disclosure:
You have the Right to request restriction of uses and
disclosures of your Protected Health Information as
outlined below. However, there are some instances
where UCH is not required to agree to a requested
restriction.
A. At the time you initially receive service at UCH, you
may request that UCH restrict the use or disclosure
of your protected health information to carry out
treatment, payment, or healthcare operations. To
request a restriction of your information, contact our
Medical Records Department and say that you want
to restrict the release of all or part of your
information.
B. You can request to receive confidential
communications concerning your health information.
To receive your information confidentially, contact
our Medical Records Department and direct them to
how and where you wish to receive your information.
159
The UCH Notice of Privacy
Practices Sample:
C. You can inspect and obtain a copy of your protected
health information / Medical Record, unless
otherwise protected by Law. Contact our Medical
Records Department to make the request.
D. You can obtain a copy of this Notice at any time. You
will receive one at the time of service.
E. You can amend your protected health information by
contacting our Medical Records Department. We
cannot destroy or otherwise remove the original
information, but you may add/amend information in
your record pursuant to UCH’s policy.
160
The UCH Notice of Privacy
Practices Sample:
F. You can request an accounting of our disclosures of
your protected health information, unless protected by
Law, by contacting the UCH Medical Records
Department.
Definitions:
Disclosure means the release, transfer, provision of access to, or
divulging in any other manner of information outside the entity
holding the information.
Healthcare means care or service related to the health of an
individual. Healthcare includes, but is not limited to,
diagnostic, therapeutic, rehabilitative care and/or the sale or
dispensing of a drug, equipment, or other item in accordance
with a prescription.
Protected Health Information means any individually identifiable
health information, whether oral or recorded in any form, that
is created and relates to the past, present, or future physical
or mental health, condition or care of an individual.
161
The UCH Notice of Privacy
Practices Sample:
Permitted Disclosures:
UCH and/or your physician may not use or disclose
protected health information, except as
permitted or required by Law. The following
are permitted uses and disclosures under
current Laws. We can release information to
the following unless otherwise restricted by
law:
i. to the patient the information pertains to or
his/her representative;
ii. to UCH business associates or other
healthcare providers, to carry out treatment,
payment, or healthcare operations purposes;
162
The UCH Notice of Privacy
Practices Sample:
iii. to anyone in compliance with an authorization
completed by the patient or patient’s
representative, such as that from a healthcare
provider regarding psychotherapy notes
iv. to others as permitted by and in compliance
with some other law or regulation such as
those that require us to make certain reports to
health oversight agencies, like Maryland’s
Department of Health and Mental Hygiene.
163
The UCH Notice of Privacy
Practices Sample:
Permitted Disclosures:
Individually identifiable health information is
frequently shared with the following types of
entities for purposes related to the function and
operation of a healthcare facility or physician
practice:
Consulting physicians
Managed care organizations
Health insurance companies
Home Health Care
Health benefit managers
State/Federal agencies
Clinical laboratories
This information is released for the purposes of
ensuring continuity of care, billing, conducting
quality assessment and improvement
activities, and reviewing the competence or
qualifications of healthcare professionals.
164
Your
Responsibilities
Overview/review of your
responsibilities in your
role
165
Now, let’s talk about how
HIPAA will affect your
everyday work!
In this section we will
review and emphasize
some very important
information including the
following topics:
The Hospital Patient
Directory
Family Inquiries
Clergy and other
religious personnel
Special situations
through examples
166
The Hospital Directory
As discussed previously in this
program, patients have the right
to state if they want their name
included in the public directory.
If they are not in the directory,
information about their presence
in the facility will not be available
to the information desks and may
not be disclosed by other team
members.
It is imperative that we uphold
the patient’s request.
167
Confidential Patients
Confidential Patients will not be
listed in the Hospital Directory:
Here’s an example: A friend of
Adam Current calls asking for his
room number. His name is not
listed in the hospital directory.
Words to use:
“Thank you for calling/asking, but
we do not have any information on
that person at this time.”
If the person becomes adamant
that the individual is in the hospital
refer the caller to Guest Services
or the Privacy Officer.
168
Impact on Our
Community:
This is going to be a major change for
our community, patients and families.
Many of us are used to routinely
confirming the presence of non-
psychiatric patients in the hospitals.
Now we will have to check on the
patient’s directory status before we
answer.
Patients will also be unfamiliar with the
“public directory” concept.
Let’s discuss how we can help our
community with this new concept
169
Helpful phrases to use
Many of us will be required to
answer questions from patients,
families and visitors.
As some patients may elect to
not be identified as being in the
hospital, key words and/or
phrases should be used as
appropriate to the situation.
In order to help team members in
answering questions in a manner
that respects patient privacy and
confidentiality, several examples
are given on the next few pages.
170
Calls to nursing units
A patient is in “Confidential” status -
The sister of Sam Rale calls and asks
for a report on his condition. His
medical record indicates that he is a
confidential patient.
Words to use:
“Thank you for calling/asking, but we do
not have any information on that person
at this time. You may wish to contact a
family member to find out the
information you are trying to locate.”
“I understand your concern, however it
is important that UCH protect patient
privacy as requested by the patient.
Therefore, I’m not able to give you
information regarding this person as he
is not in our Hospital Directory. You
may wish to contact another family
member or friend to help in locating
your brother.”
As in the previous example, if the person
becomes adamant that the individual is in
the hospital they may be referred to Guest
Services or the Privacy Officer.
171
Examples of sharing
information
A Mother calls asking about the
condition of her daughter. The
daughter has indicated that
information can be provided to
family members only. But are
you sure this is the patient's
Mother?
Giving information over the
phone – in good faith - is OK. If
the individual states who they
are, we need to believe what
they say.
172
Examples of sharing
information
A patient calls your department
and requests that their test
results be faxed to a specialist.
They provide you with the
number. Should you fax this
information?
The only team members
authorized to respond to such a
request are those who have
completed “Authorized Discloser
Training”.
Therefore this request must be
referred to QHIM, the Lab,
Imaging or other department that
provides clinical reports.
173
One more example:
You are asked by a member of the
Clergy as to what room Bruce Mahi is
in. How do you respond?
FIRST - Check the patient’s confidential
status.
What are you looking for . . .
The following alerts are in place to
identify confidential patients:
A “c” attached to the patient’s
account number,
A message appears on the
Meditech screen when accessing
the patient’s record, and/or
There is a “Confidential” colored
sticker on the patient’s registration
sheet or ED record.
There is no such alert for Mr. Mahi,
therefore you may inform the Clergy of his
room number.
174
Preventing disclosures of patient
information
Increase your awareness of
your work environment
looking and listening from the
patient and visitor’s
perspective!
Walk through your work
area(s) paying close
attention to the environment.
Look and listen for possible
breaches of privacy or
situations that may allow
confidential information to be
seen or heard by others.
Let’s look at activities or
situations that put
information at risk.
175
Preventing disclosures of
patient information
Look and listen:
Are patient charts left unattended?
Are sign-in sheets with patient information
available to be read by other patients or
visitors?
Is patient information accessible/readable on
unattended computer screens?
Are patient location boards, assignment
sheets, report records left in accessible
areas?
Can telephone conversations regarding
patient information be overheard by
individuals that are not required to hear that
information?
Do you hear Team Members talking about a
patient in the elevator?
Are team members leaving messages on
answering machines or sending emails that
may be intercepted by others than those
intended to receive the
message/information?
If you answered yes to any of these
questions, actions must be taken to
prevent access to this information!
176
Let’s check how you are
doing with this
information . . .
Read each of the following statements.
Is it a HIPAA violation?
1. Patient-identifiable information is left
open, displayed or accessible to
unauthorized personnel.
2. Team member refuses to share his/her
computer password.
3. Team member views lab results of a
patient for which he/she has no direct
involvement in patient care.
4. Team member views another team
member’s medical file.
177
Check your answers . . .
How did you do with this quick quiz
...
1. Patient-identifiable information is
left open, displayed or accessible
to unauthorized personnel. Yes!
HIPAA Violation.
2. Team member refuses to share
his/her computer password. Not a
HIPAA violation! This is the right
action to take.
3. Team member views lab results of
a patient for which he/she has no
direct involvement in patient care.
Yes! HIPAA Violation.
4. Team member views another team
member’s medical file. Yes! HIPAA
Violation.
178
OK, let’s do four more . . .
Read each of the following
statements. Is it a HIPAA violation?
1. The computer monitor screen is
positioned to protect the privacy of
patient from unauthorized users.
2. Physician puts printed lab results that
he/she no longer needs into the
shredder/paper destruction
receptacle.
3. White board is used to display patient
names, diagnosis, physician and/or
room numbers in the hallway.
4. A nurse and a physician discuss a
patient’s treatment in the hospital
elevator.
179
Now, check your answers on
the last four statements . . .
How did you do on part two of the quick
quiz . . .
1. The computer monitor screen is
positioned to protect the privacy of
patient from unauthorized users. Not a
HIPAA violation! This is the correct
placement of the screen.
2. Physician puts printed lab results that
he/she no longer needs into the
shredder/paper destruction receptacle.
Not a HIPAA violation! This is the
correct action to take.
3. White board is used to display patient
names, diagnosis, physician and/or
room numbers in the hallway. Yes!
HIPAA Violation.
4. A nurse and a physician discuss a
patient’s treatment in the hospital
elevator. Yes! HIPAA Violation.
180
What would you do?
A nurse calls a restaurant
where a physician is having
dinner and asks the hostess
to have the doctor call the
hospital regarding Mrs.
Green, who needs a change
in pain medication since her
fall last evening.
Is this an appropriate
message to leave?
181
Here’s the answer . . .
The answer is NO.
The message contains
identifying information and is
therefore a breach of
confidentiality.
Lesson: Never leave a message
with a third party that contains
specific information about a
patient that can identify him or her.
Correct action: Call and simply
leave a message for the doctor to
call the unit as soon as possible
and ask for Ellie Sue.
182
Congratulations
Great job – You have
completed this program
In order to assess your
knowledge of the material,
you must complete the
post-test and sign the
confidentiality agreement.
These items are available
with this packet or from
your manager or on-line:
U:HIPAA/Education/Post-
test. confidentiality
statement
183
Summation
Final review and
requirements for
completion of this
program – Post-Test
184
You’ve learned A
LOT!
HIPAA education and implementation
of our policies and procedures ensure
that we maintain the privacy and
confidentiality of our patients.
The UCH Policies are on-line in the
Meditech Library for your review at
any time. They will be effective as of
March 1, 2003.
Compliance with the Law is everyone’s
responsibility!
185
Final Steps
In order to receive credit for this
program, please remember to
complete the post-test and sign
the confidentiality agreement
Forward these items to the
Education and Resource
Development Department at
HMH or UCMC.
Thank you!
186