
HIPAA Education

									 HIPAA Compliance:
 Self-Learning Program
 for Clinical Team Members




   Upper Chesapeake Health
        HIPAA Education
   Policies and Procedures to
    assure compliance with
HIPAA Confidentiality and Privacy
              2003
HIPAA EDUCATION
   UCH HIPAA Education consists of 3
    components:
    1.   Watch the video “Privacy and
         Confidentiality: HIPAA Regulations.”
         1. The video is available during the
            first ½ hour of each lecture
            session (see below), on Video On
            Demand at UCMC or as scheduled
            by your Manager.
    2.   Complete the UCH Education
         Program:
         1. This is the Self-Learning Program
            (available in paper copy or on CD
            ROM). However, there is another
            option for Team Members. Team
            Members may attend one of the
            many scheduled lectures – attend
            either the clinical or non-clinical
            session.
    3.   Complete the POST-TEST and SIGN
         the UCH Confidentiality Statement.

How to use this Self-
Learning Program
 This Self-Learning Program, also known
  as an SLP, is provided to you as one
  way to learn about HIPAA.
 An SLP is self-paced so you can move
  through the information at a speed
  comfortable for your style of learning.
 It also provides you with the chance to
  go back and review information as
  needed.
 If you need any help with this SLP,
  please contact Marty Knutson
  (443.643.3374 or 443.843.6570) or Barb
  Finch (443.643.2905 or 443.843.5345).




Program Objectives

 Upon completion of this program,
  the participant will be able to:
     Explain what HIPAA is and how it
      affects interactions with patients,
      visitors, team members,
      insurance companies, etc.
     Implement UCH forms and
      policies.
     Demonstrate compliance with
      HIPAA regulations specific to
      role.
     Integrate UCH policies regarding
      privacy and confidentiality into
      communications.

Program Content:
Clinical SLP
 I.   Overview of HIPAA
 II. Key concepts of HIPAA
      regulations
 III. Patient Rights: Consent
      and Authorization
 IV. UCH Policies: Content
      and application of policies
 V. Team Member
      Responsibilities
 VI. Summation




 Is there more?
 For some of you, the answer is
  YES . . .
    There are regulations within
     the law that pertain to specific
     groups, departments or team
     members.
    An addendum may be
     included as part of your
     SLP that focuses on this
     information.
    QHIM, Lab and Imaging have
     designated Team Members
     that will be required to
     complete “Authorized
     Discloser Training” and
     specific policy/procedure
     education. Directors of these
     Departments will designate
     Team Members required to
     complete this education.
OVERVIEW OF
HIPAA



 HIPAA: The Health
 Insurance Portability and
 Accountability Act
     Public Law 104-191
What is HIPAA?

 HIPAA stands for the Health
  Insurance Portability and
  Accountability Act of 1996.
     Congress enacted the
      legislation to ensure that
      hospitals and health care
      providers protect health
      information privacy and
      confidentiality.
 DEADLINE: By April 14, 2003
     All covered entities MUST be in
      compliance with the privacy
      mandates of HIPAA.

HIPAA - It’s the LAW

 The law ensures that a patient
  has the right to have his/her
  health information kept private
  and secure/confidential.
 Privacy and Confidentiality
  mean:
     Patients have the right to
      control who sees their
      protected, identifiable health
      information.
     Only those requiring information
      in order to provide treatment,
      payment and health care
      operations will have access to
      such information.

Purposes of HIPAA
Legislation
 Protect the privacy of health information.
 Provide standards to facilitate the electronic exchange of health information.
 Provide individuals with better access to their health information.
 Standardize access to health information among states.
 Decrease healthcare fraud and abuse.


Defining the terms:

 What is PORTABILITY?
     Portability ensures that as
      people move from one health
      plan to another they will have
      continuity of coverage and will
      not be denied coverage under
      pre-existing clauses.
 What is ACCOUNTABILITY?
     In HIPAA, accountability means
      an increase in the government’s
      fraud enforcement authority.




What are covered
entities?
 Covered entities include
  hospitals, care providers, third
  party payers, such as insurance
  companies, and anyone who
  processes health information.
 Therefore, it covers everyone at
  UCH that uses, accesses or
  interacts with patients in any
  way. These interactions may be
  formal or informal, from those of
  direct care givers to those that
  enter a patient room simply to
  clean or deliver items.

What information is
protected?


  HIPAA protects the security
   and privacy of all medical
   records and other health
   information that is used or
   shared in any form:
        Paper,

        Electronic, or

        Verbal.




Quick Review
Questions
        We know that
         medical records,
         whether paper or
         electronic, are
         confidential.

         What about
         handwritten notes,
         notes on report
         sheets, patient
         schedule forms
         and phone calls?


Answer . . .


 ALL FORMS of
 information,
 written, spoken
 or electronic,
 are confidential
 and MUST be
 protected!




Patient Rights

 Patient rights are protected by current
  regulations, such as Maryland State
  Law.
 UCH has a policy describing “Patient
  Rights and Responsibilities” – it
  protects patients’ confidentiality and
  privacy.
 HIPAA enhances those rights to
  ensure compliance with law.
 HIPAA is going to increase our
  patients’ awareness of their privacy
  and confidentiality rights – we must be
  ready to meet their expectations!




 Patient’s Rights under
 HIPAA
 Current Patient Rights
      Right of access to copies of medical record
      Right to request “Amendment of the Medical Record”
      Right to request restriction of uses and disclosures
      Right to request confidential communication
 New Patient Rights
      Right to receive a Notice of Privacy Practices
      Right to request exclusion from the Hospital’s Public Directory
      Right to limit who the entity communicates with
      Right to receive an Accounting of certain disclosures


Why is HIPAA
needed?
 Health care has always tried to
  maintain confidentiality, but
  efforts have not always been
  successful.
 Although providers and team
  members are accustomed to
  protecting the privacy and
  confidentiality of our patients:
      Did you know that public trust in
       health care has eroded and we
       need to work hard to regain that
       trust?


 More of why is HIPAA
 needed?
 Health care institutions and
  providers have worked to make
  sharing of medical information
  easier to help facilitate care and
  payment.
 The increase in the number of
  providers, insurance companies,
  marketing initiatives and
  technological advances means that
  we must heighten our awareness of
  where and how protected health
  information might be accessed or
  breached and how to protect it.


 8 Major Actions required to
 assure compliance with the
 regulations (1-3)
 Here is an overview of those
   actions:
  1. Assign responsibility for a
     Privacy Officer to receive
     complaints and concerns.
  2. Develop a Notice of Privacy
     Practices and publicize it
     prominently.
  3. Develop an authorization form
     for the use and disclosure of
     protected health information
     outside of treatment, payment
     and healthcare operations.


8 Major Actions required to
assure compliance with the
regulations (4-8)
   Here is an overview of those actions
    (continued):

    4.   Know and adhere to the Patients’
         Rights that are afforded by HIPAA.
    5.   Only release or request the
         Minimum Necessary information to
         do your job.
    6.   Develop and implement business
         associate agreements with vendors
         in order to ensure that the business
         associate handles your patients’
         protected health information
         properly.
    7.   Provide education and training to all
         personnel of a covered entity.
    8.   Document policies and procedures,
         as well as actions taken to ensure
         that policies and procedures are
         enforced.

The Privacy Officer

  HIPAA requires that each
   covered entity have a Privacy
   Officer.
  The role of the Privacy Officer is
   to be accountable for Privacy
   compliance efforts and provide a
   formal reporting structure for
   team members/employees,
   patients and visitors to express
   concerns or complaints.
  This position is established by
   the entity and may be a distinct
   role or part of an established
   person’s job.




The Privacy Officer

 The Privacy Officers at UCH are:


      UCMC, ACC and HSP: Lynne
       Adams, Director of QHIM at
       UCMC

      HMH: Jane Gordon, Director of
       QHIM at HMH

      Home Care: Jonathan Binder,
       Controller at UC/SJ HC




Contacting the Privacy
Officer
 The Privacy Officers are available for
  assistance, questions and to
  investigate concerns of Team
  Members, physicians, patients, etc.
 To contact the Privacy Officer, send an
  email addressed to “Privacy Officer”:
    The message will go to the UCH
     Privacy Officers.
    You will receive a reply to your
     question or acknowledgement that
     your concern is being investigated.
    This is not anonymous.
    You may also continue to use the
     “Comply” function in Meditech for
     compliance issues/concerns.


HIPAA is Federal Law

 As a law, HIPAA compliance is
    mandatory.
   The objective of this education
    program is to make you aware of
    your role in protecting the privacy of
    your patients.
   You should already have viewed the
    video “Privacy and Confidentiality:
    HIPAA Regulations” and witnessed
    how information may be shared.
   Remember - patient information
    must be protected through
    conscious effort at all times no
    matter where you are!
   The only exception is when
    information is shared in order to
    provide care, treatment and
    payment for services.

UCH GOAL:
A culture of confidentiality
  Compliance and strong ethics will
   ensure that UCH makes every
   effort to prevent private health
   information from getting into the
   wrong hands.
  Privacy is the responsibility of
   everyone who works at Upper
   Chesapeake Health as we all
   potentially have access to private
   patient information!
  All of us must work together to
   address and maintain the privacy
   of patient information.



 HIPAA Privacy
 Standards
 UCH training focuses on
  privacy and confidentiality.
 Privacy standards deal with
  how health information is
  used.
 HIPAA puts into place
  safeguards to guarantee that
  only those people or entities
  that have a real need for
  protected medical information
  have access to it.
 Security standards will be put
  into place in the near future.


What has UCH done to
prepare for HIPAA?
  Developed or revised policies
   and procedures.
  Developed tools and
   resources to ensure
   compliance.
  Defined consequences and
   enforcement mechanisms to
   ensure that we are in
   compliance with the law and
   protect the health information
   of our patients.
  Planned and implemented
   education for you so
   everyone is aware of his or
   her responsibilities.
Key Concepts of
the HIPAA
Regulations



Understanding HIPAA

Let’s review the BASICS of
HIPAA!
 In the following pages we will
  overview the following:
     Who is included in the HIPAA
      regulations?
     What health information is
      covered by the regulations?
     Disclosure: How and when can
      information be shared?
     What are the penalties if the law
      is not followed?




Who is included?

 Four entities are covered by HIPAA:
    Health care providers,
    Health plans,
    Health care clearinghouses, and
    The business associates of any of the
     three entities above.
 Simply put . . . HIPAA includes those
  that provide, bill or pay for medical care
  or process health information, and that
  may request access in order to conduct
  their business.
 Let’s review who may be included in
  these entities . . .




 1. Health Care Providers

 The first of the 4 entities is health care
  providers.
 “Health care providers” are defined as
  any person or business that furnishes,
  bills or is paid for health care services in
  the normal course of business. Included
  are:
    Hospitals
    Home Health Agencies
    Physicians and Allied Health Staff
    All Team Members at UCH
    Pharmacies
    Nursing Homes
    Outpatient Services
    Home dialysis supplies and equipment
    Contracted services with access to medical information
 In summary, in our Hospitals and Home
  Health Agency, anyone who uses or may
  see or hear confidential patient
  information is included.
The other three entities . . .
(2 & 3)
2. A “Health plan” provides for or
   pays the cost of medical care,
   such as insurance companies,
   Medicare, employee benefit
   plans, etc.

3. “Health care clearinghouses”
   receive health information from
   providers and plans and help to
   standardize that information into
   the required format for claims
   processing. An example is a
   billing service.

The other three entities . . .
(4)

4. “Business associates” are
   persons or entities that provide
   certain services for or to a
   HIPAA covered entity, but who
   are not part of that entity’s
   workforce. Examples are
   accountants, data processing
   firms, consultants, etc. Specific
   contracts have been developed
   with UCH business associates
   to protect the privacy of
   protected health information.



 What health information
 is covered by HIPAA?
 The health information that is
  covered is called PROTECTED
  HEALTH INFORMATION or PHI.
     PHI is any information, whether
      spoken, electronic or written, that
      relates to the past, present, or
      future physical or mental health or
      condition of an individual, as well
      as the provision or payment related
      to that health care.
     PHI is vital in providing health care
      services.
     PHI may be used by professionals
      to provide medical care/treatment.
What is the definition
of PHI?
 Protected Health Information
  (PHI) is health information
  created or received by a
  covered entity, regardless of
  form, that could be used directly
  or indirectly to identify the
  individual.

 Think about all the places that such
  information is available . . .




 Where is PHI found?

 Here are examples of where PHI may
  be found . . .

 • Paper Records of health information:
      • Medical Records / Patient’s charts
      • Faxed copies of medical information
 • Computer (electronic) information or
   files
      • Information read off of a computer
        screen
      • Information transmitted over the
        internet
      • Laptops and PDAs (hand held
        devices)
 • Video or audio tape
 • Photographs
 PHI includes:
 Information that identifies the
  individual, or can be reasonably
  believed to provide information that
  can be used to identify the
  individual.
 Information is considered
  de-identified if it cannot be used to
  identify the individual. De-identified
  information is not subject to HIPAA
  requirements.
 Everyone must become aware of
  all the ways people are identifiable
  and take care not to share this
  information inappropriately.




Examples of PHI:

 Examples include:
   Name
   Address
   Birth date
   Identifying numbers such
    as telephone number,
    social security number,
    medical record number,
    account number, etc.



Disclosure

   Who has access to
    information?
   How and when can
    information be
    shared?
   What are the policies
    that UCH has in
    place to ensure
    compliance?

Protecting PHI

 UCH policies protect PHI.
 Information that relates to a
  patient’s health cannot be used
  unless authorized by either the
  patient or someone acting on the
  patient’s behalf, or unless
  permitted by regulation.
 Access to information is limited to
  only those individuals who need
  the information for a legitimate
  purpose.
 HIPAA ensures that an
  individual's health information
  may only be used for health
  purposes.

UCH Policy
 Disclosure Policy
    Defines who has access to private
     information.
    Lists the types of disclosures and
     the procedure for releasing the
     information.
    States when information may be released
     and how that release is
     documented.

 Take extra care . . .
    Maintain the confidentiality of your
     computer access codes
    Position computer screens away
     from public access or view
    LOG OFF computers when you are
     no longer able to secure the
     computer information



Incidental Exposures
     Many worry about disclosing
      information even when they have
      done everything possible to avoid a
      disclosure – this is called an incidental exposure.
     It is a disclosure that cannot be
      reasonably prevented, is limited in
      nature, and occurs as a by-product of
      otherwise permitted use or disclosure.
     Example: A patient walking down the
      hall accidentally hears part of a
      telephone conversation that takes
      place while the therapist is talking to a
      physician on the phone.
     Remember: It is important that we are
      aware that our conversation may be
      overheard and take reasonable steps
      to safeguard information!




When does incidental disclosure
not apply?

 Here are 2 examples of when the
  incidental disclosure exception
  would not protect the health care
  worker:
     A technician finishes documenting
      vital signs on a patient’s chart,
      leaves the chart on the nursing
      station desk and walks away.
     A receptionist always leaves the
      window open to the waiting room
      while he converses with patients
      on the phone. Patients and
      visitors in the waiting room
      routinely overhear the
      conversations.
Another safeguard to
prevent disclosure . . .
 The law states that any
  information that is shared
  should be limited to the
  “minimum necessary”.
 Minimum necessary information
  (MNI) is defined as the least
  amount of information
  necessary to accomplish the
  purpose of the request.
     The UCH policy on minimum
      necessary information will be
      reviewed later in this program.



When Minimum
Necessary Does NOT
Apply . . .
 MNI does not apply to sharing
  medical records for treatment
  purposes as providers need full
  access to medical records in
  order to provide the best possible
  care.
 It also does not apply when a
  patient authorizes disclosure to
  federal or state agencies or third
  parties.
 MNI also does not apply if the
  patient signs an authorization
  form to release the medical
  information and the release is
  done pursuant to the terms of the
  authorization.
Setting Up “Reasonable
Safeguards”

 Even when policies regarding
  minimum necessary
  disclosures are in place,
  accidental or incidental
  disclosures may occur.
     These are common sense
      safeguards:
         Ensure that information is kept
          out of public view/access.
         Remain aware of where
          information is shared and
          cognizant of one’s
          surroundings. This will help to
          ensure that others cannot
          overhear PHI under normal
          circumstances.
Quick Review
Questions


         Who is
          responsible for
          maintaining
          confidentiality
          and patient
          privacy?




Answer . . .


 EACH ONE OF US!




Accounting for
Disclosures
 The law requires entities to keep
  track of disclosures that are
  required by law or public health
  officials.
 Each entity must establish a
  tracking mechanism for such
  releases of information and
  provide that information to
  patients if requested.
 More information is included in a
  later section of this program for
  those of you that have
  responsibilities for disclosure
  and/or documentation of
  disclosure, so stay tuned!
 Penalties

 HIPAA has specific penalties if
  anyone obtains or discloses
  protected health information for
  personal or commercial gain or for
  malicious purposes.
 Failure to comply may result in
  penalties ranging from $100 to
  $250,000 per violation.
 Prison time may also be part of
  the penalty.
 Violations of HIPAA may also
  cause a Type I recommendation
  from JCAHO or a citation from
  another regulatory agency such as
  CMS.
   Severe civil and
   criminal penalties for
   noncompliance!
 General penalty for failure to comply:
      Each violation: $100.
      Maximum penalty for all violations of an
       identical requirement: May not exceed
       $25,000.
 Wrongful Disclosure of Individually
  Identifiable Health Information:
      Wrongful disclosure offense: $50,000,
       imprisonment of not more than one year,
       or both.
      Offense under false pretenses: $100,000,
       imprisonment of not more than 5 years, or
       both.
      Offense with intent to sell information:
       $250,000, imprisonment of not more than
       10 years, or both.



Breaches of privacy are
potentially damaging to the
patient and UCH!

   If you suspect there has
    been an actual or
    attempted privacy breach
    to any form of protected
    information, whether
    electronic, paper or
    recorded, report it to the
    Privacy Officer using the
    MediTech address
    “Privacy Officer”.




Quick Review
Questions


         What are some
         examples of
         occurrences that
         you should report
         to protect our
         patients and the
         organization?




Answers . . . Some
examples of serious
breaches of privacy

 Sharing passwords.
 Passwords out in the
  open/in plain sight.
 Seeing someone
  look up patient
  information, whether
  paper or
  computerized, that is
  not for work
  purposes.
 Reports of patient
  information left lying
  out exposed.




What does all this mean
to healthcare providers?
 HIPAA’s requirements for privacy
  can be summarized as follows:
     Patients must be provided with a
      Notice of Privacy Practices that
      outlines what UCH/providers will do
      with their protected health information
      – and attempt to get their written
      acknowledgement that they’ve
      received the notice.
     Team members/employees can
      ONLY have access to the minimum
      necessary amount of protected
      health information about patients that
      they need to do their jobs.
         Policies must be in writing and
          training documented.




What does all this mean to
healthcare providers? (2)
    Reasonable safeguards must be set
     up to prevent incidental exposures,
     such as a patient overhearing
     information about another patient,
     visitors being able to read health
     information about those in the
     hospital, patients overhearing team
     members talking about another
     patient, etc.
    Each entity, such as a hospital,
     physician’s office, insurance
     company, etc., must name a privacy
     officer who is in charge of making
     sure all in the entity are in
     compliance with HIPAA and who
     can handle any HIPAA related
     requests or complaints.
What does all this mean to
healthcare providers? (3)
     Entity must get authorization from
      patients to release protected health
      information for purposes other than
      treatment, payment, or operations.
          Examples include release for
           marketing or research activities.
     Business associate agreements must
      be set up with vendors who work on
      the entity’s behalf, who are not
      employees, but who have access to
      medical or payment information about
      our patients.
          The agreements force these
           vendors to protect patients’
           privacy.
     Patients must be provided with
      access to their medical records if they
      request to do so.

Patient Rights


  Consent and
  Authorization


Protecting Privacy

 Patients expect their health
  information to be kept private and
  confidential.
 Patients have the right to control
  who sees their information.
 UCH and other health care
  organizations, as well as other
  covered entities, must live by the
  rules of HIPAA and protect PHI.
     Reminder:
          PHI is Protected Health Information




The “Need to Know” Rule

 Communications, either with or
  about patients, that involve
  protected health information
  (PHI), must be private and limited
  to those that need to have the
  information in order to provide
  treatment, payment and other
  healthcare operations.
 Only those people or “computers”
  with authorization will have
  access to PHI.
 HIPAA takes maintaining privacy
  and confidentiality from ethically
  correct to required by law.

Patient Consent for
release of PHI
 The Privacy Rule does not require
  providers to get patients to sign a
  consent form before PHI can be used or
  disclosed for treatment, payment or
  healthcare operations.

 Obtaining consent is optional –
  thankfully!
      Imagine if a signed consent had been
       required for release of information
       regarding treatment, payment, etc., it
       would have been a burden and may
       have affected treatment and care.
      There should still be a “good faith” effort
       made to get patients’ “written
       acknowledgement” of the Notice of
       Privacy Practices.
          Example: A form may be provided
           for signature to patients when they
           come to a physician’s office for
           inclusion in their file.
However, patients need
assurance of how
information will be shared . . .
 Therefore, in place of a
  signed consent form, all
  entities must post a Notice
  of Privacy Practices that is
  visible in the hospital, office
  or business.
    Copies must also be
     available to hand out to
     patients.
 Additional information
  regarding the Notice of
  Privacy Practices is
  presented a bit later in this
  program.

Quick Review
Questions

       Under what
        circumstances are you
        free to repeat protected
        health information that
        you hear on the job?
        a. After you no longer
            work at the
            organization/office.
        b. After a patient is
            discharged.
        c. Only if you believe the
            patient won’t mind.
        d. When authorized for
            business purposes.

 Answer . . .


 The only correct
 answer is the last
 one. Protected
 health information
 may be shared
 only when
 authorized for
 business
 purposes.



  UCH Policies



Content and Application



What education do you
need on the UCH
Policies?
 Education is based on your role and
  what you need to understand in order
  to be in compliance with HIPAA
  regulations.
 Therefore . . .
      If you are a manager, your program
       will contain all of the policies.
      If you work with patients, your
       education relates to those interactions.
      For those Team Members that have
       limited contact with patients, your
       program will summarize many of the
       policies.
      Watch for pages with your department
       or role highlighted and pay special
       attention to that information!



 What’s new and what’s
 revised?
 UCH has revised the following
  Administrative Policies:
      Audit of Computer Access
      Amending the Medical Record
      Patient Access to Protected Health
       Information (PHI) in the Medical Record
 UCH has developed the following
  Administrative Policies:
      Confidential Patients
      Minimum Necessary Use or Disclosure of
       Protected Health Information
      Disclosure of Protected Health Information
         Accounting for Disclosures Policy –
          QHIM/Medical Records Policy
      Notice of Privacy Practices
 Let’s review each of these as it relates to
  your role/job.



                                                    68
Audit of Computer
Access
 This policy outlines the UCH
  process for monitoring who is
  accessing electronic medical
  records.
 The purpose is to protect
  the patient’s right to
  confidentiality.
      This is not a new policy;
       however, it has been revised
       to assure compliance with
       HIPAA.




                                    69
Audit of Computer
Access
 For those of you that have
  access to computerized
  medical records, review this
  information:
 Audits will be conducted on a regular
  basis to identify inappropriate access to
  medical record information.
      Audits will be conducted on all records
       for patients who are UCH team
       members, medical staff, admitted under
       an alias or recognized as high profile
       patients.
      Each month random samples of
       records will also be audited.
      The procedure is outlined in the policy
       and is overseen by the Privacy Officers.
                                                  70
Audit of Computer Access
POLICY
 Here are the purpose and policy statements for your
  review as appropriate to your role. The full policy
  is available on-line in Meditech – UCH
  Administrative Policy Manual.
 Purpose: To provide a method of monitoring
  access to the electronic medical record and
  protect the patient’s right to confidentiality.
 Policy: Audits will be conducted on a regular
  basis to identify inappropriate access to medical
  record information.
    Audits will be conducted on all records for
      patients who are UCH team members,
      medical staff, admitted under an alias or
      recognized as high profile patients.
    Each month random samples of records will
      also be audited.
    The procedure is outlined in the policy and is
      overseen by the Privacy Officers.




                                                        71
Next . . .
Amending Medical Records

 The next part of the program deals
  with policies and procedures related
  to amending a patient’s medical
  record.
 This section is primarily for clinical
  team members and those that work
  closely with medical records.




                                           72
Amending the Medical
Record
 This UCH policy provides
  guidelines for amending
  protected health information
  (PHI) maintained in the medical
  record.
 A patient or a person of interest
  has the right to request an
  amendment to protected health
  information maintained in the
  medical record that they believe
  is incorrect or incomplete.
     The policy defines how the
      correction or amendment is
      done.
                                     73
Amending the Medical
Record Policy
 For those of you who have
  responsibility for administering
  this policy, please review the
  next several pages:
 Purpose: To establish guidelines
  for amending protected health
  information (PHI) maintained in
  the medical record.
 A patient or a person of interest
  has the right to request an
  amendment to protected health
  information maintained in the
  medical record that they believe
  is incorrect or incomplete.

                                     74
Amending the Medical
Record (2)
 The policy defines “patient” and
  “person of interest”.
     An example of a person of
      interest is a parent, guardian or
      custodian.
 The Department of Quality and
  Health Information Management
  (QHIM) is responsible for
  handling all requests for
  amendments to the protected
  health information.
     Anyone who receives this type of
      request is to refer the individual
      to QHIM.


                                           75
 Amending the Medical
 Record (3)
 The policy defines how
  amendments may be made in the
  Medical Record by the Health
  Care Provider:
 Here are the steps in that
  procedure as written in Section IV
  of the policy:
     1. Any person authorized by hospital
        policy to make record entries may
        correct minor errors.
     2. Only the author of the entry may
        correct the error.
     3. An entry in the Event Tracking
        system must be completed when
        the error is corrected.
                                            76
Amending the Medical
Record (4)
   The remaining steps (4-6 of 8):

    4.   Late entries shall NOT be made
         more than 24 hours after the
         occurrence.
    5.   Contact Risk Management for
         assistance in recording information
         for omissions or errors discovered
         greater than 24 hours or if there is
         any question about correcting any
         entry.
    6.   Correct a paper medical record
         entry by:
            a.   Putting one line through the incorrect
                 information, ensuring that it is still legible;
            b.   Dating and initialing the record at the
                 correction site;
            c.   Recording the corrected entry on the
                 next chronological line on the chart;
            d.   Entering the correction clearly, and
                 clearly indicating which entry the
                 correction is replacing.
            e.   Signing the late entry with name and title.


                                                                   77
Amending the Medical
Record (5)
   The remaining steps (7 of 8):

    7.   Correct an electronic medical entry by:
         a.   Accessing the NUR Main Menu for the
              Hospital;
         b.   Entering #5 Patient Notes;
         c.   Entering the Patient’s name or account
              number;
         d.   Moving the highlighted bar down by using
              the down arrow key to AMEND EXISTING
              NOTES and right arrow into TYPE OF
              NOTE BOX;
         e.   Using the arrow key, pick the NOTE TYPE
              and right arrow into the notes;
         f.   Using the arrow key, highlight the note
              you wish to amend;
         g.   Depress the except key to get into the
              AMEND BOX which is the box to type in
              the corrected note;
         h.   Typing the corrected note and hitting the
              F12 to file;
         i.   Selecting the left arrow key to exit the
              notes and the patient note screen.


                                                          78
Amending the Medical
Record (6)
   The remaining steps (8 of 8):

    8. If an entire report is misfiled in an
       incorrect medical record, the
       entire report will be removed from
       the paper medical record and an
       Event Tracking entry shall be
       completed. If an entire report is
       misfiled in the electronic medical
       record, it must be amended to
       designate the incorrect identity on
       the record. The record cannot be
       physically removed from the
       electronic medical record.




                                               79
Next: Patient Access to their
information

             The next section
              discusses policies and
              procedures related to
              patients accessing
              their information in the
              medical record.
             This section is
              important to those
              Team Members that
              work with patients who
              may request this
              access.




                                         80
Patient Access to Personal
Health Information in
Medical Record
  This policy defines guidelines for
   patients to access their medical
   record.
  The patient or person of interest
   (this term is explained later) has the
   right to access their medical record.
       Contact QHIM/Medical Records for
        assistance in following this policy
        and the procedures contained
        within it.
       For Team Members that provide this
        service, please review the next
        several pages for the procedures
        that apply to your role.




                                              81
Patient Access to Personal
Health Information in
Medical Record Policy

  Purpose: To establish
   guidelines for patients
   accessing the medical record.
  Policy: Patients or person(s)
   in interest have the right of
   access to protected health
   information (PHI) maintained
   in the medical record except
   as defined in this policy.




                                   82
Patient Access to Personal
Health Information in Medical
Record (2)
   Who are “Person(s) in interest”?

       An adult on whom a health care provider
        maintains a medical record;
       A person authorized to consent to health care
        for an adult;
       A duly appointed personal representative of a
        deceased person;
       A minor, if the medical record concerns
        treatment to which the minor has the right to
        consent;
       A parent, guardian, custodian, or a
        representative of the minor designated by a
        court, at the discretion of the attending
        physician who provided the treatment to the
        minor for the medical condition for which the
        minor had the authority to consent;
       A parent of the minor, except if the parent’s
        authority to consent to health care for the minor
        has been specifically limited by a
        court order or a valid separation agreement
        entered into by the parents of a minor;
       An attorney appointed in writing.


                                                            83
Patient Access to Personal
Health Information in Medical
Record (3)
 PROCEDURE: Request for
  Access
     A patient or person in
      interest must request access
      through the completion of the
      “Authorization for Release of
      Health Information” form or a
      letter containing all the
      elements of the form.
     This form will be available in
      the “Forms On Line” section
      of Meditech.



                                       84
Sample of Form: Authorization
for the Release of Health
Information - Side one

           AUTHORIZATION FOR THE RELEASE OF HEALTH
                         INFORMATION

                                                             Medical Record Number

  This Authorization form is designed to meet the requirements of privacy
  regulations issued by the federal Department of Health and Human Services at
  42 CFR § 164.508 and the Annotated Code of Maryland, Title 10 Health General
  Article § 4-301 – 4-307.

  All items on this authorization must be completed in full, or the request will
  not be honored.

  I hereby authorize Upper Chesapeake Health to release the protected health
  information of:

  PATIENT:
  DATE OF BIRTH:                                         PHONE #:
  ADDRESS:



  The information is to be released to:

  NAME:
  ADDRESS:
  PHONE #:

  The information I wish to have released is (include dates of service):


  Discharge summary                        Imaging reports
  History and physical exam                Diagnostic cardiology reports
  Consultation reports                     Laboratory reports
  Reports of operations                    Other

  I       do       do not wish to have information about HIV/AIDS released under
  this authorization.

                                                                                   85
Sample of Form: Authorization
for the Release of Health
Information - Side two

  This authorization will expire within one year of the date it is signed unless
  otherwise indicated here:




  This authorization to disclose information may be revoked by me at any time,
  except to the extent that action has been taken prior to receipt of revocation. To
  revoke the authorization, I understand that I must notify the Quality and Health
  Information Management Department in writing. I understand that treatment,
  payment, enrollment, or eligibility for benefits may not be conditioned on
  obtaining this authorization. I further understand that once information covered
  by this authorization has been delivered to the recipient, redisclosure of the
  information by that recipient is possible, cannot be predicted by this authorization
  and may no longer be protected by the Privacy Regulations referenced above.



  Patient or Personal Representative’s Signature                    Date

  If signature is other than patient, explain your authority to act for the patient:




                                              ________
  Witness                                                           Date

  If there is a question or concern with responding to this authorization, you will be
  contacted by a member of the UCH Quality and Health Information Management
  department to discuss it. Questions or complaints about the privacy regulations
  or UCH’s policies and procedures relating to these regulations should be directed
  to the UCH Privacy Officer.




                                                                                         86
Patient Access to Personal
Health Information in Medical
Record (4)
B.   The request is reviewed for the
     appropriateness of the request.
C.   If the request is granted, in whole or in part,
     the patient or person(s) in interest is informed
     of the acceptance and provided the access
     requested.
D.   The patient or person in interest must be
     provided access within twenty-one (21) days
     of receipt of the request, either by providing a
     convenient place and time for inspection, a
     copy of the protected health information or by
     mailing the copy of the health information,
     whichever is requested.
E.   If the protected health information is not
     available at the time of the request, the
     patient or person in interest is notified in
     writing of the reasons for delay and the date
     by which the request will be honored.




                                                        87
Patient Access to Personal
Health Information in Medical
Record (5)
F.   The patient or person in interest must be
     provided access to the protected health
     information in the form or format requested
     by the individual.
G.   A summary of the protected health
     information requested may be provided to the
     individual in lieu of providing access to the
     protected health information, if the patient or
     person in interest agrees in advance to such
     a summary or explanation and fees if
     applicable. (See policy on Fees for Obtaining
     Copies of Medical Records)

The policy includes sections on “Denial of
    Access” and “Reviewable Grounds for
    Denial of Access”
        These sections are the responsibility of the
         Directors of QHIM. See the complete policy
         in the Meditech Library for additional
         information.

                                                        88
Quick Review
Questions


         If a patient asks
          for a copy of his
          or her medical
          record, what
          should you do?




                              89
Answer . . .

 Contact QHIM / Medical
  Records.
      Designated Team
       Members in these
       departments will assure
       that
          Our policy is followed,
           and
          The “Authorization for
           the Release of Health
           Information” is
           completed.
 There are also
  designated Team
  Members in the Lab,
  Imaging and some other
  clinical departments that
  provide this service to
  our patients and follow
  the same processes as
  outlined in the policy.
                                     90
Confidential Patients
Policy
 This policy is extremely
  important to our patients
  and our compliance with
  HIPAA.
 Every Team Member at UCH
  that has patient contact or
  receives inquiries related to
  patients MUST review this
  information!
 The purpose of the policy,
  as defined on the next few
  pages, reinforces our current
  confidentiality practices.



                                  91
 What’s NEW ? ? ?

 Patients will now indicate
  upon admission their wishes
  for being included in our public
  hospital directory.
     In the event that a patient
      states they DO NOT want to
      be included in the directory of
      information, we MUST keep
      their presence in the hospital
      CONFIDENTIAL!




                                        92
What’s NEW ? ? ?

 This means when someone
  calls requesting patient
  information, requests to see a
  patient, or comes to deliver
  flowers to a patient listed as
  confidential, they will need to
  be told that “the person is not
  listed in our Hospital Directory”.

 Let’s review the policy then
  review how confidential
  patients will be protected at
  UCH . . .

                                       93
Confidential Patients
Policy
 Review this policy if you
  provide access to patients in
  any manner

 PURPOSE:
     To provide a method for
      ensuring patients’ rights to (1)
      be excluded from the public
      patient directory and / or (2) to
      limit disclosures of information
      to particular family or friends
      involved in their care.



                                          94
Confidential Patients
Policy (2)
 POLICY:
    It is the policy of Upper Chesapeake
     Health to ask each patient upon
     registration to indicate their wishes
     regarding (1) inclusion in the
     directory of information available to
     the public and (2) whether there are
     any friends or family members they
     do not want their protected health
     information (PHI) shared with and to
     ensure that those wishes are
     followed throughout the patient’s
     care.
 Review:
    At the time of registration, patients
     indicate their wishes.
    All patients are placed in
     CONFIDENTIAL status until they
     indicate otherwise.



                                             95
Confidential Patients
Policy (3)
 POLICY:


Appropriate decision makers will be
  sought for all those patients
  incapable of expressing their
  wishes independently. Patients
  will be “confidential” until this
  information is obtained from
  themselves or an appropriate
  surrogate decision-maker.




                                      96
 Confidential Patients
 Policy (4)
PROCEDURES:
 Changing or Continuing
  “Confidential” Status
  1. A default status of “confidential” will
     be used in the Meditech system for
     each new patient account.
  2. During the registration process
     each patient will be asked to complete
     a “Preliminary Patient Information”
     sheet and indicate their wishes
     regarding the patient directory and / or
     communication with friends and
     family. For scheduled outpatients,
     direct admissions and outpatient
     surgery patients the questions on this
     form may be asked during
     preregistration procedures and signed
     when the patient physically presents
     to the facility.
           ** Registration/Admitting Team
              Members: A special note to remind
              you of this new process!
                                                   97
NEW FORM

 At this time, let’s look at the
  new form developed to guide
  our gathering of the information
  required in the Confidential
  Patients Policy.
 The form is called “Preliminary
  Patient Information” and is
  discussed on the next few
  pages.




                                     98
Preliminary Patient
Information
 This new form is used at the time of
  a patient’s admission for healthcare
  services at UCH.
 Includes:
      Request and Consent for Treatment
      Acknowledgement of receipt of the
       UCH Notice of Privacy Practices
      Decision section related to the
       patient’s consent for release of
       information in the Hospital Patient
       Directory
      Decision section as to the “Sharing of
       information with those involved in my
       care”.
      Signature of the patient or designated
       representative.

                                                99
Sample of Preliminary
Patient Information Form
    Upper Chesapeake Health …………Preliminary Patient Information

    Request and Consent for Treatment
    I request and consent to examination, testing, and treatment that the physicians who examine
    me or consult about my condition feel is necessary and appropriate for diagnosis and
    treatment. I understand that I will be asked for oral consent and / or be asked to sign
    additional forms indicating my consent for specific procedures according to the Hospital’s
    “Informed Consent” policy.

    In particular, at this time I understand and agree that:

                Medicine and surgery are not exact sciences and no guarantees have been made to
                 me about the results of my examination and treatment.
                Properly supervised Medical, nursing and other health care students may
                 participate in my care as part of their training unless I tell you otherwise at a
                 particular time
                The hospital may examine and retain or dispose of specimens and tissues
                 removed from my body.

    Notice of Privacy Practices
    I acknowledge that I am being given a copy of the UCH Notice of Privacy Practices at the
    time I am signing this document.

    Release of Information in the Patient Directory

                         YES, please include my name and room number in the directory of
                      patient information available to members of the public (florists, clergy, other
                      callers) who contact the hospital.

                         NO, do not include me in the public directory.

    Sharing information with those involved in my care

                         YES, you may speak with the following people if they need to be
                      involved in my care:
                                   ANY member of my family ___ Check here
                                   These individuals: ____________________________
                                  ______________________________________________

                        NO, do not speak with my family or friends about my care unless I give
                      you specific permission at a later time.

                                                                      _____________
    Patient / Parent / Health Care Agent / Guardian                   Date signed
    [Please circle]


                                                                                                        100
Preliminary Patient
Information Form

 IMPORTANT:
     Every patient must receive and
      complete this form during each
      encounter with UCH.
     Form becomes a part of the
      permanent medical record.
     Nursing must document who PHI
      may be shared with in Part 4 of
      the Admission Assessment.




                                        101
Preliminary Patient
Information Form

 Example of screen in Meditech
   Medical Record:
SHARING INFORMATION WITH THOSE INVOLVED IN MY
  CARE.
   YES, you may speak with the following people if
   they need to be involved in my care:
     *ANY member of my family (Place X here)
       or *These individuals:
        _____________________________

       ______________________________
   NO, do not speak with my family or friends about
   my care unless I give you specific permission at a
   later time.


In the event that the patient indicates a change to
the above information, the change is made by
nursing in the Medical Record.
                                                      102
Confidential Patients
Policy (5)
   Changing or Continuing
    “Confidential” Status
    3. If the patient indicates “YES” with
       regard to both information
       disclosure choices on the
       Preliminary Patient Information
       form, his / her status will be
       changed by the Registration
       Coordinator or other person
       preregistering him/her to release
       the confidential status default.
    4. If the patient answers “NO” to
       either question on the Preliminary
       Patient Information sheet, they will
       remain in “confidential” status in
       the Meditech system.
                                              103
Confidential Patients
Policy (6)
 Changing or Continuing
  “Confidential” Status
  5. For patients registering in the
     ED, a colored sticker will be
     added to the face sheet of
     patients requesting information
     restrictions to alert team
     members and physicians.


   ** Emergency Dept. and ED
      Registrar Team Members: A
      special note to remind you of
      this new process!


                                       104
 Confidential Patients
 Policy (7)
 Changing or Continuing
  “Confidential” Status
  6. If the patient gives permission for
     information to be shared with the
     family or friends involved in his/her
     care, the names of the individuals
     with whom information may be
     shared will be requested on the
     Preliminary Patient Information
     sheet. These names and any others
     obtained by the admitting nurse
     during his/her initial assessment will
     be included in the Meditech
     Assessment screen, Kardex and
     Administrative Data Screen.
           ** RN Team Members: A special note
              to remind you of this new process!
                                                   105
    Confidential Patients
    Policy (8)
    Changing or Continuing
     “Confidential” Status
    7.   The names of friends and family to whom
         the patient has indicated that information
         may be disclosed that are captured via the
         nursing assessment will also be available
         via the “Who PHI may be shared with”
         element in Patient Care Inquiry (PCI) view in
         Meditech.
    8.   At the patient’s request or that of his/her
         surrogate decision-maker, a patient may be
         changed to confidential status or have the
         status removed at any time by executing a
         new Preliminary Patient Information sheet. A
         registration coordinator will update a
         patient’s status when this sheet is
         completed.
         ** Registration/Admitting Team
            Members: A special note to remind
            you of this new process!
                                                         106
    Confidential Patients
    Policy (9)
    Incapable Patients:
     1. If a patient is not capable of answering
        the Preliminary Patient Information
        questions due to injury, illness or
        minority, an appropriate surrogate
        decision-maker will be asked to sign on
        their behalf.
     2. For emergency room patients, the
        charge nurse or his/her designee will be
        responsible for using available sources
        of information to identify and contact an
        appropriate surrogate decision-maker.
     3. If an incapable patient requires
        admission and no surrogate decision-
        maker has been identified, the treating
        nurse will contact the case manager on
        call who will continue efforts to identify a
        surrogate decision-maker.

    ** Emergency Dept. Charge Nurses: A special
       note to remind you of this new process!
                                                  107
    Confidential Patients
    Policy (10)
    Incapable Patients:
     4. The patient will remain a confidential
        patient until the form is completed.
     5. If a team member is contacted by
        someone inquiring about an admitted
        patient who remains in “confidential”
        status because no surrogate decision-
        maker has been identified, the team
        member will take the caller’s name and
        contact information, ask them to await a
        call back, and notify the on-duty nursing
        supervisor of the call. The nursing
        supervisor will return the call and make a
        good faith effort to determine if the
        person is or has information about an
        appropriate surrogate decision maker for
        the patient. The supervisor will
        document the contact in the patient’s
        electronic medical record.

                                                 108
Confidential Patients
Policy (11)
Maintaining PHI Restrictions
1. All individuals having access to
   PHI within the UCH Hospitals
   are responsible for reviewing
   who, if anyone, the patient’s PHI
   may be shared with. This
   information will be available in
   the “Preliminary Patient
   Information Sheet” responses,
   the nursing assessment, the
   “Who PHI may be shared with”
   element in PCI, the nursing
   kardex and the administrative
   data screen.
                                       109
Confidential Patients
Policy (12)
Maintaining PHI Restrictions
2.  UCH team members, members of the UCH
    Medical Staff and anyone else having access
    to Patient Information within the UCH
    facilities and Home Care will not share
    information regarding patients to a family
    member or friend involved in that patient’s
    care unless:
   a. The person is identified by the patient as
        permitted access to information or,
   b. It may be reasonably inferred from the
        circumstances that the patient does not
        object to information being shared, for
        example when the patient requests that
        another person remain during an
        examination or interview; or
   c. The person is a parent, guardian,
        healthcare agent or surrogate decision-
        maker making healthcare decisions on
        behalf of the patient.


                                                   110
Confidential Patients
Policy (13)
Maintaining PHI Restrictions
3.  Members of the UCH Medical Staff, team
    members and others having access to PHI will
    be alerted to a patient’s confidential status by a
    “c” attached to the patient’s account number, by
    a message appearing on the Meditech screen
    when accessing the patient’s record and/or the
    “Confidential” sticker on the patient’s
    registration sheet. Whenever a physician, team
    member or other person encounters a
    “Confidential” patient they are responsible for
    reviewing the special restrictions on the patient’s
    information and acting in accordance with those
    restrictions.

4.   UCH team members, members of the UCH
     Medical Staff and anyone else having access to
     Patient Information within the UCH facilities and
     home care will not disclose in any way to
     anyone not directly involved in the patient’s care
     the presence of a patient who has indicated s/he
     does not wish to be included in the public
     patient directory.
                                                      111
A few more policies . . .

 We have three more policies to review


 The next one deals with a new
  concept . . .
      . . . Minimum Necessary Information


 So, let’s keep going




                                             112
The “Minimum Necessary”
Privacy Rule

 Healthcare Providers and other
  covered entities, as
  discussed previously, must
  make reasonable efforts to
  disclose or use only the
  information necessary in order to
  do our jobs.
 The Minimum Necessary
  standard of HIPAA ensures that
  methods are in place that guide
  us to protect patient privacy.
      Remember: Information may
       be disclosed in order to
       provide treatment and
       services as discussed earlier.

                                        113
The “Minimum Necessary”
Privacy Rule

 There is NO minimum necessary
  rule when it comes to sharing
  information for treatment.
 It is a balancing act . . . How much
  information needs to be disclosed
  to ensure quality care?
 However, when providing care, there
  may be information that you have that
  does not need to be shared as it is
  not necessary to do your job.

 Let’s look at the UCH policy . . .
      Review this section if you have access to
       patient information . . . in any form!



                                                   114
Minimum Necessary Use or
Disclosure of Protected
Health Information Policy

 PURPOSE:
      To provide methods for
       ensuring the minimum
       necessary use or disclosure
       of patients’ protected health
       information (PHI) for purposes
       of their treatment, payment
       and/or UCH Health Care
       Operations purposes.




                                        115
Minimum Necessary Use or
Disclosure of Protected
Health Information (2)
POLICY:
 When using or disclosing protected health
  information or when requesting protected
  health information from another physician,
  team member or facility, a physician or UCH
  team member will make reasonable efforts to
  limit protected health information to the
  minimum necessary to accomplish the
  intended purpose of the use, disclosure, or
  request. Physicians and team members will
  raise any question about their need to use,
  disclose or access information in particular
  cases to the UCH Privacy Officer.
 In addition, minimum necessary use and
  disclosure will be established and maintained
  by means of role based access to the UCH
  Hospital Information System and specific
  determinations by the UCH Policy Oversight
  committee regarding the need for access to
  protected health information to accomplish the
  purpose of each UCH policy.

                                                   116
Minimum Necessary Use or
Disclosure of Protected
Health Information (3)
PROCEDURE:
 Minimum Necessary Access,
  Use or Disclosure
  1. Team members and members
     of the UCH medical staff may
     access, use, request from or
     disclose to another health care
     provider any information
     relating to a particular patient
     which they believe in good faith
     is necessary for the treatment
     of that patient by them or the
     individual or facility to whom the
     information is disclosed.



                                          117
Minimum Necessary Use or
Disclosure of Protected
Health Information (4)
 2.   Disclosures of information to family
      members and friends of a patient who
      are involved in his or her care will be
      governed by any restrictions requested
      by or on behalf of the patient. (See
      “Confidential Patient Status” policy).

      2. We have reviewed this in the program
         when we discussed confidential
         patient status.
      3. As you can see, many of the policies
         and procedures overlap to ensure
         protection of patient privacy!




                                                118
Minimum Necessary Use or
Disclosure of Protected
Health Information (5)
    Patients may also request other
     restrictions on use or disclosure of
     their protected health information
     which may or may not be agreed to
     by UCH. Any patient requesting
     another restriction on use or
     disclosure should be sent to the
     Director of QHIM for the facility
     where they are a patient or the
     UCH Privacy Officer.

    Any other access, use, request for
     or disclosure of patient protected
     health information will be limited to
     the minimum necessary to
     accomplish a particular payment or
     UCH Health Care Operations
     purpose.


                                             119
Minimum Necessary Use or
Disclosure of Protected
Health Information (6)
 5.   When making a disclosure of protected
      health information for a purpose
      required by law, such as the reporting
      of abuse, dog bites, burns, organ
      donation, etc., the UCH team member or
      member of the Medical Staff making
      that disclosure may rely on the entity to
      whom the disclosure is being made to
      define the minimum necessary
      disclosure for that purpose.
 6.   Requests by law enforcement
      authorities or the Department of Health
      and Human Services for protected
      health information will be referred to the
      UCH Privacy Officer. Team members
      who believe they have been a victim of
      a criminal act by a patient will also
      review their need to disclose protected
      health information with the UCH
      Privacy Officer before making a
      disclosure to law enforcement
      authorities.
                                                   120
Minimum Necessary Use or
Disclosure of Protected
Health Information (7)
 Role Based Access to the
   UCH Hospital Information
   System (Meditech)
     Individuals requiring access to
      the hospital information system
      (Meditech) at UCH will be
      granted access based on a pre-
      determined set of applications
      and functions designed on
      minimum, need-to-know access
      levels. A system of user
      templates will be designed and
      utilized based on the following
      standards as listed on the next
      few pages:
                                        121
Minimum Necessary Use or
Disclosure of Protected
Health Information (8)
 User templates:
    a. Menu templates will be designed
       for each job code within the UCH
       system in collaboration with
       management and staff from the
       departments where individuals in
       that job code are employed.
    b. Each team member within the
       same job code will be assigned
       access based on the template
       designated for that code.
    c. Business partners not employed
       by the hospital will be grouped
       by functionality (Billing,
       Transcription, Physicians, etc.)
       and assigned menu templates
       based on these roles.


                                          122
Minimum Necessary Use or
Disclosure of Protected
Health Information (9)
   User templates:
      d. Exceptions to the templates must
         be approved by the Manager of the
         Department where an individual is
         working, Privacy Officer and MIS
         Applications Manager. The
         exception justification must be noted
         within the HIS menu design
         application (Meditech NPR) along
         with the names and positions of the
         approving parties.
      e. Changes to general templates will
         be coordinated between the
         Department Manager(s), Privacy
         Officer and MIS Applications
         Manager with justification noted
         within the HIS menu design
         application (Meditech NPR) along
         with the names and positions of the
         approving parties.
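
The template rules (a) through (e) above can be modelled as a small access check plus an access review. This is an added example, not UCH's or Meditech's own configuration; the job codes, partner groups, menu names, user IDs and approver names are hypothetical, constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: job codes, partner groups and menu names are
# hypothetical, not taken from the UCH Meditech configuration.
JOB_CODE_TEMPLATES = {
    "RN-MEDSURG": frozenset({"nursing.notes", "orders.view", "results.view"}),
    "REGISTRAR": frozenset({"registration.edit", "demographics.view"}),
}
PARTNER_TEMPLATES = {  # rule (c): non-employees grouped by functionality
    "Billing": frozenset({"bar.accounts", "demographics.view"}),
    "Transcription": frozenset({"dictation.queue"}),
}
# Rule (d): every exception needs all three of these positions to approve.
REQUIRED_APPROVERS = frozenset(
    {"Department Manager", "Privacy Officer", "MIS Applications Manager"}
)


@dataclass(frozen=True)
class User:
    user_id: str
    job_code: Optional[str] = None       # set for UCH team members
    partner_group: Optional[str] = None  # set for business partners


@dataclass(frozen=True)
class TemplateException:
    user_id: str
    menu: str
    justification: str
    approvals: tuple  # ((approver name, approver position), ...)

    def problems(self):
        """Reasons the exception cannot be honoured; an empty list means valid."""
        issues = []
        if not self.justification.strip():
            issues.append("justification missing")
        named = {pos for name, pos in self.approvals if name.strip()}
        for pos in sorted(REQUIRED_APPROVERS - named):
            issues.append(f"no named approval from {pos}")
        return issues


def base_template(user):
    """Rules (a)-(c): job code template for staff, function template for partners."""
    if user.job_code is not None:
        return JOB_CODE_TEMPLATES.get(user.job_code, frozenset())
    if user.partner_group is not None:
        return PARTNER_TEMPLATES.get(user.partner_group, frozenset())
    return frozenset()  # no role on file: deny by default


def effective_access(user, exceptions):
    """Template menus plus fully approved exceptions; also returns rejected ones."""
    granted, rejected = set(base_template(user)), []
    for exc in exceptions:
        if exc.user_id != user.user_id:
            continue
        issues = exc.problems()
        if issues:
            rejected.append((exc.menu, issues))
        else:
            granted.add(exc.menu)
    return granted, rejected


def unexplained_access(user, assigned_menus, exceptions):
    """Access review: menus a user actually holds that neither the template
    nor an approved exception accounts for."""
    granted, _ = effective_access(user, exceptions)
    return sorted(set(assigned_menus) - granted)


# Constructed records for the demonstration.
NURSE = User("u100", job_code="RN-MEDSURG")
BILLER = User("p200", partner_group="Billing")
EXCEPTIONS = [
    TemplateException("u100", "pharmacy.view", "Covers medication reconciliation",
                      (("A. Example", "Department Manager"),
                       ("B. Example", "Privacy Officer"),
                       ("C. Example", "MIS Applications Manager"))),
    TemplateException("u100", "bar.accounts", "",
                      (("A. Example", "Department Manager"),)),
]

if __name__ == "__main__":
    granted, rejected = effective_access(NURSE, EXCEPTIONS)
    print(sorted(granted))
    print(rejected)
    print(unexplained_access(BILLER, ["bar.accounts", "results.view"], EXCEPTIONS))
```

The second exception is rejected because it has no justification and only one of the three required approvals, and the access review flags a menu the Billing partner holds that no template or approved exception explains.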

                                                 123
Minimum Necessary Use or
Disclosure of Protected
Health Information (10)
    Minimum Necessary Use to Carry Out UCH
     Policies
    1. The need for access to, use or disclosure
        of protected health information to carry out
        UCH policies and procedures will be
        accomplished by a determination made by
        the Privacy Officer, as a member of the
        Policy Oversight Committee (POC), with
        regard to each policy as to whether, to
        what extent and by whom a particular
        policy requires access to, use or disclosure
        of protected health information.
        a.   This determination will be memorialized in
             each policy.
        b.   Once made, this determination may be
             reviewed at any time by application to the
             Privacy Officer and/or the Policy Oversight
             Committee.
        c.   Team members and members of the UCH
             Medical Staff attempting to carry out
             particular policies or procedures will review
             the policy to determine if they are
             authorized to use, access, or disclose
             protected health information for that
             purpose and any limitations imposed by that
             policy.
                                                             124
Quick Review
Questions


         What is meant
          by having
          access to the
          “minimum
          necessary”
          information to do
          our jobs?




                              125
Answer . . .

 We have
 access to all
 information
 that we need
 to do our jobs,
 but we should
 not have
 access to
 unnecessary
 information!



                   126
What’s Next?

 We’ve reviewed the
  minimum necessary
  standard.
 NOW, on to
  DISCLOSURE.
     This section pertains to Team
      Members that have access to
      patient information.
     If you do not handle patient
      records or information you may
      skip this section and proceed to
      the section on “Notice of Privacy
      Practices”.
                                          127
Disclosure

 Disclosure means the release,
 transfer, provision of access
 to, or divulging in any other
 manner of information outside
 the entity holding the
 information.
     For all uses or disclosures of
      protected health information (PHI)
      that do not involve treatment,
      payment or healthcare operations,
      healthcare entities MUST obtain a
      valid patient “authorization”.




                                           128
 Disclosure of Protected
 Health Information
 There are 6 procedures defined in the
  policy. They include the following:
         Disclosure of PHI for direct treatment
          purposes
         Disclosure for purposes of payment
         Disclosure for or at the request of a patient
          or patient representative
         Disclosures required by Law
         Disclosures for Research, in Response to
          Subpoenas for Documents, and to
          Attorneys Representing UCH
         Disclosures of Directory Information and to
          Family and Friends involved in the
          Patient's care
      Any other disclosures of PHI to a person or
       entity outside of UCH must be reviewed
       and approved by the UCH Privacy Officer
       or designee before such disclosure can
       occur.
                                                          129
Disclosure of Protected Health
Information Policy

PURPOSE:
 To clearly outline the authority of
  various team members and members
  of the UCH medical staff to disclose
  protected health information (PHI) of
  patients treated at the UCH facilities to
  individuals or entities outside UCH.
POLICY:
 Disclosure of PHI to individuals or
  entities outside of UCH will be done in
  strict adherence to the requirements of
  federal and state law.




                                              130
 Disclosure of Protected
 Health Information Policy
 (2)
Disclosure of PHI for direct treatment
    purposes
   1.   Any UCH team member or member of the
        medical staff who is directly involved in
        caring for a particular patient is authorized
        to disclose that patient’s PHI by any
        means (direct in person communication,
        via telephone, by fax, by providing a
        summary or copy of a portion of the
        patient’s medical record) to another
        individual who is or will be directly involved
        in the care of that patient at the time of the
        communication for the condition to which
        the PHI relates.
   2.   This includes communications for the
        purpose of determining if the patient is an
        appropriate candidate for care by the other
        provider or at another facility.


                                                         131
Disclosure of Protected
Health Information Policy
(3)
Disclosure of PHI for direct
   treatment purposes (cont.)
2. For example, a nurse may give
   report to another facility to
   which the patient will be
   transferred; a physician may
   discuss a patient’s PHI with
   individuals at another facility to
   determine if a transfer would be
   appropriate; a social worker
   may contact an oxygen provider
   to arrange for service at the
   patient’s home after discharge.



                                        132
Disclosure of Protected
Health Information Policy
(4)
Disclosure of PHI for direct treatment
   purposes (cont.)

   No disclosure will be made when the
    patient has communicated a desire that
    information not be disclosed to a
    particular person or entity.

   An appropriate notation should be
    made in the patient’s medical record
    indicating the fact of each such
    disclosure. This notation may be made
    in any portion of the record (e.g.
    progress note, H & P, discharge
    summary, transfer form).



                                             133
Disclosure of Protected
Health Information (5)
Disclosure for purposes of payment
1. Team members in the QHIM,
   Schedule First, Registration,
   Patient Financial Services,
   Clinical Resource Management
   and Finance departments are
   authorized to disclose a particular
   patient’s PHI to persons and entities
   outside of UCH for the purpose of
   obtaining payment for care
   provided by UCH or another
   provider to that particular
   individual.


                                           134
Disclosure of Protected
Health Information (6)
Disclosure for purposes of payment
 A notation of each such disclosure
   apart from the submission of a
   routine insurance claim, issuance
   of a bill or the provision of
   information for concurrent review
   of inpatient admissions by an
   insurer will be made in the
   patient’s BAR registration, a
   patient care note or the QHIM
   correspondence module.




                                       135
Disclosure of Protected
Health Information (7)

Disclosure for purposes of payment
(cont.)
3.   Team members in departments not
     listed above are not authorized to
     disclose PHI for the purposes of
     payment. Inquiries requesting such
     information should be referred to one of
     the departments listed above.
4.   Members of the UCH medical staff are
     not authorized to disclose PHI for
     payment of any services other than
     those they provide to a particular patient
     at the UCH hospitals.



                                                  136
Disclosure of Protected
Health Information (8)

Disclosure for or at the request of a
patient or patient representative

1.   Certain designated team members in
     the Laboratories, QHIM, and
     Imaging are authorized to disclose
     PHI in response to a request from a
     patient or patient representative.
2.   These team members will complete
     Authorized Discloser Training prior to
     disclosing PHI in these circumstances.




                                              137
Disclosure of Protected
Health Information (9)

Disclosure for or at the request of a
patient or patient representative
(Cont.)
 1. All other team members and all
     members of the UCH medical staff will
     refer requests by patients and/or
     patient representatives to one of these
     departments. Team members and
     members of the medical staff may provide
     requesting individuals with copies of the
     “Authorization for Release of Health
     Information” form from the Meditech
     “Forms On Line” system and send
     completed copies of this form to the
     appropriate department for follow-up on a
     subsequent business day.
                                                 138
     Disclosure of Protected
     Health Information (10)
Disclosure Required by Law
1.    Disclosures of PHI are made for the following
      reasons in order to comply with various legal
      requirements, including the license requirements
      of individual nurses and physicians:
      - Suspected abuse or neglect of a child
      - Suspected abuse or neglect of a vulnerable adult
      - Medical examiner cases
      - Organ donation
      - Infectious disease surveillance
      - Implant reporting
      - Notifications of first responders
      - Animal bite and/or burn reporting
      - Reporting a worker’s compensation claim
      - Lookback (if a person is identified by the Lab as having
        donated blood, and this person has now been diagnosed
        with a reportable communicable disease, the Lab must
        report same to applicable agency)
      - Responding to a properly served subpoena or court order
        requiring testimony
                                                                    139
     Disclosure of Protected
     Health Information (11)
Disclosure Required by Law (Cont.)
2.    Any team member or any member of the Medical
      Staff who believes in good faith that his/her license
      or job assignment requires disclosure of PHI for one
      of the reasons listed above is authorized to do so.
3.    All disclosures authorized under this section will be
      documented in the patient’s medical records using
      the “Disclosure Notification” nursing intervention
      or in the QHIM correspondence module.
      a. All elements of the “Disclosure Notification”
      entry must be completed.
      b. These “Disclosure Notification” entries will be
      compiled into any “Accounting” of disclosures
      requested by a patient or patient representative.




                                                              140
 Disclosure of Protected
 Health Information (12)
Disclosure for Research, in Response to
Subpoenas for Documents, and to Attorneys
Representing UCH

1. Only certain members of the QHIM
department are authorized to disclose PHI (a)
for purposes of research either based on an
individual patient authorization or an IRB
waiver of authorization, (b) in response to
subpoenas requesting documents, or (c) to
attorneys representing UCH.

2. All such disclosures will be documented in
the QHIM correspondence module.



                                                141
Disclosure of Protected
Health Information (13)


Disclosure for Research, in Response to
Subpoenas for Documents, and to Attorneys
Representing UCH (Cont.)

3. These correspondence module entries will
be compiled into any “Accounting” of
disclosures requested by a patient or patient
representative.
4. All other team members will refer all such
requests to QHIM.




                                                142
Disclosure of Protected
Health Information (14)

Disclosure of Directory Information and to
Family and Friends involved in the Patient's
care

1. These types of disclosures are covered by the
   “Confidential Patient” policy.




                                                   143
 Disclosure of Protected
 Health Information (15)


Any other disclosure of PHI to a person or
entity outside of UCH

1. Any disclosure of PHI for a purpose not specified
above must be reviewed and approved by the UCH
Privacy Officer or her designee before it takes place.

2. The Privacy Officer will determine on a case by case
basis if an entry needs to be made in the QHIM
correspondence module regarding a particular disclosure
so that it can be included in any “Accounting” of
disclosures given to a patient or patient representative.




                                                            144
Disclosure of Protected
Health Information (16)
 In addition to this policy, there is a
  policy in QHIM that defines the
  process to account for disclosures.
 To assist with understanding disclosure,
  please see the charts on the next few
  pages that list the “purpose” of the
  disclosure, who may disclose that
  information, and the documentation
  requirements.
    Remember . . .
        If you are one of the individuals
         that may disclose the information,
         you are responsible for adhering
         to the policy.
        If you are not responsible or
         allowed to disclose information,
         please be sure to refer the person
         to the correct Team Member or
         Department.
                                            145
  Disclosure of Protected
  Health Information (17)
Purpose of the        Who May                  Documentation
Disclosure            Disclose                 Requirements

Provide, consult      Anyone directly treating Notation of the
and/or direct         the patient.             disclosure in the
treatment from                                 patient’s medical
outside UCH.                                   record

Payment               Team Members in          Notation in BAR or
                      QHIM, ScheduleFIRST,     QHIM.
                      Patient Financial        Correspondence
                      Services, Clinical       module if not related
                      Resource Management      to submission of
                      and Finance.             claim, issuance of a
                                               bill or concurrent
                                               review.

Comply with patient   Team Members in Lab,     Completed copy of
request               Imaging and QHIM         “Authorization for
                      who have completed       Release of Medical
                      “Authorized Discloser    Information” form.
                      Training”                Notation in QHIM
                                               correspondence
                                               module.




                                                                   146
  Disclosure of Protected
  Health Information (18)

Purpose of the        Who May                    Documentation
Disclosure            Disclose                   Requirements

Disclosure required   Any Team Member            Completion of the
by Law                whose job or license       “Disclosure
                      requires making the        Notification”
                      disclosure.                intervention in the
                                                 Nursing or QHIM
                                                 correspondence
                                                 modules.

Research, or          Designated QHIM            Notation in the
Responding to         Team members who           QHIM
Document              have completed             correspondence
Subpoenas, or         “Authorized Discloser      module.
Disclosure to         Training”.
Attorneys
Representing UCH

Directory             Anyone as long as the      None
Information           patient is not listed as
                      “Confidential”, i.e. the
                      patient permits the
                      disclosure.


                                                                       147
  Disclosure of Protected
  Health Information (19)

Purpose of the         Who May                     Documentation
Disclosure             Disclose                    Requirements

Disclosure to Family   Anyone directly             None
and Friends            involved in the patient’s
involved in the        care if the patient
patient’s care         permits the disclosure.

Any other disclosure   Privacy Officer             Depends on the
to someone outside                                 nature of the
of UCH                                             disclosure.




                                                                    148
One more policy to
review
 The last topic/policy to review is
  the Notice of Privacy Practices.
 Any Team Member working with
  patients needs to be aware of
  this policy.
 If you do not work with patients,
  the information in this section is
  limited to a general overview.




                                       149
What is “Notice of Privacy
Practices”?

 A “Notice of Privacy Practices” is
  a required notice that defines and
  informs patients of the uses and
  disclosures of confidential
  information that may be made by
  the healthcare team.
 What must be included?
     Steps taken to protect privacy;
     Uses that may be made of the
      PHI; and
     Guidelines for patients who want
      access to their medical records.


                                         150
Notice of Privacy Practices
Policy

 PURPOSE:
     To define the Notice of Privacy
      Practices as required by the
      Federal Health Insurance
      Portability and Accountability Act
      (HIPAA). This Act established
      federal guidelines that require a
      health care provider, such as
      UCH, to maintain the privacy of
      patients’ protected health
      information through proper
      disclosure and privacy practices
      and to provide a notice to each
      patient that describes their rights
      under this provision.
                                            151
Notice of Privacy
Practices (2)
 Definitions:
   Disclosure means the release, transfer, provision
      of access to, or divulging in any other manner of
      information outside the entity holding the
      information.

   Health Care means care or service related to the
     health of an individual. Health Care includes, but
     is not limited to, diagnostic, therapeutic,
     rehabilitative care and/or the sale or dispensing
     of a drug, equipment, or other item in
     accordance with a prescription.

   Protected Health Information means any
     individually identifiable health information,
     whether oral or recorded in any form, that is
     created and relates to the past, present, or
     future physical or mental health, condition or
     care of an individual.



                                                          152
Notice of Privacy
Practices (3)
 POLICY:


 UCH makes public a Notice of
 Privacy Practices which defines
 legal duties and privacy practices
 with respect to a patient’s
 protected health information.
 The Notice will describe how
 medical information about our
 patients may be used and
 disclosed and how patients can
 gain access to their information.


                                      153
Notice of Privacy
Practices (4)
 1.   This Notice will be provided to patients
      at the time of registration for admission
      and/or outpatient services.

 2.   The Notice of Privacy Practices will
      also be posted on our website.

 3.   The Notice will be posted in signage
      throughout the UCH facilities.

 4.   Acknowledgement of the receipt of this
      notice will be attempted by completion
      of the “Preliminary Patient Information”
      sheet upon registration/admission.




                                                  154
Notice of Privacy
Practices (5)
 UCH maintains the right to change the
  terms of the Notice and to make the
  new Notice provisions effective for all
  protected health information that UCH
  maintains. In the event changes are
  made to the Notice, we will 1) make
  the changes apparent in the new
  document, 2) post the changes in the
  signage within the UCH facilities, 3)
  include them on the UCH website, and
  4) UCH will not individually notify every
  past patient, but will attempt to abide
  by the requirements of the Notice in
  effect at the time of the health care
  service.


                                              155
Notice of Privacy
Practices (6)
  Any person stating complaints
  relative to this Privacy Notice will
  be treated with dignity, courtesy,
  regard for the person’s privacy
  and in accordance with the UCH
  Non-Discrimination policy.
 1.   Complaints can be lodged with the
      Privacy Officer or communicated to
      any UCH Team Member for entry into
      the ETSystem for system notification
      of designated persons and trending.
 2.   Individuals requesting additional
      information about the Notice or the
      practices described in it will be
      directed to the Privacy Officer.



                                                 156
The UCH Notice of Privacy
Practices

 A three page document
 that will be:
    Posted in public areas
    Available as a handout to
     all patients
    Available on the UCH
     Website
 The next several pages
  contain the content of the
  notice for your review.

                                 157
 The UCH Notice of Privacy
 Practices Sample:
UCH NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL
  INFORMATION ABOUT YOU MAY BE USED
  AND DISCLOSED AND HOW YOU CAN GET
  ACCESS TO THIS INFORMATION. PLEASE
  REVIEW IT CAREFULLY
Upper Chesapeake Health (UCH) and the physicians who
   participate in your care here are committed to your
   personal well being. Protecting the privacy and security
   of the information you share with us is included in that
   commitment. While we do not sell or trade any
   information to third parties, we do share information with
   entities such as your insurance company and quality
   review organizations as part of our routine and necessary
   business operations. We do this with the utmost care
   and sensibility.
This Notice is being provided to explain how your personal
   healthcare information is used, and your rights to review,
   amend and/or request limitations on the disclosure of this
   information.

                                                           158
 The UCH Notice of Privacy
 Practices Sample:
Your Rights to Privacy and Disclosure:

You have the Right to request restriction of uses and
     disclosures of your Protected Health Information as
     outlined below. However, there are some instances
     where UCH is not required to agree to a requested
     restriction.

A.   At the time you initially receive service at UCH, you
     may request that UCH restrict the use or disclosure
     of your protected health information to carry out
     treatment, payment, or healthcare operations. To
     request a restriction of your information, contact our
     Medical Records Department and say that you want
     to restrict the release of all or part of your
     information.
B.   You can request to receive confidential
     communications concerning your health information.
     To receive your information confidentially, contact
     our Medical Records Department and direct them to
     how and where you wish to receive your information.

                                                              159
 The UCH Notice of Privacy
 Practices Sample:
Your Rights to Privacy and Disclosure:


C.   You can inspect and obtain a copy of your protected
     health information / Medical Record, unless
     otherwise protected by Law. Contact our Medical
     Records Department to make the request.
D.   You can obtain a copy of this Notice at any time. You
     will receive one at the time of service.
E.   You can amend your protected health information by
     contacting our Medical Records Department. We
     cannot destroy or otherwise remove the original
     information, but you may add/amend information in
     your record pursuant to UCH’s policy.



                                                             160
 The UCH Notice of Privacy
 Practices Sample:
Your Rights to Privacy and Disclosure:
F.   You can request an accounting of our disclosures of
     your protected health information, unless protected by
     Law, by contacting the UCH Medical Records
     Department.
Definitions:
 Disclosure means the release, transfer, provision of access to, or
     divulging in any other manner of information outside the entity
     holding the information.
   Healthcare means care or service related to the health of an
     individual. Healthcare includes, but is not limited to,
     diagnostic, therapeutic, rehabilitative care and/or the sale or
     dispensing of a drug, equipment, or other item in accordance
     with a prescription.
 Protected Health Information means any individually identifiable
     health information, whether oral or recorded in any form, that
     is created and relates to the past, present, or future physical
     or mental health, condition or care of an individual.
                                                                  161
      The UCH Notice of Privacy
      Practices Sample:
Permitted Disclosures:
UCH and/or your physician may not use or disclose
    protected health information, except as
    permitted or required by Law. The following
    are permitted uses and disclosures under
    current Laws. We can release information to
    the following unless otherwise restricted by
    law:

i.     to the patient the information pertains to or
       his/her representative;
ii.    to UCH business associates or other
       healthcare providers, to carry out treatment,
       payment, or healthcare operations purposes;




                                                       162

iii.   to anyone in compliance with an authorization
       completed by the patient or patient’s
       representative, such as that from a healthcare
       provider regarding psychotherapy notes
iv.    to others as permitted by and in compliance
       with some other law or regulation such as
       those that require us to make certain reports to
       health oversight agencies, like Maryland’s
       Department of Health and Mental Hygiene.


                                                          163
    The UCH Notice of Privacy
    Practices Sample:
Permitted Disclosures:
Individually identifiable health information is
      frequently shared with the following types of
      entities for purposes related to the function and
      operation of a healthcare facility or physician
      practice:
        Consulting physicians
        Managed care organizations
        Health insurance companies
        Home Health Care
        Health benefit managers
        State/Federal agencies
        Clinical laboratories

This information is released for the purposes of
      ensuring continuity of care, billing, conducting
      quality assessment and improvement
      activities, and reviewing the competence or
      qualifications of healthcare professionals.



                                                          164
  Your
  Responsibilities


Overview/review of your
 responsibilities in your
          role
                            165
Now, let’s talk about how
HIPAA will affect your
everyday work!
   In this section we will
    review and emphasize
    some very important
    information including the
    following topics:
        The Hospital Patient
         Directory
             Family Inquiries
             Clergy and other
              religious personnel
        Special situations
         through examples



                                    166
The Hospital Directory

 As discussed previously in this
  program, patients have the right
  to state if they want their name
  included in the public directory.
 If they are not in the directory,
  information about their presence
  in the facility will not be available
  to the information desks and may
  not be disclosed by other team
  members.
 It is imperative that we uphold
  the patient’s request.


                                          167
Confidential Patients

 Confidential Patients will not be
  listed in the Hospital Directory:
      Here’s an example: A friend of
       Adam Current calls asking for his
       room number. His name is not
       listed in the hospital directory.
           Words to use:
              “Thank you for calling/asking, but
               we do not have any information on
               that person at this time.”
           If the person becomes adamant
            that the individual is in the hospital
            refer the caller to Guest Services
            or the Privacy Officer.



                                                     168
Impact on Our
Community:
 This is going to be a major change for
  our community, patients and families.
 Many of us are used to routinely
  confirming the presence of non-
  psychiatric patients in the hospitals.
  Now we will have to check on the
  patient’s directory status before we
  answer.

 Patients will also be unfamiliar with the
  “public directory” concept.
 Let’s discuss how we can help our
  community with this new concept




                                              169
Helpful phrases to use

 Many of us will be required to
  answer questions from patients,
  families and visitors.
 As some patients may elect to
  not be identified as being in the
  hospital, key words and/or
  phrases should be used as
  appropriate to the situation.
 In order to help team members in
  answering questions in a manner
  that respects patient privacy and
  confidentiality, several examples
  are given on the next few pages.



                                      170
Calls to nursing units
A patient is in “Confidential” status -
 The sister of Sam Rale calls and asks
  for a report on his condition. His
  medical record indicates that he is a
  confidential patient.
      Words to use:
             “Thank you for calling/asking, but we do
              not have any information on that person
              at this time. You may wish to contact a
              family member to find out the
              information you are trying to locate.”
             “I understand your concern, however it
              is important that UCH protect patient
              privacy as requested by the patient.
              Therefore, I’m not able to give you
              information regarding this person as he
              is not in our Hospital Directory. You
              may wish to contact another family
              member or friend to help in locating
              your brother.”
      As in the previous example, if the person
       becomes adamant that the individual is in
       the hospital they may be referred to Guest
       Services or the Privacy Officer.
                                                         171
Examples of sharing
information
 A Mother calls asking about the
  condition of her daughter. The
  daughter has indicated that
  information can be provided to
  family members only. But are
  you sure this is the patient's
  Mother?
     Giving information over the
      phone – in good faith - is OK. If
      the individual states who they
      are, we need to believe what
      they say.



                                          172
Examples of sharing
information
 A patient calls your department
  and requests that their test
  results be faxed to a specialist.
  They provide you with the
  number. Should you fax this
  information?
     The only team members
      authorized to respond to such a
      request are those who have
      completed “Authorized Discloser
      Training”.
     Therefore this request must be
      referred to QHIM, the Lab,
      Imaging or other department that
      provides clinical reports.
                                         173
One more example:

 You are asked by a member of the
  Clergy as to what room Bruce Mahi is
  in. How do you respond?
      FIRST - Check the patient’s confidential
       status.
           What are you looking for . . .
               The following alerts are in place to
                identify confidential patients:
                   A “c” attached to the patient’s
                    account number,
                   A message appears on the
                    Meditech screen when accessing
                    the patient’s record, and/or
                   There is a “Confidential” colored
                    sticker on the patient’s registration
                    sheet or ED record.
      There is no such alert for Mr. Mahi,
       therefore you may inform the Clergy of his
       room number.
                                                            174
Preventing disclosures of patient
information
 Increase your awareness of
  your work environment
  looking and listening from the
  patient and visitor’s
  perspective!
 Walk through your work
  area(s) paying close
  attention to the environment.
 Look and listen for possible
  breaches of privacy or
  situations that may allow
  confidential information to be
  seen or heard by others.


           Let’s look at activities or
           situations that put
           information at risk.

                                         175
Preventing disclosures of
patient information
Look and listen:
           Are patient charts left unattended?
           Are sign-in sheets with patient information
            available to be read by other patients or
            visitors?
           Is patient information accessible/readable on
            unattended computer screens?
           Are patient location boards, assignment
            sheets, report records left in accessible
            areas?
           Can telephone conversations regarding
            patient information be overheard by
            individuals that are not required to hear that
            information?
           Do you hear Team Members talking about a
            patient in the elevator?
           Are team members leaving messages on
            answering machines or sending emails that
            may be intercepted by people other than
            those intended to receive the
            message/information?
      If you answered yes to any of these
       questions, actions must be taken to
       prevent access to this information!

                                                             176
Let’s check how you are
doing with this
information . . .
   Read each of the following statements.
    Is it a HIPAA violation?
    1.   Patient-identifiable information is left
         open, displayed or accessible to
         unauthorized personnel.
    2.   Team member refuses to share his/her
         computer password.
    3.   Team member views lab results of a
         patient for which he/she has no direct
         involvement in patient care.
    4.   Team member views another team
         member’s medical file.




                                                    177
Check your answers . . .

   How did you do with this quick quiz
    ...
    1.   Patient-identifiable information is
         left open, displayed or accessible
         to unauthorized personnel. Yes!
         HIPAA Violation.
    2.   Team member refuses to share
         his/her computer password. Not a
         HIPAA violation! This is the right
         action to take.
    3.   Team member views lab results of
         a patient for which he/she has no
         direct involvement in patient care.
         Yes! HIPAA Violation.
    4.   Team member views another team
         member’s medical file. Yes! HIPAA
         Violation.

                                               178
OK, let’s do four more . . .

   Read each of the following
    statements. Is it a HIPAA violation?
    1.   The computer monitor screen is
         positioned to protect the privacy of
         patient from unauthorized users.
    2.   Physician puts printed lab results that
         he/she no longer needs into the
         shredder/paper destruction
         receptacle.
    3.   White board is used to display patient
         names, diagnosis, physician and/or
         room numbers in the hallway.
    4.   A nurse and a physician discuss a
         patient’s treatment in the hospital
         elevator.



                                                   179
Now, check your answers on
the last four statements . . .
   How did you do on part two of the quick
    quiz . . .
    1.   The computer monitor screen is
         positioned to protect the privacy of
         patient from unauthorized users. Not a
         HIPAA violation! This is the correct
         placement of the screen.
    2.   Physician puts printed lab results that
         he/she no longer needs into the
         shredder/paper destruction receptacle.
         Not a HIPAA violation! This is the
         correct action to take.
    3.   White board is used to display patient
         names, diagnosis, physician and/or
         room numbers in the hallway. Yes!
         HIPAA Violation.
    4.   A nurse and a physician discuss a
         patient’s treatment in the hospital
         elevator. Yes! HIPAA Violation.
                                                   180
What would you do?

 A nurse calls a restaurant
 where a physician is having
 dinner and asks the hostess
 to have the doctor call the
 hospital regarding Mrs.
 Green, who needs a change
 in pain medication since her
 fall last evening.
   Is this an appropriate
    message to leave?



                                181
Here’s the answer . . .

 The answer is NO.
     The message contains
      identifying information and is
      therefore a breach of
      confidentiality
          Lesson: Never leave a message
           with a third party that contains
           specific information about a
           patient that can identify him or her
          Correct action: Call and simply
           leave a message for the doctor to
           call the unit as soon as possible
           and ask for Ellie Sue.




                                                  182
 Congratulations

 Great job – You have
  completed this program
 In order to assess your
  knowledge of the material,
  you must complete the
  post-test and sign the
  confidentiality agreement.
 These items are available
  with this packet or from
  your manager or on-line:
  U:HIPAA/Education/Post-
  test. confidentiality
  statement




                               183
Summation


  Final review and
  requirements for
 completion of this
program – Post-Test
                      184
You’ve learned A
LOT!
 HIPAA education and implementation
  of our policies and procedures ensures
  that we maintain the privacy and
  confidentiality of our patients
 The UCH Policies are on-line in the
  Meditech Library for your review at
  any time. They will be effective as of
  March 1, 2003.
 Compliance with the Law is everyone’s
  responsibility!




                                           185
Final Steps

 In order to receive credit for this
  program, please remember to
  complete the post-test and sign
  the confidentiality agreement

 Forward these items to the
  Education and Resource
  Development Department at
  HMH or UCMC.

 Thank you!



                                        186

								