HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) PRESENTATION BY EDGE FOR DENTAL CLINIC ORIENTATION
WHAT IS HIPAA?
HIPAA is a United States federal law passed by Congress in 1996 to help protect the privacy and security of health information. It is short for Health Insurance Portability and Accountability Act.
PRIVACY / SECURITY
SIMPLY PUT – ALL PROTECTED HEALTH INFORMATION (PHI) IS CONFIDENTIAL.
THERE ARE REAL CONSEQUENCES TO REVEALING PHI – EVEN IF UNINTENDED OR INCIDENTAL.
WHO DOES HIPAA APPLY TO?
HIPAA applies to:
- Health plans (such as health insurance companies)
- Health care clearinghouses (such as billing companies)
- Health care providers (including doctors, hospitals, laboratories, and pharmacies)
YOU CAN CONSIDER YOURSELF LIKE A HEALTHCARE PROVIDER FOR PURPOSES OF HIPAA – IN OTHER WORDS, IT APPLIES TO YOU – ALWAYS!
PRIVACY IS YOUR RESPONSIBILITY.
As a health care worker, you are required by HIPAA to protect the privacy and security of the personal health information to which you have access.
IMPORTANCE OF PRIVACY… AN EXAMPLE
You will have many opportunities to avoid disclosing protected health information. Here is one simple example:
- Your best friend asks you to look up her mother's laboratory results. Knowing the HIPAA privacy regulation and your own departmental policies and procedures, you do not disclose the protected health information which she is requesting. You politely tell your friend that you are not allowed to give her the laboratory results.
WHAT IS THE HIPAA PRIVACY RULE?
Protects the confidentiality of individuals' health data by regulating:
- How protected health information (PHI) is used
- To whom PHI is disclosed
- How and where PHI is maintained
PHI includes information about a person and their physical or mental health. It applies to all such information regardless of its form; it includes oral, written, and electronic communications.
The HIPAA Privacy Rule:
- Requires reasonable security measures to protect individuals' health information.
- Establishes accountability for use and release of this information.
- Gives individuals rights regarding their health information.
MORE ABOUT THE HIPAA PRIVACY RULE…
The intent of the HIPAA Privacy Rule is to permit important uses of health information while, at the same time, protecting the privacy of individuals who are seeking health care.
RIGHTS OF THE INDIVIDUAL
- Right of notice
- Right of access
- Right to accounting of disclosures
- Right to amend
- Right to restrict
WHAT CAN HAPPEN?
The Secretary of Health & Human Services (HHS) will investigate any HIPAA noncompliance complaint. PENALTIES START AT $100 AND GO UP TO $50,000 – PER INSTANCE!
Case Study: Incidental disclosures and safeguards.
As a manager, you guided a group of high school students through your clinical laboratory during a field trip. You did not explain the laboratory's privacy policy to the teacher and students, because you thought they would have little access to PHI. However, during the tour, the students overheard names of patients and associated blood tests, saw laboratory reports lying on desks, and viewed test results on computer screens.
True or false: This is acceptable under the HIPAA Privacy Regulation since these were incidental disclosures that could not reasonably be prevented.
Case Study: Accessing PHI.
You are answering the office phone today. A person claiming to be a patient, whose voice you do not recognize, calls demanding all his test results for the past 6 months. He threatens to complain to the government if you won't immediately read him the results over the phone.
True or false: Under the HIPAA Privacy Regulations, you must immediately give the patient the requested information over the phone, regardless of your office policy as it pertains to release of patient results.
MINIMUM NECESSARY USE AND DISCLOSURE
You are not likely to be the person responsible for use or disclosure of PHI if you are volunteering or shadowing. However, it is something you should be aware of…
Use and disclose only the PHI you need to get the job done.
Exceptions:
- When releasing PHI to another covered entity for treatment.
- When releasing PHI to the individual who is the subject of the information.
- When an individual has signed an authorization to release the PHI.
- When required to do so by law.
Minimum Necessary Use and Disclosure… Some Examples to Consider
You are a ward clerk responsible for inserting laboratory reports into patients' medical records (charts). You open the chart directly to the laboratory tab and insert the report.
True or false: Paging through and reading other sections of the medical record that are not applicable to your job responsibilities would be a violation of the HIPAA Privacy Rule.
You are a phlebotomist at a specimen collection center. A patient arrives with orders for a blood glucose test and a lipid profile. You get the patient's address, phone number, health insurance coverage, and ask how long ago he ate his most recent meal. You then ask him about his recent auto accident, his wound infection, and his family. You write down all the extra information.
Under the HIPAA Privacy Regulations, which of these information requests are acceptable?
WHAT IS THE HIPAA SECURITY RULE?
Defines how to protect electronic health information.
Examples of ePHI include:
- All PHI stored in computer systems and electronic storage media, including servers, workstations, laptops, PDAs, diskettes, CDs, tape, and USB drives.
- Electronic mail (email) messages.
On the topic of electronic media… A NOTE ABOUT SOCIAL MEDIA
- It is NEVER ok to take pictures in a healthcare environment and post or share them anywhere or with anyone – that is a clear violation of HIPAA!
- It is NEVER ok to share a story about a patient in any social media, email, text or voice mail message – even if you never use the patient's name. If it is even remotely possible for someone to identify a patient by the story, it is a clear HIPAA violation!
Physical safeguards include the physical aspects of protecting ePHI, and are of course comparable to similar safeguards discussed with the Privacy regulation.
Examples:
Limiting access to facilities where ePHI is being used by:
- Locking doors in work areas
- Wearing your ID badge at all times
- Limiting visitor access
Limiting access to workstations with ePHI by:
- Turning computer screens away from view.
- Locking up or otherwise securing laptops and PDAs.
- Taking special precautions to secure workstations in public areas.
As a volunteer or observer, you should be aware of these safeguards and follow any of these rules that apply to you. If you are not sure of your responsibility, ask someone!