CBL - HIPAA Training for Clinicians


CBL - HIPAA Training for Clinicians

This CBL is required for all HH members of the workforce who have clinical job functions. Contact your manager or the privacy officer for more information.

Data Privacy and Security Training

Introduction

Clinicians have an ethical and legal obligation to protect personal health information related to the care of their patients. The HIPAA Regulations provide caregivers guidelines and rules to follow to better protect that information. Many of the rules in the regulations reflect what we already do here at Huntsville Hospital. However, now we must be more diligent and consistent when complying with the rules.

Clinicians often bear the responsibility of using professional judgment when treating patients. Privacy rules are no different. However, clinicians must understand the guidelines and policies related to Data Privacy and Security in order to make professional judgments based on best practices and laws.

HIPAA Clinical

1-1 Incidental Uses and Disclosures of PHI

The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and has implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.

An example of an incidental use or disclosure would be sharing test results with family members in public areas.

1-2 Incidental Uses and Disclosures of PHI

- You may discuss PHI with other caregivers or when necessary for the care of the patient.
- You may discuss PHI with family members that are directly involved in the patient's care. Use reasonable precautions and common sense!
- You may have a sign-in sheet and you may call names in waiting rooms unless other privacy reasons exist.
- You may discuss a patient's treatment and care when a curtain is the only provision for privacy. Use discretion.

1-3 Verification of the Identity of Those Requesting PHI

(Slide illustration, two speech bubbles: "Can you give me the patient's name and date of birth?" and "This is Mr. Edwards' sister. Can you tell me if his labs from this morning have shown improvement?")

You should reasonably verify the identity of those who request PHI if you don't know them. Your manager will help determine the best method of verification for your department. If an individual becomes insistent or agitated, call Security 6660. If possible, ask the patient.

1-4 Involvement in the Care & Notification

You may disclose PHI to a family member, other relative, a close personal friend of the patient, or any other person identified by the patient.

When the patient is present and able, you may disclose information after the patient has been given an opportunity to object. You may infer from the circumstances that the patient does not object to the disclosure.

Remember that an adolescent 14 years or older should be given an opportunity to object to disclosures in the presence of others, unless involvement in care has already been established.

In the event of a patient's incapacitation, you may use professional judgment to determine whether it is in the best interest of the patient to disclose PHI if involvement cannot be determined. This should be documented in the patient's chart.

The PHI disclosed is in direct relationship to the person's involvement with the patient's health care (minimum necessary: reveal only necessary information for the situation).

You may use or disclose PHI to notify or assist in the notification of a family member or personal representative. As a rule, you should include only the patient's location, general condition, or death. An exception may be a close relative that lives in another city.

1-5 Verification of Authority of Those Requesting PHI

You must take reasonable steps to verify the authority to have access to a patient's PHI if you don't know whether the person has such authority.

Verification of authority also refers to other outsiders who request PHI, such as a physician office. If you know the office, or they fax the request on letterhead and they have told you they are involved in the patient's care, then you have reasonably verified the outsider's authority.

In an emergency, you may disclose PHI to notify someone without verifying authority.

You may use professional judgment and experience with common practice to make reasonable inferences for the individual's best interest in allowing a person to act on behalf of the individual to pick up prescriptions, medical supplies, X-rays, or other similar forms of PHI.

If an unconscious patient has an unusual circumstance that makes it difficult to determine which family members have authority, document their authority in the chart so that it does not have to be re-determined.

1-6 Authorizations

No need for an Authorization to disclose PHI:
- To the patient's physician for treatment and continuity of care
- To report infectious diseases to the Public Health Authority
- To report gunshot wounds to law enforcement, as required by law
- To report child abuse or vulnerable adult abuse
- To registries required by law
- To health oversight agencies
- For organ donation purposes

You will need an authorization to release PHI for baby photos, life insurance companies, and other disclosures you may identify that are not for treatment, payment, or operations. Call the privacy officer if in doubt.

1-7 Release to Law Enforcement Officials

Remember that you may release only specific information to law enforcement officials about persons suspected to be suspects, fugitives, material witnesses or missing persons. Do not disclose other than the allowed information.

Victims should be asked if they agree to disclosures to law enforcement officials about themselves.

Document disclosures to law enforcement officials in the chart:
- Agency
- Officer's name
- Date
- Purpose for disclosure
- Description of data

2-1 Reasonable Safeguards

Huntsville Hospital has long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:
- Speaking quietly when discussing a patient's condition with family members in public areas
- Avoiding using patients' names in public areas
- Ensuring that charts are not left unattended in unsecured areas
- Providing additional security, such as passwords, on computers maintaining personal information
- Not discussing patients in public areas such as the cafeteria
- Students shall not take PHI out of the facility, even when the name has been covered

If precautions have NOT been implemented, Huntsville Hospital may be in violation of the Privacy Rules if a breach occurs.

2-2 Identify and Train "People Milling Around"

- Drug reps
- IT vendors
- DME reps
- People delivering equipment, messages or food
- Ambulance and emergency crews
- Security and law enforcement personnel
- Equipment and supply vendors
- Outside auditors, consultants or attorneys
- Highly sociable employees who may regularly wind up in parts of your facility where they "have no business being"

(Slide illustration, speech bubble: "What was wrong with the man we brought in this morning?")

Employees should be aware of people in our facility who do NOT have a business need to know. Care should be taken to:
- restrict these people to certain areas;
- remind them of their responsibility when in our facility; and/or
- avoid discussing PHI around them.

2-3 Handling PHI in Meetings

- Meetings where PHI is discussed should only be attended by individuals who have been specifically invited or who have a specific business purpose for attending.
- These meetings should be conducted in an area such that PHI is not overheard or viewed by unauthorized individuals.
- When PHI has been recorded on boards, it must be erased before leaving the area.
- If documents containing PHI are distributed during the course of the meeting, and those documents are not required by the recipient for health care operations, the documents must be collected and destroyed at the completion of the meeting.

2-4 PHI on Equipment and Telecom - Review

Position equipment, including telephones, workstations, fax machines, copiers and printers, so that PHI may not be easily heard or viewed by unauthorized individuals. Employees who work on transportable computers (e.g. PDAs, laptops) and paper records should also be cognizant of their position with regard to unauthorized viewing of PHI.

Verbal communication should be conducted in the most discreet manner possible.

Computer printouts, medical records and other paper records should not be left in open work areas so as to expose the contents of the records.

Files and papers should be closed or put away when not in use.

Paper charts should never be unattended in public areas.

Faxes, computer printouts, and copies/originals should be collected as soon as possible and appropriately filed.

2-5 Secured/Unsecured Areas

All documents, including paper, supplies, x-rays, etc., that contain PHI or other confidential information should be disposed of in receptacles in designated secure areas.

Department managers may determine a need for a higher level of security in their department.

Should the secured area not be supervised 24/7, receptacles should be emptied or stored in locked areas during closed times.

Environmental Services employees and contractors responsible for collecting the trash should not leave containers unattended in public areas or should cover the container securely. Notify your manager immediately otherwise.

Where shredding receptacles exist, documents containing PHI should be placed there.

Outlying buildings that have trash receptacles in public areas have padlocks.

3-1 Attempt to Obtain an Acknowledgement

If the Patient Agreement and Acknowledgement Form has not been signed and no reason has been documented, staff should immediately attempt to get the signature or document the reason.

Make sure you refer to the 112 Signature Privacy Policy if you aren't sure who has authority to sign.

Full instructions to complete this form are included in the HIPAA online training module "Registration and Direct Report."

3-2 Restrictions

Patients who request a restriction about the use of their PHI should complete the "Request for Restrictions" form found on PULSE.

The restriction must be approved by the privacy officer.

Do not commit to a patient's request for a restriction to their data privacy. The Privacy Officer will deny or approve.

At any time during their stay, a patient may request some kind of restriction to the use of his PHI.

3-3 Research

- The term "Research" at HH refers to research approved by the IRC. Uses and disclosures that require authorizations have been approved during the approval process.
- All other studies, investigations, audits, operational reports and the like that involve PHI should be approved by completing the "Request for Uses or Disclosures of PHI" form found on PULSE and submitted to the Medical Records Director or the Privacy Officer.
- The "approval" is primarily for tracking or accounting purposes. Users of information should not alter their current practices unless notified to do so.

3-4 Correctional Institutions

We may disclose PHI to a correctional institution or a law enforcement official having lawful custody of an inmate, if the correctional institution or such law enforcement official represents that such protected health information is necessary for:
- Health care to the individual
- The health and safety of the individual or other inmates
- The health and safety of the officer or others

Document any disclosures to Correctional Institutions in the chart:
- Agency
- Officer's name
- Date
- Purpose for disclosure
- Description of data

Do not disclose PHI to inmates' families. This is the responsibility of the Correctional Institution.

3-5 Age of Agreement

A person who is 14 years old or older should sign the Patient Agreement and Acknowledgement Form. The parent may also sign the form.

Until the patient turns 19, you may disclose PHI to parents unless a restriction is in force. Use discretion.

The laws of the State of Alabama govern the age of consent for medical care, services, and treatment. Under specified conditions the adolescent may place restrictions on who has access to his medical records.

3-6 Access to the Medical Record for Inpatients

Requests to access the medical record for inpatients should be directed to the Nurse Manager.

The requestor will be informed that the request will be forwarded during regular business hours.

The nurse manager will notify the attending physician prior to meeting with the patient, giving the physician an opportunity to be present.

The nurse manager should refer to the record and answer factual questions.

If the patient requests a paper copy of a document, he must sign the "132 Authorization to Disclose Health Information" found on PULSE.

Where there are concerns of appropriateness, action should be postponed until issues can be resolved.

A patient has the right to inspect and obtain a copy of his record. HH will act on a request for access no later than 30 days after the request.

3-7 Marketing

You may not sell or give lists of patients to those outside our organization who will use the information for their own best interest.

1. An example would be giving a list of new parents to a diaper company. You may give diaper samples to patients, but it is their choice to notify the company.
2. Another example may be the Surgery Schedule. You may not view or print the schedule or share it with others, unless it is within your job responsibility in our organization to have the information.

Outside vendors should never solicit our patients.

3-8 Complaints/Patient Concerns

If, in the process of care, a patient indicates that he believes his data privacy has been compromised, notify your supervisor immediately.

It is a basic HIPAA right to complain.

Complete a 323 Incident Report if appropriate.

If it sounds like a data privacy complaint, listen. It's better to correct the issue before it becomes a problem.

What have you learned?

You are required to pass HIPAA Clinical only once. Additional changes or additions to the HIPAA Regulations will be communicated to you as necessary.

Definitions A-D

- Administrative Simplification: The provisions of HIPAA relating to standards for electronic health care transactions, the privacy and security of health information, and national identifiers.
- Authorization: A written authorization by an individual authorizing the use or disclosure of his or her health information.
- Business Associate: A person or organization that assists a covered entity with treatment or operations, and generates, receives or has access to protected health information. Covered entities are required to obtain confidentiality agreements (called business associate agreements) with their business associates.
- Business Associate Agreement (Contract): An agreement between a covered entity and its business associate in which the business associate agrees to restrict its use and disclosure of the covered entity's protected health information.
- CMS: The Centers for Medicare and Medicaid Services, a department within the U.S. Department of Health and Human Services (formerly Health Care Financing Administration).
- Covered Entity: A health plan, a health care clearinghouse, or a health care provider that transmits electronic transactions.
- Data Aggregation: The combining of such protected health information by a business associate on behalf of more covered entities than one, to permit data analysis relating to the health care operations of the participating covered entities.
- Data Use Agreement: A confidentiality agreement between a covered entity and the recipient of health information in a limited data set.

Definitions D-H

- De-identified Health Information: Health information from which individual identifiers have been removed, so that it cannot be used to identify an individual. De-identified health information is not protected by HIPAA.
- Designated Record Set: A health care provider's medical records and billing records about individuals, a health plan's enrollment, payment, claims adjudication, and case or medical management records, and any other records used by a covered entity to make decisions about individuals.
- Direct Treatment Relationship: A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.
- Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.
- Group Health Plan: An employee welfare benefit plan that provides medical care.
- HHS: The U.S. Department of Health and Human Services.
- Health Care: Care, services, or supplies related to the health of an individual.
- Health Care Clearinghouse: An organization that processes health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or vice versa.
- Health Care Operations: Business management and operations, including quality assessment and improvement, peer review, underwriting, medical review, audits, and business planning, management and development.

Definitions H

- Health Care Provider: A person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- Health Information: Any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- Health Insurance Issuer: A company that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.
- Health Maintenance Organization (HMO): A federally qualified HMO, or an organization regulated by State law as a health maintenance organization.
- Health Oversight Agency: A governmental agency that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
- Health Plan: An organization that provides, or pays the cost of, medical care. Employee health benefit plans are health plans, unless they are self-administered and have fewer than 50 participants. Government-funded programs whose principal function is providing direct health care services are not health plans.

Definitions I-M

- Individually Identifiable Health Information: Information that relates to an individual's physical or mental health; the provision of health care to an individual; or the payment for health care provided to an individual, that identifies the individual or could be used to identify the individual.
- Indirect Treatment Relationship: The provider delivers health care to the individual based on the orders of another health care provider; and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
- Law Enforcement Official: An officer or employee of any governmental agency who is empowered by law to investigate or prosecute violations of law.
- Limited Data Set: Health information from which specified identifiers have been removed. Information in a limited data set is protected, but may be used for research, health care operations and public health activities without the individual's authorization.
- Marketing: A communication about a product or service that encourages recipients of the communication to purchase or use the product or service. It does not include communications for treatment, case management or care coordination.
- Minimum Necessary: Applies when using or disclosing protected health information or when requesting protected health information from another covered entity; a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Definitions O-S

- Organized Health Care Arrangement: An organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement; and participate in joint utilization review, quality assurance or financial risk for health care services.
- Payment: The activities of a health care provider to obtain payment for health care services, or of a health plan to obtain premiums, or to adjudicate and pay claims.
- PHI (Protected Health Information): Individually identifiable health information in any form.
- Public Health Activities: The activities of public health authorities to collect information for the purpose of preventing or controlling disease, illness or injury.
- Public Health Authority: A government that is responsible for public health matters.
- Public Interest Disclosures: Disclosures for a variety of public interest-related purposes, which HIPAA permits without the individual's authorization.
- Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to knowledge.
- Secretary: The Secretary of Health and Human Services.
- Secure Area: An area that has physical safeguards to eliminate or minimize the possibility of unauthorized access to confidential information, for example a locked room or an area that is attended by authorized employees. Department managers are responsible for designating the area within their department that will be considered secure. All trash receptacles within designated secure areas will be considered secure and will be disposed of in a secure manner.

Definitions T-W

- Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. HIPAA sets standards for the following electronic transactions:
  1. Health care claims or equivalent encounter information.
  2. Health care payment and remittance advice.
  3. Coordination of benefits.
  4. Health care claim status.
  5. Enrollment and disenrollment in a health plan.
  6. Eligibility for a health plan.
  7. Health plan premium payments.
  8. Referral certification and authorization.
- Treatment: The provision, coordination, or management of health care and related services by a health care provider.
- Unsecured Area: Areas outside or inside of the department that are exposed to the public, i.e. public areas, waiting rooms, patient rooms, restrooms, etc.
- Use: The sharing, employment, application, utilization, examination, or analysis of information within the entity that maintains such information.
- Workforce: A company's employees, volunteers, trainees, and other persons under the direct control of the company.
