3. WHAT IS HIPAA
Health Insurance Portability and Accountability Act
Established in 1996
2 rules covered in this training: the Privacy Rule and the Security Rule
Privacy Basics
Standards developed to “address the use and disclosure of
individual’s health information or Protected Health information
(PHI)” (3)
4. WHO MUST COMPLY WITH HIPAA
ALL employees of the organization must follow the HIPAA
Privacy Rule
Figure 1
5. WHAT TO SAFEGUARD: PROTECTED
HEALTH INFORMATION
Basic Definition: identifiable health related information
about an individual
3 elements of PHI (1):
Individual is identified
Health conditions or related information (e.g. Legal
proceedings)
Information is held by a Covered Entity (CE)
6. HOW TO COMPLY WITH HIPAA
US Dept of Health and Human Services states the Privacy
Rule’s “Basic Principle”: (3)
“ ...purpose is to define and limit the circumstances in which an
individuals [PHI] is used or disclosed by [CEs]…”
2 ways use and disclosure can be done:
Permitted Uses
To the individual
Treatment, Payment, Operations (TPO)
12 public interest and benefit situations
Uses and disclosures where the individual has the opportunity to agree or object
Incidental Uses or disclosures
Limited Data set
Authorized Uses
Please visit the website for additional information:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
***Contact the Privacy Officer with any questions or concerns***
7. MINIMUM NECESSARY
Definition: a Privacy Rule requirement that restricts
access to PHI to those who need the information to
complete the task it was requested for (1).
The information obtained is limited to the minimum necessary to
complete that task.
Be familiar with your specific department’s policies and
procedures as well as the organization’s.
8. RELEASE OF PHI GUIDELINES
Ensure information:
is being released to an authorized person
fits the minimum necessary standard to complete the task
has a valid date
is available to be released
Written authorization
Oral authorization
Or qualifies under authorized exceptions
request has been documented
Use professional judgment:
Make sure the information being requested will not cause:
- individual harm
- relationship damage between individual and
organization
9. PART II: TRAINING SCENARIOS
We will now discuss 4 different scenarios:
Identify the problem
Discussion
Implement the solution
10. SCENARIO 1
Situation:
You have an electronic health record. When an error is
made in the record, it is the policy of the facility to allow
the person who has made the error, to totally delete it
from the system
The Problem: deleting entries undermines 3 properties of the record
Integrity: the record is accurate and complete
Authenticity: the record is what it claims to be
Non-repudiation: the author cannot deny what was recorded
Brodnik states the goal of the Security Rule is to “...protect
ePHI from unauthorized access, alteration, deletion and
transmission.” (1)
11. SCENARIO 1 SOLUTION
General rules when dealing with an electronic health
record:
Records should never be deleted
When revision is required: The individual making the
correction needs to
identify the incorrect data
flag it
provide a link
Refer to our organization's policies and procedures in the
rare instance a deletion needs to be made, or contact the
Privacy Officer
12. SCENARIO 1 SOLUTION
An Access Control List (ACL) has been established
Access controls define which roles are authorized to delete
records
Permissions are organized by role and by group
Access rights identify the user and verify that the user has
the rights to complete the requested action before it is carried out
If you do not have sufficient authorization for the task at hand,
discuss how to proceed with your supervisor or the HIM manager
13. SCENARIO 2
Situation:
Patients are allowed to amend the health record directly
into the electronic health record with no supervision of
staff
The Problem: patients have the ability to change their
health records directly, affecting:
Integrity
Authenticity
Non-repudiation
14. SCENARIO 2 SOLUTION
Under the HIPAA Privacy Rule, individuals have the right to
request amendments to their records (45 CFR 164.526); they do not
have the right to edit the record themselves.
Patient Amendment Process:
Patient must complete an official request
Written form
Reason for amendment
HIM department will process the request and contact the
patient
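The flag-and-link correction rule from Scenario 1, the role-based restriction on deletion from its solution, and the patient amendment request workflow from Scenario 2 can be modeled in code. The following Python is an added example written for this page; it is not code from the training deck or from St. Francis Hospital's EHR system, and the role names, permissions, medical record number and sample entries are assumptions made for illustration. Each entry is hash-chained to its predecessor so that any after-the-fact edit is detectable, which is what gives the record its integrity and non-repudiation properties.

```python
"""Append-only patient record with flag-and-link corrections and role checks.

Added example, not code from the training deck or from St. Francis Hospital.
It models the Scenario 1 rule (erroneous entries are flagged and linked to a
correction, never deleted) and the Scenario 2 rule (a patient can only file an
amendment request, which HIM staff resolve). Role names, permissions and the
sample entries are assumptions made for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed role-to-permission map; a real system would load this from its ACL.
# Note that no role at all holds a "delete" permission.
ROLE_PERMISSIONS = {
    "clinician":   {"append", "correct"},
    "registrar":   {"append"},
    "him_manager": {"append", "correct", "resolve_amendment"},
    "patient":     {"request_amendment"},
}


class PermissionDenied(Exception):
    pass


@dataclass
class Entry:
    seq: int
    author: str
    role: str
    action: str                 # append | correct | amendment_request
    content: str
    timestamp: str
    supersedes: Optional[int]   # seq of the entry this one corrects, if any
    prev_hash: str              # hash of the previous entry (integrity chain)
    hash: str = ""

    def digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PatientRecord:
    def __init__(self, mrn: str):
        self.mrn = mrn
        self.entries: List[Entry] = []
        self.flagged: Dict[int, int] = {}   # erroneous seq -> correcting seq

    def _require(self, role: str, perm: str) -> None:
        if perm not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"role {role!r} may not {perm}")

    def _add(self, author, role, action, content, supersedes=None) -> Entry:
        prev = self.entries[-1].hash if self.entries else ""
        e = Entry(len(self.entries) + 1, author, role, action, content,
                  datetime.now(timezone.utc).isoformat(), supersedes, prev)
        e.hash = e.digest()
        self.entries.append(e)
        return e

    def append(self, author, role, content) -> Entry:
        self._require(role, "append")
        return self._add(author, role, "append", content)

    def correct(self, author, role, bad_seq, content) -> Entry:
        """Flag entry bad_seq and link it to a new corrected entry; nothing is removed."""
        self._require(role, "correct")
        if not 1 <= bad_seq <= len(self.entries) or bad_seq in self.flagged:
            raise ValueError(f"entry {bad_seq} cannot be corrected")
        fix = self._add(author, role, "correct", content, supersedes=bad_seq)
        self.flagged[bad_seq] = fix.seq
        return fix

    def delete(self, author, role, seq) -> None:
        # There is no delete path; even privileged roles must go through correct().
        raise PermissionDenied("entries are never deleted; use correct()")

    def request_amendment(self, patient_id, bad_seq, reason) -> Entry:
        """Patient files a request; the chart is untouched until HIM resolves it."""
        self._require("patient", "request_amendment")
        return self._add(patient_id, "patient", "amendment_request",
                         f"seq {bad_seq}: {reason}", supersedes=bad_seq)

    def resolve_amendment(self, author, role, request_seq, content) -> Entry:
        """HIM staff act on a filed request by recording a linked correction."""
        self._require(role, "resolve_amendment")
        if not 1 <= request_seq <= len(self.entries):
            raise ValueError(f"no entry {request_seq}")
        req = self.entries[request_seq - 1]
        if req.action != "amendment_request":
            raise ValueError("not an amendment request")
        return self.correct(author, role, req.supersedes, content)

    def current_view(self) -> List[str]:
        """What a reader sees: clinical entries that have not been superseded."""
        return [e.content for e in self.entries
                if e.action in ("append", "correct") and e.seq not in self.flagged]

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev or e.hash != e.digest():
                return False
            prev = e.hash
        return True
```

The superseded entries stay in `entries` and remain visible to an auditor, while `current_view()` shows clinicians only the corrected content. A registrar calling `correct()`, or anyone calling `delete()`, is refused by the role check rather than by convention, which is the difference between the policy in Scenario 1 and the access controls in its solution.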
15. SCENARIO 3
Situation:
When a visitor is at a nurses' station, the computer screens
are visible and readable by the visitor, leaving patient PHI
exposed to the public
The Problem: adequate measures are not being taken to
protect the privacy of patient records.
16. SCENARIO 3 SOLUTION
Workstation Use and Security Policies have been updated
to include the following requirements:
Workstation locations must be in monitored areas
Workstation screens need to be adjusted away from public
view
Use of screen devices such as privacy filters to block
peripheral views is recommended
Automatic session time-outs have been enabled on all workstations
Password re-entry is required to resume a session
Security training and awareness program completion is
required for all employees who use workstations
17. SCENARIO 4
Situation:
When on the elevator, physicians, nurses, a custodian,
and a patient registrar, discussed patients by name,
health care problem, and in one case, an ongoing
litigation case about a malpractice suit.
The Problem: breaches have occurred at both the organizational
and individual level
Employees have failed to protect the privacy of PHI
The minimum necessary standard has been violated
18. SCENARIO 4 SOLUTION
Employee Awareness Standards
Employees abide by Minimum Necessary Rule and HIPAA
Privacy rule
19. PENALTIES FOR NONCOMPLIANCE
It is important to note that there are penalties for
noncompliance
Civil penalties: from $100 per violation up to $25,000 per
calendar year for identical violations (these are the original
HIPAA figures; the HITECH Act of 2009 raised the civil tiers
substantially, to as much as $1.5 million per year)
Criminal penalties: from a $50,000 fine and 1 year of
imprisonment up to a $250,000 fine and 10 years of imprisonment,
depending on intent
20. THINGS TO REMEMBER
Closing thoughts:
We must uphold the responsibility of ensuring patient
information (PHI) is protected and that patients know their
rights.
We must respect individuals, fellow workforce members and the
organization, act respectfully, and act in accordance with the
standards
21. REFERENCES
1) Brodnik MS, McCain MC, Rinehart-Thompson LA, Reynolds RB. Fundamentals of Law for Health
Informatics and Information Management. Chicago: AHIMA Press, 2008. p. 134, 140, 159, 176, 179, 182, 214-5, 217, 222.
2) Hughes G. Laws and regulations governing the disclosure of health information (updated). AHIMA 2002 Nov [cited
2012 May 21]. Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/
bok1_016464.hcsp?dDocName=bok1_016464
3) The HIPAA Privacy Rule's right of access and health information technology. Available from: URL: http://www.hhs.gov/
ocr/privacy/hipaa/understanding/special/.../eaccess.pdf
4) The five Ws of HIPAA. Available from: URL: som.ucsd.edu/webfm_send/4665
5) Health and Human Services website. Available from: URL:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
6) Wiedemann LA, Hjort B. HIPAA Privacy and Security Training (updated). AHIMA 2010 Nov [cited 2012 May 20];
[1 screen]. Available from: URL:
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
Figure 1: University of South Alabama [online image]. Available at: http://www.southalabama.edu/healthprofessions/
Speaker notes
Slide 1
Welcome to St. Francis Hospital's basic HIPAA training. We will discuss how all employees can do their part to ensure HIPAA compliance. Our goal is to provide a professional, high-quality and secure environment for all interactions involving patients, employees and business associates.
Slide 2
We acknowledge that there is a variety of backgrounds and exposure to HIPAA at our facility. Our goal is to bring awareness and educate employees on sound processes so that we act and handle patient information appropriately. Some of you may not deal with patient information on a day-to-day basis, but it is important for everyone to know what HIPAA is, how to handle PHI, and most importantly where to go if you have questions or need additional information.

First we will go over basic HIPAA information, terms and definitions related to this topic.

Then we will apply what we learned in Part 1 and examine some scenarios to get a sense of how to identify a violation, and how to avoid violations by following HIPAA-compliant processes.
Slide 3
To start with, a little background on HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996. Its goal is to provide standards that covered entities must follow to protect patient health information. (3)

There are two rules under HIPAA that concern us here: the Privacy Rule and the Security Rule. The Privacy Rule provides national standards for safeguarding protected health information, while the Security Rule provides a set of standards for the storage, management and transmission of electronic protected health information (ePHI). (3)

Today's training module will focus on the Privacy Rule.
Slide 4: Who must comply with HIPAA
All covered entities must comply with HIPAA. This includes health plans (insurance companies), health care providers, and health care clearinghouses. (3) Therefore all employees at St. Francis Hospital must comply with HIPAA, so that protected health information is properly safeguarded while we maintain best-quality care practices and services and take public well-being into consideration as required. (3)
Slide 5
Now that we know what HIPAA is, let's discuss what information we are guarding.

Protected health information has three basic components: the individual can be identified; the information pertains to a health condition or related information (such as legal proceedings); and the information is collected and held by a covered entity.
Slide 6
To comply with HIPAA it is important to remember the basic principle as defined by the US Department of Health and Human Services: "the purpose is to define and limit the circumstances in which an individual's [PHI] is used or disclosed by [CEs]".

There are six permitted uses and disclosures for which written authorization is not required:
- to the individual patient;
- for treatment, payment or health care operations (TPO);
- when the individual (or representative) is present and has the opportunity to agree or object;
- when the disclosure falls under one of the 12 public interest and benefit situations;
- incidental disclosures that are a by-product of an otherwise permitted use, provided minimum necessary safeguards are in place (e.g. calling out a patient's name in the waiting room) (1, p. 175);
- use in a limited data set, where direct identifiers are removed and the data may only be used for public health, health care operations or research (1, p. 175).

The slide provides a link to the Department of Health and Human Services site, which includes additional information on uses and disclosures.

Again, always refer to St. Francis Hospital's policies and procedures for additional information, or contact the Privacy Officer.
Slide 7
The minimum necessary requirement is part of the Privacy Rule. The essential idea is that information should only be shared with those who need it to perform their job functions, and only the minimum amount of information needed to complete the task at hand should be shared.

Access controls are enabled by individual, role and group to enforce the minimum necessary standard. Access privileges are based on work role and on what information the individual needs to do their job. Parameters have been set to grant viewing rights at different levels depending on what data is necessary.

Please check your department's specific policies and procedures for complete information pertaining to your role.
Slide 8
Before examining the scenarios, let's talk about release of PHI and the guidelines that should be followed.

Before releasing information, the following steps must be taken:
1) Confirm that the person requesting the information is authorized to receive it.
a. Verify their identity.
b. Check the record to make sure there are no restrictions, revocations, or anything else that would prevent you from disclosing the information.
2) Make sure you are enforcing the minimum necessary standard: only give what has been requested, and only when permissible.
3) Verify that the date of the request is valid.
4) When completing a request, make sure you are following the rules for the situation. If authorization is required, make sure you have collected the correct form (in most cases this is a written authorization, though there are some exceptions; please check the policies and procedures manual).
5) Finally, make sure you have documented the request.

And always use your professional judgment to make sure the request is valid, appropriate and secure.
Slide 9
Now let's discuss four scenarios. These scenarios have been extracted from a recent audit at St. Francis that reviewed the organization's processes and checked for HIPAA compliance. This section will act as a review and an educational tool to discuss modification of PHI-related processes.
Slide 10
The situation: you have an electronic health record. When an error is made in the record, it is the policy of the facility to allow the person who made the error to delete it entirely from the system.

The problem: this violates the Security Rule.

As Brodnik states, the goal of the Security Rule is to "protect ePHI from unauthorized access, alteration, deletion, and transmission." (1)

In this case the electronic health record is being altered, and the history of what was originally recorded is lost. This affects the integrity, authenticity and non-repudiation of the record.
Slide 11
How can we rectify this situation? By following standard electronic health record procedures. In general, a record entry should never be deleted. If there is an error, or something needs to be modified, follow these steps:
- identify the incorrect data;
- flag it;
- provide a link from the flagged entry to the correction.

In the rare instance that a deletion is called for, please discuss it with your supervisor or contact the Privacy Officer.
Slide 12: Scenario 1 solution, part II
Finally, be aware that access controls have been reviewed and modified to ensure that only the appropriate workforce roles have access to the information needed to accomplish their duties.

If you are trying to perform a task and are unable to, please contact your supervisor or the HIM Manager.
Slide 13: Scenario 2
The situation: patients are allowed to amend the health record directly in the electronic health record with no supervision by staff.

The problem: patients have the ability to alter their health record, which affects the integrity, authenticity and non-repudiation of the record. This is similar to the first scenario, but here it is the patient who is able to alter the record. This is a violation of the Security Rule.
Slide 14: Scenario 2 solution
Under HIPAA, patients have the right to request amendments to their records. We are discontinuing the previous policy and in its place requiring that a written request be completed, including the reason for the amendment. The request will then be processed by the HIM department in a timely fashion, and they will contact the individual once a decision has been made.

Please contact the HIM Department with any further questions or concerns.
Slide 15: Scenario 3
The situation: when a visitor is at a nurses' station, the computer screens are visible and readable by the visitor, leaving patient PHI exposed to the public.

The problem: adequate measures are not being taken to enforce the Privacy Rule and protect patient health information.
Slide 16: Solution
We have assessed the situation and updated the workstation use and security policies to be in accordance with HIPAA standards. The following requirements have been implemented:
- Workstations are located in monitored areas.
- Workstation screens have been turned away from public view.
- Use of screen devices such as privacy filters to block peripheral views is recommended.
- Automatic session time-outs have been enabled on all workstations.
- Password re-entry is required to resume a session.
- Completion of the security training and awareness program is required for all employees who use workstations.
Slide 17: Scenario 4
The situation: on the elevator, physicians, nurses, a custodian and a patient registrar discussed patients by name and health care problem, and in one case an ongoing litigation case about a malpractice suit.

The problem: the American Health Information Management Association (AHIMA) identifies this situation as a breach at both the organizational and the individual level.

Employees are discussing PHI outside normal business operations. In this situation it is evident that not all of these roles need the information to complete their routine duties. Though we do not know the full reason why this information was being discussed, professionals should use their best judgment and discretion when relaying PHI.
Slide 18: Solution
Let's review the employee awareness key points:
- Understand confidentiality and role responsibilities. (1)
- Respect patient privacy and take active measures to protect confidentiality. (1)
- Follow guidelines that support HIPAA requirements and recommendations, such as the minimum necessary and Privacy Rule standards.

Additional employee awareness training has been implemented and is now an annual requirement. An email notification will be sent with more details.
Slide 19
It is important to note that there are penalties for noncompliance with HIPAA regulations. These include both civil and criminal penalties.
Slide 20
I would like to end today's basic HIPAA training with a couple of reminders. We all hold valuable roles in health care, and we need to know and understand our responsibilities: to protect patient health information, to inform patients of their rights, and to act ethically and abide by legal standards. This will benefit patient care and services and create a sounder professional environment.