This training program is designed to introduce staff, volunteers, and students to the requirements for privacy and confidentiality under the Health Insurance Portability and Accountability Act (HIPAA) for the sake of patients.

Confidentiality and patient privacy have been part of our Code of Conduct, Standards of Behavior, State laws, and JCAHO standards for patient care.

Under a new national law it will be illegal to violate this code. The Health Insurance Portability and Accountability Act, or HIPAA for short, includes punishments for anyone caught violating patient privacy. Under HIPAA, the mission is that patients will be able to trust their providers and the organization in which they work. To build trust, HIPAA calls on health care workers and others with access to patient information to be knowledgeable of the rules for privacy and confidentiality and abide by them in the workplace.




Health care organizations are committed to protecting patient privacy and confidentiality and expect all employees to adhere to the privacy and confidentiality policies. When you fail to protect patient information and patient records by not following the hospital’s privacy policy, it can have an impact on the whole organization, your status with the organization, and your license to practice. It is very important to become familiar with the policies as they become available. If you are unsure or have any questions, see your supervisor or consult with the hospital’s privacy officer.

Employees are encouraged to report violations or suspected abuse to the hospital’s privacy officer (Tris Jackson ext. 1234). Violations may be reported anonymously, if you wish, and you should not fear retaliation for reporting a privacy violation. It is part of your job obligation to report instances where you suspect the privacy or confidentiality policies are being broken.

The HIPAA Privacy Rule

The privacy rule creates national standards to protect individuals’ medical records and other personal health information. The rule:

· Gives patients more control over their health information.
· Sets boundaries on the use and release of health records.
· Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
· Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
· Takes into account public responsibility to disclose some forms of data to protect public health.

Who Is Covered By the Privacy Rule?

Providers who conduct electronic transactions, health plans and clearinghouses are covered. If business associates receive or create protected health information to perform some function for a hospital, contracts must declare that those business associates will use the information only for the purposes that they were hired to perform, will safeguard the information from misuse and will help the covered entity comply with its HIPAA obligations. They are prohibited from using information in any way that would violate HIPAA.

Protected Health Information (PHI)

· HIPAA protections extend to any identifiable information related to the "past, present or future physical or mental health condition" of a person
· In any form or medium
· Only adequately “de-identified information” is exempt:
    · Information that contains no direct identifiers
    · It would be virtually impossible to identify from the indirect ones that remain

Examples of protected health information include: zip codes, telephone numbers, fax numbers, e-mail addresses, pictures, dates of service, patient history, discharge summary, phone notes, inpatient progress notes, outpatient progress notes, census and allergies.

The Minimum Necessary Standard states that when using or disclosing protected health information or when requesting protected health information from another covered entity, the provider must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

“Incidental disclosures” are not a violation of the privacy rule.

Who is authorized to see protected health information?

Healthcare providers who are directly involved in providing treatment, payment, or health operations (TPO) are authorized to see or access patient information.




Health Care Staff Responsibilities

· Ensure that patient information is not disclosed improperly.
· Allow patients access to examine their records.
· Allow patients to suggest changes to those records.
· Educate patients on privacy policies (how their data will be used).
· Give patients the right to revoke permission to use data.
· Notify patients of anyone who has seen their records.
· Provide a formal complaint process for patients.
· Allow patients to determine where communications are sent.
· Mitigate damage from inappropriate uses or disclosure.
· Respond within reasonable time and costs to patient requests.
· Maintain a permanent copy of the record (required by law) and appropriately manage it.



HIPAA Rights Guaranteed to Patients

HIPAA provides rights to patients for their protected health information:

· "access" - to see, get a copy of one's records
· "amendment" - to request corrections, statement of disagreement when errors are found
· "accounting" - of uses and disclosures of protected health information (patient may request a list of (some of) the entities to which/whom one's records have been disclosed)
· for especially sensitive information, can request extra protections and/or confidential communications
· to complain about, get resolution of, privacy problems

Provider Rights

· Use patient information for treatment, payment, and health care operations.
· Disclose information for treatment, payment and operations by other covered entities.
· Withhold part of the record if disclosure would result in patient harm.
· Disclose information to family members or other patient representatives, if patients cannot speak for themselves.

Fines and Penalties for Violating HIPAA Standards

Civil and criminal penalties for noncompliance include fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

HIPAA Sanctions

· Civil
    $100 each violation, up to $25,000/person/year
    liability of knew, or reasonably should have known, and attempted cur
· Criminal
    - “knowing” - up to $50,000, 1 year in prison
    - “under false pretenses” - $100,000, 5 years in prison
    - with “malice” or intent for “personal or commercial gain” - $250,000, 10 years in prison

Other Sanctions

· Institutional reputation – loss of business, profits
· Employee suspension or termination
· Loss of license to practice
· Civil fines
· Criminal fines and imprisonment
