HIPAA Reference Tool  for  All Staff Clinical and Non-Clinical

HIPAA Reference Tool for All Staff Clinical and Non-Clinical PowerPoint PPT Presentation


  • 210 Views
  • Uploaded on
  • Presentation posted in: General

2. HIPAA and Its Purpose. What is HIPAA?Health Insurance Portability and Accountability Act of 1996It's a federal lawHIPAA is mandatory, penalties for failure to comply. Purpose:Protect health insurance coverage, improve access to healthcareReduce fraud and abuseImprove quality of healthcare in generalReduce healthcare administrative costs (electronic transactions).

Download Presentation

HIPAA Reference Tool for All Staff Clinical and Non-Clinical

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


1. 1 HIPAA Reference Tool for All Staff Clinical and Non-Clinical

2. 2 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Itís a federal law HIPAA is mandatory, penalties for failure to comply Purpose: Protect health insurance coverage, improve access to healthcare Reduce fraud and abuse Improve quality of healthcare in general Reduce healthcare administrative costs (electronic transactions)

3. 3 Who Can You Contact at the Facility if You Have HIPAA Questions? FPO (Facility Privacy Official) Ė Monica Perches HIM DIRECTOR Ė Ann Todd HOW CAN YOU GET AHOLD OF THEM? Via MOX or telephone IF THEY ARE NOT IN THEIR OFFICE OR AFTER HOURS? Contact PBX they will initiate contact

4. 4 HIPAA Terminology HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information Directory Ė Hospital census list used by volunteers and operators with patient name and room number TPO Ė treatment, payment, healthcare operations

5. 5 HIPAA Terminology Privacy= the individuals right to decide who, when and how any information about him/herself is disclosed Confidentiality= the obligation of another to maintain the personís privacy

6. 6 What is Protected by HIPAA (PHI)? Name Address including street, city, county, zip code and equivalent geocodes Names of relatives Name of employers Birth date Telephone numbers Fax Numbers Electronic e-mail addresses Social Security Number Medical record number Health plan beneficiary number Account number Certificate/license number Any vehicle or other device serial number Web Universal Resource Locator (URL) Internet Protocol (IP) address number Finger or voice prints Photographic images Any other unique identifying number, characteristic, code

7. 7 What Does Protecting PHI Mean? Making sure it is private Making sure it is accessible to the appropriate provider Making sure it is safeguarded from unauthorized users Educating staff

8. 8 Privacy Protection Coversheets with confidential statement needs to be used on all external faxes. Screens will need to be placed out of public view when possible Patient charts will need to be placed in secure area PHI will need to be placed in Shred-It containers not trash Ė the bins are located throughout the facility in the departments

9. 9 Privacy Protection Patient family members will be given a passcode for other than directory releases Patient information should only be accessed if there is a need to know. Do not discuss PHI in public places. Nursing stations and joint treatment areas like OR, ER double occupancy rooms are OK.

10. 10 Privacy Protection Registration will be giving out a Notice of Privacy Practices brochure to every patient concerning our patient privacy protection policy. Patients will be given the option to ďopt outĒ of our directory. Patients will have a right to a copy of their medical record Authorizations need to be obtained from patient to release information for reasons other than for treatment, payment or healthcare operations (TPO)

11. 11 Information Is Accessible to Authorized Users What is an authorized use? When requested by the individual, For treatment of the individual, For billing and payment purposes, and Certain healthcare operations

12. 12 Disclosing PHI to Family Members and Friends who call the unit Ė What is a Passcode? Prior to the disclosure of PHI, the individual requesting a patientís PHI must give the patientís passcode, consisting of the last four (4) digits of the patientís account number, to the individual with the PHI. To ensure the patientís true wishes are expressed, this permission should be discussed privately between the patient and the individual with access to disclose PHI, whenever possible.

13. 13 Disclosing PHI to Family Members and Friends who call the unit Ė What is a Passcode? Admissions/Registration department issues the passcode, the individual will receive a form with the following statement: PATIENT INFORMATION PASSCODE We are committed to providing quality care that is sensitive, compassionate, promptly delivered, and cost effective, as reflected in the HCA Commitment to Our Patients. The privacy of patient information is second only in importance to patient care itself. In order to better protect your privacy, we are assigning a four-digit passcode for you to give to the family members and friends whom you would like us to share your personal health information.

14. 14 Verification of Requestors What if the patient was transferred from another state and they did not go through the routine admissions/registration process; What if the patient was transferred from a local Nursing Home in an emergent status and a family member has guardianship of the patient but the guardian lives in another state and they did not receive a passcode and they are calling for information. How do you handle these types of situations? Is there another way to verify the requester via the telephone? How do you verify a requester?

15. 15 Verification of Requestors Every member of the facility workforce must verify the identity of any person or entity from outside the facility when the person or entity is unknown to the workforce member and is requesting protected health information (PHI) either in person, verbally or via written request.

16. 16 Verification of Requestors Requestor is able to provide a minimum of three information items from the following list of acceptable identifiers (The information may be provided verbally or in writing): Patient Social Security Number (required) and Patient Date of Birth (required) and Any one of the following: Account Number Street Address Insurance Carrier Name Insurance Policy Number Medical Record Number Birth Certificate Insurance Card

17. 17 Privacy Sign Awareness Background on the Need for Signs The HIPAA Privacy Rule (ß164.510(b)) states a facility may disclose PHI to a patientís family member, other relative or a close personal friend IF the facility obtains the patientís agreement and/or provides the patient the opportunity to object to the disclosure. The industry, including our facilities, continues to experience potential violations of this rule when clinicians are discussing medical conditions, treatments, results with the patient and the patientís visitors are present.

18. 18 Privacy Sign Awareness Background on the Need for Signs Our facilities have submitted and continue to submit a number of Potential Reportable Events (PREs) related to this type of potential violation to the Office of Inspector General (OIG) Our facilities have received and continue to receive a number of patient complaints related to this type of potential violation Patients also have the right to complain directly to the Office of Civil Rights (OCR) which would then launch an investigation of our facility

19. 19 Privacy Sign Awareness Signs will be posted throughout the clinical floors: PROTECTING PATIENT PRIVACY All healthcare personnel must obtain permission from the patient prior to discussing any health care issues in front of a patientís visitors.

20. 20 Privacy Sign Awareness Cliniciansí Responsibility All clinicians must ensure they have the patientís agreement before discussing any PHI in front of the patientís visitors, including family members. It is not appropriate to assume the patient is comfortable having their PHI discussed in front of their visitors, even if the patient does not appear to object or ask the visitors to leave.

21. 21 Privacy Sign Awareness Approaches to compliance may include: Asking the visitor(s) to leave the room for a few minutes so that you can ask the patientís permission to discuss PHI in front of them. Clinicians can point to the sign as the rationale for their request. Ask patientís up front if you are free to discuss PHI in front of any/all visitors. The bottom line is no PHI should be discussed in front of a patient's visitors without the patientís specific agreement.

22. 22 External Faxing Guidelines Limit when possible Verify fax number Utilize preset numbers when applicable Locate fax machine in secure location ALWAYS use cover sheet with confidentiality statement for transmittals Highly sensitive information should NEVER be faxed (HIV status, abuse records, etc.)

23. 23 Notice of Privacy Practices Patient will receive Notice upon each registration Outlines patient rights Right to access Right to amend Right to Confidential Communication Right to Privacy Restriction Right to Opt out of Directory Right to an Accounting of Disclosures (AOD)

24. 24 Patientís Right to Access Forward to HIM (Health Information Management {Medical Records}) for processing Must be able to provide access and/or hard copy of record If patient is in-house, HIM will manage access process

25. 25 Patientís Right to Amend Forward request to HIM for processing Right of patient to provide amendment (append) to records Cannot change or omit documentation already in the medical record If patient in in-house HIM will manage amendment process

26. 26 Patientís Right to Opt out of Directory Patient can opt out of directory at anytime but will probably happen during admission process You may not acknowledge the patient is in the facility or give information about the patient to friends, family or others who may inquire Can still release information to family and friends with 4-digit passcode as defined in the Use and Disclosure of PHI to Family Members and Friends policy. Forward any request for opt out to Registration for processing

27. 27 Talking Points When Dealing with Visitors of Patients Who Have Opted Out of the Directory I am not comfortable stating a patient is not here when in fact they are a patient. Would it be acceptable to transfer the call to my supervisor or admitting? No - by doing so you are letting the caller know the patient is here. Part of healthcare is to protect the rights of the patient. The Patient Bill of Rights guarantees the patient confidentiality. HIPAA, a federal law, requires us to follow this policy.

28. 28 Talking Points When Dealing with Visitors of Patients Who Have Opted Out of the Directory What harm could come from delivering flowers to the patient? After all it is delivered by the florist and it would brighten the patientís day. Domestic Violence Issues Media Family Issues Not honoring the patientís request

29. 29 Talking Points When Dealing with Visitors of Patients Who Have Opted Out of the Directory Would it be okay to say I am not allowed to give out that information? No. By doing this, you are alerting the individual that the person is in the facility.

30. 30 Right to Privacy Restrictions Patients have the right to request a privacy restriction of their PHI NEVER agree to a restriction that a patient may request All requests must be made in writing and routed to the FPO NO request is so small that it should not be routed to the FPO

31. 31 Confidential Communications Request for use of alternate address or phone number for future contact Route any request for Confidential Communications to Admissions Should communicate only with alternate address given

32. 32 Accounting of Disclosures (AOD) Right to an accounting of disclosures of protected health information An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For TPO To the patient For directory purposes To law enforcement or correctional institutions For national security

33. 33 Sharing information with other treatment providers We can share information with physicians and office staff, hospitals, or other treatment facilities just as we do today Need to verify the requestor according to policy Patient information (PHI) can be released for reasons of treatment, payment or health care operations (TPO)

34. 34 Common Exposures on Nursing Units Discussions of patient information in public places such as elevators, hallways and cafeterias Printed or electronic information left in public view Patient charts left on counters PHI in regular trash Records that are accessed without need to know in order to perform job duties Unauthorized individuals hearing patient sensitive information such as diagnosis or treatment

35. 35 Sanctions 3 levels of violations that require disciplinary action: Accidental and/or due to lack of proper education Purposeful violation of privacy policy or an unacceptable number of previous violations Purposeful violation of privacy policy with associated potential for patient harm

36. 36 Examples of Violations: Not properly verifying individuals by phone, in person, or in writing. (Negligent) Improper disposal of PHI (Negligent) Improper protection of medical records or other PHI (Negligent) Failure to verify a patientís Directory Opt out status. (Negligent) Faxing information to an incorrect fax number in error. (Negligent)

37. 37 Examples of Violations: Allowing another employee to utilize CPCS via your password. (Purposeful) Disclosure of PHI to unauthorized individual or company. (Purposeful) Disclosing PHI without a business ďneed to know.Ē (Purposeful) Any uses or disclosures that could invoke harm to a patient. (Purposeful)

  • Login