HIPAA “Light” General Training - PowerPoint PPT Presentation

Hipaa light general training
1 / 58

  • Uploaded on
  • Presentation posted in: General

HIPAA “Light” General Training. Office of the General Counsel Johns Hopkins Medicine (Pathology Version). H opkins I nsures P rivacy A wareness for A ll. HIPAA “Light”. Privacy & Confidentiality of Patient Information Guidelines for All Employees/Staff. Hopkins’ Commitment.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

HIPAA “Light” General Training

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Hipaa light general training

HIPAA “Light” General Training

Office of the General Counsel

Johns Hopkins Medicine

(Pathology Version)

Hopkins Insures Privacy Awareness for All

Hipaa light

HIPAA “Light”

Privacy & Confidentiality of

Patient Information Guidelines for All Employees/Staff

Hopkins commitment

Hopkins’ Commitment . . . .

Protecting the privacy of our patients’ health information is part of providing for our patients’ health needs!

What is hipaa

What is HIPAA?

The Health Insurance Portability and Accountability Act (“HIPAA”) is a federal law which governs the use, transfer and disclosure of certain health information.

Hipaa is also

HIPAA is Also . . . .

The Privacy Regulations adopted under HIPAA include new rights for individuals and privacy requirements for health care providers and health plans. These new requirements go into effect April 14, 2003.

Why was hipaa passed

Why Was HIPAA Passed? . . . .

Some people misused identifiable health information:

  • A person stole computer disks with lists of HIV positive patients’ names on it

  • A banker gained access to patients’ medical records and used it to make financial decisions

  • The press gained access to psychiatric records about famous people and used it to hurt them

Why hipaa

Why HIPAA? . . . .

Privacy groups went to Congress to do something about protecting patient privacy and medical records

Congress passed HIPAA as a privacy standard so that health information is used only as intended

What does hipaa do

What Does HIPAA Do? . . . .

The privacy regulations give new rights to people (living and dead) regarding protection of their health information

HIPAA requires us to use or disclose health information only as allowed under the law

Things hopkins must do under hipaa

Things Hopkins Must Do Under HIPAA . . . .

  • Provide patients with Privacy Notice

  • Create policies and practices regarding the use of medical records

  • Use medical records only as allowed

  • Create methods to respond to patient rights

  • Train all workforce members including physicians, staff, employees and volunteers (all new employee/staff)

Hipaa and you

HIPAA and You

  • HIPAA Privacy Regulations give patients new privacy rights with respect to personal health data (Protected Health Information or PHI)

  • HIPAA Privacy Regulations affect all members of the Johns Hopkins Medicine community: faculty, staff, students, and others; and to all JHM activities: patient care, teaching, human subject research, administration, quality assurance, fundraising, etc.

Key privacy requirements

Key Privacy Requirements

  • Permission: You must have permission to use PHI

  • Confidentiality: You may reveal PHI only to those who have a legitimate need to know about it

  • Minimum Necessary: Except for treatment, you must use only the minimum amount of PHI

Patient privacy rights under hipaa

Patient Privacy Rights Under HIPAA . . . .

  • The right to receive Hopkins written Privacy Notice

  • The right to review and get a copy of medical records

  • The right to find out who outside of Hopkins has been given an individual’s certain medical information (begin April 14, 2003)

More patient privacy rights

More Patient Privacy Rights . . . .

  • The right to ask that their medical record be amended

  • The right to ask for restrictions in the use of their medical records

  • The right to ask for confidential communications

Identifiable health information

Identifiable Health Information? . . .

  • Identifiable health information is information about a person’s health, treatment, billing or payment for health services

  • Health information can be verbal, written on paper, or in E-mails, or recorded or any other form (such as x-rays)

Protected health information phi

Protected Health Information (PHI)

  • All individually identifiable health information in any form (electronic or non-electronic) that is created or received by a covered entity

  • HIPAA protects any patient information that could be used to identify an individual

Examples of health information

Examples of Health Information . . .

A person comes in for cancer treatment and the following items are used to identify them for treatment or billing purposes:

  • Name, address, age, telephone number

  • Diagnosis, department or doctors’ names

  • Vital signs and lab or x-ray results

  • Billing info or Medical Record Number

  • Anything that can link health information to an individual

Hopkins institutions covered under hipaa

Hopkins Institutions Covered Under HIPAA . . . .

  • JH Hospital & JH Health System

  • JH Bayview Medical Center

  • JH Howard County Hospital

  • JH Community Physicians

  • JH Home Health Services

Hopkins institution covered

Hopkins Institution covered . . . .

  • JH Pharmaquip

  • JH Pediatrics at Home

  • JH HealthCare

  • JH Priority Partners Managed Care Organization

More hopkins institutions covered

More Hopkins Institutions Covered. . . .

Johns Hopkins University:

  • School of Medicine

  • School of Nursing

  • Parts of the:

    • School of Public Health

    • School of Engineering

    • School of Arts & Sciences

  • JH Kennedy-Krieger Institute

Hipaa covers our business partners also

HIPAA Covers our Business Partners, Also

  • Business Associates

    • Companies who do any work for Hopkins and receive patient information

      • Consultants

      • Vendors

      • Temp agencies

      • Accreditation/Regulatory Organizations

Business associate agreement

Business Associate Agreement

  • Hopkins must have a written business associate agreement with all business associates

  • A business associate agreement obligates the recipient to treat the PHI just as Hopkins must treat PHI under the HIPAA Privacy Regulations

Privacy authorizations


  • Specific authorizations from the patient are required for activities not included under treatment, payment and health care operations (TPO)

  • Activities requiring authorization are:

    - Fundraising

    - Marketing

    - Research

    - Use of PHI in publications



  • Authorization required from patient to use or disclose PHI

  • Waiver of authorization allowed in research protocols where it is impractical to obtain individual privacy authorizations and the Institutional Review Board (IRB) finds that the privacy of the PHI can be protected

  • Records must be kept of authorizations or waivers

Pathology policies procedures

Pathology Policies & Procedures

  • Covered entities must obtain, maintain,

    use and disclose PHI in compliance with


    1. Faxing Policy

    2. Paper Documents Containing PHI

    3. Telephone Inquiry Regarding PHI

Faxing policy

Faxing Policy

  • Coversheet – confidentiality clause

  • Send only to intended receiver(s)

  • Verify fax number prior to transmission

  • Locate fax machine in a secured, non-public area

  • Verify fax transmission

  • Remind fax recipients to provide notification if fax information changes

Paper documents containing phi

Paper Documents Containing PHI

  • Avoid unnecessary printing, photocopying, faxing

  • Shred/destroy documents no longer needed

  • Store documents in secure or limited access areas

  • Do not leave unattended in public areas

  • Mask patient identifiers (teaching,QA activities, etc)

  • Limit access to vendors, consultants, visitors, etc

  • Do not remove from premises

Telephone inquiry regarding phi

Telephone Inquiry Regarding PHI

  • Purpose: To ensure that telephone callers requesting patient data (PHI) are appropriately identified and have a legitimate need for requested PHI

  • Remind users of online resources (PDS/EPR)

  • Caller must request patient’s data using required identifiers (ex. name & MR#)

  • Pathology staff makes reasonable attempt to identify caller and legitimate need to know

  • May need to request a fax with additional details



  • Example 1: A worker with computer access could look up birthdays of a co-worker if they knew the co-worker had been a patient. The worker has no professional need-to-know of the date of birth, which is PHI, and therefore the worker should not access the PHI.

  • Example 2: An overhead page alerts a laboratory area that their assistance is needed for a particular procedure. The patient’s name and the procedure are included in the page. The information has become PHI when the procedure has been linked with a name. Confidentiality is in question when PHI is overheard by staff other than those who need to know.



  • Example 3: Housekeeping is emptying waste baskets at the end of the day. They find copies oflab reports in the trash. They need to alert their supervisor and the materials need to be shredded or secured. PHI should never be thrown in a trash can, unless it has been shredded.

  • Example 4: An employee pulls up patient lab records on the computer to troubleshoot a specimen problem. The information is left on the screen and can be viewed by nursing staff dropping off specimens. To protect patient privacy, information should be removed from computer screens when leaving the workstation.



  • Example 5:.A staff meeting is held in a conference room. Previously, the room was used by doctors discussing a case study. Extra hand-outs are still on the table. Staff need to ignore the patient records and tell their supervisor who will determine if the materials need to be shredded or secured.

  • Example 6:. A blood bank technologist calls from another local hospital to ask about a patient’s transfusion history. Staff must make a reasonable attempt to ascertain the identity of the caller and the need for the requested PHI. You can take the caller’s phone number and call them back or request a fax with additional details regarding the caller’s identity and the need for the PHI.



  • Example 7:.When a faculty member puts together a teaching lesson, if the name, SSN or other identifying information is not critical for the lesson, this information should not be included when copies or slides are made.

  • Example 8:. The lab receives a telephone call from a doctor. He is at home and needs lab results on a patient admitted to the hospital. He does not know the patient’s medical record number, only the name. Laboratory staff need to determine the identity of the caller and legitimate need to know before communicating PHI. The caller can be asked to fax their request for information along with documentation regarding their identity.

Enforcement of hipaa law

Enforcement of HIPAA Law . . . .

Federal Office of Civil Rights has the responsibility to investigate complaints of HIPAA privacy violations and can issue:

  • Civil Penalties -fines which may accumulate for each type of violation

  • Criminal Penalties -against institutions and individuals who intentionally misuse medical information

Your to do list

Your “To-Do” List . . . .

DO tell department management if you see an unattended PC that has patient information on the screen

DOtell department management if you see patient information that is unattended

More to dos

More “To-Dos” . . . .

DOremove patient information from trash bins and shred or dispose of patient information in confidential bins

DOaccess only the information that you require to perform your job duties

Things ok to do

Things OK “To Do” . . . .

DO report any suspicious activity related topatient information to your management

DOrefer patient information requests to appropriate personnel or department

Do as part of your job

Do, As Part of Your Job . . . .

DO treat all patient information with the utmost concern for confidentiality and privacy

DOshut doors or pull privacy curtains before talking to patients or their


Your do not do list

Your “Do-Not-Do” List . . . .

DO NOT open sealed, confidential envelopes addressed to someone else

DO NOTthrow patient information in the trash

DO NOT tell your friends or relatives about patients in the hospital

Can t do these either

Can’t Do These Either . . . .

DO NOT send patient information in e-mails

DO NOT discuss patient information in public areas, especially food lines and elevators

DO NOT discuss patient information on house phones or cell phones in public areas

More things not to do

More Things “Not-To-Do” . . . .

DO NOT leave patient information unattended in public areas (e.g. when delivering patient records)

DO NOT share patient information with anyone who does not have a need to know

Wrong things to do

Wrong Things To Do . . . .

DO NOT access health information of co-workers, family members or celebrities

DO NOTsell patient information

Related work examples

Related Work Examples . . . .

  • What do you do when Health Information is spotted or overheard while you do your job

  • Health Information that is “needed” or “not needed” to do your job

  • Consider the privacy of patients when discussing their health condition

Work examples continued

Work Examples, continued . . . .

  • How to respond when a person you don’t know asks about a patient

  • Cannot share Health information regarding a friend or member of your family being treated at Hopkins

  • Resist temptation to tell friends or family members when a “famous person” has been treated at Hopkins

Work examples continued1

Work Examples, continued . . . .

  • Request Health Information of your child or family member appropriately

  • Report suspicious activities or inquiries about health information to your supervisor or security

  • In transporting a patient from one treatment area to another, be sensitive in public areas

Hopkins compliance line

Hopkins Compliance Line . . . .


1-877-932-6675 (Toll Free)

The Compliance Line is administered through an independent company and is in place to give you a way to report your concerns to Hopkins' management in a confidential manner, without fear of reprisal.

Callers do not have to give their names if they don’t want to.

Hopkins compliance line1

Hopkins Compliance Line . . . .

The Compliance Line is a toll-free, 24-hour, 7-day-a-week telephone resource that allows you to report workplace concerns

  • Suspected illegal or unethical behavior

  • Non-compliance with laws, regulations and policies

  • Safety violations

  • Criminal offenses

  • Other concerns

What do you know about hipaa

What Do You Know About HIPAA?


  • A State law covering patient privacy.

  • A Federal law covering how medical information can and cannot be used.

  • A Hopkins policy that is used to tell patients what they must do.

  • None of the above.

  • All of the above.

What do you know about hipaa1

What Do You Know About HIPAA?

As a Hopkins employee you can:

  • Remove patient medical information from plain view of the public.

  • Report suspicious activities related to patient information to supervision or security.

  • Verify identity of anyone requesting patient information.

  • None of the above.

  • All of the above.

What do you know about hipaa2

What Do You Know About HIPAA?

As an employee, you work on one of the Wilmer units. It’s OK to tell your brother that Stevie Wonder is coming for an examination next week.

  • True

  • False

What do you know about hipaa3

What Do You Know About HIPAA?

Why was HIPAA passed?

  • Medical information was used inappropriately.

  • Psychiatric information was released about famous people.

  • Congress was asked to do something about insuring patient privacy.

  • None of the above.

  • All of the above.

What do you know about hipaa4

What Do You Know About HIPAA?

HIPAA does not give any rights to patients regarding their medical records.

  • True

  • False

What do you know about hipaa5

What Do You Know About HIPAA?

What are some examples of Health Information?

  • Patient’s name.

  • Doctor’s name or office where a patient was seen.

  • Billing information.

  • None of the above.

  • All of the above.

What do you know about hipaa6

What Do You Know About HIPAA?

Bayview and Howard County Hospitals are Hopkins Institutions that are not covered under HIPAA.

  • True

  • False

What do you know about hipaa7

What Do You Know About HIPAA?

As an employee of Hopkins, I can:

  • Tell a co-worker my PC password.

  • Open confidential envelopes that come to my work area.

  • Share patient information with anyone who asks me.

  • None of the above.

  • All of the above.

What do you know about hipaa8

What Do You Know About HIPAA?

As long as my supervisor knows about HIPAA, I have no responsibility to know anything about that Federal law.

  • True

  • False

What do you know about hipaa9

What Do You Know About HIPAA?

My friend was treated at Hopkins on a unit where a co-worker is assigned. It is OK for that co-worker to tell you what they know about your friend or make a copy of the doctors’ notes for you.

  • True

  • False



  • http://pathology.jhu.edu/hipaa

  • www.insidehopkinsmedicine.org/hipaa

  • www.hhs.gov/ocr/hipaa/privacy.html

Hipaa light general training1

HIPAA “Light” General Training

Office of the General Counsel

Johns Hopkins Medicine

Hopkins Insures Privacy Awareness for All

  • Login