
Mount Auburn Hospital (MAH)


Presentation Transcript


  1. Mount Auburn Hospital (MAH) HIPAA Training: Ensuring Privacy for our Patients

  2. Privacy
     • Information about ourselves we prefer not to share without permission
     • Our right to keep this information from others if we choose
     • We expect healthcare providers and workers to protect the privacy of the information they learn about us

  3. Goals
     By the end of this program you will be able to:
     • Explain the basic principles of the Privacy Rule
     • Describe the basic policies/procedures you need to use to protect patient information
     • Describe patients’ rights
     • Identify your role in protecting patient information
     • Get help if you have a question

  4. Agenda
     • What is HIPAA/The Privacy Law?
     • Why is it important?
     • Who must follow the law?
     • What are the Mount Auburn Hospital’s responsibilities?
     • What does this mean for you?

  5. The Privacy Law
     • HIPAA: Health Insurance Portability and Accountability Act of 1996
     • Protects all health information created by a healthcare provider, health plan, or healthcare clearinghouse
     • Defines who is allowed to see or use a patient’s private health information

  6. The Privacy Law
     • Protects the information whether it is:
       • Oral
       • Written
       • Electronic

  7. Why is Patient Privacy important?
     • Safeguards protected identifiable patient health information
     • Provides patients with more control over what happens with their information
     • Provides patients with informed choices about how their information is used
     • Balances our need to use information to treat patients, teach, and conduct research with the patient’s desire/need for privacy

  8. Protected Health Information (PHI)
     • Any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse
     • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

  9. Protected Health Information Includes, But is Not Limited to:
     • Medical records
     • Billing information (bills, receipts, EOBs, etc.)
     • Labels on IV bags
     • Telephone notes (in certain situations)
     • Test results
     • Patient menus
     • Patient information on a palm device
     • X-rays
     • Clinic lists

  10. Who Must Follow the Law?
     • Healthcare Providers (and their Workforce)
       • Anyone who provides services, care, or supplies that relate to the health of a person (such as a hospital, doctor, dentist, or others)
     • Health Plans (such as Insurers, HMOs, etc.)
     • Healthcare Clearinghouses
     This means workforce members of MAH and Credentialed Physicians at MAH for services provided at the hospital.

  11. Am I Part of the Workforce?
     You are considered a part of the Workforce if you are a:
     • Physician
     • Employee
     • Volunteer
     • Temporary Employee
     • Contractor
     • Consultant

  12. What Are the Mount Auburn Hospital’s Responsibilities?
     • Provide patients with a notice of our privacy practices
     • Protect the information from use or disclosure to those not allowed to see it by law or by the patient
     • Investigate complaints of breaches
     • Discipline breaches of confidentiality

  13. The Notice of Privacy Practices
     • Describes the ways we may use health information a person gives to us
     • Describes the rights the person has to protect their information
     • Describes the duties we have to the patient to protect their information
     • Informs the patient that we have a complaint and investigation process
     • Must be given to a patient before the first treatment encounter, and written acknowledgment must be obtained

  14. What are the Patient’s Rights?
     • To have their information protected
     • To be provided with a notice of our privacy practices
     • To have their questions answered
     • To see their information if they wish (restrictions apply)
     • To obtain copies of their records (for a fee)
     • To request to change their records
     • To limit (under specific circumstances) the use/disclosure of their information

  15. What Does This Mean for You?
     Be careful with information to which you have access. Ask yourself:
     • Am I allowed to have this information? Is it required for me to do my job?
     • Is the person with whom I am about to share this information allowed to receive it? Do they need the information to do their job?
     • If I were the patient, and this were my information, how would I feel about it being shared?

  16. What Must I Do to Ensure Patient Privacy?
     • Be aware of who is around you when you are discussing patient information
     • Dispose of information appropriately
     • Use cover sheets for faxing
     • Share information only with those who are allowed to have it
     • If in doubt, ask for help

  17. You Should be Aware of Patient Privacy in:
     • Ensuring computer security
     • Sending/receiving faxes
     • Disposing of information
     • Using/disclosing information
     • Conducting everyday-work practices
     Each of these aspects of Patient Privacy is discussed in detail in the next few slides.

  18. Ensuring Computer Security
     • Never share passwords
     • Lock the workstation or log off when leaving a workstation
     • Position the workstation so the screen does not face a public area, if possible
     • Do not send email containing patient-identifiable information
     • Refer to the MAH e-mail guidelines in the Administrative Policy Manual or on the intranet

  19. Ensuring Computer Security, continued
     • Personal databases containing patient information are prohibited unless:
       • they support “TPO”,
       • they contain “de-identified” information (as per the HIPAA definition), or
       • you have received IRB approval
     • Each database has an “information custodian” who is responsible for maintaining security and access for the database
     • Store databases on a secure machine or network file area, not the “C” drive

  20. Sending/Receiving Faxes
     • Least controllable type of communication
     • When faxing information:
       • Use a cover sheet!!
       • Verify the sender has the correct fax number, and
       • The fax machine is in a secure location, and/or the receiver is available immediately to receive the fax

  21. Sending/Receiving Faxes, continued
     • When receiving faxed patient information:
       • Immediately remove the fax transmission from the fax machine, and deliver it to the recipient
       • If information has been sent in error, immediately inform the sender, and destroy the faxed information (deposit in the shredding bin, or other method)

  22. Disposing of Information
     Do not place identifiable health information in regular trash! Rip, shred, or otherwise dispose of identifiable health information.

  23. Using and Disclosing Information
     • You may use/disclose patient information without specific authorization from the patient for:
       • Treating a patient
       • Getting paid for treating a patient
       • Other healthcare operations
     These uses are commonly referred to as TPH (Treatment, Payment, Healthcare Operations) or TPO.

  24. About Authorizations
     • What is an Authorization?
       • Permission from the patient to release information
       • Must be obtained where Protected Health Information is used for other than TPH (except psychotherapy)
       • Authorizations are time limited
       • May be revoked by the patient
     • What is Needed for an Authorization
       • State to whom the information will go
       • State for what purpose the information will be used
       • State what information will be sent

  25. There are Times when Information May be Disclosed Without Authorization
     • If Required by Law
       • Court Order
       • Subpoena
       • Public-Health Reporting
     • Incidental Disclosures
       • Overhearing a patient’s conversation with their doctor or nurse in a semi-private room
     These are discussed in more detail on the following slides.

  26. Disclosures Required by Law
     • If the release complies with and is limited to what the law requires, you may give information to (see “Authentication” below):
       • Public health authorities
       • Health oversight agencies
       • Employers responsible for workplace surveillance
         • Must post notice of privacy practices
       • Coroners, Medical Examiners, and Funeral Directors
       • Organ procurement organizations

  27. About Incidental Use or Disclosure
     Hallmarks:
     • Occurs as a by-product of an otherwise permitted use or disclosure
     • Cannot be reasonably prevented
     • Is limited in nature
     • Is permissible to the extent that reasonable safeguards exist

  28. Authentication
     • To the degree practicable, you must ensure that the person to whom you give the information is the person allowed to receive it
     • Ask for identification

  29. Minimum Necessary
     The Privacy Law generally requires that we all take reasonable steps to limit the use or disclosure of, and requests for, Protected Health Information (PHI) to the minimum amount of information necessary to accomplish the intended purpose.

  30. Minimum Necessary
     Does not apply to:
     • Disclosures to a health care provider for treatment purposes
     • Disclosures made pursuant to an authorization by the individual
     • Disclosures to the individual
     • Uses/disclosures required for compliance with standardized HIPAA transactions
     • Disclosures to DHHS required under the rule for enforcement
     • Uses/disclosures required by other law

  31. Accounting for Disclosures
     • Upon request, we must provide patients with a list of the names of people to whom we have disclosed the patient’s information, except for:
       • Instances when the information is disclosed to the individual themselves
       • TPO
       • Disclosures under a specific authorization

  32. How to Account for Disclosures
     Unless limited by the request, the accounting must cover the full six years prior to the request, and must include:
     • To whom the information was disclosed
     • When it was disclosed
     • What was disclosed
     • Why it was disclosed

  33. Conducting Your Everyday-Work Practices
     • Evaluate how you disclose patient-identifiable data
     • Look for opportunities to streamline work and reduce unnecessary uses and/or disclosures
       • What data do you create?
       • What data do you send to others outside of MAH? For what purpose?
       • What data do you receive from others? For what purpose?

  34. Guidelines for Directories
     • Information in a patient directory is limited to:
       • Name
       • Location within the facility
       • Condition in general terms
     • Religious affiliation may be given to clergy
     • This information may be given out only if the person asks for the patient by their full name

  35. Guidelines for Fundraising
     • We may use PHI for fundraising only if:
       • We use only demographic information and the dates when care was provided
       • We tell patients in our Notice of Privacy Practices that we use some of their information for fundraising
     • We must allow patients to opt out of this use
     • We must make a reasonable effort not to send further materials to patients who opt out

  36. Guidelines for Business Associates
     • Persons or entities to whom a covered entity discloses PHI so that the person or entity may carry out, assist with, or perform a function on behalf of the covered entity who created the PHI
     • Does not apply to providers who receive information for treatment purposes

  37. Business Associates, continued
     • The covered entity must obtain, typically by contract, satisfactory assurances that the business associate will:
       • Use the information only for the purposes for which they were engaged by the covered entity
       • Safeguard the information from misuse, and
       • Help the covered entity comply with the covered entity’s duties to provide individuals with access to health information about them and a history of certain disclosures
     • PHI disclosed may not be for independent use by the business associate

  38. Who is Responsible?
     • We are all responsible!
     • Anyone who cares for patients, works in the hospital environment, or is responsible for using identifiable information in order to perform their job
     • Anyone who works for providers that perform functions on our behalf that involve patient-identifiable information

  39. What Else Can You Do?
     • Your responsibility for protecting patient privacy and confidentiality does not end with your work shift
     • Don’t divulge any patient information when in an informal atmosphere or social setting
     • If asked about a patient, simply reply “I’m sorry, that information is confidential”
     • Respect everyone as if they were your family member!

  40. How to Report a Privacy Concern or Breach
     Contact:
     • Your supervisor
     • Patient Relations Hotline: (617) 499-5100
     • MAH Privacy Officer: (617) 441-1665

  41. Where Can You Get Help?
     • Ask your supervisor
     • Check our HIPAA web site on the MAH CareGroup Portal
     • Call the Privacy Officer at (617) 441-1665
     • E-mail privacy@mah.harvard.edu

  42. Thank you
     • You have completed the MAH general training about the Privacy Rule
     • Your job may require more specialized training, which will be done by your manager
     • Thank you for your support in our efforts to protect the private information of our patients
     Remember….

  43. Be careful with information to which you have access. Ask yourself:
     • Am I allowed to have this information? Is it required for me to do my job?
     • Is the person with whom I am about to share this information allowed to receive it? Do they need the information to do their job?
     • If I were the patient, and this were my information, how would I feel about it being shared?
