HIPAA Privacy Education for Physicians - PowerPoint PPT Presentation

Slides: 27
Provided by: brio150

Transcript and Presenter's Notes


1
HIPAA Privacy Education for Physicians
  • The following course may be used to fulfill
    Lifespan's HIPAA privacy awareness training
    requirements by physicians. Check with your
    Department Chair to make sure that you have
    permission to take this course and to determine
    if there are additional HIPAA training
    requirements you must complete.
  • Please note that there is also an Office of
    Research Administration training course that may
    be more applicable for physicians performing
    research.
  • You must take the test accompanying this course
    to fulfill your HIPAA awareness training
    requirement.

2
HIPAA
  • The Health Insurance Portability and
    Accountability Act (HIPAA) was enacted by
    Congress in 1996. HIPAA has many components, one
    of which is its Privacy Rule.
  • After much Congressional delay, HHS implemented
    the final Privacy Rule on April 14, 2003. It
    requires that:
  • Training be tailored to address the specific
    functions that Lifespan physicians perform.

3
HIPAA Expectations of Lifespan Employees
Including Physicians
  • Use or disclose Protected Health Information
    (PHI) only for work related purposes
  • Limit uses and disclosures to the minimum
    necessary to achieve those work purposes
  • Exercise reasonable caution to protect PHI under
    your control
  • Understand and follow Lifespan's privacy policies
  • Try to remedy any privacy problems or to report
    them to the Privacy Officer at 401-444-4728 or
    via a confidential email to
    privacyofficer@lifespan.org

4
HIPAA Expectations of Lifespan Employees
Including Physicians
  • Note that incidental uses and disclosures are
    inevitable and do not violate the privacy rule as
    long as reasonable precautions are taken
  • Understand that reasonable limits and efforts,
    appropriate to the circumstances, are all that
    HIPAA requires
  • Recognize that Lifespan will not retaliate or
    discriminate against any patient or worker who
    expresses a privacy concern.

5
Key Lifespan HIPAA Documents
  • In addition to the material contained in this
    presentation you may want to review the following
    important HIPAA documents/policies.
  • Lifespan Joint Privacy Notice
  • Incidental Disclosure of Protected Health
    Information
  • Verifying Identity and Authority of Requestor
  • Privacy Related Complaints
  • Prohibiting Intimidating or Retaliatory Acts
  • This information is contained on the Compliance
    web page: http://intra.lifespan.org/compliance/

6
The Privacy Rule
  • Ensures nationwide uniform procedural protection
    for all health information
  • Imposes new restrictions on the use and
    disclosure of protected health information (PHI)
  • Gives patients greater access to their medical
    records
  • Provides patients with more control over their
    health information

7
What is Protected Health Information (PHI)?
  • When a patient gives personal health information
    to Lifespan, that information becomes PHI.

8
Examples of PHI
  • Examples of information that might connect
    personal health information to the individual
    patient include:
  • The individual's name or address
  • Social Security or other identification number
  • Physician's personal notes
  • Billing information

9
What are the Rules for Use/Disclosure of
Protected Health Information?
  • HIPAA's Privacy Rule is all about the use and
    disclosure of PHI. PHI can't be used or disclosed
    by anyone unless it is permitted or required by
    the Privacy Rule.
  • PHI is used when:
  • Shared
  • Examined
  • Applied
  • Analyzed
  • PHI is disclosed when:
  • Released
  • Transferred
  • In any way accessed by anyone outside of the
    covered entity

10
Lifespan employees are permitted to use or
disclose PHI for
  • Treatment, payment, and healthcare operations
  • With authorization or agreement from the
    individual patient
  • For disclosure to the individual patient
  • For incidental use such as physicians talking to
    patients in a semi-private room.

11
Lifespan's Joint Privacy Notice
  • The Lifespan Joint Privacy Notice is a required
    document which is provided to all patients
    receiving direct care after April 13, 2003.
  • It describes how PHI may be used and disclosed
    by Lifespan and how patients can get access
    to this information.
  • Patients must acknowledge receipt of the Notice
    in writing, if possible.
  • Copies are kept of all notices and
    acknowledgements.

12
Lifespan's Joint Privacy Notice describes
  • 1.) Who we are
  • Lifespan is a single covered entity that can
    share patient information across affiliates.
  • 2.) Our pledge to protect health information
  • 3.) How we may use and disclose PHI. For
    instance, we do not need patient authorization to
    use PHI for treatment, payment and healthcare
    operations.
  • As an example, a doctor treating a patient for a
    broken leg may need to know if the patient has
    diabetes because diabetes may slow the healing
    process. Different healthcare professionals may
    share the patient's medical information in order
    to coordinate the different treatments/procedures
    needed, such as lab work, x-rays and
    prescriptions. Also, in order to coordinate the
    patient's care, the hospital may share the
    patient's information with a physician to whom
    the patient is being referred. No
    authorization is needed.

13
Lifespan's Privacy Notice describes
  • 4.) When Patient Authorizations are required or
    the patient has an opportunity to object, for
    example:
  • To being placed on the Hospital Directory
  • For marketing, research activities etc.
  • 5.) Patients' Rights regarding their PHI;
    specifically, patients have rights to:
  • Request Restrictions
  • Request confidential communication
  • Inspect and copy their PHI
  • Amend their PHI if incorrect
  • Receive an accounting of non-routine
    disclosures of PHI

14
Lifespan's Privacy Notice describes
  • 6.) Who to contact with inquiries or complaints.
  • In many cases the Privacy protections outlined
    in the Privacy Notice were already in place
    because RI law is often more stringent than the
    Privacy Rule.
  • The RI State law pre-empts the Privacy Rule

15
What is Minimum Necessary?
  • In general, use/disclosure of PHI is limited to
    the minimum amount of health information
    necessary to get the job done. That means:
  • Lifespan has developed policies and practices to
    make sure the least amount of health
    information is shared
  • Employees are identified who regularly access
    PHI
  • The types of PHI they need and the conditions
    for access are approved
  • See the policy entitled Minimum Necessary
    Protected Health Information for more
    information
  • General Rule: If you have no need to review the
    PHI then stop!

16
What is Minimum Necessary?
  • The Minimum Necessary Rule does not apply to
    use/disclosure of medical records for treatment,
    since healthcare providers need the entire record
    to provide quality care.
  • Per HHS, disclosure of PHI that exceeds the
    minimum necessary standard is one of the areas
    receiving the greatest number of patient
    complaints.

17
Privacy Practices Designed to Protect PHI
  • All Lifespan professional staff have an
    obligation to follow these general practices,
    which are designed to limit inappropriate
    disclosures.
  • 1.) Follow IS guidelines designed to minimize
    access to our computerized systems; specifically,
  • never give out your password
  • never post your password where it can be seen
    by others
  • never use another person's password
  • avoid passwords that can be easily guessed
  • only access systems when you have a legitimate
    need.

18
Privacy Practices Designed to Protect PHI
  • 2.) Release PHI only after verifying the identity
    and authority of the requestor.
  • 3.) Ensure that PHI is appropriately discarded by
    such means as shredding.
  • Remove PHI from laptops and home computers.
  • 4.) Limit faxing PHI,
  • only fax to a designated protected fax machine
  • confirm the fax number
  • verify receipt of the fax
  • use a confidential cover sheet.
  • 5.) Limit PHI in e-mails going out on the
    internet, unless passwords or other
    authentication mechanisms are appropriately used.

19
Privacy Practices Designed to Protect PHI
  • 6.) Transmit PHI by telephone only when it
    cannot be overheard,
  • the recipient should be identified before PHI
    is released
  • messages left on a phone should be limited to
    the name of the person, a request that the call
    be returned, and the name and telephone number
    of the person placing the call.
  • 7.) When performing physical examinations, take
    steps to ensure confidentiality; for example,
    ask non-essential persons to step outside.
  • 8.) Use cell phones in discreet areas; conduct
    conversations in a low voice.

20
Privacy Practices Designed to Protect PHI
  • 9.) Don't discuss PHI in public areas such as
    hallways, elevators, cafeterias.
  • 10.) Limit public access to computer monitors
    which may contain PHI.
  • 11.) Keep medical records in a secure location,
    locked room, or locked cabinet.

21
Incidental Use and Disclosure
  • The Privacy Rule recognizes that incidental use
    and disclosure is inevitable and is not a
    violation if Lifespan has implemented reasonable
    safeguards.
  • Lifespan's Incidental Disclosure policy
    describes general privacy practices which are
    deemed to be reasonable safeguards.

22
Misuse of PHI
  • Misuse of PHI can result in civil and criminal
    sanctions:
  • Inadvertent violations: up to $25,000 per year
    per each violation.
  • Deliberate violations: up to $250,000 fine and
    prison sentence of up to 10 years.

23
Examples of Misuse of PHI
  • The HIPAA Privacy Rule is designed to minimize
    careless or unethical disclosures of health
    information, for example:
  • A South Dakota medical student took home copies
    of 125 patients' psychiatric records to work on a
    research project. When finished, he disposed of
    the material in the dumpster of a fast food
    restaurant, where they were found by a newspaper
    reporter.
  • In Florida, several hundred hospital workers
    browsed through the records of a famous patient
    that had recently come to the facility, even
    though few of them were actually involved in the
    case.

24
Examples of Misuse of PHI
  • A Montana hospital posted over 400 psychiatric
    records of 62 children on its public web site
    where they remained for weeks until they were
    discovered by a newspaper reporter.
  • A Florida county health department worker copied
    lists of HIV patients, distributed the
    information to his friends and sent the
    information to a local newspaper.

25
Specific Privacy Risk Area
  • Minors/Emancipated Minors
  • Confidentiality depends on competency of person
    receiving care. If you believe that the minor
    patient had the right to consent to care, it is
    reasonable to maintain the minor's
    confidentiality.
  • RI Law - under 18 may consent for routine
    emergency care testing, examination and/or
    treatment for any reportable communicable
    disease - HIV, STDs, etc.
  • Emancipated - any minor who lives away from
    home with parent permission but without
    parent support may consent to his/her own
    treatment.

26
Key Points
  • No Lifespan patient will be penalized for filing
    a complaint or exercising their rights.
  • No adverse action will be taken against any
    employee or professional staff member who reports
    to the Privacy Officer, in good faith, any
    violation or threatened violation of the Privacy
    Rule or related policies.
  • Lifespan affiliate staff will investigate all
    patient complaints within a reasonable amount of
    time.
  • Lifespan employees and professional staff
    members can pose their concerns or questions
    directly to their supervisor or to the Privacy
    Officer, Tom Igoe, 401-444-4728.
  • The Privacy Office can be anonymously contacted
    via the Response Line 1-888-678-5111 or by using
    the confidential email site
    http://intra.lifespan.org/compliance/Form.htm