HIPAA Awareness Training

1
HIPAA Awareness Training

• Self-study training module

2
HIPAA Training Module

• This module features the following lessons
• What is HIPAA?
• Why do I need to take this training?
• What are IURAs policies and procedures regarding
  patient information and confidentiality
• FAQs Frequently asked questions

3
HIPAA

• Recently there has been a great deal of talk
  about HIPAA and what it means to healthcare.
  Many people have suggested that the changes that
  HIPAA brings to healthcare will be monumental.

4
HIPAA

• Overview
• Privacy Confidentiality
• Compliance with the Privacy Rules requires
  cooperation among the medical center affiliates
  (IUSM, Clarian, VA, Wishard, practice plans,
  School of Nursing, all must comply)
• Everyone at IUSM must comply

5
What is HIPAA?

• HIPAA stands for
• Health
• Insurance
• Portability and
• Accountability
• Act of 1996
• No, its not short for hippopotamus!

6
What is HIPAA?

• HIPAA is a federal regulation that most
  healthcare providers have to comply with that
  protects the privacy, security and
  confidentiality of a patients health information.

7
What is HIPAA?

• With HIPAA, the government mandates that IURA
  protect the privacy, security and confidentiality
  of our patients.

8
What is HIPAA?

• What is protected?
• Protected health information (PHI) is
• Individually identifiable health information
• Identifies the individual where there is a
  reasonable basis to believe that the information
  can be used to identify the individual (ex name,
  social security number, demographic information)
• Transmitted or maintained in any form or medium

9
What is HIPAA?

• De-Identified Information
• PHI is de-identified by removing, coding,
  encryption, or otherwise eliminating or
  concealing individually identifiable information
• Regulations do not apply to de-identified
  information
• May be used or disclosed freely as long as the
  code to re-identify the information is not
  accessible

10
HIPAA

• HIPAA requires that all health care
  organizations have a privacy officer.
• Our Privacy Officer is Marcia Gonzales in
  the IUSM Office of Compliance Services
• 278-4891
• The HIPAA liaison for the Radiology Department
  is
• Rita McFarland
• UH 0663C
• 274-4328

11
HIPAA

• Their roles are to provide in house reference and
  guidance for the processes established to comply
  with the HIPAA privacy regulations.

12
HIPAA Why is training necessary?

• The Privacy, Security and Confidentiality of
  patient information is important to IURA.
• and its important that you know the rules
  regarding patient confidentiality.

13
HIPAA Why is training necessary?

• Confidentiality is so important, that IURA
  requires that
• All employees and workforce members be informed
  of their responsibility to protect
  confidentiality.
• Proven violation of the confidentiality of
  patient information shall include immediate
  disciplinary action up to and including
  termination.

14
HIPAA Policy

• What is Indiana University Radiology Associates
  policy?
• Our policy states that patient information will
  be kept private and confidential
• Our policy also guides us on who should have
  access to patient information
• Direct access to patient information shall only
  be permitted to those employees who have a need
  to know to perform their job functions

15
HIPAA - Policy

• What patient information does IURA require me to
  keep confidential?
• Demographic information
• Examples Name, social security number, date of
  birth, address, etc.
• Information about injury, illness or condition
  including symptoms, diagnosis or treatment
• Conversations between the patient and health care
  workers

16
HIPAA - Policy

• In regard to HIPAA
• The need to know is defined as
• Minimum Necessary Information.

17
HIPAA - Policy

• When do I need to know?
• Need to Know is when you need information to
• Document the patients treatment
• Facilitate communication between physicians and
  other professionals contributing to the patients
  care
• Provide continuity of patient care
• Provide a basis for review, study, and evaluation
  of patient care processes
• Provide clinical data for approved research,
  study, and education and for legitimate business
  purposes.

18
HIPAA - Policy

• What are legitimate business purposes?
• Legitimate business purposes include provision
  of
• Statistical data for decision making and planning
• Data to third parties as specified by law (e.g.
  communicable diseases, coroners cases, burns,
  cancer registry reporting, etc.)
• Documentation for billing and insurance claims
  processing
• Appropriate access to medical records and data as
  required for licensing and accreditation purposes.

19
HIPAA - Policy

• Our policy also guides us on when and where we
  can discuss patient information.
• Discuss patient information privately never in
  elevators, lobbies, cafeterias, or corridors
• Make sure requisitions, forms, and computer
  screens with patient names and information are
  not easily viewed by others
• Dispose of unnecessary patient information in
  proper receptacles for shredding, not ordinary
  trash bins

20
HIPAA

• And remember.
• Co-workers can be patients, too. They have every
  right to expect the same level of privacy
• Just like you do whenever youre a patient!

21
HIPAA

• HOW do I protect the privacy of my co-workers?
• Take special care to respect the privacy of
  co-workers and colleagues who are patients.
• Do NOT discuss the health care services of your
  co-workers with anyone who is not directly
  involved in their care.
• Do NOT ask co-workers why they are a patient, or
  their reasons for accessing health services.
• Do NOT access their private health information
  unless it is for patient care purposes

22
HIPAA Privacy, Security, and Confidentiality

• There will be a few changes brought about by
  HIPAA. These are summarized below
• We are required to provide a Notice of Privacy
  Practices to all patients that describes their
  rights over their PHI
• Patients will sign an acknowledgement form
  stating that they received a copy of the Privacy
  Notice
• We are required to make a good faith effort to
  obtain this acknowledgement (Verbal
  acknowledgement is not enough, must be in writing)

23
HIPAA Privacy, Security, and Confidentiality

• There will be a formal process for patients to
• Request copies of their medical record
• Obtain a list of who has accessed their
  information
• Make amendments to their medical records
• Complain to our HIPAA liaison or privacy officer
  about our privacy practices

24
Security Safeguards

• Passwords-dont share and dont post
• Workstations-secure your workstation, use screen
  savers, lock your computer if unattended, log off
  when not in use, log off at night
• E-mail-avoid sending sensitive/confidential
  patient information, Outlook is not currently
  encrypted
• Removable media (disks, CDs,)-lock up and store,
  dispose/destroy properly
• Internet-VPN, firewalls, monitor and audit usage,
  utilize virus protection

25
FAQs

• The following pages provide answers to some
  Frequently Asked Questions about HIPAA.
• Read them to learn more about how HIPAA will (and
  wont) change the way you work..

26
Access to Information

• What happens when the patient wants to know what
  is in his/her medical record?
• Patients have the right to access and obtain a
  copy of their medical or billing information
• We must act upon their request within 30 days
• We may deny a patients request in some
  circumstances

27
Access to Information

• Does the Privacy Rule require us to provide
  private rooms and soundproof walls to avoid any
  possibility that a conversation is overheard?
• No, the Privacy Rule does not require these
  types of structural changes
• However, we must have in place appropriate
  administrative, technical and physical
  safeguards to protect the privacy of health
  information

28
Access to Information

• Reasonable safeguards mean that we must make
  reasonable efforts to prevent uses and
  disclosures not permitted by the rule.

29
Access to Information

• Does HIPAA force us to isolate X-ray view boxes?
• No, HIPAA standards do not require that we take
  this specific measure. However, we must take
  reasonable precautions to prevent inadvertent or
  unnecessary disclosures. While the Privacy Rule
  does not require that we totally isolate view
  boxes, it does require that we take reasonable
  precautions to protect X-rays from being
  accessible to the public.

30
Access to Information

• If health care providers engage in confidential
  conversations with other providers or patients,
  have they violated HIPAA if there is a
  possibility that they could be overheard?
• As long as reasonable precautions are taken to
  minimize the chance of inadvertent disclosures to
  others who may be nearby (such as using lowered
  voices, talking apart, etc.), health care staff
  may discuss a patients condition at nurses
  stations, over the phone with the patient, a
  provider, or a family member, or during training
  rounds in an academic or training institution.

31
Access to Information

• Can we FAX patient medical information to a
  physicians office?
• The Privacy Rule permits the disclosure of
  protected health information to another health
  care provider for treatment purposes. This can
  be done by fax or other means. Health care
  providers must have in place reasonable
  safeguards to protect the privacy of the
  protected health information such as confirming
  that the fax number to be used is correct and
  placing fax machines in secure locations to
  prevent unauthorized access to the information.

32
Access to Information

• Can we use patient sign-in sheets or call out the
  names of patients in their waiting rooms?
• Yes, patient sign-in sheets and calling out names
  in waiting rooms may be used as long as the
  information disclosed is appropriately limited.
  The Privacy Rule explicitly permits certain
  incidental disclosures that occur as a
  by-product of an otherwise permitted
  disclosure-for example, the disclosure to other
  patients in a waiting room the identity of the
  person whose name is called however, it is only
  permitted if reasonable and appropriate
  safeguards are utilized to limit confidential
  patient information such as the diagnosis or
  history of the patient.

33
Business Associates

• What happens when the radiologist dictates a
  report that is transcribed by an outside
  transcription agency?
• The transcription company is a business associate
  because they are interacting with health
  information and performing the service on our
  behalf. A Business Associate Agreement with the
  company that meets HIPAA standards is required.

34
Complaints

• Can patients complain to us?
• Patients have always had the right to complain to
  us or any of our state, federal, or accrediting
  bodies.
• Under HIPAA, we have to tell patients that they
  can complain to us, or the Department of Health
  and Human Services, Office of Civil Rights. This
  is outlined in our Notice of Privacy Practices.
• If a patient wants to file a complaint with IURA,
  contact the HIPAA liaison.

35
Complaints

• If a patient wants to file a complaint with the
  Department of Health and Human Services, it must
  meet the following requirements
• A complaint must be filed in writing
• The person must name the facility where the
  violation occurred and describe what happened
• The complaint must be filed within 180 days of
  occurrence

36
Complaints

• Can employees report possible violations of the
  privacy rule to us?
• Employees are encouraged to report possible
  violations of the privacy rule to us. If theres
  a problem, we want to fix it. Employees should
  feel comfortable to know that we will not take
  any retaliatory action when employees file
  complaints
• Employees should submit their complaint to the
  Radiology HIPAA Liaison
• Employees may also use the IU Compliance
  Notification Line (877) 526-6759

37
Amendment to Record

• What if the patient disagrees with the
  information in his medical record?
• An individual has a right to request an amendment
• We can require a written request with reason for
  the change
• We have 60 days to act
• We must notify the individual if the amendment
  was accepted and inform relevant persons
  identified by the individual
• We can never delete the original information-the
  amendment allows the patient to supply a written
  supplement to their medical record

38
Amendment to Record

• Can we deny the patients request to amend his
  medical record?
• We may deny the request if the health
  information
• Was not created by us
• Is not part of their medical or billing records
• Was not available for inspection
• Is accurate and complete

39
Amendment to Record

• What happens if we deny the request for
  amendment?
• We must provide timely, written notice to the
  individual
• The notice must explain the reason for denial,
  the right to submit a written statement of
  disagreement, and the individuals right to
  complain to us or directly to the government
• We may prepare a rebuttal statement and give a
  copy to the individual
• We must include request and denial with future
  disclosures

40
Authorization

• What happens if the patients spouse wants a copy
  of his/her record?
• PATIENT authorization is REQUIRED
• Valid authorization must be in writing

41
Consent

• What happens when a patient comes into our
  facilities after April 14, 2003?
• Healthcare Providers are required to have a
  Privacy Notice
• At registration, patients will be given a copy of
  IURAs Notice of Privacy Practices
• There will be a written acknowledgement from the
  patient that theyve been given a copy of this
  notice
• We are also required to post the Privacy Notice
  in the waiting rooms and on our website

42
Dont see the answer to your question here?

• Try looking at the HIPAA website
• http//www.hhs.gov/ocr/hipaa/privacy.html
• http//www.hhs.gov/ocr/hipaa/whatsnew.html
• http//www.hhs.gov/ocr/index.html

43
Dont see the answer to your question here?

• Or contact the following
• IURA HIPAA Liaison-Rita McFarland
• Phone number 274-4328
• E-mail rimcfarl_at_iupui.edu
• Office of Compliance Services
• Phone number (317) 278-4891
• Website www.medicine.iu.edu/wecomply
• IU Compliance Notification Line
• Phone number (877) 526-6759

44
Conclusion

• After reviewing the study packet, complete the
  attached short quiz to receive credit for this
  training. Please print out the completed quiz
  and training form and forward to
• Rita McFarland
• Radiology Department
• UH 0663C