HIPAA Awareness Training - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Awareness Training

Description:

What are IURA's policies and procedures regarding patient information and confidentiality ... No, it's not short for hippopotamus! What is HIPAA? ... – PowerPoint PPT presentation

Slides: 45
Provided by: rickymc
Transcript and Presenter's Notes

1
HIPAA Awareness Training
  • Self-study training module

2
HIPAA Training Module
  • This module features the following lessons:
  • What is HIPAA?
  • Why do I need to take this training?
  • What are IURA's policies and procedures regarding
    patient information and confidentiality?
  • FAQs - Frequently asked questions

3
HIPAA
  • Recently there has been a great deal of talk
    about HIPAA and what it means to healthcare.
    Many people have suggested that the changes that
    HIPAA brings to healthcare will be monumental.

4
HIPAA
  • Overview
  • Privacy and Confidentiality
  • Compliance with the Privacy Rules requires
    cooperation among the medical center affiliates
    (IUSM, Clarian, VA, Wishard, practice plans,
    School of Nursing, all must comply)
  • Everyone at IUSM must comply

5
What is HIPAA?
  • HIPAA stands for:
  • Health
  • Insurance
  • Portability and
  • Accountability
  • Act of 1996
  • No, it's not short for hippopotamus!

6
What is HIPAA?
  • HIPAA is a federal regulation with which most
    healthcare providers must comply; it protects the
    privacy, security and confidentiality of a
    patient's health information.

7
What is HIPAA?
  • With HIPAA, the government mandates that IURA
    protect the privacy, security and confidentiality
    of our patients.

8
What is HIPAA?
  • What is protected?
  • Protected health information (PHI) is:
  • Individually identifiable health information
  • Information that identifies the individual, or for
    which there is a reasonable basis to believe it can
    be used to identify the individual (e.g. name,
    social security number, demographic information)
  • Transmitted or maintained in any form or medium

9
What is HIPAA?
  • De-Identified Information
  • PHI is de-identified by removing, coding,
    encrypting, or otherwise eliminating or
    concealing individually identifiable information
  • Regulations do not apply to de-identified
    information
  • May be used or disclosed freely as long as the
    code to re-identify the information is not
    accessible

10
HIPAA
  • HIPAA requires that all health care
    organizations have a privacy officer.
  • Our Privacy Officer is Marcia Gonzales in
    the IUSM Office of Compliance Services
  • 278-4891
  • The HIPAA liaison for the Radiology Department
    is:
  • Rita McFarland
  • UH 0663C
  • 274-4328

11
HIPAA
  • Their roles are to provide in house reference and
    guidance for the processes established to comply
    with the HIPAA privacy regulations.

12
HIPAA - Why is training necessary?
  • The Privacy, Security and Confidentiality of
    patient information is important to IURA.
  • ...and it's important that you know the rules
    regarding patient confidentiality.

13
HIPAA - Why is training necessary?
  • Confidentiality is so important that IURA
    requires that:
  • All employees and workforce members be informed
    of their responsibility to protect
    confidentiality.
  • Proven violation of the confidentiality of
    patient information shall result in immediate
    disciplinary action up to and including
    termination.

14
HIPAA Policy
  • What is Indiana University Radiology Associates'
    policy?
  • Our policy states that patient information will
    be kept private and confidential
  • Our policy also guides us on who should have
    access to patient information
  • Direct access to patient information shall only
    be permitted to those employees who have a need
    to know to perform their job functions

15
HIPAA - Policy
  • What patient information does IURA require me to
    keep confidential?
  • Demographic information
  • Examples: name, social security number, date of
    birth, address, etc.
  • Information about injury, illness or condition
    including symptoms, diagnosis or treatment
  • Conversations between the patient and health care
    workers

16
HIPAA - Policy
  • In regard to HIPAA, the need to know is defined as
    Minimum Necessary Information.

17
HIPAA - Policy
  • When do I need to know?
  • Need to Know is when you need information to:
  • Document the patient's treatment
  • Facilitate communication between physicians and
    other professionals contributing to the patient's
    care
  • Provide continuity of patient care
  • Provide a basis for review, study, and evaluation
    of patient care processes
  • Provide clinical data for approved research,
    study, and education and for legitimate business
    purposes.

18
HIPAA - Policy
  • What are legitimate business purposes?
  • Legitimate business purposes include provision
    of:
  • Statistical data for decision making and planning
  • Data to third parties as specified by law (e.g.
    communicable diseases, coroner's cases, burns,
    cancer registry reporting, etc.)
  • Documentation for billing and insurance claims
    processing
  • Appropriate access to medical records and data as
    required for licensing and accreditation purposes.

19
HIPAA - Policy
  • Our policy also guides us on when and where we
    can discuss patient information.
  • Discuss patient information privately, never in
    elevators, lobbies, cafeterias, or corridors
  • Make sure requisitions, forms, and computer
    screens with patient names and information are
    not easily viewed by others
  • Dispose of unnecessary patient information in
    proper receptacles for shredding, not ordinary
    trash bins

20
HIPAA
  • And remember:
  • Co-workers can be patients, too. They have every
    right to expect the same level of privacy
  • Just like you do whenever you're a patient!

21
HIPAA
  • HOW do I protect the privacy of my co-workers?
  • Take special care to respect the privacy of
    co-workers and colleagues who are patients.
  • Do NOT discuss the health care services of your
    co-workers with anyone who is not directly
    involved in their care.
  • Do NOT ask co-workers why they are a patient, or
    their reasons for accessing health services.
  • Do NOT access their private health information
    unless it is for patient care purposes

22
HIPAA Privacy, Security, and Confidentiality
  • There will be a few changes brought about by
    HIPAA. These are summarized below:
  • We are required to provide a Notice of Privacy
    Practices to all patients that describes their
    rights over their PHI
  • Patients will sign an acknowledgement form
    stating that they received a copy of the Privacy
    Notice
  • We are required to make a good faith effort to
    obtain this acknowledgement (verbal
    acknowledgement is not enough; it must be in writing)

23
HIPAA Privacy, Security, and Confidentiality
  • There will be a formal process for patients to:
  • Request copies of their medical record
  • Obtain a list of who has accessed their
    information
  • Make amendments to their medical records
  • Complain to our HIPAA liaison or privacy officer
    about our privacy practices

24
Security Safeguards
  • Passwords - don't share and don't post
  • Workstations - secure your workstation, use screen
    savers, lock your computer if unattended, log off
    when not in use, log off at night
  • E-mail - avoid sending sensitive/confidential
    patient information; Outlook is not currently
    encrypted
  • Removable media (disks, CDs) - lock up and store,
    dispose/destroy properly
  • Internet - VPN, firewalls, monitor and audit usage,
    utilize virus protection

25
FAQs
  • The following pages provide answers to some
    Frequently Asked Questions about HIPAA.
  • Read them to learn more about how HIPAA will (and
    won't) change the way you work.

26
Access to Information
  • What happens when the patient wants to know what
    is in his/her medical record?
  • Patients have the right to access and obtain a
    copy of their medical or billing information
  • We must act upon their request within 30 days
  • We may deny a patient's request in some
    circumstances

27
Access to Information
  • Does the Privacy Rule require us to provide
    private rooms and soundproof walls to avoid any
    possibility that a conversation is overheard?
  • No, the Privacy Rule does not require these
    types of structural changes
  • However, we must have in place appropriate
    administrative, technical and physical
    safeguards to protect the privacy of health
    information

28
Access to Information
  • Reasonable safeguards mean that we must make
    reasonable efforts to prevent uses and
    disclosures not permitted by the rule.

29
Access to Information
  • Does HIPAA force us to isolate X-ray view boxes?
  • No, HIPAA standards do not require that we take
    this specific measure. However, we must take
    reasonable precautions to prevent inadvertent or
    unnecessary disclosures. While the Privacy Rule
    does not require that we totally isolate view
    boxes, it does require that we take reasonable
    precautions to protect X-rays from being
    accessible to the public.

30
Access to Information
  • If health care providers engage in confidential
    conversations with other providers or patients,
    have they violated HIPAA if there is a
    possibility that they could be overheard?
  • As long as reasonable precautions are taken to
    minimize the chance of inadvertent disclosures to
    others who may be nearby (such as using lowered
    voices, talking apart, etc.), health care staff
    may discuss a patient's condition at nurses'
    stations, over the phone with the patient, a
    provider, or a family member, or during training
    rounds in an academic or training institution.

31
Access to Information
  • Can we FAX patient medical information to a
    physician's office?
  • The Privacy Rule permits the disclosure of
    protected health information to another health
    care provider for treatment purposes. This can
    be done by fax or other means. Health care
    providers must have in place reasonable
    safeguards to protect the privacy of the
    protected health information such as confirming
    that the fax number to be used is correct and
    placing fax machines in secure locations to
    prevent unauthorized access to the information.

32
Access to Information
  • Can we use patient sign-in sheets or call out the
    names of patients in their waiting rooms?
  • Yes, patient sign-in sheets and calling out names
    in waiting rooms may be used as long as the
    information disclosed is appropriately limited.
    The Privacy Rule explicitly permits certain
    incidental disclosures that occur as a
    by-product of an otherwise permitted
    disclosure - for example, disclosing to other
    patients in a waiting room the identity of the
    person whose name is called. However, this is only
    permitted if reasonable and appropriate
    safeguards are used to limit confidential
    patient information, such as the diagnosis or
    history of the patient.

33
Business Associates
  • What happens when the radiologist dictates a
    report that is transcribed by an outside
    transcription agency?
  • The transcription company is a business associate
    because they are interacting with health
    information and performing the service on our
    behalf. A Business Associate Agreement with the
    company that meets HIPAA standards is required.

34
Complaints
  • Can patients complain to us?
  • Patients have always had the right to complain to
    us or any of our state, federal, or accrediting
    bodies.
  • Under HIPAA, we have to tell patients that they
    can complain to us, or the Department of Health
    and Human Services, Office of Civil Rights. This
    is outlined in our Notice of Privacy Practices.
  • If a patient wants to file a complaint with IURA,
    contact the HIPAA liaison.

35
Complaints
  • If a patient wants to file a complaint with the
    Department of Health and Human Services, it must
    meet the following requirements:
  • A complaint must be filed in writing
  • The person must name the facility where the
    violation occurred and describe what happened
  • The complaint must be filed within 180 days of
    occurrence

36
Complaints
  • Can employees report possible violations of the
    privacy rule to us?
  • Employees are encouraged to report possible
    violations of the privacy rule to us. If there's
    a problem, we want to fix it. Employees should
    feel comfortable knowing that we will not take
    any retaliatory action when employees file
    complaints
  • Employees should submit their complaint to the
    Radiology HIPAA Liaison
  • Employees may also use the IU Compliance
    Notification Line (877) 526-6759

37
Amendment to Record
  • What if the patient disagrees with the
    information in his medical record?
  • An individual has a right to request an amendment
  • We can require a written request with reason for
    the change
  • We have 60 days to act
  • We must notify the individual if the amendment
    was accepted and inform relevant persons
    identified by the individual
  • We can never delete the original information - the
    amendment allows the patient to supply a written
    supplement to their medical record

38
Amendment to Record
  • Can we deny the patient's request to amend his
    medical record?
  • We may deny the request if the health
    information:
  • Was not created by us
  • Is not part of their medical or billing records
  • Was not available for inspection
  • Is accurate and complete

39
Amendment to Record
  • What happens if we deny the request for
    amendment?
  • We must provide timely, written notice to the
    individual
  • The notice must explain the reason for denial,
    the right to submit a written statement of
    disagreement, and the individuals right to
    complain to us or directly to the government
  • We may prepare a rebuttal statement and give a
    copy to the individual
  • We must include request and denial with future
    disclosures

40
Authorization
  • What happens if the patient's spouse wants a copy
    of his/her record?
  • PATIENT authorization is REQUIRED
  • Valid authorization must be in writing

41
Consent
  • What happens when a patient comes into our
    facilities after April 14, 2003?
  • Healthcare Providers are required to have a
    Privacy Notice
  • At registration, patients will be given a copy of
    IURA's Notice of Privacy Practices
  • There will be a written acknowledgement from the
    patient that they've been given a copy of this
    notice
  • We are also required to post the Privacy Notice
    in the waiting rooms and on our website

42
Don't see the answer to your question here?
  • Try looking at the HIPAA website:
  • http://www.hhs.gov/ocr/hipaa/privacy.html
  • http://www.hhs.gov/ocr/hipaa/whatsnew.html
  • http://www.hhs.gov/ocr/index.html

43
Don't see the answer to your question here?
  • Or contact the following:
  • IURA HIPAA Liaison - Rita McFarland
  • Phone number: 274-4328
  • E-mail: rimcfarl@iupui.edu
  • Office of Compliance Services
  • Phone number: (317) 278-4891
  • Website: www.medicine.iu.edu/wecomply
  • IU Compliance Notification Line
  • Phone number: (877) 526-6759

44
Conclusion
  • After reviewing the study packet, complete the
    attached short quiz to receive credit for this
    training. Please print out the completed quiz
    and training form and forward them to:
  • Rita McFarland
  • Radiology Department
  • UH 0663C