Title: HIPAA Health Insurance Portability and Accountability Act
Slide 1: HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a law that JIRDC staff must follow. This program will focus on the rights of people who live at JIRDC and their guardians. As a consumer of health care, you also have these rights.
Slide 2: The Health Insurance Portability and Accountability Act (HIPAA)
- What is HIPAA?
- What does this mean to us at JIRDC?
- What are the six Privacy Rights?
- What is Protected Health Information (PHI)?
- What do we do with PHI?
- What changes must we make here at JIRDC?
- How long do we have, and what if we don't?
Slide 3: HIPAA: What is it?
- Congress passed a law, the Health Insurance Portability and Accountability Act (HIPAA), in order to require insurance companies, hospitals, and other health care providers to protect people's privacy.
- JIRDC has been classified as a health care provider, so we must meet the requirements of this law.
Slide 4: What does it mean to us?
- People who live at JIRDC and their guardians have six Privacy Rights.
- We must understand what Protected Health Information (PHI) is.
- We must be very careful with PHI and learn to use "minimum necessary."
- All staff must receive Privacy training.
Slide 5: Residents Have Six Privacy Rights
- The right to receive a copy of JIRDC's Notice of Privacy Practices
- The right to inspect and receive a copy of information in files we keep
- The right to request a change in information
- The right to know who we have shared their information with
- The right to request restrictions on who we share information with
- The right to request an alternative method of contact
Because the people living at JIRDC each have a legal guardian, the guardian will be the person who exercises these rights.
Slide 6: Notice of JIRDC Privacy Practices (Right 1)
- We have developed a detailed Notice of JIRDC Privacy Practices explaining how Protected Health Information (PHI) is handled for treatment, payment, and health care operations, and explaining the Privacy Rights.
- The social workers are responsible for sending a JIRDC Notice of Privacy Practices to each guardian.
Slide 7: Access of Individuals to PHI (Right 2)
- JIRDC residents and their guardians have a right to inspect certain records that we keep.
- The request begins with the completion of a Request for Consumer Access to Protected Information form.
- If we receive a request by an individual to view their record (all or part), we must act on the request within 30 days.
Slide 8: Location of JIRDC Records
- JIRDC has identified certain records that may be inspected. The primary records are:
  - the record in the home
  - the record housed in the Resident Records Department
The log book is an example of a record that may not be inspected because it contains information about more than one person.
Slide 9: Location of Request Form
- Each guardian must sign a form when requesting to see the records. The Social Worker or Home Coordinator will have this form.
- Although we have 30 days to allow access, it should not take long to reply to a request.
Slide 10: Amending PHI (Right 3)
- If a guardian feels that some information in the record is not correct, he may ask for a change to be made.
- Residents and their guardians have the right to request amendments to PHI by completing a Request for Amendment of Health Care Information form.
- We must respond to requests for amendment within 60 days.
- If we determine the PHI is accurate and complete, it does not have to be amended.
Slide 11: Accounting of Disclosures of PHI (Right 4)
- A guardian may ask to see a record of individuals who have seen the resident's chart for the 6 years prior to the request.
- This does not include disclosures for treatment, payment, or operations.
- This also does not include disclosures to the individual or guardian, or to law enforcement.
- No information must be provided about disclosures that occurred prior to April 14, 2003.
Slide 12: Requesting Restrictions on Disclosures of PHI (Right 5)
- Guardians may request that we limit the use and disclosure of health information about residents for the purposes of treatment, payment, and operations.
- We are not required to agree to their request to limit the number of people who view the record.
- If we do agree to it, we must follow the agreed restrictions (except for emergency treatment).
Slide 13: Receiving PHI: Alternative Means or Alternative Locations (Right 6)
- Guardians usually prefer that information be mailed to their home addresses and that phone calls be made to their home phones. However, a guardian may ask JIRDC to use a different address, phone number, e-mail, FAX, etc.
Slide 14: Receiving PHI: Alternative Means or Alternative Locations (Right 6, continued)
- We must provide our guardians with the opportunity to receive PHI communications by alternative means or at alternative locations (such as a work address instead of a home address).
- We must oblige all reasonable requests.
Slide 15: Refraining from Retaliation
- Guardians who want to exercise their rights should not receive any negative responses from staff.
- JIRDC must not intimidate, threaten, coerce, discriminate, or retaliate against any person attempting to exercise their rights under the privacy regulations.
- All staff must remain neutral toward guardians choosing to exercise their rights.
Slide 16: Protecting Confidential Information Learned at JIRDC
- ALL information about a person who lives at JIRDC which is learned as a result of performing your job is confidential information.
- According to state law, all JIRDC employees are responsible for assuring confidentiality.
- If you don't protect information about people who live at JIRDC, you can be fined, suspended, or dismissed from your job.
- The Federal HIPAA law focuses on Protected Health Information (PHI).
Slide 17: What is Protected Health Information (PHI)?
- Any health information that can be identified to a person is PHI.
- We are using a very liberal definition of health information that includes treatment, care, and demographic information.
- The fact that a person lives at JIRDC is PHI.
- PHI can be dates (except just the year), record number, Social Security Number, full-face photographic image, or any other unique, identifying information.
Slide 18: Recognizing PHI When You See It
- PHI is not just information in the resident record. PHI can look like anything.
- PHI can be spoken, such as a conversation or an answering machine message.
- PHI can be written, such as on a piece of paper, a computer monitor, or a chalkboard.
Slide 19: Recognizing PHI When You See It (continued)
- PHI reveals something about a person's past, present, or future health or condition.
- PHI is individually identifiable (gives a reasonable basis for determining a person's identity). PHI is about a specific person. You may know the person if you hear their name or if you can guess who it is by the information that is provided.
Slide 20: Rule 1: It can look like anything
- Data appearing on computer monitors
- Lab test results
- Resident schedule boards
- A conversation about a resident's health
- An appointment reminder left on a guardian's answering machine
- File server backup tapes
- Financial records
Slide 21: Rule 2: It reveals something about health
- It does not have to be present health. It can also be past or future health.
- It does not have to be about bad health. "Joe is feeling fine" also qualifies as PHI.
- Since knowledge that a person lives at JIRDC strongly implies a diagnosis of mental retardation, this also qualifies as PHI.
Slide 22: Rule 3: It is individually identifiable
- This means that someone seeing or hearing the health information can identify the person it's about.
- The information must provide a reasonable basis for determining the person's identity.
- When health information is paired with unique identifiers (like a client number or a photograph) it is always PHI.
Slide 23: What do we do with PHI?
- Protect it! Keep it private by not leaving it lying around where it can be seen.
- Except for treatment reasons, provide the minimum necessary to meet the needs of the requestor.
- "Minimum necessary" means providing just enough information to meet the needs of the requestor and no more.
Slide 24: Some things we do to protect PHI
- Pick up all meeting handouts and erase blackboards when meetings are done.
- Working on PHI? When you leave for lunch, cover it up AND lock it up.
- Talking PHI on the phone? Keep your voice low if you might be overheard.
- Avoid mentioning PHI at restaurants.
Slide 25: Dealing with PHI: Test Yourself
Five situations related to minimum necessary follow. Read each situation. Determine if each situation was handled correctly.
Slide 26: Dealing with PHI: Scenario 1
- Mary is escorting four residents to a movie. As they are leaving, Mary's supervisor tells her to make sure Phil gets to sit very close to the screen because he is having some vision problems stemming from developing cataracts.
Was this situation handled correctly?
Slide 27: Dealing with PHI: Scenario 1 (answer)
- Since treatment of Phil's cataracts was not involved, the minimum necessary rule applies here. It was appropriate for Mary's supervisor to tell her to make sure Phil gets to sit very close to the screen because he is having some vision problems. It was not necessary to mention his cataracts.
This is NOT minimum necessary.
Slide 28: Dealing with PHI: Scenario 2
- Mary has been asked to drive Phil to a shoe store and help him purchase new shoes. Mary's supervisor tells her to make sure Phil's new shoes have good arch support because he has heel spurs.
Was this situation handled correctly?
Slide 29: Dealing with PHI: Scenario 2 (answer)
- Selecting the proper shoes is a big part of the treatment of heel spurs. Communicating the fact that Phil has heel spurs was for treatment reasons, so the minimum necessary rule does not apply. It was appropriate for Mary's supervisor to mention the heel spurs. It would also be appropriate for Mary to mention it to the store clerk.
This is a treatment situation, and minimum necessary does not apply.
Slide 30: Dealing with PHI: Scenario 3
- A JIRDC advocate is interviewing Mary about a bruise that has appeared on Phil's arm. Mary answers questions about the bruise, but decides not to tell the advocate about two other bruises on Phil's leg, since this information does not seem to meet the minimum necessary rule.
Was this situation handled correctly?
Slide 31: Dealing with PHI: Scenario 3 (answer)
- The advocate's investigation of possible abuse is a part of Phil's treatment at JIRDC, and the minimum necessary rule does not apply. Mary should have mentioned the leg bruises to the inquiring resident advocate.
Advocates have the right to see all information. Minimum necessary does not apply.
Slide 32: Dealing with PHI: Scenario 4
- Phil's mother shows up unexpectedly with a copy of JIRDC's Notice of Privacy Practices in her hand. She wants to examine Phil's chart. Mary remembers this is a new right, takes her to the chart, and lets her examine it.
Was this situation handled correctly?
Slide 33: Dealing with PHI: Scenario 4 (answer)
- Requests to examine records must be handled by the Home Coordinator. Mary should have helped Phil's mother submit her request to the Home Coordinator in writing (required) and should not have allowed her to examine any records.
A guardian must complete a written request to see the record.
Slide 34: Dealing with PHI: Scenario 5
- Phil suddenly develops very shallow breathing and is taken to Grace Hospital's emergency room. Staff take Phil's resident record with them. The entire record is made available to emergency room physicians as they attempt to determine the cause of Phil's shallow breathing.
Was this situation handled correctly?
Slide 35: Dealing with PHI: Scenario 5 (answer)
- The sharing of Phil's PHI with the staff at Grace Hospital was for treatment reasons. The minimum necessary rule does not apply.
This is a treatment situation, and minimum necessary does not apply.
Slide 36: Rules We Must Follow at JIRDC
JIRDC staff have many rules regarding the handling of PHI. Many of the rules involve how computers are used. ALL of the rules involve common sense.
Slide 37: Some Rules We Must Follow
- PHI must be secured when no one is in the area: no open log books.
- No PHI should be viewable in public areas.
- No PHI should be sent in e-mail (except password-protected attachments).
- No PHI should be left at copy machines, fax machines, or conference rooms.
- Discarded PHI must be shredded.
Slide 38: Computer Rules We Must Follow
- Computer monitors showing PHI must be positioned for privacy.
- Computer passwords must not be shared and must be reasonably un-guessable.
- Computer passwords must not be left visible or hidden where they can be found.
- Computer users must log off the network when leaving computers unattended.
Slide 39: More Rules We Must Follow
- If you notice your login name has been changed while you were away from your computer, report it to Computer Services.
- If you see an intruder lockout message while logging into the network, report it to Computer Services.
- Pay attention to any unusual login names that show up on your computer. Report what you see to Computer Services.
Slide 40: Even More Rules We Must Follow
- We must not discuss a resident within the hearing of other individuals or visitors.
- We must not leave keys unattended.
- When sharing resident health information, we must share the minimum necessary (except for treatment reasons).
- JIRDC must sanction staff for violations of the Privacy rules.
Slide 41: Security Awareness at JIRDC
All JIRDC staff are responsible for keeping data secure. Computer data should be kept safe by the person who created the disk, CD, or printout. All security incidents must be reported as soon as possible.
Slide 42: Security Awareness
- JIRDC data must be kept secure at all times. Staff who use computers and staff who do not use computers are responsible for protecting information.
- Information created on JIRDC computers is considered property of JIRDC and the State of NC regardless of how the information is stored.
Slide 43: Security Awareness (continued)
- Computer printouts, floppy disks, or CDs which are found not under direct observation of a responsible data owner should be picked up by the person who finds them and turned in to their supervisor.
Slide 44: Security Awareness (continued)
- A security incident is a violation, or imminent threat of violation, of computer security policies. Notify your supervisor or the JIRDC Computer Help Desk as soon as possible if you suspect a security incident has occurred.
Slide 45: Workforce Privacy Sanctions
If staff break the rules, there are 3 levels of violations and punishments.
The 1st level is accidental.
The 2nd level is purposeful.
The 3rd level is malicious.
Malicious violations are the most serious and can result in loss of jobs and criminal prosecution.
Slide 46: Workforce Privacy Sanctions: Accidental Violations
- This violation occurs when an employee unintentionally or carelessly accesses or reveals resident information to others without a legitimate need to know.
- Examples: discussing a resident in a public area without discretion; sharing your network password.
- Sanctions include verbal counseling and training, or written counseling and training.
Slide 47: Workforce Privacy Sanctions: Purposeful Violations
- This violation occurs when an employee accesses or discusses information about a resident for purposes other than the care of the resident or to perform one's specific job responsibilities.
- Examples: using another employee's login name and password; looking up resident information out of curiosity.
- Sanctions include written counseling and training, or suspension and training.
Slide 48: Workforce Privacy Sanctions: Malicious Violations
- This violation occurs when an employee accesses or reveals resident information to others for personal gain or with malicious intent.
- Examples: destroying or altering data intentionally; releasing information in an attempt to harm a resident or JIRDC.
- Sanctions include written counseling and training, termination, and prosecution.
Slide 49: Failure to Comply: Penalties
JIRDC and the employee can be punished for violations. The following fine is for JIRDC:
- $100 per violation per person, up to $25,000 per person per year per standard violated.
Slide 50: Failure to Comply: Penalties (continued)
The remaining fines and jail time apply to the employee:
- Up to $50,000 and 1 year in prison for inappropriate use of PHI
- Up to $100,000 and 5 years in prison for using PHI under false pretenses
- Up to $250,000 and 10 years for intent to sell or use PHI for personal gain or malicious harm
Slide 51: Let's Review! Residents Have Six Privacy Rights
- The right to receive a copy of JIRDC's Notice of Privacy Practices
- The right to inspect and receive a copy of information in files we keep
- The right to request a change in information
- The right to know who we have shared their information with
- The right to request restrictions on who we share information with
- The right to request an alternative method of contact
Slide 52: Let's Review! Three Rules for Recognizing PHI
- PHI can look like anything.
- PHI reveals something about health.
- PHI can be identified to an individual.
Slide 53: Let's Review! PHI Must Be Protected
- We must not leave it lying around where it can be seen.
- We must not post it in public places.
- We must be careful what we say when we can be overheard.
Slide 54: Let's Review! What is Minimum Necessary?
- Except for treatment reasons, when sharing health information about a resident you should share the minimum necessary amount of information.
- That means what it takes to get the job done and no more.
- There should be no gossiping about resident health matters.
Slide 55: Let's Review! Violations MUST Be Punished
- Violations of HIPAA Privacy rules MUST be punished by JIRDC Administration.
- Minor violations will be viewed as training opportunities.
- There are some very severe penalties for violating the privacy rights of JIRDC residents.
- How severe? Up to 10 years in jail and a $250,000 fine.
Slide 56: How much have you learned?
You have finished the HIPAA slide show. Tell the LRC Instructor that you are ready to take the quiz.