Title: HIPAA Privacy Training
Slide 1: HIPAA Privacy Training
- Health Insurance Portability and Accountability Act of 1996
- Standards for Privacy of Individually Identifiable Health Information
- 45 CFR Parts 160 and 164
THIS INFORMATION MUST BE PRESENTED OR, IF THROUGH SELF-STUDY, REVIEWED IN ITS ENTIRETY. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and focused on improving health insurance accessibility for persons changing employment or leaving the work force (portability). HIPAA consists of several different parts. One part, called the Privacy Rule, concerns the privacy of health information. The Privacy Rule includes a requirement that all members of a health care provider's workforce (including students) must be trained on the provider's policies and procedures relating to privacy. This training program was developed through a collaborative effort of representatives of various Hawaii health care providers. The collaborative facilities developed and adopted a standard policy with regard to appropriate uses of health information for educational purposes. Although the policies of these facilities may be similar, specific procedures may vary from facility to facility. Therefore, when you begin your training at a facility, you should familiarize yourself with the specific policies and procedures of that facility.
Slide 2: The Privacy Rule
- Creates national foundation of privacy
- Does not preempt more stringent state laws
- Extends
  - Certain individual rights to privacy
  - Protection of individuals' medical records and health information
HIPAA addresses national standards for electronic data transmission, unique health identifiers, security standards, and standards for privacy and confidentiality. Covered Entities were required to comply with the Privacy Rule by April 14, 2003. The government believes a national foundation of privacy protections is necessary because technological advances have resulted in increasing electronic transmission of health care data. Standardization of the collection, storage and transmission of such data has been limited, while public concern about the privacy and security of health information has grown. It is important to note that HIPAA provides a floor of protection, and does not preempt more stringent protections provided under state law. Therefore, a health care provider must be familiar with both state and federal laws relating to the use and disclosure of health information.
Slide 3: Who's affected?
- Direct impact
  - Health plans
  - Health care clearinghouses
  - Health care providers (who transmit health information electronically)
- Indirect impact
  - Business associates (vendors, consultants, contracted providers)
All Covered Entities are required to comply with HIPAA regulations. Covered Entities include Health Plans that provide or pay the cost of medical care, including employer plans and programs; Health Care Providers (doctors, nurses, hospitals, etc.) who perform electronic transactions; and Health Care Clearinghouses (entities that process data from non-standard format to standard format, or vice versa). Business Associates of a Covered Entity, including vendors and consultants, are usually required to comply with HIPAA regulations by means of a Business Associate Agreement with the Covered Entity. A Business Associate may or may not be a Covered Entity.
Slide 4: What's protected?
- Protected health information (PHI) refers to
  - Individually identifiable health information relating to
    - Person's past, present and future health or condition
    - Provision of health services to the person
    - Past, present and future payment of health services to the person
  - Information transmitted or maintained in any form
  - Includes data considered individually identifiable
Protected Health Information (PHI) means any individually identifiable health information about a person. PHI is protected under HIPAA and, therefore, cannot be disclosed by a Covered Entity without the agreement or authorization of that person, or as allowed by law. This requirement will be described in more detail later. PHI includes information about the person's past, present and future health or condition; provision of health care services to the person; and past, present and future payment for health services to the person. Information transmitted or maintained in any form (verbal, written (paper) or electronic) is protected.
Slide 5: What's individually identifiable?
- Name
- Geographic divisions smaller than State (with exceptions)
- All dates (except year)
- Phone/fax numbers
- E-mail address
- SSN
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (including finger and voice prints)
- Full face photo and other images
- Any other unique identifier
- 45 CFR 164.514(b)(2)
The Privacy Rule identifies several data elements which, when used alone or in combination, may lead to the identification of a specific person. These data elements are referred to as individually identifiable health information, and are listed on this slide.
Slide 6: Rules for uses / disclosures of PHI
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to Object
- Agreement or Authorization not required (Exceptions)
- Authorization
There are four general rules about the use or disclosure of PHI:
- PHI can be disclosed for the purposes of Treatment, Payment or Health Care Operations (TPO) without the consent, agreement or authorization of the patient.
- The patient has the opportunity to agree or object to certain uses or disclosures of PHI.
- In some situations, usually as required under existing laws, PHI may be disclosed without the patient's authorization or agreement.
- Finally, in any other circumstance not described above, the patient will need to provide written authorization for the use or disclosure of his/her PHI.
Slide 7: Permitted Uses of PHI
- Uses/disclosures permitted for
  - Treatment
    - Some facilities may still require patient authorization for release of PHI
  - Payment
  - Health care operations (quality improvement, staff performance review, training in areas of health care, accreditation, medical review, audits, business planning and development, general administration, etc.)
Use or disclosure of PHI is permitted for a Covered Entity's Treatment, Payment and Health Care Operations. A Covered Entity may also disclose PHI to a health care provider for treatment purposes. Many facilities now release PHI for treatment as long as they receive a request stating that the provider is involved in the patient's treatment and the PHI is needed for the patient's treatment. It is important to recognize, though, that a facility can be more stringent and may still require written authorization, consent or other verification to release PHI for treatment. Covered Entities can also release PHI to each other for either Covered Entity's payment purposes and certain health care operations, as long as each Covered Entity has or had a relationship with the patient who is the subject of the PHI and the information released is relevant to that relationship. Examples are provided on slide 26.
Slide 8: Opportunity to Object
- Facility directories
- To clergy
- To persons involved in individual's care
- Notification purposes
- Disaster relief purposes
Under the Privacy Rule, a Covered Entity can use or disclose PHI for certain purposes as long as the patient verbally agrees, or the patient has been given an opportunity to object to the disclosure and has not objected. These purposes are listed above. Each facility has established procedures about how these uses or disclosures are implemented. See the Matrix for information about each facility's procedures. Be sure to review this information before you begin your training at a facility.
Slide 9: Agreement or Authorization Not Required (Exceptions)
- Required by law
- Public health activities
- Victims of abuse/neglect/domestic violence
- Health oversight
- Judicial/administrative proceedings
- Limited law enforcement purposes
- Coroners, medical examiners, funeral directors
- Organ/tissue donations
- Research purposes
- Serious threat to self/others
- Specialized government functions
- Workers' comp
In certain situations, disclosure is permitted without an authorization or an opportunity to object. This slide lists the types of disclosures that are allowed without the patient's authorization or agreement. Many of these disclosures are to government officials acting in a professional capacity. In general, students would not make these types of disclosures. For each of these types of disclosures, the Covered Entity must follow certain rules in terms of how and what PHI is released. In addition, the Covered Entity must track and account for these disclosures. Therefore, if you receive an inquiry that relates to these types of disclosures, you must check with the patient's attending physician, the facility's nursing staff or the facility's Privacy Officer before you release any information.
Slide 10: Authorizations
- For all other uses and disclosures of PHI
A valid authorization from the patient is
required for any other disclosure of PHI. For
example, if a patient applies for life insurance,
before the facility can disclose PHI to the life
insurance company, the patient must provide a
signed authorization form to the facility.
Slide 11: Notice of Privacy Practices
- Describes to patients how their protected health information may be used/disclosed
- Details patients' legal rights in regards to their PHI and how to exercise these rights
- Details legal obligations of covered entity to protect PHI
The Covered Entity must give the patient a Notice of Privacy Practices, which describes the ways the Covered Entity could use or disclose PHI. A health care provider who has a direct treatment relationship must provide the Notice at the time of the first service delivery, or in an emergency situation, as soon as possible. The Covered Entity must also make a good faith effort to obtain the patient's written acknowledgement of receipt of the Notice. If the acknowledgement was not obtained, the Covered Entity must document the reason why the acknowledgement was not obtained.
Slide 12: Individuals' Rights
- To receive Notice of Privacy Practices
- To inspect and/or obtain copy of PHI
- To request to amend PHI
- To request limits on certain uses/disclosures of PHI
- To receive accounting of disclosures
- To receive confidential communications
- To file a complaint
HIPAA gives the patient rights to privacy and accessibility with regard to his/her PHI. These rights are listed on this slide. Each facility has procedures about how the patient may exercise these rights. Refer any patient with questions about his/her rights under the Privacy Rule to the facility's Privacy Officer.
Slide 13: Other Requirements
- De-identification of PHI
- Minimum necessary
- Workforce Training
- Verification Process
- Business Associate Contracts
The Privacy Rule includes several other requirements:
- De-identification is the process of stripping PHI of all individually identifiable elements (see slide 5).
- The minimum necessary standard (i.e. need-to-know) will be covered later.
- The Covered Entity must train all members of its workforce on its policies and procedures related to privacy. Students are considered part of the facility's workforce, which is why you are completing this training.
- Verification process refers to a requirement that a Covered Entity must verify the identity and authority of a person who is requesting to have access to PHI.
- Finally, a Covered Entity must enter into a Business Associate Contract with a person or entity who provides certain types of services for the Covered Entity and who accesses PHI in the course of providing those services.
Slide 14: Other Restrictions
- Marketing
- Fundraising
- Specially Protected Health Information
  - Additional protections under Hawaii State law relating to release of HIV, mental health and substance abuse treatment records
The Privacy Rule imposes other restrictions on the use or disclosure of PHI for marketing and fundraising. Those restrictions will not be discussed here. If, in the future, you are involved in marketing or fundraising, you will need to familiarize yourself with applicable sections of the Privacy Rule. As stated previously, the federal Privacy Rule does not preempt more stringent state law. In Hawaii, certain information, called specially protected health information, is afforded more stringent protection. Under Hawaii State law, release of specially protected health information requires the patient's consent, including for treatment and payment purposes.
Slide 15: What's the consequence of non-compliance?
- Penalties
  - Civil: $100 per violation, up to $25,000 per year
  - Criminal: up to $250,000 and/or 10 years in prison
There are penalties for violating or failing to comply with the Privacy Rule. A Covered Entity may be subject to civil and criminal sanctions that include monetary fines and imprisonment.
Slide 16: Sanctions
- Facilities required to sanction members of workforce (includes students) who violate policies and procedures relating to privacy and security of health information.
- Student sanctions may include suspension or termination of access privileges to PHI and/or participation in educational programs at facility.
A Covered Entity is required to have a process for sanctioning workforce members who violate privacy policies and procedures. Student sanctions may be levied by the facility and/or the educational program in which you participate.
Slide 17: What you need to know to operate in different facilities
- Facility Directory
- Family Involvement
- Minimum Necessary
- Appropriate Educational Access/Use
- Requesting/Disclosing PHI for treatment
- Requests/Disclosures to Govt. agencies
- Patient Requested Restrictions on use/disclosure
As stated previously, privacy training includes training about the facility's policies and procedures. Each facility may implement its procedures differently. See the Matrix for information about each facility's procedures. Be sure to review this information before you begin your training at a facility.
Slide 18: What is a Facility Directory?
- The information a hospital releases to the media or the public when they call to ask about a patient
- This information is limited to
  - Location
  - Condition
- May only release info in the directory to people who ask for patient BY NAME
Facility directory requirements apply to hospital inpatients. The hospital maintains a list of inpatients. If a caller or visitor asks for a patient BY NAME, the hospital may:
- Acknowledge the patient's presence
- Provide the patient's room number, and
- Provide a one-word description of the patient's condition.
This is the maximum amount of information that may be disclosed for facility directory purposes. Facility directory requirements apply to inquiries by members of the media, as well as other callers or visitors.
Slide 19: Facility Directory
- Patient may ask hospital to NOT release information to media or others who call
- Each hospital will have process to identify these NO INFORMATION patients
- YOU must be aware of each hospital's codes and process to identify these patients
- DO NOT release information in violation of the patient's information status
The patient has the right to object to disclosures for facility directory purposes. In other words, a patient may tell the hospital to disclose no information about him/her to callers or visitors. The hospital must honor the patient's request for privacy. As a member of the hospital's workforce, you must not disclose information about a patient with No Information status to callers or visitors. Each hospital has established procedures for honoring patients' requests. See Matrix for details.
Slide 20: Facility Directory
- NO INFORMATION STATUS
  - PATIENT'S LOCATION/CONDITION WILL NOT BE DISCLOSED TO ANYONE, INCLUDING FAMILY/FRIENDS
  - Anyone asking for patient will be told, "We have no information regarding the individual."
If a patient has requested No Information status, the hospital will not:
- Acknowledge the patient's presence
- Disclose the patient's room number
- Describe the patient's condition
- Accept flowers, gifts or mail for the patient.
This restriction applies to family members, friends, or anyone else who may call or visit the hospital. They will be told, "We have no information about a person by that name."
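The directory rules on slides 18 to 20 reduce to a small decision, shown here as an added Python example (not part of the training deck or of any facility's system): the caller must ask by name, only location and a one-word condition may be released, and a NO INFORMATION patient gets exactly the reply an unknown name would get, so the answer itself never confirms that the patient is there. The inpatient list, patient names and reply wording are constructed assumptions.

```python
"""Facility directory disclosure check (slides 18 to 20).

Added example, not part of the training deck or any facility's system.
The inpatient list, names and reply wording are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

NO_INFORMATION_REPLY = "We have no information about a person by that name."
REFER_REPLY = "Please ask at the nurses' station, information desk or hospital operator."


@dataclass(frozen=True)
class Inpatient:
    name: str
    room: str
    condition: str                # one-word description only, e.g. "stable"
    no_information: bool = False  # patient asked for NO INFORMATION status


def _key(name: str) -> str:
    """Normalise a name so 'bob   example' and 'Bob Example' match the same entry."""
    return " ".join(name.split()).casefold()


# Constructed sample inpatient list (fictional patients).
INPATIENTS: Dict[str, Inpatient] = {
    _key("Alice Example"): Inpatient("Alice Example", "4B-12", "stable"),
    _key("Bob Example"): Inpatient("Bob Example", "2A-03", "fair", no_information=True),
}


def directory_response(query_name: Optional[str],
                       inpatients: Dict[str, Inpatient] = INPATIENTS) -> str:
    """Return the only statement the directory may make about a patient.

    Rules encoded from the slides:
      * the caller must ask BY NAME; any other request is referred onward;
      * only location and a one-word condition may be released;
      * a NO INFORMATION patient and an unknown name get the identical reply,
        so the reply itself never acknowledges the patient's presence.
    """
    if not query_name or not query_name.strip():
        return REFER_REPLY
    patient = inpatients.get(_key(query_name))
    if patient is None or patient.no_information:
        return NO_INFORMATION_REPLY
    condition = patient.condition.strip()
    if len(condition.split()) != 1:
        # Refuse rather than leak a diagnosis typed into the condition field.
        raise ValueError("directory condition must be a single word")
    return f"{patient.name} is in room {patient.room}; condition: {condition}."
```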
Slide 21: What should I do?
- Scenario 1
  - Q: I am approached in the hallway by someone who asks me if I know what room a patient is in. I saw the patient's name on the unit I just left. What should I do?
  - A: Refer the person to the nurses' station, information desk, or hospital operator. You do not know whether the patient has requested a NO INFORMATION status or other restrictions.
This scenario may present a cultural change, as most healthcare providers want to be helpful to visitors, understanding that family members may be worried about their loved one. However, we need to be mindful of the patient's right to privacy.
Slide 22: Family Involvement
- A patient's health information may be disclosed to family/others if
  - Patient gives verbal agreement,
  - Patient has opportunity to object and does not, or
  - You can infer from circumstances that patient does not object
- Emergency/incompetent patients: release information using professional judgement in best interests of patient
Examples of Permitted Disclosures to Family, Friends or Others:
- Daughter accompanies elderly patient into exam room. The patient says, "Can you explain it to my daughter?" You may provide instructions to the daughter.
- Wife goes to pharmacy and asks to pick up the prescription that Dr. Young called in for her husband. You may give the medications to the wife.
- Patient tells you that neighbor has been helping him with home exercise program. You may speak with the neighbor about the patient's exercises.
- You knock on the door and enter patient's room. There are several visitors in the room. You don't know who the visitors are. You say to the patient, "I'd like to talk with you about discharge planning. Can we talk now? Perhaps your visitors would like to have lunch? Or should I come back a little later?"
- Exception: In an emergency, when the patient is unable to express his/her wishes, use your professional judgment. Ask yourself, "Would it be in the patient's best interest if I disclosed the information?"
Slide 23: Family Involvement
- Information released must be directly relevant to that person's involvement in the patient's care or payment for that care
- A patient has the right to request that you not release information to family/others.
- If a patient asks that you not talk with family/others, please refer patient to nursing staff.
A Permitted Disclosure: Friend picks up patient after procedure. Patient will stay with friend for a few days. Friend asks, "What do I need to do?" You may explain to friend, "Here are her prescriptions. Be sure to keep the site dry. Sponge bath only. Call the doctor if the site gets red. No housework or lifting more than ten pounds." Not A Permitted Disclosure: You may not describe the patient's previous episodes of care to friend (the Emergency Room visit when she was a possible DUI, results of the biopsy she had two years ago, etc.). Responding to Patient's Request: It's important that you inform staff of a patient's request to limit involvement of family, friends or others. Staff will know how to document and follow up on the request. Each facility has established procedures for responding to such a request. See Matrix for details.
Slide 24: What should I do?
- Scenario 2
  - Q: The spouse of a patient I am seeing approaches me in the hallway and begins asking me questions about the patient. During my assessment visit, the patient indicated that she did not want information shared with her spouse. What should I do?
  - A: Patients have a right to not involve family members and others in their care. You should not share any information with the spouse per the patient's request, and you should alert the nursing staff about the patient's request.
The patient explicitly stated that she did not want her health information to be shared with her husband. As difficult as it may seem, you must honor her request. It is also important for you to promptly notify staff about the patient's request. They will know how to document and respond to the patient's request. Once a facility has agreed to a patient's restriction request, everyone, including students, must abide by it.
Slide 25: Minimum Necessary
- Need-to-Know Rule
- Access is a privilege. Individuals with access privileges have an obligation to limit access and use to the minimum necessary to perform their duties and responsibilities.
A key element of the Privacy Rule is the minimum necessary standard. This is the need-to-know rule. You are only permitted to access and use the minimum necessary amount of PHI for your specific duty, responsibility or purpose. In terms of educational uses of PHI, you must limit your access and use to the minimum amount of information required for your specific educational activity. Example: You would like to review records of ER patients admitted for near drowning for a presentation or paper. First, you must obtain the required approvals and determine the types of information or data that you will need to collect. Then, you must limit your access to only the episodes of care that relate to the study topic and record only the data elements that are necessary to prepare your presentation or paper.
Slide 26: Request/Disclose PHI for Treatment Purposes
- May request/disclose PHI for treatment where
  - Request is from a provider to whom you referred the patient for treatment, or provider involvement in patient's treatment is documented in medical record, or
  - Patient has signed an authorization or release for the disclosure to the provider, or
  - Provider has requested, in writing, the PHI for treatment purposes
As a student, you may be asked to release PHI to another health care provider who is involved in the patient's care. Under HIPAA, a health care provider may release PHI to another provider for treatment purposes without the patient's authorization; however, this disclosure is subject to verification of the identity and authority of the requestor. At most facilities (see Matrix), you may disclose PHI to another health care provider for treatment purposes if:
- The provider referred the patient to you
- You referred the patient to the provider
- The medical record contains documentation of the provider's treatment relationship with the patient
- The provider requests the information for treatment purposes and the request is made in writing
- The patient has signed an authorization or other form for the disclosure of the PHI to that provider
Slide 27: Request/Disclosure of PHI to/from government agencies
- Refer to Nursing Staff/Attending Physician/Privacy Officer
- Only minimum necessary may be released
- Must do an accounting for the disclosure
Hospitals are required to disclose PHI to government agencies for many reasons. Examples include reports of child abuse or neglect, infectious disease reporting, reports of unattended deaths to the Medical Examiner, etc. Most students will not be involved in reporting PHI to government officials. However, you may encounter a situation in which reporting is mandatory, or a government official, such as a police officer, asks you for information. Please consult with the facility's nursing staff, your supervisor or the facility's Privacy Officer before making such a report or releasing information to any person who is not a health care provider. Such disclosures must follow the minimum necessary rule. Additionally, the facility must track or account for such disclosures. Therefore, it is important that you know and follow the appropriate procedures before you release any information to a government official.
Slide 28: Patient Requested Restrictions on Use/Disclosure of PHI
- Facility may have agreed to patient requested restrictions on use/disclosures of PHI for treatment, payment or health care operations
- YOU must be aware of each facility's practice in this regard and where such restrictions would be documented
Under HIPAA, a patient has the right to request restrictions on the facility's use or disclosure of PHI for treatment, payment or health care operations. The facility is not required to agree to the patient's request. For example, a patient may not want students to be involved in his/her care or to access his/her health information. The facility will determine whether or not it will honor the patient's request. Review the Matrix to familiarize yourself with each facility's procedures with regard to such requests. Be aware that when a facility has agreed to a patient's restriction request, as a student, you are obligated to honor the request.
Slide 29: Use of PHI for educational purposes
- Allowed without patient consent or authorization
- Parameters of use/disclosure of PHI for educational purposes
  - Appropriate access
  - Minimum necessary for the purpose
  - Protect/safeguard PHI
  - Appropriate disposal upon completion
Use or disclosure of PHI for educational purposes is considered one of the facility's health care operations. Therefore, PHI can be used by and disclosed to health care students without the patient's consent, agreement or authorization. However, HIPAA does place certain limitations on the use of PHI for educational purposes:
- The facility must establish appropriate controls on the student's access to PHI
- PHI disclosed should be limited to the minimum necessary for the particular educational use or purpose
- The student who accesses PHI is responsible for protecting and safeguarding that information and for properly disposing of any notes or class documents that contain PHI upon completion of the use or purpose.
- The student must be aware of and honor any agreed-upon restriction.
Slide 30: Facially de-identified information
- Policy permits use of PHI that is facially de-identified for educational purposes.
- Remove same identifiers as in de-identified information, except may leave in
  - Patient medical record number
  - Dates of Service
  - Zip codes
- This information is still identifiable under HIPAA and remains under federal privacy protections.
The collaborative facilities permit a student to use PHI that has been "facially de-identified" for his/her educational purposes. The only difference between de-identified information and facially de-identified information is that facially de-identified information can include the patient's medical record number, dates of service and zip code. All other individual identifiers (see slide 5) must be removed from the information. Under HIPAA, facially de-identified information is still considered PHI. You must protect facially de-identified information in compliance with the Privacy Rule.
Slide 31: Facially de-identified means removing
- Name
- Address
- Phone/fax numbers
- E-mail address
- SSN
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Web URLs
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (including finger and voice prints)
- Full face photo and other images
- Any other unique identifier
This slide lists the identifiers which must be removed from the PHI in order for the information to be considered facially de-identified.
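As an added example (not the collaborative facilities' own tool), the following Python code applies the slide 5 and slide 31 identifier lists to a patient record at both levels: full de-identification removes every slide 5 element and reduces dates to the year, while the facial level keeps only the medical record number, dates of service and zip code from slide 30 and marks the result as still PHI. A second function reports which slide 5 fields remain, which is the check a student would run before sharing notes. Field names and the sample record are constructed assumptions.

```python
"""De-identification at the two levels the training describes.

Added example, not the collaborative facilities' own tool. Field names
and the sample record are constructed assumptions; map them to your
own record layout.
"""
import copy
import re
from typing import Any, Dict, Set

# Slide 5 identifier elements, mapped to constructed field names.
IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip_code",      # geography below state level
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}
# Slide 30: facially de-identified information may keep exactly these three.
FACIAL_KEEP = {"medical_record_number", "date_of_service", "zip_code"}
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def _year_only(value: Any) -> Any:
    """Slide 5: all dates except the year are identifiers, so keep only YYYY.
    A date in an unrecognised format is dropped rather than guessed."""
    m = DATE_RE.match(str(value))
    return m.group(1) if m else None


def de_identify(record: Dict[str, Any], level: str) -> Dict[str, Any]:
    """Return a stripped copy of `record`; the input is left untouched.

    level == "full":   remove every slide 5 element, dates become year only.
    level == "facial": same, except MRN, date_of_service and zip_code stay.
    """
    if level not in ("full", "facial"):
        raise ValueError("level must be 'full' or 'facial'")
    keep = FACIAL_KEEP if level == "facial" else set()
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in keep:
            out[key] = copy.deepcopy(value)
        elif key in IDENTIFIER_FIELDS:
            continue                      # stripped
        elif key.startswith("date_"):
            out[key] = _year_only(value)  # e.g. date_of_birth -> "1970"
        else:
            out[key] = copy.deepcopy(value)  # clinical content is not an identifier
    # Slide 30: facially de-identified information is still PHI under HIPAA.
    out["still_phi"] = level == "facial"
    return out


def residual_identifiers(record: Dict[str, Any]) -> Set[str]:
    """Slide 5 fields still present in a record (dates are checked separately)."""
    return {k for k in record if k in IDENTIFIER_FIELDS}


# Constructed, fictional sample record.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "address": "123 Example St",
    "city": "Honolulu",
    "zip_code": "96813",
    "date_of_birth": "1970-05-14",
    "date_of_service": "2003-04-14",
    "medical_record_number": "MRN-000123",
    "ssn": "000-00-0000",
    "phone": "808-555-0100",
    "diagnosis": "near drowning",
    "notes": "admitted via ER, observed overnight",
}
```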
Slide 32: Allowable educational access/use
- Treatment
- Observation
- Teaching Rounds
- Retrospective Record/Data Reviews
- Research (with IRB approval)
- Case Presentations
- Patient Logs
This slide lists the types of educational uses or activities for which a student may access PHI. Access to PHI, or an attempt to access PHI, by a student for a use or activity other than what is listed above would be considered a violation of the facility's policies and could result in sanctions against the student.
Slide 33: Is this okay?
- Scenario 3
  - Q: I heard about a very unusual case in the OR. As a medical student I am here to learn. I need to know more about the details so that I may gain a better understanding of the clinical course. I plan to review the records before I leave for the day. Is this okay?
  - A: No. While it might be argued that educational benefit can be gained by reviewing unusual cases, such review should be formally approved and presented. Individual access to patients' records in this type of situation is not appropriate. Electronic records and systems are monitored for inappropriate access.
In this scenario, access may seem to fit under one of the allowable educational uses or activities. What do you think? The bottom line is that the case may indeed have educational value to you. But such review must be organized and approved by the appropriate individuals. Do not access patient information just because you personally believe it might be educational. Work through your instructors and the facility.
Slide 34: Some Do's and Don'ts: Treatment and Observation
- Can Do
  - Access medical records of the patients you are treating/caring for
  - Prepare class work with patient identifiers removed
  - Observe patient care with approval from department manager/supervising faculty
- Cannot Do
  - Obtain medical records of patients you are not treating/caring for
  - Use data obtained from your cases with patient identifiers such as name, address, birth date left in
  - Observe patient care without appropriate approval or where the patient objects
Here are some do's and don'ts relating to appropriate use/access of PHI for treatment and observation. This is not a complete list but will provide you with some general guidelines.
Slide 35: Some Do's and Don'ts: Teaching Rounds
- Can Do
  - Share patient information during teaching rounds
  - Prepare class work using data from your cases with patient identifiers removed
- Cannot Do
  - Discuss patients in public areas with no consideration to surroundings
  - Include family members in rounds, unless patient has agreed or determination has been made by physician that inclusion is in patient's best interest
Here are some do's and don'ts for participation in teaching rounds. One important point must be emphasized. Always use discretion and common sense when discussing cases in public areas. Do not verbalize details that would inappropriately disclose patient information.
Slide 36: Some Do's and Don'ts: Retrospective Reviews
- Can Do
  - Access medical records with written approval of supervising faculty member
  - Prepare class work using collected data with patient identifiers removed
  - Use aggregate or de-identified patient information
- Cannot Do
  - Use information collected for research without IRB approval
  - Publish or publicly present findings without IRB approval or waiver of authorization
  - Contact the patient or the patient's physician
  - Abstract patient identifiers
Here are some do's and don'ts for retrospective reviews. If you are thinking of publishing your findings or making a public presentation, you must obtain the approval of the facility's Institutional Review Board (IRB) before accessing or collecting patient information from medical records. See the Matrix for information about each facility's procedures.
Slide 37: Some Do's and Don'ts: Research
- Can Do
  - With IRB approval
    - Build a database of patient information
    - Access and use patient identifiable information as approved by IRB
    - Do a public presentation or publish findings using aggregate or de-identified information
- Cannot Do
  - Any research without IRB approval or waiver
  - Publish or publicly present findings that identify the patient without patient authorization
  - Access and collect patient data in preparation for a research project without IRB waiver or approval
There are a number of regulatory requirements for research, and the requirements are quite complex. As a student, the key points to remember are:
- Under the HIPAA Privacy Rule, the creation of a database or repository of patient information may be considered research
- You should contact the facility's Institutional Review Board (IRB) if you intend to review and collect patient information for research purposes. It is prudent to seek guidance from the IRB if you consider publication or public presentation to be future possibilities.
38 What should I do?
- Scenario 4
  - Q: My supervising faculty member has asked me to review 100 charts of newborn babies to determine whether or not the delivery room temperature has an effect on babies. Do I need IRB approval?
  - A: Maybe. If the intent is purely for quality improvement without intent to publish findings and you will destroy the database upon completion, then you do not need an IRB approval or waiver. But if you intend to publicize, publish or use the data you collected for any other purpose and do not get a patient authorization or an IRB approval or waiver, you would be violating the patient's rights.
It is sometimes difficult to distinguish between quality improvement activities and research. If the patient information you are collecting might be considered for use in a future research project, it is best to obtain IRB approval. See the facility's IRB for information about its application, review and approval procedures.
39 Some Dos and Don'ts: Case Presentations/Grand Rounds
- Can Do
  - Access medical records with written approval of supervising faculty member
  - Prepare for presentation using facially de-identified, aggregate or de-identified information
  - Limit audience to healthcare students/professionals if presentation might inadvertently reveal patient's identity
- Cannot Do
  - Leave/show the following in your presentation
    - Patient Name
    - Medical Record Number
  - Openly present a high profile or unusual case where patient's privacy may be compromised without patient's written authorization for disclosure
Here are some dos and don'ts for case presentations or grand rounds. Although you are permitted to retain the patient's medical record number for certain educational purposes, this information should not be displayed or revealed during your presentation. If the case you plan to present is high-profile or extremely rare, obtain the patient's authorization before you use his/her PHI in the presentation or, at minimum, ensure that the audience is limited to healthcare students or professionals.
40 Patient Logs
- Information collected and submitted on a patient log of your educational activities must be facially de-identified
Your educational program may require you to keep a Patient Log, a list of patients to whom you have been assigned, and to conduct follow-up reviews. As you keep your Patient Log, please follow the rules for facially de-identifying patient information.
41 Some Dos and Don'ts: Facially De-identifying Patient Data
- Can Do
  - Use generic terms to describe a patient
    - 36 year old
    - white male
    - living in Arizona
    - Admitted in October 2002
    - Construction worker
  - Black out/delete/cut out patient identifiers on hard copy
- Cannot Do
  - Leave patient identifiers in information used/removed
    - Patient's/Relative's Name
    - Birth dates
    - Address
    - Employer
  - Take copies of dictated reports home with you (unless facially de-identified)
Here are some examples of how to facially de-identify patient information. Remember that you are only permitted to retain the patient's medical record number, dates of service, and zip code for certain educational purposes.
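The rules on this slide can be applied mechanically when a Patient Log is kept electronically. The script below is an added example, not part of this training program or any facility's software: it drops the direct identifiers the slide lists (patient/relative names, birth dates, address, employer), replaces them with the generic terms shown (age, state, month and year of admission, job description), and keeps only the fields the notes say may be retained (medical record number, dates of service, zip code). The record layout, field names and the sample record are assumptions constructed for the example. Note that the output is still PHI under HIPAA, as the Safeguarding Information slide states, so it must still be kept confidential.

```python
"""Facially de-identify a patient record for an educational log.

Added example, not part of the HIPAA training program or any facility's
software. Direct identifiers are dropped or replaced by generic terms; the
medical record number, dates of service and zip code are the fields the
training says may be retained for educational purposes. The record layout
and field names are assumptions of this example.
"""
from datetime import date
import re

# Direct identifiers the training says must not remain in class work or logs.
DIRECT_IDENTIFIERS = {"name", "relatives", "birth_date", "address", "employer"}

# Fields the training says students may retain for certain educational purposes.
RETAINED = {"mrn", "dates_of_service", "zip"}


def contains_direct_identifier(record: dict) -> bool:
    """Check to run before a log entry is stored or a copy leaves the facility."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def age_on(birth: date, on: date) -> int:
    """Whole years of age on the given date (generic term: '36 year old')."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def state_from_address(address: str) -> str:
    """Keep only the two-letter state (generic term: 'living in Arizona').

    Assumes a US-style address ending in 'City, ST 12345'; returns '' when
    the layout is not recognised rather than guessing."""
    m = re.search(r",\s*([A-Z]{2})\s+\d{5}\b", address)
    return m.group(1) if m else ""


def facially_deidentify(record: dict, today: date) -> dict:
    """Return a new record holding only retained fields and generic terms."""
    out = {k: record[k] for k in RETAINED if k in record}
    if "birth_date" in record:                     # birth date -> age only
        out["age"] = age_on(record["birth_date"], today)
    for generic in ("sex", "race", "occupation"):  # a job description is generic;
        if generic in record:                      # the employer's name is not
            out[generic] = record[generic]
    if "address" in record:                        # street address -> state
        out["state"] = state_from_address(record["address"])
    if record.get("dates_of_service"):             # admission -> month and year
        out["admitted"] = min(record["dates_of_service"]).strftime("%B %Y")
    # Any field not handled above is dropped, so an identifier field added to
    # the source record later cannot leak through by default.
    assert not contains_direct_identifier(out)
    return out


# Constructed sample record and reference date (not real patient data).
SAMPLE_TODAY = date(2002, 10, 3)
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "John Doe",
    "relatives": ["Jane Doe (spouse)"],
    "birth_date": date(1966, 5, 2),
    "sex": "male",
    "race": "white",
    "address": "12 Main St, Phoenix, AZ 85001",
    "zip": "85001",
    "employer": "Example Builders Inc.",
    "occupation": "construction worker",
    "dates_of_service": [date(2002, 10, 3), date(2002, 10, 5)],
}

if __name__ == "__main__":
    print(facially_deidentify(SAMPLE_RECORD, SAMPLE_TODAY))
```

The function works as an allow-list: only named fields reach the output, so the safe default for an unexpected field is to drop it, and the final check refuses to return a record that still carries a direct identifier.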
42 Some Dos and Don'ts: Accessing PHI
- Can Do
  - Request access to PHI through appropriate channels
  - Request access to medical records through Medical Records
  - Submit completed appropriate data request form for data reports
- Cannot Do
  - Remove medical records from facility
  - Leave patient records/data in break room or other areas where they are unattended
  - Out of curiosity, access the records of the celebrity who was admitted last week or the records of a patient with an unusual medical condition
Each facility has established procedures for obtaining access to PHI. See the Matrix for more information. If you are assigned to a facility that has implemented an electronic medical record, you will probably be able to access information about patients with whom you do not have a treatment relationship. Keep in mind that simply because you are able to access the information does not mean you have permission to do so. Each facility has implemented audit trails to monitor users who have accessed a patient's electronic medical records. If a facility discovered that you accessed a patient's record and you had no legitimate reason for doing so, you could be subject to sanctions.
43 Is it okay?
- Scenario 5
  - Q: My friend was admitted yesterday after collapsing during a bike ride. I am very concerned about her progress and would like to visit her but I don't know which room she is in. Is it okay if I look up the information in the computer system?
  - A: No. Using your access privileges to look up any information for any patient when there is no need to know based on your responsibilities in the hospital is a violation of patient confidentiality.
Unless you are directly involved in providing health care for your friend, it is not appropriate for you to access her electronic medical record. Your friend is entitled to privacy, as are all patients. As discussed on the Facility Directory slides, please ask for your friend by name at the nurses' station or information desk. As long as your friend has not requested No Information status, staff will be able to tell you her room number and you will be able to visit.
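The audit trail described on the Accessing PHI slide is what makes the lookup in Scenario 5 visible to the facility: every chart access is logged, and an access by a user who has no treatment relationship with the patient stands out when the log is compared with care-team assignments. The script below is an added example, not part of this training program or any facility's medical record system. The log lines and the care-team table are constructed, and their layout, the field names and the rule applied (an access is flagged when the user has no documented assignment to that patient) are assumptions of the example. A flagged entry is a lead for the privacy officer to review, not a finding on its own.

```python
"""Flag EMR chart accesses with no documented treatment relationship.

Added example, not part of the training program or any facility's system.
It models the audit-trail review the training describes: every record
lookup is logged, and a lookup by a user who is not on the patient's care
team is reported for privacy-officer review. Log format, field names and
the care-team assignment table are assumptions constructed for this example.
"""
from collections import namedtuple
import re

Access = namedtuple("Access", "ts user mrn action")

# Constructed audit-trail lines: timestamp, user id, patient MRN, action.
SAMPLE_LOG = """\
2003-04-15T08:02:11 stu_lee MRN-000123 VIEW_CHART
2003-04-15T08:05:40 stu_lee MRN-000123 VIEW_LABS
2003-04-15T12:31:02 stu_lee MRN-000777 VIEW_CHART
2003-04-15T13:10:55 dr_chan MRN-000777 VIEW_CHART
2003-04-15T13:12:03 stu_lee MRN-000999 VIEW_CHART
malformed line that the parser should skip
"""

# Constructed care-team assignments: which users have a treatment
# relationship (a need to know) with which patients.
CARE_TEAM = {
    "stu_lee": {"MRN-000123"},
    "dr_chan": {"MRN-000777", "MRN-000999"},
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(MRN-\d+)\s+(\S+)$")


def parse_log(text):
    """Parse audit lines. Lines not matching the expected layout are skipped
    but counted, so a reviewer notices gaps in the trail."""
    accesses, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        accesses.append(Access(*m.groups()))
    return accesses, skipped


def flag_unassigned_access(accesses, care_team):
    """Return accesses where the user is not on the patient's care team."""
    return [a for a in accesses if a.mrn not in care_team.get(a.user, set())]


def summarize(flagged):
    """Group flagged access times per (user, patient) for the privacy officer."""
    summary = {}
    for a in flagged:
        summary.setdefault((a.user, a.mrn), []).append(a.ts)
    return summary


def review(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Run the whole review; returns (summary, number of unparseable lines)."""
    accesses, skipped = parse_log(text)
    return summarize(flag_unassigned_access(accesses, care_team)), skipped


if __name__ == "__main__":
    summary, skipped = review()
    for (user, mrn), times in sorted(summary.items()):
        print(f"{user} accessed {mrn} without assignment at {', '.join(times)}")
    print(f"{skipped} unparseable line(s)")
```

In the constructed data the student's two lookups of patients outside their assignment are reported while the physician's accesses are not, which is the distinction the training draws: being able to open a record is not the same as being permitted to.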
44 Some Dos and Don'ts: Safeguarding Information
- Must Do
  - Password protect laptops/PDAs
  - Shred facially de-identified papers when you are done with them
  - Ensure memory/hard drive has been wiped clean when selling/disposing of a PC, laptop or PDA
  - Encrypt any PHI sent over Internet
- Cannot Do
  - Leave information in open or other public areas
  - Discuss patients in elevator, hallways or the cafeteria
  - Dispose of facially de-identified information in your trash can (it is still identifiable under HIPAA!)
  - Share your access codes/cards
Remember that under HIPAA, facially de-identified information is still Protected Health Information (PHI). You are responsible for keeping the information confidential and secure. Here are some examples of safeguards you should follow:
- Maintain control over your PDA, class work and other documents that contain patient information. Know where they are at all times.
- Do not let a friend borrow or share your access codes (log-in) or cards for any reason. You are responsible for inappropriate access to data or secured areas that occurs under your identification.
- When you no longer need health information you have collected, dispose of it appropriately. Do not throw it away in your trash can!
- Do not send PHI over an open network unless the information is encrypted.
- Always use discretion and common sense. Consider how you would want others to protect your personal health information.
45 Questions?
- For further information or questions, please contact the facility's privacy officer.