Basic HIPAA Student Updated

Date post: 05-Apr-2018
Upload: mohammed-gibreal

Transcript
  • 8/2/2019 Basic HIPAA Student Updated

1/103

The bullet ripped through the city councilwoman's body, shredding muscles she had proudly toned in the gym. As the ambulance sped her toward the hospital, word of the gunshot reached reporters, who gathered in the emergency room to hunt down information on the councilwoman.

2/103

Was it attempted murder or attempted suicide? Could it be terrorism?

Nearby, family tearfully awaited news of the fate of the councilwoman, who was now unconscious.

3/103

In addition to caring for the councilwoman and her injuries, GW medical staff must also take care to follow HIPAA regulations to protect the councilwoman's privacy. The following slides will introduce HIPAA, including the reasons for the legislation and how it impacts medical care.

At the end of the presentation you will be asked to complete several questions to assess your understanding of HIPAA and its impact on day-to-day medical care. You must answer the questions in order to complete the HIPAA training.

4/103

By the time you've completed this slideshow, you will be able to answer the following questions:

- What is HIPAA and to whom does it apply?
- What is PHI and how is it protected?
- When are additional authorizations required?
- Am I personally liable if I violate HIPAA?

5/103

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a law passed by Congress in 1996. Among its goals are:

- To reduce health care costs nationwide by requiring use of electronic data interchange (EDI) for routine health care transactions, for example, making and paying service claims, and health insurance transactions
- To protect the security and privacy of the medical records used in these EDI transactions

6/103

HIPAA In Context

HIPAA contains Security and Privacy rules responding to healthcare concerns:

- Fears that once patients' records are stored electronically on networks, a couple of clicks can transmit those records all over the world
- Loss of personal control over personal information
- Anger at a constant barrage of marketing messages

7/103

HIPAA security and privacy rules

- Establish federally mandated requirements for the creation, transmission, receipt, collection, storage, use, and disclosure of individually identifiable health information.
- Affect anyone who encounters patient information (physicians, nurses, healthcare students, patient records managers, information systems staff, dieticians, etc.)
- HIPAA uses the term protected health information (PHI).

8/103

Protected Health Information (PHI)

Information relating to an identified individual's past, present, or future:

- Physical or mental health or condition
- Provision of health care services
- Payment for provision of health care

45 CFR 164.501

9/103

PHI

PHI includes oral or recorded information, maintained or transmitted in any form or medium (e.g., consultations, paper or electronic history & physical information, patient records, lab data, x-rays, etc.).

PHI information is created, received, collected by any:

- provider (e.g. office practice, hospital, lab, etc.) that transmits health information in electronic form,
- health plan, or
- health care clearinghouse

The law refers to these as HIPAA covered entities, and the work that they perform that makes them covered entities is defined as covered functions.

HIPAA extends to covered entities using and/or disclosing PHI.

10/103

HIPAA Philosophy: Patient-Consumer:

- Is entitled to notice about how their PHI will be used
  - Major exception is an emergency
- Must expect that, within a medical care facility, PHI will be shared to facilitate care, payment, business operations
- Is entitled to expect that caregivers will be careful about how PHI is used and disclosed
- Has a right of access to PHI
- Has a right to protest mistakes in PHI (in the designated record set) and have PHI corrected or otherwise amended
- Is entitled to control the use of PHI in certain circumstances: research, fund-raising, marketing
- Should know that the government can get PHI for law enforcement and health care oversight

11/103

HIPAA Business Associate (BA)

HIPAA extends beyond the walls of the covered entity. For example, under Business Associate contracts (BACs), a contract laboratory or a separate radiology practice that contracts with a physician's office or hospital will be subject to the same HIPAA regulations as the physician or hospital. This means that if, for example, a hospital cannot disclose a patient's HIV status to an insurance company, the hospital's contract laboratory -- the hospital's business associate -- also cannot disclose HIV status to the insurance company.

12/103

HIPAA Requires That Covered Entities Give Patients a Notice of Privacy Practices (NPP)

- NPP advises the individual about the covered entity's privacy practices.
- Distribution of NPP by doctors and hospitals is usually done at time of first face-to-face meeting. Major exceptions:
  - Emergencies
  - Incapacitated patient
- Doctor or hospital must try to get individual's written acknowledgement of receipt of NPP, or make a written record of why the acknowledgement was not obtained.

13/103

Notice of Privacy Practices (NPP)

- Requirement for simple English (and other languages when appropriate), but the concepts still can confuse most people.
- Rules permit a layered notice, allowing a cover page that explains the main points of the NPP.
- Note that the specific policies and procedures for administration of the NPP will vary from one covered entity to another.

14/103

HIPAA At GW

Covered Entities
- GW Hospital (operated by District Hospital Partners, L.L.P.)
- Medical Faculty Associates, Inc.

GW itself is not a covered entity
- Some units of GW are providers, but none of these units electronically bills a standard transaction
- But GW protects PHI in a variety of settings, including research and medical education, because it gets PHI from covered entities

15/103

HIPAA Liability: Institutional and Personal Considerations

HIPAA imposes new duties on health care institutions (such as the GW Hospital) and on health care professionals, including doctors, nurses, technicians, medical students, and administrators.

The privacy and security HIPAA statute is shown on the next slide. Plaintiffs' lawyers will argue that, to achieve what is outlined in the red box, hospitals and health care professionals must make the effort outlined in the yellow box. As in malpractice litigation, plaintiffs' lawyers will assert that the statute and HHS's interpretation of it require a high standard of care for privacy and security of patient data.

16/103

HIPAA - Statutory Standard

Each [covered entity] who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards --

(A) to ensure the integrity and confidentiality of the information; and
(B) to protect against any reasonably anticipated (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.

(42 USC 1320d-2(d)(2))

17/103

HIPAA Liability: Institutional and Personal Considerations

We do not yet know how the courts will interpret the statute, but there are penalties at every level for violations.

18/103

Institutional and Personal Liability

- HIPAA criminal violations can be prosecuted against institutions and individuals
- Patients can bring lawsuits in state court against institutions and individuals for wrongful disclosure of PHI
  - Claims might include: negligent disclosure, disclosure in breach of patient-physician confidentiality, invasion of privacy, breach of warranty, etc.
- There is the potential for personal financial liability for damages (direct and punitive, akin to malpractice)

19/103

HIPAA Sources of Liability

Note that patients whose PHI (protected health information) is improperly used or disclosed may file private lawsuits against a hospital and against each individual (physician, nurse, technician, administrator, medical student, or other staff member) who appears to be involved in the alleged violation. These lawsuits will resemble malpractice actions.

An individual involved in an improper use or disclosure of PHI may face individual financial liability as the result of a judge's or a jury's judgment. (This is in addition to liability imposed on the hospital or physician practice institutionally.)

In addition, there is the possibility of criminal charges (including imprisonment).

20/103

HIPAA Sources of Liability

- Private lawsuits by patients
- Criminal penalties (42 USC 1320d-6) - DOJ/ U.S. Attorney
  - $50,000-250,000, 1-10 years, depending on motive
- Civil penalties (42 USC 1320d-5) - HHS/ OCR
  - $100 per violation up to an annual limit of $25,000 per individual

21/103

Disclosure of PHI: The Minimum Necessary Rule

As a general matter, the amount of PHI used or disclosed is restricted to the minimum (amount of information) necessary. Translated, this means that healthcare providers and health plans must make reasonable efforts not to use, disclose, or request more than the minimum amount of PHI necessary to accomplish the intended legitimate purpose.

22/103

Minimum Necessary Rule

Exceptions to minimum necessary disclosure:

- Disclosure to a provider for treatment (anything and everything in the medical record may be important)
- Release authorized by individual or for individual's own review
- Disclosure to comply with HIPAA requirements (e.g., to HHS Office of Civil Rights or Inspector General)
- Disclosure required by law (e.g., to law enforcement)

Preamble stresses reasonableness and flexibility.

23/103

Minimum Necessary Rule Applies Differently to Treatment, Payment, and Health Care Operations (TPO)

Patients must provide consent for use of PHI in treatment, payment and operations.

- Treatment: Provision, coordination, or management of health care and related services.
- Payment: Activities of a health plan to obtain premiums or fulfill coverage & benefits responsibilities, or obtain reimbursement (provider/health plan).
- Health Care Operations: Activities of a covered entity relating to covered functions including quality assessment, professional qualification review, medical review.

Practitioners must also distinguish activities which fall outside TPO (e.g. research, fundraising, and marketing) and understand the special processes that govern these activities.

24/103

TPO and Minimum Necessary

The minimum necessary rule does not restrict the information used or disclosed in treatment.

But minimum necessary does apply to payment and health care operations.

45 CFR 165.502(b)

25/103

Minimum Necessary Rule and Teaching Rounds

During Rounds or Grand Rounds, the minimum necessary rule does not apply. Under HIPAA, Rounds are considered part of treatment.

26/103

Keeping PHI Secure

Achieving appropriate security is a multifaceted task:

- Initial and on-going risk analysis: iterative threat assessments
- Enterprise security management process
- Computer security (includes monitoring)
- Communications security (includes monitoring)
- Physical security: access to premises, equipment, people, data
- Personnel security
- Procedural (business process) security
  - Includes security awareness training for entire workforce
  - Security rules limit access to information based on one's job
- A pervasive security culture: awareness & surveillance

27/103

Keeping PHI Secure

Several items in the Security Rule are notable:

- Computer faxes, but not paper faxes, are considered electronic transmissions
- A call on a standard telephone (non-cell and non-mobile) is not an electronic transmission
- There is no distinction between data moving externally and internally within an organization.
- Computer workstations must be protected from unauthorized access and improper use.

28/103

HIPAA Security Ruling

Security defined: controls used to protect confidential information from unauthorized persons

Security ruling issued April 2003; effective April 21, 2005

29/103

Keeping PHI Secure

HIPAA Security Rules are grouped into four related categories:

- Administrative procedures
- Physical safeguards
- Protection for data storage
- Protection for data in transit

Note: Security policies will differ from one institution to another

30/103

Administrative Procedures

Covered entities must:

- Establish roles and responsibilities for security
- Design and implement training and awareness programs
- Have a security plan
- Conduct a risk assessment
- Create policies and procedures including a password policy

31/103

Common Password Procedures

May include:

- Password testing program which will not let you use easy to guess passwords
- Requiring an alphanumeric combination password
- Changing passwords at periodic intervals
- Penalties for sharing passwords with anyone

32/103

Physical Safeguards

Covered entities will establish policies to ensure access control, e.g.

- Locked doors and escorting visitors
- Wearing IDs
- Secure unattended computer workstations
  - Password protected screensavers
- Govern usage of PDAs
  - Password protected
  - Stored in secure space

33/103

Protection for Data Storage

Covered entities will set policies and procedures on handling media:

- Diskettes
- Paper
- Magnetic tapes
- Confidential trash

34/103

Protection for Data in Transit

Covered entities will institute technical measures including:

- Access controls or Encryption
- Entity authentication
- Audit trail
- Adverse event reporting

35/103

Faxes

Misdirected faxes are a serious problem. Double-check phone numbers.

HIPAA security regulations currently govern electronic faxes but not paper-based faxes.

36/103

Let's look at this in practice...

The elevator door slams shut behind you as you walk into your preceptor's office for your weekly visit.

The waiting room is crowded and the office staff are busy dealing with the overflow of patients.

37/103

You've been following patients in Dr. Jones' office for several weeks now. Dr. Jones has a well-established and respected rheumatology practice and gets more referrals every day. His patients range from local individuals to Washington and international VIPs.

38/103

Your job is to escort patients from the waiting room to the exam room, and then conduct the initial history and possibly a physical exam.

As you are escorting your first patient back to exam room two, he mentions that he thought he recognized a patient sitting in the waiting room. He's convinced that the guy sitting opposite him is a basketball player for the Wizards and wants to know why he has an appointment with Dr. Jones.

How do you respond?

39/103

About 30 minutes later Dr. Jones calls you into exam room one. He's examining the mystery waiting room patient (who indeed plays for the Wizards), and wants you to see the rare condition he exhibits.

40/103

Once the patient has left, Dr. Jones reviews the basketball player's case in detail. It's an unusual case and he wants to make sure you've picked up on all the signs and symptoms. The two of you review the lab results, X-rays, and patient record in detail.

41/103

Later that day you cross paths with one of your friends who is also following patients in Dr. Jones' office. Excited about the basketball player's unusual case, you start telling her a few details about it.

How much are you allowed to say without violating the patient's right to privacy?

42/103

Although you were discreet and did not mention his name, your friend's curiosity is piqued. Since she has access to the records in Dr. Jones' office, it would be fairly easy for her to confirm the patient's identity and pull his record.

Would she be violating the patient's privacy?

43/103

Legitimate Need

When you are assigned to a case, you have access to patient information. However, like all other employees who have the minimum necessary access to perform their job, you can't just access patient information to satisfy your curiosity.
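The rules on the minimum necessary slides above and on this one (treatment by an assigned caregiver is not limited, payment and operations get only what the role needs, curiosity gets nothing, and every decision goes on an audit trail) can be checked mechanically. The following Python is an added example, not part of the training deck or of any GW system: the roles, record section names, sample record and minimum necessary sets are constructed assumptions that a real covered entity would set in its own policies.

```python
"""Minimum necessary access check with an audit trail (added example)."""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    NONE = "none"  # curiosity: no job-related reason at all


# Constructed sample record; the section names are assumptions.
SAMPLE_RECORD = {
    "demographics": {"name": "Patient A", "dob": "1980-01-01"},
    "diagnoses": ["rare inflammatory arthritis"],
    "labs": {"ESR": 48},
    "imaging": ["wrist X-ray series"],
    "billing": {"cpt": "99214", "payer": "Example Health Plan"},
}

# Minimum necessary section sets for payment and operations, by role
# (assumed values; a real covered entity defines these in its policies).
MIN_NECESSARY = {
    (Purpose.PAYMENT, "billing_clerk"): {"demographics", "billing"},
    (Purpose.OPERATIONS, "quality_reviewer"): {"demographics", "diagnoses", "labs"},
}

AUDIT_TRAIL = []  # one entry per decision, allowed or refused


@dataclass
class AccessRequest:
    user: str
    role: str
    purpose: Purpose
    assigned_to_case: bool = False  # caregiver on the case (or on Rounds)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    sections: frozenset
    reason: str


def evaluate(req: AccessRequest, record: dict) -> Decision:
    """Decide which record sections req may see and log the decision."""
    if req.purpose is Purpose.TREATMENT:
        if req.assigned_to_case:
            # Treatment is exempt from minimum necessary: the whole record.
            decision = Decision(True, frozenset(record), "treatment by assigned caregiver")
        else:
            decision = Decision(False, frozenset(), "treatment claimed but not assigned to case")
    elif req.purpose in (Purpose.PAYMENT, Purpose.OPERATIONS):
        allowed = MIN_NECESSARY.get((req.purpose, req.role), set())
        if allowed:
            decision = Decision(True, frozenset(allowed & set(record)),
                                f"minimum necessary for {req.purpose.value}")
        else:
            decision = Decision(False, frozenset(),
                                f"role {req.role} has no {req.purpose.value} need")
    else:
        decision = Decision(False, frozenset(), "no legitimate purpose")
    AUDIT_TRAIL.append({
        "user": req.user, "role": req.role, "purpose": req.purpose.value,
        "allowed": decision.allowed, "sections": sorted(decision.sections),
        "reason": decision.reason,
    })
    return decision


def disclose(req: AccessRequest, record: dict) -> dict:
    """Return only the sections the policy allows; empty when refused."""
    return {k: record[k] for k in sorted(evaluate(req, record).sections)}


if __name__ == "__main__":
    requests = [
        AccessRequest("student", "med_student", Purpose.TREATMENT, assigned_to_case=True),
        AccessRequest("clerk", "billing_clerk", Purpose.PAYMENT),
        AccessRequest("friend", "med_student", Purpose.NONE),  # the curious friend
    ]
    for r in requests:
        print(r.user, "->", sorted(disclose(r, SAMPLE_RECORD)))
    for entry in AUDIT_TRAIL:
        print(entry)
```

The refused request for the curious friend is recorded just like the allowed ones; that log entry is what lets a privacy officer spot record look-ups with no legitimate need, which is the situation the previous slide asks about.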

44/103

What general information can be disclosed to the public?

Facility directory may list the individual's:
- name;
- location in the facility;
- health condition expressed in general terms; and
- religious affiliation.

The facility may disclose this directory information to members of the clergy, unless the individual restricts these disclosures. Example: Methodist patient's directory information disclosed to Methodist clergy.

Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name.

Individual may restrict or prohibit some or all uses of directory information. If all uses are prohibited, facility can neither confirm nor deny patient's presence. Facility must have policies and procedures for this purpose, and explain them in its Notice of Privacy Practices (NPP).

45/103

Incidental Disclosures

Examples of incidental disclosures:
- A patient subject to observation in a waiting area;
- ICU monitors observed by visitors;
- Conversations between a doctor and a patient in a semi-private room overheard by the room's other occupant.

General rule: incidental disclosures are not HIPAA violations if the covered entity has safeguards in place and the staff observes them. Example: sign-in sheet in a waiting room is permissible, but not if it asks patient to list medical problems so that other people who sign in can see the problems of earlier arrivals.

Caveat: Be careful! What may appear to be a permissible incidental violation may still be a HIPAA violation (example: mis-addressed email containing PHI).

46/103

Disclosures Unrelated to Treatment, Payment, and Operations (TPO)

Marketing, fund raising, research

HIPAA privacy rules identify these activities as significant threats to privacy.

Each requires a separate authorization, and you are required to follow institutional-specific policies and procedures.

47/103

What is a HIPAA Authorization?

- Written permission from the patient (or the patient's legal representative) to use or disclose PHI for specific purposes (other than TPO, i.e. marketing, fundraising, research)
- Can be revoked in writing at any time
- By regulation, must include specified elements:
  - Specific purpose of use or disclosure
  - Specific description of persons to which disclosure is to be made
  - Expiration date or event (none or end of study ok for certain research)
  - Signature and date
  - Explanation of how to revoke the authorization

48/103

Typical Uses of HIPAA Authorization

- Research that includes treatment
- Release of psychotherapy notes (HIPAA requires special protection for psych notes)
- Employment-related exam (allows releasing results to employer or prospective employer)
- Marketing
- Fundraising
- Patient's request to release PHI (patient can release to whomever and for whatever purpose)
- As a condition for enrolling in a health plan (but still does not allow release of psych notes)

49/103

Special Rules for HIPAA Authorizations

- Authorization for release of psychotherapy notes cannot be combined with anything else except another authorization for use or disclosure of psychotherapy notes
- Authorization for research can be combined with other types of written permission for the same research (e.g., informed consent)
- Covered entity generally can't withhold treatment until the patient signs an authorization, except for:
  - Research involving treatment
  - Enrolling in a health plan (and no psych notes involved)
  - A medical exam for an employer or other third party who will see the results

50/103

HIPAA Authorization on Psychotherapy Notes

Definition: psych notes are recorded:
- By a mental health professional who is documenting or analyzing the contents of a private, joint, family, or group counseling, AND IF
- The notes are kept separate from the rest of the patient's medical record.

NOTE: It's the therapist's choice whether to keep the records separate, although the practice or institution may have policies to guide that choice.

Psych notes exclude:
- Medication prescription and monitoring,
- Session start and stop times,
- Modalities and frequencies of treatment,
- Results of clinical tests, and
- Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

51/103

Special Rules Regarding HIPAA Authorization

Generally, a HIPAA authorization is required for use of psych notes. Exceptions:
- Use of the notes by the originator for treatment,
- Use by the covered entity for its own training programs under appropriate supervision,
- Use in defense of a legal action,
- Disclosure to HHS for HIPAA enforcement, and
- Certain coroners/ medical examiners or other governmental health oversight activities.

The institution will have policies and procedures to control the use and disclosure of psych notes.

52/103

Marketing

Definition: Communication about a product or service to encourage its purchase or use

Covered entity does not need authorization to use PHI for marketing when it observes these procedures:
- Face-to-face encounter:
- Products or services of nominal value; or
- Concerns health-related products and services of the covered entity or a third party, and
  - Allows patient to opt out of future communications; and
  - Entity determines that the communication may be beneficial to health of type or class targeted

53/103

Fundraising

General rule: A HIPAA authorization is required to use or disclose any PHI for any fundraising purpose.

Limited exception: A covered entity, for fundraising on its own behalf only, may use demographic information and dates of health care service (and no other PHI), or disclose those limited categories of PHI to:
- a business associate performing fund raising for the covered entity, or
- an institutionally related foundation.

54/103

Fundraising

- Covered entity's notice of privacy practices (NPP) should include a statement that it may contact the individual for its fundraising.
- Patients can decide they don't want to be subject to fundraising (OPT-OUT), and the covered entity and its workforce must respect those wishes.
- Covered entity's fundraising materials must explain to the individual how to OPT-OUT of fundraising.
- Covered entity must reasonably ensure that a patient or other individual who OPTS-OUT receives no more fundraising communications.

55/103

Research Under HIPAA

Each institution will modify its Institutional Review Board rules to include new HIPAA requirements.

At GW, these modifications are in process. The GW research community, including the MFA and the GW Hospital, will cooperate in implementing these new research rules and accompanying policies and procedures.

56/103

HIPAA and Research

HIPAA applies to all human subject research involving the creation, use, or disclosure of PHI (e.g. clinical trials, medical record/chart reviews, epidemiological studies, and social/behavioral studies)

Principal Investigators (PIs) proposing to create, use and/or disclose PHI for research purposes must now receive HIPAA research approval and then human subject protections approval from the GW Institutional Review Board (IRB).

Under GW's implementation of HIPAA, all PIs proposing to create, use, or disclose PHI for research purposes must now complete this general HIPAA training program and a more specific HIPAA research-related training program.

57/103

HIPAA and Research

Researchers may create, use, and/or disclose PHI for research purposes:
- With an individual study-specific research authorization (similar to a study-specific informed consent form (ICF)), or
- Without a research authorization, as follows:
  - With an Approved Waiver of Research Authorization issued by the GW Privacy Board (PB);
  - With complete de-identification of PHI;
    Note: Just removing a patient's name does not sufficiently disguise the individual's identity. There are up to 18 identifiers involved in the de-identification process.
  - Limited Data Set Information (with a Data Use Agreement);
  - Preparatory to Research; or
  - Research on Decedents

Caveat: Decedent research is not covered under human subject protection regulations, but is covered under HIPAA research regulations.
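The note above says that removing the name is not enough and that up to 18 identifiers are involved. The Python below is an added example, not part of the deck or of any GW procedure: it applies the Safe Harbor method of 45 CFR 164.514(b)(2), which is where the 18 categories come from (the deck does not list them). The field names, the sample record and the free-text patterns are constructed assumptions, and the population-based exception for three-digit ZIP codes is not implemented.

```python
"""Safe Harbor style de-identification of a record (added example)."""
import re
from datetime import date

# 16 of the 18 Safe Harbor categories (45 CFR 164.514(b)(2)) are dropped
# outright; geography and dates are generalised below. Key names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "photo", "other_unique_id",
}
GEO_FIELDS = {"street_address", "city"}        # finer than a state: dropped
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
FREE_TEXT_FIELDS = {"notes"}

# Constructed patterns for identifiers that leak into free text (assumption).
TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-like
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),        # US phone-like
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),  # email
]

REFERENCE_DATE = date(2019, 8, 2)  # constructed "today" for the age check

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "phone": "202-555-0100",
    "email": "jane.sample@example.org",
    "street_address": "123 Example Street",
    "city": "Washington",
    "state": "DC",
    "zip": "20052",
    "dob": "1928-06-15",
    "admission_date": "2019-08-02",
    "diagnosis": "inflammatory arthritis",
    "notes": "Jane Q. Sample reports wrist pain; callback 202-555-0100.",
}


def age_on(dob: str, today: date) -> int:
    """Whole years between an ISO date of birth and today."""
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def deidentify(record: dict, today: date = REFERENCE_DATE) -> dict:
    """Return a Safe Harbor style copy of record; the input is not modified."""
    out = {}
    name = record.get("name", "")
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue                      # dropped outright
        if key == "zip":
            out["zip3"] = str(value)[:3]  # first three digits may be kept
        elif key == "dob":
            age = age_on(value, today)
            if age > 89:
                out["age_group"] = "90+"  # ages over 89 are aggregated, year dropped
            else:
                out["birth_year"] = int(value[:4])
                out["age"] = age
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = int(value[:4])  # year only
        elif key in FREE_TEXT_FIELDS:
            # The name and pattern-matched identifiers hide in free text too.
            text = value.replace(name, "[REDACTED]") if name else value
            for pattern in TEXT_PATTERNS:
                text = pattern.sub("[REDACTED]", text)
            out[key] = text
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Identifier fields still present; an empty list means the check passed."""
    flagged = DIRECT_IDENTIFIERS | GEO_FIELDS | DATE_FIELDS | {"zip"}
    return sorted(k for k in record if k in flagged)


def deidentify_sample() -> dict:
    return deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    clean = deidentify_sample()
    print("after:", residual_identifiers(clean))
    print(clean)
```

The residual check is the part worth keeping in any release pipeline: it is run on the output, not the input, so a new field added to the source record later still gets caught. The free-text pass shows why the deck's warning holds; the name was not in a "name" column only.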

58/103

Privacy Rule and Research Databases

When you come upon a research database keep in mind that it may be subject to HIPAA. Consider the following:
- Does a database contain PHI?
- Where did the PHI come from?
- Where is it going?
- Who has access? At GW? Elsewhere?
- What security safeguards follow the PHI?
- What liability if the data are misused? For GW? For other institutions? For me (and co-workers) personally?

59/103

Dr. Jones recently joined efforts with GW to participate in a new arthritis study sponsored by a large pharmaceutical company. Dr. Smith is the principal investigator on the trial. The clinical trial will compare the effectiveness and GI impact of NSAIDs vs. a new medication in individuals with arthritis symptoms.

At last week's staff meeting Dr. Jones described the study criteria and asked everyone to keep an eye out for possible participants.

60/103

You're feeling very well-connected: not only are you working in Dr. Jones' office, but you also recently spoke with Dr. Smith. He was a guest lecturer in one of your classes.

61/103

Patient Follow-Up Visit

Another patient you've been following returns for a follow-up visit. The arthritis in his wrist has increased and doesn't seem to respond to ibuprofen anymore. He is an ardent racquetball player and the pain is interfering with his game. Since his early retirement, he's been able to play a lot more and the pain has become problematic.

This patient seems like a perfect candidate for the study. How do you proceed? Since you've already met Dr. Smith, can you contact him directly?

62/103

HIPAA and Clinical Trials

No, you cannot contact Dr. Smith directly. You must follow the research policies and procedures of the specific institution.

  • 8/2/2019 Basic HIPAA Student Updated

    63/103

    Administrative Requirements for HIPAA Compliance

    Each hospital or physician practice will have its own set of policies for documenting HIPAA compliance and imposing sanctions.

    At each facility or practice, expect to be briefed on HIPAA policies before you start work. If you aren't briefed, ask to be. Otherwise you have no way to control your personal HIPAA litigation risk.

    Covered entities must:

    Document all complaints received.

    Sanction members of the workforce who fail to comply (how stringent the sanction is, is determined by institutional policy).

    64/103


    HIPAA's Relationship to State Law

    HIPAA generally preempts contrary state law that is less stringent.

    State law that is more stringent (more protective of the patient's privacy) is not preempted and must be followed in addition to HIPAA.

    Gray areas: when is state law more stringent? (Not always obvious.)

    65/103

    Disclosures to Local, State, and Federal Government

    HIPAA permits disclosures to all levels of government for public health activities (such as mandatory reporting of infectious disease) and for health oversight.

    Disclosures of PHI are also permitted for law enforcement and national security purposes.

    The rules are complicated.

    Covered entities need policies and procedures to guide staff, plus careful training.

    When a government official or agent seeks PHI, follow the covered entity's policies and procedures.

    If in doubt, check with the privacy officer or counsel.

    66/103

    Disclosures to the Press

    There is no obligation to disclose PHI to the press.

    There is no obligation to answer the press's questions about patients.

    A patient has the right not to be listed in the hospital's directory. In that case the hospital and staff can neither confirm nor deny the patient's presence!

    Answering press questions about a patient or disclosing PHI to the press can be a HIPAA violation with criminal and civil liability consequences, personally and institutionally.

    Follow the institution's press relations policies to the letter: let the public relations office answer the press's questions.

    67/103


    Back to the councilwoman in the ER...

    Councilwoman presents as: 56 yo F with single gunshot wound to the torso and loss of consciousness.

    The ER staff work to stabilize her vital signs.

    How does HIPAA apply in this situation?

    68/103


    HIPAA and the ER

    Who are the covered entities in this case?

    the ambulance service

    the hospital

    the ER physicians

    69/103


    HIPAA and the ER

    Provide the patient with the hospital's NPP (Notice of Privacy Practices) and obtain her written acknowledgement of receipt.

    Obtain the patient's consent to use her PHI for treatment, payment, and health care operations. (HIPAA itself permits, but does not require, a covered entity to obtain this consent; institutional policy may still call for it.)

    Since she is unconscious, the emergency treatment exception applies: the NPP can be provided, and these signatures obtained, as soon as practicable after the emergency, once the patient is conscious.

    In this case another law, EMTALA (the Emergency Medical Treatment and Labor Act), also applies and requires a medical screening examination and stabilizing treatment regardless of whether any HIPAA paperwork has been completed.

    70/103


    Her family arrives

    and discloses their fear that the councilwoman shot herself due to her long-running private battle with depression. The hospital treatment team wants to see her psychiatric treatment records and psychotherapy notes. How does HIPAA impact these requests?

    71/103


    HIPAA and Medical Records

    Psychotherapy notes are off-limits without patient authorization, even when another provider requests them for treatment.

    Other mental health record information (e.g., her use of antidepressant medication) is ordinary PHI. Under HIPAA the mental health provider may disclose it to the hospital for her treatment without her authorization, and may also disclose it if the provider believes in good faith that the information is necessary to prevent or lessen a serious and imminent threat to her health or safety.

    State mental health confidentiality laws are often more stringent than HIPAA. Where such a law applies, the councilwoman must provide authorization before these records are released to the hospital and ER physicians.

    72/103


    The ER nurse

    wants to access the hospital information system to view medical records from the councilwoman's prior visits. How does HIPAA impact the hospital's electronic patient record system?

    73/103


    HIPAA and Electronic Patient Records

    Access to prior records is appropriate if she has been admitted or is being treated in the ER.

    Access to relevant past records is available only to those team members directly involved in her care (the need-to-know rule).

    Access is limited to appropriate individuals via an access control system.

    Nurses must be authenticated by the system and able to view records only on a need-to-know basis, and every access is logged so that it can be audited (the Security Rule requires audit controls).

    74/103


    HIPAA and Electronic Patient Records

    Workstations must be in secure locations or otherwise protected from unauthorized access.

    The hospital must have a data back-up and disaster recovery plan.
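To show how the access rules on this slide and the previous one are enforced in software, here is an added illustration in Python (not code from the GW training or from any real hospital system). It models a minimal need-to-know check: the user must be authenticated, the patient must have an active encounter, the user must be on that patient's care team, the record category must be permitted for the user's role, psychotherapy notes stay closed even to treating staff, and every attempt, allowed or denied, is written to an audit log for the privacy officer to review. All user names, roles, record categories and patient data are constructed examples, and the policy functions (`decide`, `read_record`, `denied_attempts`) are hypothetical.

```python
"""Need-to-know access control for an electronic patient record, with an
audit trail. Added illustration, not code from the GW training or any real
hospital system; all names, roles, record data and policy functions are
constructed / hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # "nurse", "physician" or "billing" in this example
    authenticated: bool  # outcome of the system's login step (password/MFA)


@dataclass
class Patient:
    mrn: str
    care_team: set[str]          # user_ids directly involved in this patient's care
    active_encounter: bool       # admitted, or currently being treated in the ER
    records: dict[str, list[str]] = field(default_factory=dict)  # category -> entries


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user_id: str
    mrn: str
    category: str
    allowed: bool
    reason: str


AUDIT_LOG: list[AuditEntry] = []   # every attempt, allowed or not, lands here

# Record categories each role may read. Psychotherapy notes are deliberately
# absent from every role: the Privacy Rule keeps them behind patient
# authorization even for treating clinicians.
CLINICAL = {"visits", "medications", "labs", "imaging"}
ROLE_CATEGORIES = {"nurse": CLINICAL, "physician": CLINICAL, "billing": {"billing"}}
CLINICAL_ROLES = {"nurse", "physician"}


def decide(user: User, patient: Patient, category: str) -> tuple[bool, str]:
    """Pure policy decision: (allowed, reason). No side effects."""
    if not user.authenticated:
        return False, "user not authenticated"
    if category == "psychotherapy_notes":
        return False, "psychotherapy notes require patient authorization"
    if category not in ROLE_CATEGORIES.get(user.role, set()):
        return False, f"category {category!r} not permitted for role {user.role!r}"
    if user.role in CLINICAL_ROLES:
        if not patient.active_encounter:
            return False, "patient has no active encounter"
        if user.user_id not in patient.care_team:
            return False, "user is not on the patient's care team"
    return True, "need-to-know satisfied"


def read_record(user: User, patient: Patient, category: str) -> Optional[list[str]]:
    """Apply the policy, log the attempt, return the entries or None if denied."""
    allowed, reason = decide(user, patient, category)
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user_id=user.user_id, mrn=patient.mrn, category=category,
        allowed=allowed, reason=reason))
    return list(patient.records.get(category, [])) if allowed else None


def denied_attempts(log: list[AuditEntry] = AUDIT_LOG) -> list[AuditEntry]:
    """What a privacy officer reviews: every denied access attempt."""
    return [e for e in log if not e.allowed]


# Constructed sample data (fictional patient and staff).
COUNCILWOMAN = Patient(
    mrn="MRN-000123",
    care_team={"rn_patel", "md_ortiz"},
    active_encounter=True,
    records={"visits": ["2019-03-02 annual physical"],
             "medications": ["ibuprofen 400 mg PRN"],
             "psychotherapy_notes": ["(restricted)"]})
ER_NURSE = User("rn_patel", "nurse", authenticated=True)
OTHER_NURSE = User("rn_lee", "nurse", authenticated=True)   # not on her team
NO_LOGIN = User("rn_patel", "nurse", authenticated=False)    # session not authenticated

if __name__ == "__main__":
    print(read_record(ER_NURSE, COUNCILWOMAN, "visits"))               # allowed
    print(read_record(OTHER_NURSE, COUNCILWOMAN, "visits"))            # None
    print(read_record(ER_NURSE, COUNCILWOMAN, "psychotherapy_notes"))  # None
    for e in AUDIT_LOG:
        print(e.when, e.user_id, e.mrn, e.category, "ALLOW" if e.allowed else "DENY", e.reason)
```

The policy decision is kept separate from the logging so it can be unit-tested and reviewed on its own; the audit entry records the reason for a denial, which is what makes later review of "who tried to look at the councilwoman's chart" meaningful.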

    75/103


    The police

    have already started investigating the councilwoman's possible attack. They have a suspect in custody, but need additional information to add to the police investigation. A detective calls the hospital to get details on the type of gunshot wound suffered by the councilwoman. How does HIPAA affect disclosure of a patient's PHI to police?

    76/103


    HIPAA and PHI Disclosure to Police

    The hospital may disclose a crime victim's PHI to the police without her authorization only if all of the following hold:

    The police suspect she is a crime victim.

    The doctor cannot obtain her agreement at the moment (in this case because she is unconscious).

    The police represent that the information is needed to determine whether the law was broken by someone other than the councilwoman, that it will not be used against her, and that the investigation would be materially harmed by waiting until she can agree.

    77/103


    HIPAA and PHI Disclosure to Police

    And, in the physician's professional judgment, the disclosure is in the councilwoman's best interest.

    Note: the physician can still refuse disclosure if s/he feels it is not in the patient's best interest.

    Exception:

    HIPAA also permits PHI disclosure without authorization where it is required by law, for example under mandatory reporting requirements (gunshot wounds must be reported in many states), or for public health monitoring activities (e.g., anthrax surveillance).

    78/103


    The councilwoman's condition

    has improved. She is stable and has regained consciousness. Her conscious state allows the hospital to collect the needed HIPAA information. What is collected?

    79/103


    First

    Present the hospital's NPP (Notice of Privacy Practices). If the physicians and the hospital have declared themselves an organized health care arrangement (OHCA) under HIPAA, they can use a joint NPP; otherwise the treating attending physicians must also present their own NPPs separately.

    Obtain her written acknowledgement that she has received the NPP.

    80/103


    Then

    Inform her that her name and basic facts about her condition and hospital location will be added to the hospital's directory, unless she objects.

    Advise her of her options not to be listed in the directory at all, and not to have a religious preference listed in the directory.

    81/103


    Several hours have passed

    and her family and the media are pressing for information on her condition and prognosis. What level of disclosure is permitted to these groups under HIPAA?

    82/103


    HIPAA and PHI Disclosure

    Family: the physician must ask the councilwoman whether she objects to sharing PHI with her family, or otherwise give her a chance to object. If she were still unconscious, the physician must use his/her professional judgment about whether sharing is in her best interest.

    At all times the physician must be discreet and avoid talking loudly about patient conditions in public areas (hallways, waiting rooms, elevators).

    83/103


    HIPAA and PHI Disclosure

    Press: if the councilwoman has agreed to be added to the hospital's directory, the general directory-disclosure rule applies. Therefore, the following information can be released to the press, or to anyone else, but only to someone who asks about the patient by name:

    Name

    Location in the facility

    Health condition expressed in general terms (e.g., "stable", "critical")

    Her religious affiliation is also directory information, but it may be disclosed only to members of the clergy, not to the press.

    84/103


    The ER's screening software

    has flagged the councilwoman as a candidate for an ongoing research study on female gunshot victims. The research coordinator appears at the councilwoman's bedside, obtains informed consent, and then begins the research protocol. Is this consistent with HIPAA regulations?

    85/103


    HIPAA and Research Studies

    Yes, but only if the researcher has followed GW's procedures for reviews preparatory to research (which cover the screening that identified her), and only if the research use of her PHI is covered by her signed HIPAA authorization, obtained along with the informed consent, or by an IRB or privacy board waiver of authorization.

    86/103


    In between cases,

    the ER physician who treated the councilwoman dictates his notes, which are then sent to a transcriptionist. The hospital has a contract with an outside company to provide transcription services. Does HIPAA affect this business relationship?

    87/103


    HIPAA and Business Associates

    Yes. Any outside vendor that creates, receives, maintains, or transmits PHI on the hospital's behalf, including the transcription company, is a business associate and must be covered by a business associate agreement as required by HIPAA.

    88/103


    The councilwoman recovers

    enough from her injury to be discharged from the hospital.

    Some time later she visits her doctor for a follow-up visit. She is prescribed a new medication and given some samples to take with her. How does HIPAA affect this follow-up visit?

    89/103


    HIPAA and Follow-up Visits

    Although providing free drug samples is considered a marketing activity, it is done face-to-face, and face-to-face marketing communications are permitted by HIPAA without an authorization.

    Note: It would be inappropriate (and not proper under HIPAA) for the physician to give a pharmaceutical company the councilwoman's name, even if the company manufactures her medication(s). The physician (or hospital) would need a signed authorization from the patient before giving that information to the pharmaceutical company.

    90/103


    The following month,

    the councilwoman is contacted by the hospital foundation, soliciting a donation. Have her privacy rights under HIPAA been violated?

    91/103


    HIPAA and Fundraising

    No, as long as the NPP stated that her PHI might be used for fundraising, and the foundation is institutionally related to, and supports, the hospital.

    The fundraising request must clearly tell the councilwoman how to opt out of future solicitations, and the hospital must honor that choice.

    92/103


    The medical students

    who participated in the councilwoman's care at the teaching hospital are writing up her case for next month's grand rounds presentation. How does HIPAA affect the amount or type of information that can be included in the presentation?

    93/103


    HIPAA and Training

    Because health care operations include the training of health care students, trainees, and practitioners, the minimum necessary rule applies. So does the Security Rule. Prudent application of these rules according to the institution's policies and procedures will require omitting her name and other identifying information that is unnecessary for teaching purposes.

    She can be referred to by name during rounds or other teaching situations at the discretion of the attending physician/faculty member.

    94/103


    The councilwoman

    is organizing her healthcare paperwork and returns to the hospital to get a copy of her medical record. Does HIPAA provide the councilwoman with complete access to her medical records?

    95/103


    HIPAA and Patient Record Access

    No. Patients are entitled to inspect and obtain a copy of the designated record set (the PHI the covered entity uses to make decisions about patients), not every document that mentions them.

    Care providers: the designated record set is the medical and billing records.

    Health plans: the designated record set is the enrollment, payment, claims adjudication, and case or medical management records.

    96/103


    HIPAA and Patient Record Access

    There is no right of access to psychotherapy notes, or to information compiled in reasonable anticipation of, or for use in, litigation.

    97/103


    HIPAA and Patient Record Access

    A patient's request for records may be rejected in certain narrowly defined circumstances, and a written explanation must be provided. For example, disclosing the PHI may be reasonably likely to endanger the patient or another person.

    Perhaps the councilwoman's distraught daughter, speculating about why her mother was shot, blurted out all kinds of family secrets to the ER doctor, who included them in the record. The councilwoman was unconscious and is unaware of their inclusion. The hospital decides that releasing these notes would endanger her and withholds them. A denial on this ground must be made by a licensed health care professional, and the councilwoman can ask for it to be reviewed by another licensed professional.

    98/103


    Once she obtains

    her designated record set and reads it, the councilwoman realizes that it states she takes Lipitor to lower her cholesterol. She stopped taking the medication several years ago and wants to have her record corrected. How does HIPAA affect patient-initiated changes to medical records?

    99/103


    HIPAA and Patient Record Changes

    If the hospital agrees to amend the record, it must notify her (and anyone else she identifies) that her amendment was accepted.

    However, the hospital can deny a request to amend the record (e.g., if it determines that the existing entry is accurate and complete). It must tell her in writing why, and she may dispute the denial.

    If the hospital stands by its denial, she can add a statement of disagreement to her designated record set (DRS). That statement stays with her DRS and goes out with any future disclosure of the disputed information.

    100/103


    Finally, the councilwoman

    would like to know with whom the hospital has shared her PHI, so she requests an accounting of her PHI disclosures. Is this permissible under HIPAA?

    101/103


    HIPAA and PHI Accounting

    Yes. The hospital must provide an accounting of the disclosures of her PHI that it (and its business associates) made in the six years before her request.

    Certain disclosures are excluded from the listing: those for treatment, payment, and health care operations (TPO); those made under her own signed authorization; those made to her; facility directory and family disclosures she agreed to; and certain disclosures to law enforcement or national security officials.
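To make the exclusions concrete, here is an added Python illustration (not the GW training's code, nor any vendor's) that produces an accounting of disclosures from a hypothetical disclosure log. It keeps only disclosures of the requesting patient's PHI within the six years before the request, drops the categories the Privacy Rule excludes (TPO, disclosures under her own authorization, disclosures to her, facility directory and persons involved in her care, and national security or correctional-custody disclosures), and outputs the four elements each accounting entry must contain (date, recipient, description of the PHI, purpose). An ordinary disclosure to a detective, or a mandatory gunshot report to a health department, is not excluded and does appear. The log format, purpose codes, names and entries are constructed.

```python
"""Accounting of disclosures computed from a PHI disclosure log. Added
illustration, not the GW training's or any vendor's code; the log format,
purpose codes, names and entries are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Disclosure:
    mrn: str
    when: date
    recipient: str                   # name, plus address if known
    description: str                 # what PHI went out
    purpose: str                     # hypothetical purpose code
    authorization_id: Optional[str] = None  # set when made under the patient's signed authorization


# Purpose codes excluded from the accounting by 45 CFR 164.528(a)(1).
EXCLUDED_PURPOSES = {
    "treatment", "payment", "operations",      # TPO, including business associate work
    "to_individual",                           # copies given to the patient herself
    "facility_directory", "involved_in_care",  # she agreed or did not object
    "national_security", "correctional_custody",
}
ACCOUNTING_PERIOD = timedelta(days=6 * 365)    # six years before the request


def accountable(d: Disclosure, request_date: date) -> bool:
    """Does this disclosure belong in the patient's accounting?"""
    if d.when > request_date or request_date - d.when > ACCOUNTING_PERIOD:
        return False
    if d.purpose in EXCLUDED_PURPOSES:
        return False
    if d.authorization_id is not None:   # made under her own authorization
        return False
    return True


def accounting_of_disclosures(log: list[Disclosure], mrn: str, request_date: date) -> list[dict[str, str]]:
    """Return the accounting entries, oldest first, each carrying the four
    elements the Rule requires: date, recipient, description, purpose."""
    rows = sorted((d for d in log if d.mrn == mrn and accountable(d, request_date)),
                  key=lambda d: d.when)
    return [{"date": d.when.isoformat(), "recipient": d.recipient,
             "phi": d.description, "purpose": d.purpose} for d in rows]


# Constructed disclosure log for the fictional councilwoman (MRN-000123) and one other patient.
SAMPLE_LOG = [
    Disclosure("MRN-000123", date(2019, 1, 10), "DC Department of Health", "gunshot wound report", "required_by_law"),
    Disclosure("MRN-000123", date(2019, 1, 10), "Det. R. Hale, Metropolitan Police Dept.", "wound type and location", "law_enforcement"),
    Disclosure("MRN-000123", date(2019, 1, 11), "CityScribe Inc. (business associate)", "dictated ER notes", "operations"),
    Disclosure("MRN-000123", date(2019, 1, 12), "Capitol Health Plan", "claim for ER visit", "payment"),
    Disclosure("MRN-000123", date(2019, 2, 1), "Northbridge Pharma", "name and medication list", "marketing", authorization_id="AUTH-2019-077"),
    Disclosure("MRN-000123", date(2019, 2, 20), "patient", "copy of designated record set", "to_individual"),
    Disclosure("MRN-000123", date(2012, 6, 1), "DC Department of Health", "reportable disease form", "public_health"),
    Disclosure("MRN-000456", date(2019, 1, 15), "Det. R. Hale, Metropolitan Police Dept.", "visit dates", "law_enforcement"),
]
REQUEST_DATE = date(2019, 3, 1)

if __name__ == "__main__":
    for row in accounting_of_disclosures(SAMPLE_LOG, "MRN-000123", REQUEST_DATE):
        print(row)
```

Run against the sample log, the councilwoman's accounting contains exactly two entries, the gunshot report to the health department and the disclosure to the detective; the business associate, payment, authorized marketing and patient-copy disclosures are excluded, the 2012 public health report falls outside the six-year window, and the other patient's entry is never considered.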

    102/103


    Congratulations

    You have successfully completed the GW HIPAA overview.

    REMEMBER, you must complete and comply with any additional HIPAA instruction or compliance programs at each institution (or office) where you have a clinical rotation.

    Be alert to the fact that HIPAA policies and procedures will vary from institution to institution, and you must comply with the requirements as implemented at each institution.

    If you have any questions about HIPAA, contact the privacy officer at the institution(s).

    103/103


    Now

    click on the Quiz section of the Prometheus course to complete the brief quiz on the HIPAA information you've just learned.

    After you've taken the quiz, we suggest you print out your quiz score by going to the Grade Book section of Prometheus, and then selecting the Print option under your browser's File menu. You may need to use this printout to document your completion of the program for

