
HIPAA Training for the Athens-Limestone Hospital Workforce

Date post: 04-Feb-2016
Upload: cyma
Transcript
Page 1: HIPAA Training for the Athens-Limestone Hospital Workforce

HIPAA Training for the Athens-Limestone Hospital Workforce

This class is required for all employees, volunteers, trainees, onsite contractors, and others to be defined.

Contact your manager or the privacy officer for more information.

Page 2: HIPAA Training for the Athens-Limestone Hospital Workforce

Athens Limestone Hospital’s goal for data privacy and security is to achieve a fundamental shift in attitudes, awareness, habits, and capabilities of personnel, to create a sense of accountability among staff and management for the safeguarding of patient information and to share information appropriately.

Page 3: HIPAA Training for the Athens-Limestone Hospital Workforce

The Notice of Privacy Practices tells our patients how we use their health information. The Notice of Privacy Practices is a brochure that is offered to registering patients. The Notice of Privacy Practices is also posted on the web site and in public areas around Athens-Limestone Hospital facilities.

Page 4: HIPAA Training for the Athens-Limestone Hospital Workforce

Patients or authorized representatives must sign an Acknowledgement Statement before treatment begins, or as soon as reasonably possible. If it is not possible to obtain a signed Acknowledgement Statement, staff should document the reason why. The acknowledgement states the patient has received our Notice of Privacy Practices.

Page 5: HIPAA Training for the Athens-Limestone Hospital Workforce

The Athens Limestone facility directory contains the name and location of registered patients. Patients are asked during the registration process if they object to being in our facility directory. ALH employees may disclose a patient’s location and general condition if someone asks for the patient by name.

Page 6: HIPAA Training for the Athens-Limestone Hospital Workforce

If the patient objects to being placed in the facility directory, ALH employees may not acknowledge the patient is in our facility. A plus sign (+) will appear beside the name to identify the patient as confidential.

Page 7: HIPAA Training for the Athens-Limestone Hospital Workforce

Persons associated with ALH include members of the workforce (i.e. employees, volunteers, trainees, and contractors), as well as researchers, ALH Medical Staff, teachers and educators, members of the Health Care Authority of City of Athens/Limestone, allied health practitioners and business associates.

Members of the workforce and all those associated with ALH must abide by the ALH Data Privacy and Security Policies.

Page 8: HIPAA Training for the Athens-Limestone Hospital Workforce

Protected Health Information (PHI) can be demographic, financial or clinical data. PHI identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual. Some examples of PHI include: name, demographic information, any data that could identify the person, e-mail address, medical record number, social security number, device identifiers and serial numbers, and health plan beneficiary numbers and other like identifiers.

Page 9: HIPAA Training for the Athens-Limestone Hospital Workforce

Minimum necessary is using only the PHI you need to complete your job. PHI requested from others should also be limited to minimum necessary to accomplish the task or intended purpose. Minimum necessary does not apply for treatment purposes between health care providers.

Page 10: HIPAA Training for the Athens-Limestone Hospital Workforce

Members of the ALH workforce are granted access only to information necessary to complete their job. This includes not only electronic data, but also hard copy records and oral conversations.

Never share your passwords, access badges, or other data access privileges with someone else.

Page 11: HIPAA Training for the Athens-Limestone Hospital Workforce

ALH can use or disclose PHI for treatment, payment and health care operations (TPO) and for other purposes such as public health activities without an authorization. For all other reasons, an authorization will need to be obtained from the patient or legal representative. The authorization must have all the necessary elements to be valid. The ALH authorization validation and release of PHI is handled through the Health Information Management Department with the exception of TPO purposes.

Page 12: HIPAA Training for the Athens-Limestone Hospital Workforce

You must take reasonable steps to verify the identity of those seeking PHI if you do not know them. You do not have to verify the identity of individuals you know. If an individual is only asking you for information found in the facility directory, verification is not required. Some examples of verification include: patient account number, patient’s date of birth, patient’s SS number, and picture ID.

Page 13: HIPAA Training for the Athens-Limestone Hospital Workforce

It is always best to ask the patient for permission to share their PHI. However, when the individual is not present or is unable to answer, professional judgment and experience with common practice may be used to make reasonable decisions in the individual’s best interest. It is best to always document these types of occurrences.

In case of emergency, PHI may be disclosed to notify a family member without verifying authority.

Page 14: HIPAA Training for the Athens-Limestone Hospital Workforce

HIPAA allows the release of PHI when required by law. An authorization is not required in these cases, but the disclosure must be documented.

ALH is required by law to provide various reports of PHI to government agencies. These include:

• Reports of public health information

• Reports to the Food and Drug Administration

Page 15: HIPAA Training for the Athens-Limestone Hospital Workforce

• Reports of communicable diseases

• Reports for employee safety

• For purposes of preventing or controlling disease, injury or disability

Disclosures may be made to law enforcement, only if the official needs the information to identify or locate a suspect, a fugitive, material witness, or missing person. The purpose of the disclosure and the identity of the officer must be documented in the patient’s chart.

Page 16: HIPAA Training for the Athens-Limestone Hospital Workforce

Information that may be released to law enforcement includes: patient name and address, patient date and place of birth, patient social security number, patient blood type and RH factor, type of injury, date and time of death, and distinguishing characteristics the patient may have.

Page 17: HIPAA Training for the Athens-Limestone Hospital Workforce

PHI may be disclosed to our Business Associates. Business Associates are people or entities who provide a service that involves the use of PHI. Examples may include third parties who bill for us, review medical charts, or collect patient data for studies.

ALH must have a contract with these entities to whom we disclose information.

A Business Associate Agreement or Contract with these entities assures us that they will also protect our patients’ privacy.

Page 18: HIPAA Training for the Athens-Limestone Hospital Workforce

Correct ways to release PHI

• For treatment purposes to other caregivers involved in the patient’s care

• To verify payors

• To family members and friends involved in the patient’s care

• To quality management or for other operational activities

• When required by law or other health agencies

• With a valid authorization signed by the patient or representative

• To anyone who asks for the patient by name, you may disclose location and general condition.

Page 19: HIPAA Training for the Athens-Limestone Hospital Workforce

Incorrect ways to disclose PHI

• To caregivers not involved in the patient’s care nor expecting to be involved in the patient’s care

• To family members you do not know to be involved in the patient’s care

• To others who do not use the data for treatment, payment or operational purposes

• Without valid authorization

• If the patient has been assigned “confidential” status, acknowledgment of the person being a patient in the facility should not be done.

Page 20: HIPAA Training for the Athens-Limestone Hospital Workforce

ALH must designate a Privacy Officer who is responsible for the development and implementation of the data Privacy policies and procedures, and responsible for receiving complaints. The Privacy Officer at ALH is Brenda Moody. To contact the Privacy Officer:

• Call 256-233-9539 or 1539

• Send forms and correspondence to the Health Information Management Department – Attn: Brenda Moody

• E-mail [email protected]

• Fax 256-233-9266

Page 21: HIPAA Training for the Athens-Limestone Hospital Workforce

E-mailing PHI within the organizational e-mail system is permissible. Use caution when forwarding PHI without the sender’s permission.

Select a secure area for PHI. A secure area is an area that has physical safeguards to eliminate or minimize the possibility of unauthorized access to confidential information. An example of an unsecured area would be any area outside or inside of a department which may be exposed to the public, i.e. waiting rooms, patient rooms, restrooms, and hallways.

Department managers are responsible for designating areas within their department that will be considered secure.

Page 22: HIPAA Training for the Athens-Limestone Hospital Workforce

Faxing of PHI for TPO is permissible as long as the rules of verification, authority, and minimum necessary are followed.

Remember to compare the fax number on the display and the intended fax number. The most common error is punching in the wrong key. If you know a fax was sent to an incorrect fax number, call the privacy officer at 1539.

You should avoid sending faxes containing drug/alcohol abuse, HIV/AIDS, rape or abuse information.

Page 23: HIPAA Training for the Athens-Limestone Hospital Workforce

Athens Limestone Hospital must provide a process for individuals to make complaints and must document all complaints received and their disposition, if any.

Any employee who suspects a patient’s data privacy or security has been violated should report it to their supervisor immediately or call the privacy officer at 256-233-9539 or call 1-800-442-0959.

Anyone, not just patients, may file a complaint.

It is against the law to take retaliatory action against any individual who exercises his/her data privacy rights.

Page 24: HIPAA Training for the Athens-Limestone Hospital Workforce

Entities are required to have a fair sanctions policy and must document the sanctions that are applied.

The sanctions policy is located in the Administrative Manual under the HIPAA section.

Punishment ranges from oral reprimand to termination.

Some violations can result in imprisonment.

If it is not within the scope of your job at ALH, you are in violation of HIPAA laws and Athens Limestone Hospital policies if you access PHI.

Page 25: HIPAA Training for the Athens-Limestone Hospital Workforce

Definitions

• Administrative Simplification – the provisions of HIPAA relating to standards for electronic health care transactions, the privacy and security of health information, and the national identifiers

• Authorization – a written authorization by an individual authorizing the use or disclosure of his or her health information

• Business Associate – a person or organization that assists a covered entity with treatment or operations, and generates, receives or has access to protected health information. Covered entities are required to obtain confidentiality agreements (called business associate agreements) with their business associates

• Business Associate Agreement (Contract) – an agreement between a covered entity and its business associate in which the business associate agrees to restrict its use and disclosure of the covered entity’s protected health information

• CMS – the Centers for Medicare and Medicaid Services, a department within the U.S. Department of Health and Human Services

Page 26: HIPAA Training for the Athens-Limestone Hospital Workforce

• Covered Entity – a health plan, a health care clearing house, or a health care provider that transmits electronic transactions

• Data Aggregation – the combining of such protected health information by a business associate on behalf of more than one covered entity, to permit data analysis relating to the health care operations of the participating covered entities

• Data Use Agreement – a confidentiality agreement between a covered entity and the recipient of health information in a limited data set

• De-Identified Health Information – health information from which individual identifiers have been removed, so it cannot be used to identify an individual. De-Identified health information is not protected by HIPAA

Page 27: HIPAA Training for the Athens-Limestone Hospital Workforce

• Designated Record Set – a health care provider’s medical records and billing records about individuals, a health plan’s enrollment, payment, claims adjudication, and case or medical management records, and any other records used by a covered entity to make decisions about individuals

• Direct Treatment Relationship – a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship

• Disclosure – the release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information

• Group Health Plan – an employee welfare benefit plan that provides medical care

• HHS – the U.S. Department of Health and Human Services

Page 28: HIPAA Training for the Athens-Limestone Hospital Workforce

Health Care Clearinghouse – an organization that processes health information received from another entity in a nonstandard format or containing nonstandard data content and converts into standard data elements or a standard transaction, or vice versa

Health Care Operations – business management and operations, including quality assessment and improvement, peer review, underwriting, medical review and audits, and business planning, management and development

Health Care Provider – a person or organization who furnishes, bills, or is paid for health care in the normal course of business

Health Information – any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual

Page 29: HIPAA Training for the Athens-Limestone Hospital Workforce

Health Insurance Issuer – a company that is licensed to engage in the business of insurance in a State and is subject to State Law that regulates insurance

Health Maintenance Organization (HMO) – a federally qualified HMO, or an organization regulated by State law as a health maintenance organization

Health Oversight Agency – a governmental agency that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant

Health Plan – an organization that provides, or pays the cost of, medical care. Employee health benefit plans are health plans, unless they are self-administered, and have fewer than 50 participants. Government-funded programs whose principal function is providing direct health care services are not health plans.

Individual Identifiable Health Information – information that relates to an individual’s physical or mental health; the provision of health care to an individual; or the payment for health care provided to an individual, that identifies the individual or could be used to identify the individual

Page 30: HIPAA Training for the Athens-Limestone Hospital Workforce

Indirect Treatment Relationship – the provider delivers health care to the individual based on the orders of another health care provider; and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual

Law Enforcement Official – an officer or employee of any governmental agency who is empowered by law to investigate or prosecute violations of law

Limited Data Set – health information from which specified identifiers have been removed. Information in a limited data set is protected, but may be used for research, health care operations and public health activities without the individual’s authorization

Page 31: HIPAA Training for the Athens-Limestone Hospital Workforce

Marketing – a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. It does not include communications for treatment, case management or care coordination

Minimum Necessary – this applies when using or disclosing protected health information or when requesting protected health information from another covered entity. A covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

Organized Health Care Arrangement – an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement; and participate in joint utilization review, quality assurance or financial risk for health care services

Payment – the activities of a health care provider to obtain payment for health care services, or of a health plan to obtain premiums, or to adjudicate and pay claims

Page 32: HIPAA Training for the Athens-Limestone Hospital Workforce

PHI (Protected Health Information) – individually identifiable health information in any form

Public Health Activities – the activities of public health authorities to collect information for the purpose of preventing or controlling disease, illness or injury

Public Interest Disclosures – disclosure for a variety of public interest-related purposes, which HIPAA permits without the individual’s authorization

Research – a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to knowledge

Secretary – the Secretary of Health and Human Services

Page 33: HIPAA Training for the Athens-Limestone Hospital Workforce

Secure Area – an area that has physical safeguards to eliminate or minimize the possibility of unauthorized access to confidential information, for example, a locked room or an area that is attended by authorized employees. Department managers are responsible for designating the area within their department that will be considered secure. All trash receptacles within designated secure areas will be considered secure and will be disposed of in a secure manner

Transaction – the transmission of information between two parties to carry out financial or administrative activities related to health care. HIPAA sets standards for the following electronic transactions: Health care claims or equivalent encounter information, Health care payment and remittance advice, Coordination of benefits, Health care claim status, Enrollment and de-enrollment in a health plan, Eligibility for a health plan, Health plan premium payments, Referral certification and authorization

Page 34: HIPAA Training for the Athens-Limestone Hospital Workforce

Treatment – the provision, coordination, or management of health care related services by a health care provider

Unsecured Area – areas outside or inside of the department that are exposed to the public, i.e. public areas, waiting rooms, patient rooms, restrooms, etc

Use – the sharing, employment, application, utilization, examination, or analysis of information within the entity that maintains such information

Workforce – employees, volunteers, trainees, and other persons under the direct control of the company

