HIPAA Privacy Education for Physicians
The following course may be used to fulfill Lifespan’s HIPAA privacy awareness training requirements by physicians. Check with your Department Chair to make sure that you have permission to take this course and to determine if there are additional HIPAA training requirements you must complete.
Please note that there is also an Office of Research Administration training course that may be more applicable for physicians performing research.
You must take the test accompanying this course to fulfill your HIPAA awareness training requirement.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. HIPAA has many components, one of which is its Privacy Rule.
After much Congressional delay, HHS implemented the final Privacy Rule on April 14, 2003. It requires that:
• Training be tailored to address the specific functions that Lifespan physicians perform.

HIPAA Expectations of Lifespan Employees Including Physicians
► Use or disclose Protected Health Information (PHI) only for work related purposes
► Limit uses and disclosures to the “minimum necessary” to achieve those work purposes
► Exercise reasonable caution to protect PHI under your control
► Understand and follow Lifespan’s privacy policies
► Try to remedy any privacy problems or to report them to the Privacy Officer at 401-444-4728 or via a confidential email to privacyofficer@lifespan.org
► Note that “incidental uses and disclosures” are inevitable and do not violate the privacy rule as long as reasonable precautions are taken
► Understand that reasonable limits and efforts, appropriate to the circumstances, are all that HIPAA requires
► Recognize that Lifespan will not retaliate or discriminate against any patient or worker who expresses a privacy concern.

Key Lifespan HIPAA Documents
In addition to the material contained in this presentation you may want to review the following important HIPAA documents/policies.
• Lifespan Joint Privacy Notice
• Incidental Disclosure of Protected Health Information
• Verifying Identity and Authority of Requestor
• Privacy Related Complaints
• Prohibiting Intimidating or Retaliatory Acts
This information is contained on the Compliance web page: http://intra.lifespan.org/compliance/

The Privacy Rule
► Ensures nationwide uniform procedural protection for all health information
► Imposes new restrictions on the use and disclosure of protected health information (PHI)
► Gives patients greater access to their medical records
► Provides patients with more control over their health information

What is Protected Health Information (PHI)?
When a patient gives personal health information to Lifespan, that information becomes PHI.

Examples of PHI
Examples of information that might connect personal health information to the individual patient include:
• The individual’s name or address
• Social Security or other identification number
• Physician’s personal notes
• Billing information

What are the Rules for Use/Disclosure of Protected Health Information?
HIPAA’s Privacy Rule is all about the use and disclosure of PHI. PHI can’t be used or disclosed by anyone unless it is permitted or required by the Privacy Rule.

PHI is used when:
• Shared
• Examined
• Applied
• Analyzed
PHI is disclosed when:
• Released
• Transferred
• In any way accessed by anyone outside of the covered entity

Lifespan employees are permitted to use or disclose PHI for:
• Treatment, payment, and healthcare operations
• With authorization or agreement from the individual patient
• For disclosure to the individual patient
• For incidental use such as physicians talking to patients in a semi-private room.

Lifespan’s Joint Privacy Notice
The Lifespan Joint Privacy Notice is a required document which is provided to all patients receiving direct care after April 13, 2003.
• It describes how PHI may be used and disclosed by Lifespan and how patients can get access to this information.
• Patients must acknowledge receipt of the Notice in writing, if possible.
• Copies are kept of all notices and acknowledgements.

Lifespan’s Joint Privacy Notice describes…
1.) Who we are
“Lifespan is a single covered entity that can share patient information across affiliates.”
2.) Our pledge to protect health information
3.) How we may use and disclose PHI – For instance, we do not need patient authorization to use PHI for treatment, payment and healthcare operations.
“As an example, a doctor treating a patient for a broken leg may need to know if the patient has diabetes because diabetes may slow the healing process. Different healthcare professionals may share the patient’s medical information in order to coordinate the different treatments/procedures needed, such as, lab work, x-rays and prescriptions. Also, in order to coordinate the patient’s care the hospital may share the patient’s information with a physician to which the patient is being referred.” – No Authorization is needed.

Lifespan’s Privacy Notice describes…
4.) When Patient Authorizations are required or the patient has an opportunity to object, for example
► To being placed on the Hospital Directory
► For marketing, research activities etc.
5.) Patients’ Rights regarding their PHI – specifically, patients have rights to:
► Request Restrictions
► Request confidential communication
► Inspect and copy their PHI
► Amend their PHI if incorrect
► Receive an accounting of non-routine disclosures of PHI
6.) Who to contact with inquiries or complaints.
In many cases the Privacy protections outlined in the Privacy Notice were already in place because RI law is often more stringent than the Privacy Rule.
► The RI State law pre-empts the Privacy Rule

What is Minimum Necessary?
In general, use/disclosure of PHI is limited to the minimum amount of health information necessary to get the job done. That means:
• Lifespan has developed policies and practices to make sure the least amount of health information is shared
• Employees are identified who regularly access PHI
• The types of PHI they need and the conditions for access are approved
See the policy entitled Minimum Necessary Protected Health Information for more information.
General Rule: If you have no need to review the PHI, then stop!
The Minimum Necessary Rule does not apply to use/disclosure of medical records for treatment, since healthcare providers need the entire record to provide quality care.
Per HHS, disclosure of PHI that exceeds the minimum necessary standard is one of the areas receiving the greatest number of patient complaints.

Privacy Practices Designed to Protect PHI:
► All Lifespan professional staff have an obligation to follow these general practices, which are designed to limit inappropriate disclosures.
1.) Follow IS guidelines designed to minimize access to our computerized systems; specifically,
• never give out your password;
• never post your password where it can be seen by others;
• never use another person’s password;
• avoid passwords that can be easily guessed;
• only access systems when you have a legitimate need.
2.) Release PHI only after verifying the identity and authority of the requestor.
3.) Ensure that PHI is appropriately discarded by such means as shredding.
• Remove PHI from laptops and home computers.
4.) Limit faxing PHI,
• only fax to a designated protected fax machine;
• confirm the fax number;
• verify receipt of the fax;
• use a confidential cover sheet.
5.) Limit PHI in e-mails going out on the internet, unless passwords or other authentication mechanisms are appropriately used.
6.) Transmit PHI by telephone only when it cannot be overheard,
• the recipient should be identified before PHI is released;
• messages left on a phone should be limited to the name of the person, a request that the call be returned, and the name and telephone number of the person placing the call.
7.) When performing physical examinations, take steps to ensure confidentiality; for example, ask non-essential persons to step outside.
8.) Use cell phones in discreet areas; conduct conversations in a low voice.
9.) Don’t discuss PHI in public areas such as hallways, elevators, cafeterias.
10.) Limit public access to computer monitors which may contain PHI.
11.) Keep medical records in a secure location, locked room, or locked cabinet.

Incidental Use and Disclosure
The Privacy Rule recognizes that “incidental use and disclosure” is inevitable and is not a violation if Lifespan has implemented reasonable safeguards.
► Lifespan’s Incidental Disclosure policy describes general privacy practices which are deemed to be reasonable safeguards.

Misuse of PHI
Misuse of PHI can result in civil and criminal sanctions:
Inadvertent violations up to $25,000 per year per each violation.
Deliberate violations up to $250,000 fine and prison sentence of up to 10 years.

Examples of Misuse of PHI
The HIPAA Privacy Rule is designed to minimize careless or unethical disclosures of health information, for example:
• A South Dakota medical student took home copies of 125 patients’ psychiatric records to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant, where they were found by a newspaper reporter.
• In Florida, several hundred hospital workers browsed through the records of a famous patient that had
• A Montana hospital posted over 400 psychiatric records of 62 children on its public web site where they remained for weeks until they were discovered by a newspaper reporter.
• A Florida county health department worker copied lists of HIV patients, distributed the information to his friends and sent the information to a local newspaper.

Specific Privacy Risk Area
Minors/Emancipated Minors
► Confidentiality depends on competency of person receiving care. If you believe that the minor patient had the right to consent to care, it is reasonable to maintain the minor’s confidentiality.
► RI Law - under 18 may consent for routine emergency care; testing, examination and/or treatment for any reportable communicable disease - HIV, STDs, etc.
► Emancipated - any minor who lives away from home with parent permission but without parent support may consent to his/her own treatment.

Key Points
• No Lifespan patient will be penalized for filing a complaint or exercising their rights.
• No adverse action will be taken against any employee or professional staff member who reports to the Privacy Officer, in good faith, any violation or threatened violation of the Privacy Rule or related policies.
• Lifespan affiliate staff will investigate all patient complaints within a reasonable amount of time.
• Lifespan employees and professional staff members can pose their concerns or questions directly to their supervisor or to the Privacy Officer, Tom Igoe, 401-444-4728.
The Privacy Office can be anonymously contacted via the Response Line 1-888-678-5111 or by using the confidential email site: http://intra.lifespan.org/compliance/Form.htm

HIPAA-Privacy-Compliance. IN INFORMATION TECH

  • 1. HIPAA Privacy Education for Physicians HIPAA Privacy Education for Physicians The following course may be used to fulfill Lifespan’s The following course may be used to fulfill Lifespan’s HIPAA privacy awareness training requirements by HIPAA privacy awareness training requirements by physicians. Check with your Department Chair to make physicians. Check with your Department Chair to make sure that you have permission to take this course and to sure that you have permission to take this course and to determine if there are additional HIPAA training determine if there are additional HIPAA training requirements you must complete. requirements you must complete. Please note that there is also an Office of Research Please note that there is also an Office of Research Administration training course that may be more Administration training course that may be more applicable for physicians performing research. applicable for physicians performing research. You must take the test accompanying this course You must take the test accompanying this course to fulfill your HIPAA awareness to fulfill your HIPAA awareness training requirement. training requirement.
  • 2. HIPAA HIPAA The Health Insurance Portability and The Health Insurance Portability and Accountability Act ( Accountability Act (HIPAA HIPAA) was enacted by ) was enacted by Congress in 1996. HIPAA has many components, Congress in 1996. HIPAA has many components, one of which is its one of which is its Privacy Rule Privacy Rule. . After much Congressional delay HHS After much Congressional delay HHS implemented the final implemented the final Privacy Rule Privacy Rule on on April 14, April 14, 2003 2003. It requires that: . It requires that:  Training be tailored to address the specific Training be tailored to address the specific functions that Lifespan physicians perform. functions that Lifespan physicians perform.
  • 3. HIPAA Expectations of Lifespan HIPAA Expectations of Lifespan Employees Including Physicians Employees Including Physicians ► Use or disclose Protected Health Information Use or disclose Protected Health Information (PHI) (PHI) only for work related purposes only for work related purposes ► Limit uses and disclosures to the “minimum Limit uses and disclosures to the “minimum necessary” to achieve those work purposes necessary” to achieve those work purposes ► Exercise reasonable caution to protect Exercise reasonable caution to protect PHI PHI under under your control your control ► Understand and follow Lifespan’s privacy policies Understand and follow Lifespan’s privacy policies ► Try to remedy any privacy problems or to report Try to remedy any privacy problems or to report them to the Privacy Officer at 401-444-4728 or via them to the Privacy Officer at 401-444-4728 or via a confidential email to [email protected] a confidential email to [email protected]
  • 4. HIPAA Expectations of Lifespan HIPAA Expectations of Lifespan Employees Including Physicians Employees Including Physicians ► Note that “incidental uses and disclosures” are Note that “incidental uses and disclosures” are inevitable and do not violate the privacy rule as inevitable and do not violate the privacy rule as long as reasonable precautions are taken long as reasonable precautions are taken ► Understand that reasonable limits and efforts, Understand that reasonable limits and efforts, appropriate to the circumstances are all that appropriate to the circumstances are all that HIPAA requires HIPAA requires ► Recognize that Lifespan will not retaliate or Recognize that Lifespan will not retaliate or discriminate against any patient or worker who discriminate against any patient or worker who express a privacy concern. express a privacy concern.
  • 5. Key Lifespan HIPAA Documents
      In addition to the material contained in this presentation you may want to review the following important HIPAA documents/policies.
      • Lifespan Joint Privacy Notice
      • Incidental Disclosure of Protected Health Information
      • Verifying Identity and Authority of Requestor
      • Privacy Related Complaints
      • Prohibiting Intimidating or Retaliatory Acts
      This information is contained on the Compliance web page: http://intra.lifespan.org/compliance/
  • 6. The Privacy Rule
      ► Ensures nationwide uniform procedural protection for all health information
      ► Imposes new restrictions on the use and disclosure of protected health information (PHI)
      ► Gives patients greater access to their medical records
      ► Provides patients with more control over their health information
  • 7. What is Protected Health Information (PHI)?
      When a patient gives personal health information to Lifespan, that information becomes PHI.
  • 8. Examples of PHI
      Examples of information that might connect personal health information to the individual patient include:
      • The individual’s name or address
      • Social Security or other identification number
      • Physician’s personal notes
      • Billing information
  • 9. What are the Rules for Use/Disclosure of Protected Health Information?
      HIPAA’s Privacy Rule is all about the use and disclosure of PHI. PHI can’t be used or disclosed by anyone unless it is permitted or required by the Privacy Rule.
      PHI is used when:
      • Shared
      • Examined
      • Applied
      • Analyzed
      PHI is disclosed when:
      • Released
      • Transferred
      • In any way accessed by anyone outside of the covered entity
  • 10. Lifespan employees are permitted to use or disclose PHI for:
      • Treatment, payment, and healthcare operations
      • With authorization or agreement from the individual patient
      • For disclosure to the individual patient
      • For incidental use such as physicians talking to patients in a semi-private room.
  • 11. Lifespan’s Joint Privacy Notice
      The Lifespan Joint Privacy Notice is a required document which is provided to all patients receiving direct care after April 13, 2003.
      • It describes how PHI may be used and disclosed by Lifespan and how patients can get access to this information.
      • Patients must acknowledge receipt of the Notice in writing, if possible.
      • Copies are kept of all notices and acknowledgements.
  • 12. Lifespan’s Joint Privacy Notice describes…
      1.) Who we are: “Lifespan is a single covered entity that can share patient information across affiliates.”
      2.) Our pledge to protect health information
      3.) How we may use and disclose PHI – For instance, we do not need patient authorization to use PHI for treatment, payment and healthcare operations.
      “As an example, a doctor treating a patient for a broken leg may need to know if the patient has diabetes because diabetes may slow the healing process. Different healthcare professionals may share the patient’s medical information in order to coordinate the different treatments/procedures needed, such as lab work, x-rays and prescriptions. Also, in order to coordinate the patient’s care the hospital may share the patient’s information with a physician to which the patient is being referred.” – No Authorization is needed.
  • 13. Lifespan’s Privacy Notice describes…
      4.) When Patient Authorizations are required or the patient has an opportunity to object, for example:
      ► To being placed on the Hospital Directory
      ► For marketing, research activities etc.
      5.) Patients’ Rights regarding their PHI – specifically, patients have rights to:
      ► Request restrictions
      ► Request confidential communication
      ► Inspect and copy their PHI
      ► Amend their PHI if incorrect
      ► Receive an accounting of non-routine disclosures of PHI
  • 14. Lifespan’s Privacy Notice describes…
      6.) Who to contact with inquiries or complaints.
      In many cases the Privacy protections outlined in the Privacy Notice were already in place because RI law is often more stringent than the Privacy Rule.
      ► The RI State law pre-empts the Privacy Rule
  • 15. What is Minimum Necessary?
      In general, use/disclosure of PHI is limited to the minimum amount of health information necessary to get the job done. That means:
      • Lifespan has developed policies and practices to make sure the least amount of health information is shared
      • Employees are identified who regularly access PHI
      • The types of PHI they need and the conditions for access are approved
      See the policy entitled Minimum Necessary Protected Health Information for more information.
      General Rule: If you have no need to review the PHI then stop!
  • 16. What is Minimum Necessary?
      The Minimum Necessary Rule does not apply to use/disclosure of medical records for treatment, since healthcare providers need the entire record to provide quality care.
      Per HHS, disclosure of PHI that exceeds the minimum necessary standard is one of the areas receiving the greatest number of patient complaints.
  • 17. Privacy Practices Designed to Protect PHI:
      ► All Lifespan professional staff have an obligation to follow these general practices, which are designed to limit inappropriate disclosures.
      1.) Follow IS guidelines designed to minimize access to our computerized systems; specifically,
      • never give out your password;
      • never post your password where it can be seen by others;
      • never use another person’s password;
      • avoid passwords that can be easily guessed;
      • only access systems when you have a legitimate need.
  • 18. Privacy Practices Designed to Protect PHI:
      2.) Release PHI only after verifying the identity and authority of the requestor.
      3.) Ensure that PHI is appropriately discarded by such means as shredding.
      • Remove PHI from laptops and home computers.
      4.) Limit faxing PHI,
      • only fax to a designated protected fax machine;
      • confirm the fax number;
      • verify receipt of the fax;
      • use a confidential cover sheet.
      5.) Limit PHI in e-mails going out on the internet, unless passwords or other authentication mechanisms are appropriately used.
  • 19. Privacy Practices Designed to Protect PHI:
      6.) Transmit PHI by telephone only when it cannot be overheard,
      • the recipient should be identified before PHI is released;
      • messages left on a phone should be limited to the name of the person, a request that the call be returned, and the name and telephone number of the person placing the call.
      7.) When performing physical examinations, take steps to ensure confidentiality; for example, ask nonessential persons to step outside.
      8.) Use cell phones in discreet areas; conduct conversations in a low voice.
  • 20. Privacy Practices Designed to Protect PHI:
      9.) Don’t discuss PHI in public areas such as hallways, elevators, cafeterias.
      10.) Limit public access to computer monitors which may contain PHI.
      11.) Keep medical records in a secure location, locked room, or locked cabinet.
  • 21. Incidental Use and Disclosure
      The Privacy Rule recognizes that “incidental use and disclosure” is inevitable and is not a violation if Lifespan has implemented reasonable safeguards.
      ► Lifespan’s Incidental Disclosure policy describes general privacy practices which are deemed to be reasonable safeguards.
  • 22. Misuse of PHI
      Misuse of PHI can result in civil and criminal sanctions:
      Inadvertent violations up to $25,000 per year per each violation.
      Deliberate violations up to $250,000 fine and prison sentence of up to 10 years.
  • 23. Examples of Misuse of PHI
      The HIPAA Privacy Rule is designed to minimize careless or unethical disclosures of health information, for example:
      • A South Dakota medical student took home copies of 125 patients’ psychiatric records to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant, where they were found by a newspaper reporter.
      • In Florida, several hundred hospital workers browsed through the records of a famous patient that had
  • 24. Examples of Misuse of PHI
      • A Montana hospital posted over 400 psychiatric records of 62 children on its public web site where they remained for weeks until they were discovered by a newspaper reporter.
      • A Florida county health department worker copied lists of HIV patients, distributed the information to his friends and sent the information to a local newspaper.
  • 25. Specific Privacy Risk Area: Minors/Emancipated Minors
      ► Confidentiality depends on competency of person receiving care. If you believe that the minor patient had the right to consent to care, it is reasonable to maintain the minor’s confidentiality.
      ► RI Law - under 18 may consent for routine emergency care; testing, examination and/or treatment for any reportable communicable disease - HIV, STDs, etc.
      ► Emancipated - any minor who lives away from home with parent permission but without parent support may consent to his/her own treatment.
  • 26. Key Points
      • No Lifespan patient will be penalized for filing a complaint or exercising their rights.
      • No adverse action will be taken against any employee or professional staff member who reports to the Privacy Officer in good faith, any violation or threatened violation of the Privacy Rule or related policies.
      • Lifespan affiliate staff will investigate all patient complaints within a reasonable amount of time.
      • Lifespan employees and professional staff members can pose their concerns or questions directly to their supervisor or to the Privacy Officer, Tom Igoe, 401-444-4728.
      The Privacy Office can be anonymously contacted via the Response Line 1-888-678-5111 or by using the confidential email site: http://intra.lifespan.org/compliance/Form.htm