Combined Staff WUH WHAT IS HIPAA? (The Health Insurance Portability and Accountability Act of 1996)

Upload: albert-logan

Post on 11-Jan-2016



HIPAA

• Is a Federal Law;

• Creates uniform standards for certain payment-related transactions (e.g., claims submissions and eligibility verification); and

• Creates minimum standards for the privacy and security of patient information.

TRAINING REQUIREMENT

Compliance with the HIPAA regulations is the responsibility of the entire staff. This includes employees, medical staff, volunteers, residents, and students;

• Everyone must take steps to protect the confidentiality and privacy of patient information, and

• Everyone is required to receive HIPAA training.

At the end of this presentation, you will be asked to sign a certification which says you have received this training and agree to abide by the Hospital’s HIPAA policies.

HIPAA PRIVACY BASICS

GENERAL PRIVACY RULE

You may not USE or DISCLOSE Protected Health Information (“PHI”) except as permitted by the privacy regulations.

WHAT IS PROTECTED HEALTH INFORMATION OR “PHI?”

PHI is any information relating to a person’s health status, treatment or payment for health services which is created or received by the Hospital and which may identify the individual.

Includes: Oral, written and electronic records and communications.

QUESTION

Which of the following is PHI?

• A patient’s address

• A patient’s Medicaid number

• A patient’s date of birth

• A patient’s name

• All of the above

Answer:

Each of those items is considered PHI, or Protected Health Information.

EXAMPLES OF WHERE YOU MIGHT ENCOUNTER PHI:

• A sign-in sheet that includes the patient’s name and reason for her visit

• A code that documents a specific health procedure or test

• A patient identification bracelet or band, or an insurance card

• A conversation about a patient’s health over lunch with a colleague

• An appointment reminder message left on an answering machine

MORE EXAMPLES OF PHI:

• Physician dictation that is yet to be transcribed

• Patient status boards

• A telephone call to verify health insurance coverage

• The OR schedule

PAY CLOSE ATTENTION TO AREAS WHICH LEND THEMSELVES TO PRIVACY VIOLATIONS – DO A WALK-THROUGH OF YOUR FLOOR/DEPARTMENT

PRIVACY NOTICE

• Prior to providing services (except in an emergency or if the patient lacks capacity), the Hospital must provide each patient with a privacy notice and make a good faith effort to obtain a written acknowledgment from the patient that he/she has received the Hospital’s privacy notice.

• If the Hospital is unable to obtain the acknowledgment, it must document the attempt that was made, and the reasons why such attempt was not successful.

• The acknowledgement should be kept for at least six years.

PRIVACY NOTICE

The Hospital’s privacy notice describes:

• How the Hospital uses and discloses PHI

• The patients’ rights concerning their PHI

• How the patient can make complaints (both to the Hospital and to the Office of Civil Rights) concerning privacy or security issues

• The Hospital’s notice is a “joint notice,” and it covers the Hospital and its medical staff with regard to services rendered at the Hospital

PERMITTED DISCLOSURES FOR THE HOSPITAL’S USE

The Hospital may use and disclose PHI without obtaining a HIPAA-compliant authorization form for the Hospital’s Treatment, Payment and Health Care Operations purposes.

Note: You must still comply with other more stringent laws (e.g., NYS law, HIV law, mental health law, and drug and alcohol laws).

TREATMENT

The provision, coordination and/or management of health care and related services including consultations and referrals.

Examples:

• If a patient receives care at a Hospital, the Hospital may send the patient’s blood to a reference laboratory for analysis.

• One physician may consult with another physician concerning the care of a particular patient.

• Hospital discharge personnel may provide information to nursing homes/home health agencies who may subsequently treat the patient.

PAYMENT

The activities undertaken by a provider to obtain reimbursement for services provided.

Examples:

• The Admitting Office is permitted to contact an insurance company to determine if a patient has insurance coverage.

• The Billing Department is permitted to send a bill to the patient or the patient’s third party payor.

HEALTH CARE OPERATIONS

The Hospital’s routine activities such as quality assurance, case management, credentialing, accreditation, education of staff, business planning and customer service.

Examples:

• Presenting case studies at a performance improvement meeting

• Sending incident reports to malpractice carriers

• Training of staff, residents and interns

• Participating in JCAHO accreditation

PERMITTED DISCLOSURES FOR THE USE OF OTHERS

In addition, the Hospital may disclose PHI without an authorization:

• For other providers’ Treatment, Payment purposes and certain Healthcare Operations;

• To DHHS;

• To a patient’s family and personal representatives;

• In a facility directory; and

• In all other situations authorized by HIPAA.

AUTHORIZATIONS

• If the Hospital wants to use PHI for purposes other than treatment, payment or health care operations it must obtain a HIPAA-compliant authorization form.

• The authorization form must be signed by the patient or his/her legal representative

• The authorization form must be detailed and specific to the use or disclosure.

Examples:

• Research

• Marketing

• Photographing patients (for other than treatment purposes)

QUESTION

A patient comes to a hospital. Which of the following can be performed without written authorization from the patient or his/her legal representative?

a) Doctors reviewing the treatment plan for elective surgery

b) Billing for elective surgery

c) Sending laboratory results to an outside lab

d) Discussing the patient’s care at a quality assurance meeting

e) All of the above

Answer:

Each of those actions can be performed without written authorization from the patient or his/her legal representative.

MINIMUM NECESSARY RULE

You must limit the PHI which you use, disclose or request to the minimum necessary to accomplish your job responsibilities.

MINIMUM NECESSARY RULE EXAMPLES

Example 1: When PHI is disclosed in response to a request from a health plan, only the information requested should be sent rather than the entire medical record.

Example 2: When PHI is used by a health care provider, such as a Physical Therapist, to treat a patient, the therapist limits their use of the medical record to those portions that are essential to the treatment of the patient.

MINIMUM NECESSARY RULE: EXCEPTIONS

The minimum necessary rule does not apply when PHI is disclosed to or requested by the patient himself, or by a provider in order to treat an individual.

MINIMUM NECESSARY RULE (Cont’d)

If you regularly receive reports containing PHI which you do not need to receive or if you have greater access to PHI than you need to perform your job, please contact your Department Manager or Terry Lillis, our Privacy Officer.

INDIRECT PROVIDERS

• Deliver care based upon the orders of another health care provider;

• Transmit the results of these services directly to the provider who ordered the service (not to the patient);

• Are not required to obtain a privacy notice acknowledgment prior to providing services; and

• Are not Business Associates.

EXAMPLES: Laboratories, pathologists, radiologists

HIPAA HOT SPOT: HIPAA AND OTHER LAWS

• As the Hospital implements HIPAA, it must continue to follow current Hospital policy (which may be based upon other Federal and State law) unless the policy directly conflicts with HIPAA.

• If HIPAA and State law address the same topic, HIPAA applies, unless the State law offers the patient greater rights.

HIPAA HOT SPOT: HIPAA AND OTHER LAWS

EXAMPLES:

• The Hospital must still follow New York State law relating to patient authorization for release of HIV records, even though these rules may be more strict than HIPAA.

• Although HIPAA does not require a HIPAA specific consent for permitted disclosures of PHI, the Hospital is still required to obtain other types of consents for health care purposes if required by law or Hospital policy (i.e., informed consents and consents for treatment).

PRIVACY OFFICER

Terry Lillis, at 663-2003, is the hospital’s Privacy Officer and is responsible for ensuring compliance with the HIPAA Privacy Standards. If you have any questions or are aware of any HIPAA violations, contact her immediately.

Nick Casabona at 663-2370, as the Hospital's HIPAA Security Officer, is responsible for overseeing the technical aspects of the security of the electronic information.

COMPLAINTS

Jean Zebroski, Director of Patient Relations, at 663-2058, is responsible for responding to complaints regarding HIPAA violations.

Please refer any complaint relating to HIPAA directly to Jean.

HIPAA HOT SPOT: PATIENT DIRECTORY INFORMATION

HIPAA allows Hospitals to provide directory information to the public, but patients may request to opt out of being included in such directory. If they opt out, our Secured Patient Policy will be used to safeguard all of their information.

PATIENT RIGHTS

Under HIPAA, patients have the following rights:

• To request that the Hospital limit its use and disclosure of their PHI;

• To receive communications by alternative means (e.g., e-mail or fax) or to alternative locations (the Hospital must accommodate all “reasonable” requests);

• To access their PHI;

• To request amendments to their PHI, and

• To receive an accounting of certain disclosures of their PHI.

IMPLEMENTING PATIENTS’ RIGHTS

Example: A patient requests that PHI not be disclosed to any person other than his son.

• The Hospital is not required to agree to such a request, but if it does, it must modify the uses and disclosures it and its staff typically make.

ACCOUNTINGS

• HIPAA requires the Hospital to provide patients, upon request, with an accounting of certain disclosures of their PHI.

• The following disclosures do not need to be included on the accounting if performed in accordance with the HIPAA regulations:

– Disclosures of PHI that were made for purposes of Treatment, Payment or Health Care Operations.

– Disclosures to the patient requesting the accounting;

– Disclosures that are incidental to a permitted or required use of PHI;

ACCOUNTINGS (Cont’d)

• Disclosures pursuant to a valid HIPAA authorization;

• Disclosures to the Hospital’s patient directory;

• Disclosures to persons involved in the patient’s care and notices to family members or friends regarding the patient’s location, general condition and/or death;

• Disclosures for national security or intelligence purposes;

• Disclosures to correctional institutions or law enforcement officials, if involving criminal conduct that occurred on the Hospital’s premises;

• Disclosures of a limited data set; and

• Disclosures made prior to April 14, 2003.

ACCOUNTINGS (Cont’d)

The following are examples of disclosures that are required to be included in an accounting:

• Disclosures in response to a subpoena, without a HIPAA authorization;

• Infection control disclosures; and

• Disclosures to regulatory agencies such as the department of health.

DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS

In general, the Hospital may disclose to a family member, relative, or close personal friend of the patient, or any other person designated by the patient, patient information directly relevant to the person’s involvement with or payment for the person’s care (except HIV-related information, alcohol and/or substance abuse or mental health treatment).

DISCUSSIONS WITH PATIENT’S FAMILY AND FRIENDS (Cont’d)

• If the patient is present, PHI may be disclosed with patient’s agreement. If the patient is given the opportunity to object and does not object or if the Hospital reasonably infers from the circumstances that the patient does not object to the disclosure, then Hospital may disclose the information to the family member or friend.

• If the patient is not present, or the opportunity to agree or object cannot practically be provided (incapacity or emergency), the Hospital may determine disclosure is in the patient’s best interest.

• Disclose only the information directly relevant to the person’s involvement with the patient’s health care.

HIPAA HOT SPOT: THE MEDIA

Unless a patient requests otherwise, if a caller asks for information on a particular patient, HIPAA permits the Hospital to release one-word condition information and location information without obtaining prior authorization.

At Winthrop, ALL communications with the Media are to be directed to the Vice President of External Affairs.

REMEMBER: Other laws may be more stringent (e.g., laws regarding HIV, mental hygiene, and substance abuse).

THE MEDIA (Cont’d)

• The media should not contact patients directly – they should request an interview through the External Affairs Department at ext. 663-2706. During off-hours, the operator will contact the Vice President of External Affairs for you.

• The Hospital may deny the media access to the patient if it would aggravate the patient’s condition or interfere with patient care.

FINAL MEDIA TIPS

The following activities require written authorization from the patient:

• Drafting a detailed statement (i.e., anything beyond one-word condition) for approval by the patient’s legal representative

• Taking photographs of patients

• Interviewing patients

In general, if the patient is a minor, permission for any of these activities must be obtained from a parent or legally authorized representative.

HIPAA HOT SPOT: FAXING

If you are faxing documents that contain PHI, be sure to take the following steps:

• Include a fax cover sheet with the approved HIPAA confidentiality statement on it.

• Perform random audits of sent faxes to ensure receipt by the correct party.

• Pre-program fax numbers.

• Routinely update fax number listings.

• Maintain the fax machine in a secure location.

HIPAA HOT SPOT: PUBLIC CONVERSATIONS

• Avoid holding conversations about PHI in public areas such as lobbies, elevators, cafeterias and hallways. If you must do so, keep your voice low and be aware of people who may overhear your conversation.

• Note: Conversations between providers, and between providers and patients, are permissible, even if incidentally overheard, as long as reasonable precautions were taken.

HIPAA HOT SPOTS: REASONABLE SAFEGUARDS

Do not leave PHI in public view (e.g., lying around on desks or nurses stations or unattended on a fax machine), and take care when disposing of PHI (e.g., shred paper when feasible or place paper in locked confidential waste baskets).

Never place PHI in an unsecured waste basket, including the BLUE recycling bin.

MARKETING/FUNDRAISING

HIPAA allows the Hospital to use PHI for certain limited marketing and fundraising, provided that specific requirements are met. If you wish to use PHI for marketing or fundraising, contact John Broder, Vice President of External Affairs, at 663-2706 for guidance.

RESEARCH

There are several rules related to the use or disclosure of PHI for research purposes. These rules include:

• Creation of a Privacy Review Board (which can be the current IRB) to review all use or disclosure of PHI for research purposes

• Use of HIPAA authorizations

• Use of Limited Data Set/Data Use Agreements

• De-identification of PHI

If you participate in research activities, contact the Director of IRB at 663-2552 for a detailed description of HIPAA research requirements.

REMEMBER:

When you:

• Limit your own use and disclosure of or requests for information to the minimum necessary to perform the assigned task and

• Verify that information is being properly provided to an authorized person,

You will:

• Avoid the harmful effects of HIPAA violations.

HIPAA SECURITY BASICS

Security of PHI must be an ongoing and comprehensive process, not an event.

SECURITY RISKS

1. Human error

2. Nature (fire, earthquake, flood)

3. Technology failures

4. Deliberate security breaches (internal and external threats)

MANAGE YOUR PASSWORD

• Use letters and numbers to create passwords (e.g., axw49).

• Avoid common selections (e.g., your name, pet’s name, child’s name, etc.).

• Do not post your password on your computer or near your work area.

• Do not share passwords. If you forget your password, call the HELP Desk (663-4357).

PROTECT YOUR WORK AREA

• Avoid having PHI in public view.

• Do not leave unattended PHI on your computer screen or work station.

• Sign off when you are finished using a computer.

• Turn computer screen away from public view.

BEWARE OF VIRUSES AND OTHER HARMFUL SOFTWARE

Viruses and other malicious software are a serious threat to the Hospital. To protect against them:

• Do not load information from outside on your computer without authorization

• Do not download information from the Internet without the express authorization of your Department Manager

• Do not open e-mails from unknown senders

The Hospital will send you routine alerts when threats of new viruses become known.

FOLLOW HOSPITAL POLICY REGARDING REMOVAL AND INSTALLATION OF HARDWARE AND SOFTWARE

You may not install new hardware/software on the Hospital systems or remove hardware/software from the Hospital premises unless expressly authorized to do so by the Director of MIS or his designee.

REPORT INCIDENTS

It is your responsibility to report:

• Unauthorized successful or unsuccessful log-in to the system

• Any breaches in the security of PHI of which you become aware

• Sharing of passwords

Incidents can be reported to Nick Casabona, our Security Officer, at 663-2370.

QUESTION

Are any of the following HIPAA violations?

1. A social worker posts her password on the side of her computer.

2. Jane has a friend who forgot her password and wants Jane to “lend” her Jane’s password.

3. A physician is sitting at a computer terminal and reviewing a patient’s information. The physician then gets an emergency call to assist with a patient. The physician leaves the computer terminal on showing the information.

Answer: Each of those actions would be a violation of HIPAA.

AUDIT TRAILS

The Hospital is required to maintain records and review its employees’ use and access to information on the Hospital computer network.

OTHER SUGGESTED SECURITY PRACTICES

• ALWAYS wear your name tag.

• Ensure that all vendors are properly supervised and log in and out of the Hospital.

• Shred or discard PHI in secure trash bins.

HIPAA HOT SPOT: E-MAIL

Communications sent over an open network (which includes e-mail over the internet) must have certain safeguards, which might include encryption. Review the Hospital’s security policies to determine the steps that must be taken in relation to e-mail and the Hospital's policy on sending/receiving PHI by e-mail.

SUMMARY

Protection of PHI is everyone’s responsibility. Here is a summary of a few topics that were discussed in this presentation:

• Do not discuss patient information at home or at social gatherings.

• Do not discuss patient information in public areas of the Hospital (e.g., cafeteria, lobby).

• Do not share your password.

• Do not leave PHI lying around unattended.

• Do not send PHI over the internet unless authorized to do so.

• Do inform the Privacy or Security Officer about any concerns you may have about release of PHI.

ELECTRONIC TRANSACTION STANDARDS: GENERAL RULE

If a provider (either itself or through an agent, e.g., a billing company) conducts a payment-related transaction electronically, the transaction must be conducted using the HIPAA format.

Note: If a payor still accepts covered transactions in paper format (e.g., paper claims), then such paper transactions do not necessarily have to conform to the new HIPAA formats.

Those involved in Electronic Transaction Standards will be contacted directly and trained as appropriate.

WHAT DOES IT MEAN TO STANDARDIZE A TRANSACTION?

• Standardized Formats

• Standard Data Content: A new Federal definition of “clean claim.”

• Standard Codes: ICD-9-CM, CPT-4, HCPCS, CDT-3, and HCPCS “J” codes.

HOW DOES HIPAA AFFECT YOUR RELATIONSHIP WITH THE HOSPITAL

If you are an employee, student or volunteer:

• You are part of the Hospital’s workforce

• You must comply with the Hospital’s HIPAA compliance program

• Failure to comply will result in disciplinary action

• Failure to comply could trigger individual liability with penalties

INTERNAL SANCTIONS

• The Hospital is required to have policies regarding the disciplinary actions which may be taken if an employee fails to comply with these HIPAA policies.

• An employee who violates the Hospital’s HIPAA policies may be subject to various sanctions including written censure, suspension or termination.

• Medical Staff Members who violate these HIPAA policies may be subject to disciplinary action under the Medical Staff By Laws.

FEDERAL SANCTIONS

Under HIPAA, violations may result in the Hospital and the employee being subject to civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation.

CIVIL FINES

Civil Fines of no more than $100 per violation with a maximum of $25,000 in each calendar year for violations of an identical requirement.

Enforcer: Office of Civil Rights

CRIMINAL PENALTIES FOR “KNOWING MISUSE” OF PHI: THREE DEGREES

• Simple violations – up to $50,000 plus up to 1 year in prison.

• Violation committed under false pretenses – up to $100,000 plus up to 5 years in prison.

• Violation committed for gain or harm – up to $250,000 plus up to 10 years in prison.

Enforcer: OIG/Department of Justice

DISCUSSION/QUESTIONS

REVIEW CODE OF CONDUCT AND SIGN YOUR TRAINING ACKNOWLEDGEMENT FORM!