training on confidentiality mha690 hayden

Mandatory Training on confidentiality (HIPAA): Health Insurance Portability and Accountability Act. Training on confidentiality. Sandra Hayden, B.S., R.T.(T). For MHA690, December 9, 2010

Upload: haydens

Post on 07-May-2015

TRANSCRIPT

Page 1: Training on confidentiality MHA690 Hayden

Mandatory Training on confidentiality (HIPAA)

Health Insurance Portability and Accountability Act

Training on confidentiality

Sandra Hayden, B.S., R.T.(T)

For MHA690 December 9, 2010

Page 2: Training on confidentiality MHA690 Hayden

Welcome to HIPAA Security Training

• HIPAA stands for Health Insurance Portability and Accountability Act of 1996 and is composed of three components: insurance portability, fraud enforcement, and administrative simplification. This session will focus on the Security Rule section of HIPAA and the responsibilities of units or entities to protect and safeguard the confidentiality of PHI that is created, maintained, or transmitted in electronic form.

Page 3: Training on confidentiality MHA690 Hayden

The goals for this training session are:

• Increase your knowledge and understanding of what is protected health information (PHI) and how to maintain its security.

• Enhance your awareness of your role in assisting in following the HIPAA Security Rule.

• Learn about privacy and the security of information created, maintained, and transmitted in electronic format.

• Inform the workforce about their reporting responsibilities for HIPAA violations and the possible penalties for violation of HIPAA law for both you and this hospital.

• Protect the confidentiality and security of PHI.

• Not only will the information you learn today help you here in your job, but it will also help you become an informed consumer of health care services.

Page 4: Training on confidentiality MHA690 Hayden

Why did the need for accountability and administrative simplification come about?

• The increasing use of the internet for storing and transferring electronic information, advances in genetic science, and questions about WHO would have access to WHAT information and HOW it would be used generated concern.

Page 5: Training on confidentiality MHA690 Hayden

The Security Rule

• Protected Health Information (PHI) is individually identifiable health information that is held or disclosed by a covered entity and that can be communicated electronically, verbally, or in writing.

• Electronic Protected Health Information (EPHI) is protected health information (PHI) that is transmitted by electronic media or maintained by electronic media.

• Sensitive Data is protected health information that can be used to determine the identity of an individual and/or their diagnosis.

Page 6: Training on confidentiality MHA690 Hayden

The following are key practices to remember and implement to do your part in safeguarding the security and confidentiality of Electronic Protected Health Information:

• Follow the fundamentals of secure password management

• Remember Security impacts privacy

• Adhere to Policies and Procedures regarding safeguarding buildings, systems, and information

• Report any suspected violations of policies and procedures to your Unit Security Officer, and

• Employ daily work habits that protect the security and privacy of information you have access to in your responsibilities

• These are practices that we all can support and implement to safeguard the security and confidentiality of EPHI at our organization.

Page 7: Training on confidentiality MHA690 Hayden

It is YOUR responsibility to safeguard information

• We must ALL protect the security and integrity of PHI by implementing a process to assist with anticipating reasonable threats or hazards and to protect against use or disclosure of EPHI that is not permitted or required under the Privacy Rule. In addition, we must as an organization ensure and monitor compliance with the Security Rule by our faculty, staff, and students.

Page 8: Training on confidentiality MHA690 Hayden

What does access mean?

• Access is when someone has the ability or the means by which to communicate Protected Health Information (PHI) through the use of a system resource that creates, maintains, or transmits information in an electronic format. An example of this would be PHI that is stored on your local hard drive as an email or in a local database, as well as PHI stored on a shared system.

Page 9: Training on confidentiality MHA690 Hayden

Actions you need to take

• If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.

• When you talk about patients, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.

• When medical records are not in use, store them in offices, shelves or filing cabinets.

• Remove patient documents from faxes and copiers as soon as you can.

• When you throw away documents containing PHI, follow the procedures for disposal of documents with PHI.

Page 10: Training on confidentiality MHA690 Hayden

Use Only the Minimum Necessary Information

• When you use PHI, you must follow the Privacy Rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?"

Page 11: Training on confidentiality MHA690 Hayden

True Case Scenario: Hospital staff saw celebrity health records.

• Three employees continued to look at the confidential records of a celebrity.

• What happened to the employees who violated HIPAA? They were either terminated, suspended, and/or received warnings or disciplinary actions.

• After further investigations, all employees found to have breached patient confidentiality were disciplined or fired.

Reference: Over 120 UCLA Hospital staff saw celebrity health records. Retrieved July 20, 2010 from http://www.foxnews.com/story/0,2933,398784,00.html.

Page 12: Training on confidentiality MHA690 Hayden

Literature Review

• According to An, Ranji, and Salganicoff (2008), privacy is a major challenge to consider when adopting broad health IT within the public arena.

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established guidelines and regulations for the use and disclosure of information about patients' records (An et al., 2008).

• HIPAA also has safeguards against unauthorized access to information. HIPAA also requires that electronic health transactions be standardized to improve the efficiency and effectiveness of the United States' health care system by strengthening the use of electronic data (An et al., 2008).

• It is your job to safeguard patient information.

Reference: An, J., Ranji, U., & Salganicoff, A. (2008). Health information technology (Issue Module). Retrieved from The Kaiser Family Foundation website: http://www.kaiseredu.org/topics_im.asp?id=655&imID=1&parentID=70

Page 13: Training on confidentiality MHA690 Hayden

Literature Review (continued)

• According to Kongstvedt (2007), in 2003 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules of HIPAA. The OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve.

Reference: Kongstvedt, P. R. (2007). Essentials of managed health care. Sudbury, MA: Jones and Bartlett.

Page 14: Training on confidentiality MHA690 Hayden

Ready for the Quiz?

Page 15: Training on confidentiality MHA690 Hayden

• You overhear two hospital employees discussing a patient in the elevator. What do you do?

A. Remind them to respect patient confidentiality and/or obtain their names from their name badges and inform your supervisor.

B. Join in the conversation only if you know about the patient.

C. Ignore the employees and forget what you've heard them talking about.

Correct answer: A

Page 16: Training on confidentiality MHA690 Hayden

• You forget your password and need access to patient information to do your job. What do you do?

A. Call Information Services help desk or your network administrator to reinstate your password.

B. Share your coworker's password until you have time to obtain another password.

C. None of the above.

Correct answer: A

Page 17: Training on confidentiality MHA690 Hayden

• You walk up to a computer workstation and notice that the previous user has not logged out. What do you do?

A. Send email from the user's account.

B. Log the user out and sign in with your own USER ID and password.

C. Save time by accessing the information you need to do your job on the current screen.

Correct answer: B

Page 18: Training on confidentiality MHA690 Hayden

• You walk away from the computer on your desk without logging out. Another employee starts using your computer and, using your access, inappropriately looks up patient information out of curiosity. Are you held accountable?

A. Yes.

B. No.

C. Only if the patient complains.

Correct answer: A

Page 19: Training on confidentiality MHA690 Hayden

Summary

• As a health care employee on our team, you are required to know about the health information privacy requirements of a federal law called HIPAA (Health Insurance Portability and Accountability Act).

• You are covered by the Privacy Rule as a member of the facility's workforce. You must follow all policies and procedures, including those concerning health information privacy.

• Thank you for taking time to learn about the HIPAA Privacy Rule.