8/2/2019 Basic HIPAA Student Updated
The bullet ripped through the city councilwoman's body, shredding muscles she had proudly toned in the gym. As the ambulance sped her toward the hospital, word of the gunshot reached reporters, who gathered in the emergency room to hunt down information on the councilwoman.
Was it attempted murder or attempted suicide? Could it be terrorism?
Nearby, family tearfully awaited news of the fate of the councilwoman, who was now unconscious.
In addition to caring for the councilwoman and her injuries, GW medical staff must also take care to follow HIPAA regulations to protect the councilwoman's privacy. The following slides will introduce HIPAA, including the reasons for the legislation and how it impacts medical care.
At the end of the presentation you will be asked to complete several questions to assess your understanding of HIPAA and its impact on day-to-day medical care. You must answer the questions in order to complete the HIPAA training.
By the time you've completed this slideshow, you will be able to answer the following questions:
What is HIPAA and to whom does it apply?
What is PHI and how is it protected?
When are additional authorizations required?
Am I personally liable if I violate HIPAA?
The Health Insurance Portability and
Accountability Act (HIPAA)
HIPAA is a law passed by Congress in 1996. Among its goals are:
To reduce health care costs nationwide by requiring use of electronic data interchange (EDI) for routine health care transactions, for example making and paying service claims, and health insurance transactions
To protect the security and privacy of the medical records used in these EDI transactions
HIPAA In Context
HIPAA contains Security and Privacy Rules responding to healthcare concerns:
Fears that once patients' records are stored electronically on networks, a couple of clicks can transmit those records all over the world
Loss of personal control over personal information
Anger at a constant barrage of marketing messages
HIPAA Security and Privacy Rules
Establish federally mandated requirements for the creation, transmission, receipt, collection, storage, use, and disclosure of individually identifiable health information.
Affect anyone who encounters patient information (physicians, nurses, healthcare students, patient records managers, information systems staff, dieticians, etc.).
HIPAA uses the term protected health information (PHI).
Protected Health Information (PHI)
Individually identifiable information relating to an individual's past, present, or future:
Physical or mental health or condition
Provision of health care services
Payment for provision of health care
45 CFR 164.501
PHI
PHI includes oral or recorded information, maintained or transmitted in any form or medium (e.g., consultations, paper or electronic history and physical information, patient records, lab data, x-rays, etc.).
PHI is created, received, or collected by any:
provider (e.g., office practice, hospital, lab, etc.) that transmits health information in electronic form,
health plan, or
health care clearinghouse.
The law refers to these as HIPAA covered entities, and the work that they perform that makes them covered entities is defined as covered functions.
HIPAA extends to covered entities using and/or disclosing PHI.
HIPAA Philosophy: The Patient-Consumer:
Is entitled to notice about how their PHI will be used (the major exception is an emergency)
Must expect that, within a medical care facility, PHI will be shared to facilitate care, payment, and business operations
Is entitled to expect that caregivers will be careful about how PHI is used and disclosed
Has a right of access to PHI
Has a right to protest mistakes in PHI (in the designated record set) and have PHI corrected or otherwise amended
Is entitled to control the use of PHI in certain circumstances: research, fund-raising, marketing
Should know that the government can get PHI for law enforcement and health care oversight
HIPAA Business Associate (BA)
HIPAA extends beyond the walls of the covered entity. For example, under Business Associate contracts (BACs), a contract laboratory or a separate radiology practice that contracts with a physician's office or hospital will be subject to the same HIPAA regulations as the physician or hospital. This means that if, for example, a hospital cannot disclose a patient's HIV status to an insurance company, the hospital's contract laboratory (the hospital's business associate) also cannot disclose HIV status to the insurance company.
HIPAA Requires That Covered Entities Give Patients a Notice of Privacy Practices (NPP)
The NPP advises the individual about the covered entity's privacy practices.
Distribution of the NPP by doctors and hospitals is usually done at the time of the first face-to-face meeting. Major exceptions:
Emergencies
Incapacitated patient
The doctor or hospital must try to get the individual's written acknowledgement of receipt of the NPP, or make a written record of why the acknowledgement was not obtained.
Notice of Privacy Practices (NPP)
Requirement for simple English (and other languages when appropriate), but the concepts can still confuse most people.
Rules permit a layered notice, allowing a cover page that explains the main points of the NPP.
Note that the specific policies and procedures for administration of the NPP will vary from one covered entity to another.
HIPAA At GW
Covered entities:
GW Hospital (operated by District Hospital Partners, L.L.P.)
Medical Faculty Associates, Inc.
GW itself is not a covered entity: some units of GW are providers, but none of these units electronically bills a standard transaction.
But GW protects PHI in a variety of settings, including research and medical education, because it gets PHI from covered entities.
HIPAA Liability: Institutional and Personal Considerations
HIPAA imposes new duties on health care institutions (such as the GW Hospital) and on health care professionals, including doctors, nurses, technicians, medical students, and administrators.
The privacy and security HIPAA statute is shown on the next slide. Plaintiffs' lawyers will argue that, to achieve the outcomes the statute requires, hospitals and health care professionals must make the effort it describes. As in malpractice litigation, plaintiffs' lawyers will assert that the statute and HHS's interpretation of it require a high standard of care for privacy and security of patient data.
HIPAA - Statutory Standard
"Each [covered entity] who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards --
(A) to ensure the integrity and confidentiality of the information; and
(B) to protect against any reasonably anticipated
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person."
(42 USC 1320d-2(d)(2))
HIPAA Liability: Institutional and Personal Considerations
We do not yet know how the courts will interpret the statute, but there are penalties at every level for violations.
Institutional and Personal Liability
HIPAA criminal violations can be prosecuted against institutions and individuals.
Patients can bring lawsuits in state court against institutions and individuals for wrongful disclosure of PHI. Claims might include: negligent disclosure, disclosure in breach of patient-physician confidentiality, invasion of privacy, breach of warranty, etc.
There is the potential for personal financial liability for damages (direct and punitive, akin to malpractice).
HIPAA Sources of Liability
Note that patients whose PHI (protected health information) is improperly used or disclosed may file private lawsuits against a hospital and against each individual (physician, nurse, technician, administrator, medical student, or other staff member) who appears to be involved in the alleged violation. These lawsuits will resemble malpractice actions.
An individual involved in an improper use or disclosure of PHI may face individual financial liability as the result of a judge's or a jury's judgment. (This is in addition to liability imposed on the hospital or physician practice institutionally.)
In addition, there is the possibility of criminal charges (including imprisonment).
HIPAA Sources of Liability
Private lawsuits by patients
Criminal penalties (42 USC 1320d-6), prosecuted by DOJ / U.S. Attorney: up to $50,000 and 1 year of imprisonment for a knowing violation, up to $100,000 and 5 years if committed under false pretenses, and up to $250,000 and 10 years if committed with intent to sell or use PHI for commercial advantage, personal gain, or malicious harm; the tier depends on motive
Civil penalties (42 USC 1320d-5), enforced by HHS / OCR: $100 per violation, up to an annual limit of $25,000 for violations of an identical requirement (the original statutory figures; the HITECH Act of 2009 replaced them with tiered penalties and far higher annual caps)
Disclosure of PHI: The Minimum Necessary Rule
As a general matter, the amount of PHI used or disclosed is restricted to the minimum amount of information necessary. Translated, this means that healthcare providers and health plans must make reasonable efforts not to use, disclose, or request more than the minimum amount of PHI necessary to accomplish the intended legitimate purpose.
Minimum Necessary Rule
Exceptions to minimum necessary disclosure:
Disclosure to a provider for treatment (anything and everything in the medical record may be important)
Release authorized by the individual, or for the individual's own review
Disclosure to comply with HIPAA requirements (e.g., to the HHS Office for Civil Rights or Inspector General)
Disclosure required by law (e.g., to law enforcement)
The preamble stresses reasonableness and flexibility.
Minimum Necessary Rule Applies Differently to Treatment, Payment, and Health Care Operations (TPO)
A covered entity may use and disclose PHI for its own treatment, payment, and health care operations without a separate authorization; since the 2002 amendments to the Privacy Rule it may, but is not required to, obtain the patient's consent for these uses (45 CFR 164.506).
Treatment: Provision, coordination, or management of health care and related services.
Payment: Activities of a health plan to obtain premiums or fulfill coverage and benefits responsibilities, or to obtain reimbursement (provider/health plan).
Health Care Operations: Activities of a covered entity relating to covered functions, including quality assessment, professional qualification review, and medical review.
Practitioners must also distinguish activities which fall outside TPO (e.g., research, fundraising, and marketing) and understand the special processes that govern these activities.
TPO and Minimum Necessary
The minimum necessary rule does not restrict the information used or disclosed in treatment.
But minimum necessary does apply to payment and health care operations.
45 CFR 164.502(b)
Minimum Necessary Rule and Teaching Rounds
During Rounds or Grand Rounds, the minimum necessary rule does not apply. Under HIPAA, Rounds are considered part of treatment.
Keeping PHI Secure
Achieving appropriate security is a multifaceted task:
Initial and ongoing risk analysis: iterative threat assessments
Enterprise security management process
Computer security (includes monitoring)
Communications security (includes monitoring)
Physical security: access to premises, equipment, people, data
Personnel security
Procedural (business process) security, including security awareness training for the entire workforce
Security rules limit access to information based on one's job
A pervasive security culture: awareness and surveillance
Keeping PHI Secure
Several items in the Security Rule are notable:
Computer faxes, but not paper faxes, are considered
electronic transmissions
A call on a standard telephone (non-cell and non-
mobile) is not an electronic transmission
There is no distinction between data moving
externally and internally within an organization.
Computer workstations must be protected from
unauthorized access and improper use.
HIPAA Security Rule
Security defined: the controls used to protect confidential information from unauthorized persons
The final Security Rule was published in February 2003; compliance was required by April 2005 (April 2006 for small health plans)
Keeping PHI Secure
This training groups the HIPAA Security Rule's requirements into four related categories:
Administrative procedures
Physical safeguards
Protection for data storage
Protection for data in transit
(The final Security Rule organizes the same requirements as administrative, physical, and technical safeguards; the last two categories here are technical safeguards.)
Note: Security policies will differ from one institution to another.
Administrative Procedures
Covered entities must:
Establish roles and responsibilities for security
Design and implement training and awareness programs
Have a security plan
Conduct a risk assessment
Create policies and procedures, including a password policy
Common Password Procedures
May include:
A password testing program which will not let you use easy-to-guess passwords
Requiring an alphanumeric combination password
Changing passwords at periodic intervals
Penalties for sharing passwords with anyone
Physical Safeguards
Covered entities will establish policies to ensure access control, e.g.:
Locked doors and escorting visitors
Wearing IDs
Securing unattended computer workstations
Password-protected screensavers
Governing usage of PDAs: password protected, stored in a secure space
Protection for Data Storage
Covered entities will set policies and
procedures on handling media:
Diskettes
Paper
Magnetic tapes
Confidential trash
Protection for Data in Transit
Covered entities will institute technical measures including:
Access controls or encryption
Entity authentication
Audit trail
Adverse event reporting
Faxes
Misdirected faxes are a serious problem.
Double-check phone numbers.
HIPAA security regulations currently
govern electronic faxes but not paper-based
faxes.
Let's look at this in practice...
The elevator door slams shut behind you as you walk into your preceptor's office for your weekly visit.
The waiting room is crowded and the office staff are busy dealing with the overflow of patients.
You've been following patients in Dr. Jones's office for several weeks now. Dr. Jones has a well-established and respected rheumatology practice and gets more referrals every day. His patients range from local individuals to Washington and international VIPs.
Your job is to escort patients from the waiting room to the exam room, and then conduct the initial history and possibly a physical exam.
As you are escorting your first patient back to exam room two, he mentions that he thought he recognized a patient sitting in the waiting room. He's convinced that the guy sitting opposite him is a basketball player for the Wizards and wants to know why he has an appointment with Dr. Jones.
How do you respond?
About 30 minutes later Dr. Jones calls you into exam room one. He's examining the mystery waiting room patient (who indeed plays for the Wizards), and wants you to see the rare condition he exhibits.
Once the patient has left, Dr. Jones reviews the basketball player's case in detail. It's an unusual case and he wants to make sure you've picked up on all the signs and symptoms. The two of you review the lab results, X-rays, and patient record in detail.
Later that day you cross paths with one of your friends who is also following patients in Dr. Jones's office. Excited about the basketball player's unusual case, you start telling her a few details about it.
How much are you allowed to say without violating the patient's right to privacy?
Although you were discreet and did not mention his name, your friend's curiosity is piqued. Since she has access to the records in Dr. Jones's office, it would be fairly easy for her to confirm the patient's identity and pull his record.
Would she be violating the patient's privacy?
Legitimate Need
When you are assigned to a case, you have access to patient information. However, like all other employees who have the minimum necessary access to perform their job, you can't just access patient information to satisfy your curiosity.
What general information can be disclosed to the public?
The facility directory may list the individual's:
name;
location in the facility;
health condition expressed in general terms; and
religious affiliation.
The facility may disclose this directory information to members of the clergy, unless the individual restricts these disclosures. Example: a Methodist patient's directory information is disclosed to Methodist clergy.
Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name.
The individual may restrict or prohibit some or all uses of directory information. If all uses are prohibited, the facility can neither confirm nor deny the patient's presence. The facility must have policies and procedures for this purpose, and explain them in its Notice of Privacy Practices (NPP).
Incidental Disclosures
Examples of incidental disclosures:
A patient subject to observation in a waiting area;
ICU monitors observed by visitors;
Conversations between a doctor and a patient in a semi-private room overheard by the room's other occupant.
General rule: incidental disclosures are not HIPAA violations if the covered entity has safeguards in place and the staff observes them. Example: a sign-in sheet in a waiting room is permissible, but not if it asks patients to list medical problems so that other people who sign in can see the problems of earlier arrivals.
Caveat: Be careful! What may appear to be a permissible incidental disclosure may still be a HIPAA violation (example: a mis-addressed email containing PHI).
Disclosures Unrelated to Treatment, Payment, and Operations (TPO)
Marketing, fundraising, research
HIPAA privacy rules identify these activities as significant threats to privacy.
Each requires a separate authorization, and you are required to follow institution-specific policies and procedures.
What is a HIPAA Authorization?
Written permission from the patient (or the patient's legal representative) to use or disclose PHI for specific purposes other than TPO (i.e., marketing, fundraising, research).
Can be revoked in writing at any time.
By regulation, must include specified elements:
Specific purpose of the use or disclosure
Specific description of the persons to whom the disclosure is to be made
Expiration date or event ("none" or "end of study" is acceptable for certain research)
Signature and date
Explanation of how to revoke the authorization
Typical Uses of HIPAA Authorization
Research that includes treatment
Release of psychotherapy notes (HIPAA requires special protection for psych notes)
Employment-related exam (allows releasing results to an employer or prospective employer)
Marketing
Fundraising
Patient's request to release PHI (the patient can release to whomever and for whatever purpose)
As a condition for enrolling in a health plan (but this still does not allow release of psych notes)
Special Rules for HIPAA Authorizations
An authorization for release of psychotherapy notes cannot be combined with anything else except another authorization for use or disclosure of psychotherapy notes.
An authorization for research can be combined with other types of written permission for the same research (e.g., informed consent).
A covered entity generally can't withhold treatment until the patient signs an authorization, except for:
Research involving treatment
Enrolling in a health plan (and no psych notes involved)
A medical exam for an employer or other third party who will see the results
HIPAA Authorization on Psychotherapy Notes
Definition: psych notes are recorded:
By a mental health professional who is documenting or analyzing the contents of a private, joint, family, or group counseling session, AND IF
The notes are kept separate from the rest of the patient's medical record.
NOTE: It's the therapist's choice whether to keep the records separate, although the practice or institution may have policies to guide that choice.
Psych notes exclude:
Medication prescription and monitoring,
Session start and stop times,
Modalities and frequencies of treatment,
Results of clinical tests, and
Any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
Special Rules Regarding HIPAA Authorization
Generally, a HIPAA authorization is required for use of psych notes. Exceptions:
Use of the notes by the originator for treatment,
Use by the covered entity for its own training programs under appropriate supervision,
Use in defense of a legal action,
Disclosure to HHS for HIPAA enforcement, and
Certain coroners / medical examiners or other governmental health oversight activities.
The institution will have policies and procedures to control the use and disclosure of psych notes.
Marketing
Definition: Communication about a product or service to encourage its purchase or use.
A covered entity does not need an authorization to use PHI for marketing when it observes these procedures:
Face-to-face encounter; or
Products or services of nominal value; or
The communication concerns health-related products and services of the covered entity or a third party, and
allows the patient to opt out of future communications, and
the entity determines that the communication may be beneficial to the health of the type or class targeted.
Fundraising
General rule: A HIPAA authorization is required to use or disclose any PHI for any fundraising purpose.
Limited exception: A covered entity, for fundraising on its own behalf only, may use demographic information and dates of health care service (and no other PHI), or disclose those limited categories of PHI to:
a business associate performing fundraising for the covered entity, or
an institutionally related foundation.
Fundraising
The covered entity's notice of privacy practices (NPP) should include a statement that it may contact the individual for its fundraising.
Patients can decide they don't want to be subject to fundraising (OPT-OUT), and the covered entity and its workforce must respect those wishes.
The covered entity's fundraising materials must explain to the individual how to OPT-OUT of fundraising.
The covered entity must reasonably ensure that a patient or other individual who OPTS-OUT receives no more fundraising communications.
Research Under HIPAA
Each institution will modify its Institutional Review Board rules to include the new HIPAA requirements.
At GW, these modifications are in process. The GW research community, including the MFA and the GW Hospital, will cooperate in implementing these new research rules and accompanying policies and procedures.
HIPAA and Research
HIPAA applies to all human subject research involving the creation, use, or disclosure of PHI (e.g., clinical trials, medical record/chart reviews, epidemiological studies, and social/behavioral studies).
Principal Investigators (PIs) proposing to create, use and/or disclose PHI for research purposes must now receive HIPAA research approval and then human subject protections approval from the GW Institutional Review Board (IRB).
Under GW's implementation of HIPAA, all PIs proposing to create, use, or disclose PHI for research purposes must now complete this general HIPAA training program and a more specific HIPAA research-related training program.
HIPAA and Research
Researchers may create, use, and/or disclose PHI for research purposes:
With an individual, study-specific research authorization (similar to a study-specific informed consent form (ICF)), or
Without a research authorization, as follows:
With an approved Waiver of Research Authorization issued by the GW Privacy Board (PB);
With complete de-identification of the PHI. Note: just removing a patient's name does not sufficiently disguise the individual's identity. The Safe Harbor method (45 CFR 164.514(b)(2)) requires removing 18 categories of identifiers: names; geographic subdivisions smaller than a state (a ZIP code may be kept only to its first three digits, and only where that area holds more than 20,000 people); all elements of dates except the year, plus all ages over 89; telephone and fax numbers; e-mail addresses; Social Security, medical record, health plan, account, certificate and license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number or code.
Limited Data Set information (with a Data Use Agreement);
Preparatory to research; or
Research on decedents.
Caveat: Decedent research is not covered under the human subject protection regulations, but it is covered under the HIPAA research regulations.
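Of the routes listed above, de-identification is the one mechanical enough to automate, and the one most often done wrong by stripping only the name. The Python below is an added example written for this page, not code from the GW deck or from HHS: it applies the Safe Harbor method to a constructed structured record, removing direct identifiers, reducing dates to the year, collapsing ages over 89 to "90+", and truncating ZIP codes to three digits (or "000" for the low-population areas listed in HHS guidance). The field names, the sample record and the free-text patterns are assumptions; the restricted ZIP prefix list is the one given in HHS Safe Harbor guidance based on the 2000 Census and should be re-checked against current guidance before use. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no script can establish.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example, not code from the GW training deck or from HHS.
Field names, the sample record and the regular expressions are
constructed for illustration.
"""
import re
from datetime import date

# Safe Harbor identifier categories that are dropped outright.
REMOVE_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo",
}

# Three-digit ZIP prefixes whose area held fewer than 20,000 people
# (2000 Census list from HHS Safe Harbor guidance; re-check before use).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that commonly leak into free-text notes. These patterns are
# illustrative and are not a complete free-text de-identifier.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE), "[MRN]"),
]


def safe_zip(zip_code):
    """First three digits, or 000 for restricted low-population areas."""
    z3 = str(zip_code)[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def age_on(dob, ref):
    """Whole years between date of birth and the reference date."""
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text):
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, ref_date):
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_zip(value)
        elif key == "dob":
            age = age_on(value, ref_date)
            if age > 89:
                out["age"] = "90+"        # birth year would reveal age > 89
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key] = value.year         # other dates: keep the year only
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; no real patient.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "dob": date(1931, 3, 15),
    "zip": "20037",
    "admit_date": date(2019, 8, 2),
    "diagnosis": "rheumatoid arthritis",
    "notes": "Pt reached at 202-555-0142, MRN 00123456; follow-up 09/01/2019.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2019, 8, 2)))
```

The `dob` branch is the subtle part: Safe Harbor permits the year of birth in general, but for anyone over 89 the year itself is "indicative of such age" and must go too, so the record keeps only the aggregated "90+".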
Privacy Rule and Research Databases
When you come upon a research database, keep in mind that it may be subject to HIPAA. Consider the following:
Does the database contain PHI?
Where did the PHI come from?
Where is it going?
Who has access? At GW? Elsewhere?
What security safeguards follow the PHI?
What liability is there if the data are misused? For GW? For other institutions? For me (and co-workers) personally?
Dr. Jones recently joined efforts with GW to participate in a new arthritis study sponsored by a large pharmaceutical company. Dr. Smith is the principal investigator on the trial. The clinical trial will compare the effectiveness and GI impact of NSAIDs vs. a new medication in individuals with arthritis symptoms.
At last week's staff meeting Dr. Jones described the study criteria and asked everyone to keep an eye out for possible participants.
You're feeling very well-connected: not only are you working in Dr. Jones's office, but you also recently spoke with Dr. Smith. He was a guest lecturer in one of your classes.
Patient Follow-Up Visit
Another patient you've been following returns for a follow-up visit. The arthritis in his wrist has increased and doesn't seem to respond to ibuprofen anymore. He is an ardent racquetball player and the pain is interfering with his game. Since his early retirement, he's been able to play a lot more and the pain has become problematic.
This patient seems like a perfect candidate for the study. How do you proceed? Since you've already met Dr. Smith, can you contact him directly?
HIPAA and Clinical Trials
No, you cannot contact Dr. Smith directly. You
must follow the research policies and
procedures of the specific institution.
Administrative Requirements for HIPAA Compliance
Each hospital or physician practice will have its own set of policies for documenting HIPAA compliance and imposing sanctions.
At each different facility or practice, expect to be briefed on HIPAA policies before you start work. If you aren't briefed, ask to be briefed. Otherwise, you have no way to control your personal HIPAA litigation risk.
Document all complaints received.
Sanction members of the workforce who fail to comply (how stringently is determined by institutional policy).
HIPAA's Relationship to State Law
Generally preempts less stringent state law
Seeks to enforce more stringent state law
Gray areas: when is state law more stringent? (Not always obvious.)
Disclosures to Local, State, and
Federal Government
HIPAA permits disclosures to all levels of government
for health oversight such as mandatory reporting of
infectious disease.
Disclosures of PHI are also permitted for law enforcement and national security purposes.
Rules are complicated.
Covered entities need policies and procedures to guide staff,
plus careful training.
When a government official or agent seeks PHI, follow the
covered entitys policies and procedures.
If in doubt, check with privacy officer or counsel.
Disclosures to the Press
There is no obligation to disclose PHI to the press.
There is no obligation to answer the press's questions about patients.
A patient has the right not to be listed in the hospital's directory. In that case the hospital and staff can neither confirm nor deny the patient's presence!
Answering press questions about a patient or disclosing PHI to the press can be a HIPAA violation with criminal and civil liability consequences, personally and institutionally.
Follow the institution's press relations policies to the letter: let the public relations office answer the press's questions.
Back to the councilwoman in the ER...
The councilwoman presents as: 56 yo F with a single gunshot wound to the torso and loss of consciousness.
The ER staff work to stabilize her vital signs.
How does HIPAA apply in this situation?
HIPAA and the ER
Who are the covered entities in this case?
the ambulance service
the hospital
the ER physicians
HIPAA and the ER
Provide the patient with the hospital's NPP and try to obtain her written acknowledgement of receipt.
If the hospital's policy is to obtain the patient's consent to use her PHI for treatment, payment, and health care operations, obtain it (the Privacy Rule permits TPO uses without it).
Since she is unconscious, the emergency exception applies, and these signatures can be obtained later when the patient is conscious; the hospital must document why the acknowledgement was not obtained at the time.
In this case, another law (EMTALA, the Emergency Medical Treatment and Active Labor Act) takes precedence and requires treatment without authorization.
Her family arrives and discloses their fear that the councilwoman shot herself due to her long-running private battle with depression. The hospital treatment team wants to see her psychiatric treatment records and psychotherapy notes. How does HIPAA impact these requests?
HIPAA and Medical Records
Psychotherapy notes are off-limits without patient authorization.
Patient record information (e.g., her use of anti-depressant medication) may be available without patient authorization if the mental health provider believes in good faith that the information is necessary in order to prevent or lessen a serious threat to her health.
If not, the councilwoman must provide authorization to have these medical records released to the hospital and ER physicians.
The ER nurse
wants to access the hospital information system to view medical records from the councilwoman's prior visits. How does HIPAA impact the hospital's electronic patient record system?
HIPAA and Electronic Patient Records
Access to prior records is appropriate if she has been admitted or is being treated in the ER.
Access to relevant past records is only available to those team members directly involved in her care (the "need to know" rule).
Access is limited to appropriate individuals via an access control system.
Nurses must be authenticated by the system and only able to view records on a need-to-know basis.
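The rules on this slide map directly onto an authorization check in the record system: fail closed for an unauthenticated session, grant access only to users on the patient's current care team, limit each role to the record categories it needs, keep psychotherapy notes behind an explicit patient authorization, and write an audit entry for every attempt whether or not it succeeded. The following is an added illustration written for this page, not code from GW or from any real hospital information system; the patient, users, care-team roster, record contents and role-to-category table are all constructed for the example.

```python
"""Care-team based access control for an electronic patient record store.

Added example: the patient, users, care-team roster and records below are
constructed for illustration. The policy encodes the slide's rules
(authenticated users only, need-to-know via care-team membership, roles
limited to the record categories they need, psychotherapy notes locked
behind explicit patient authorization) and logs every access attempt.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-category table (minimum-necessary rule). Psychotherapy
# notes appear in no role's set: they need a patient authorization instead.
ROLE_CATEGORIES = {
    "physician": {"clinical", "billing"},
    "nurse": {"clinical"},
    "billing_clerk": {"billing"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    authenticated: bool  # set by the login system; an unauthenticated session fails closed


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: str  # "clinical", "billing" or "psychotherapy_notes"
    content: str


@dataclass
class EhrAccessControl:
    care_team: dict           # patient_id -> set of user_ids currently treating that patient
    psychotherapy_auth: set   # patient_ids that have signed a specific authorization
    audit_log: list = field(default_factory=list)

    def decide(self, user, record):
        """Return (allowed, reason). Checks are ordered so the cheapest, most
        general denial comes first and no record content is read here."""
        if not user.authenticated:
            return False, "user not authenticated"
        if user.user_id not in self.care_team.get(record.patient_id, set()):
            return False, "user not on the patient's care team (need to know)"
        if record.category == "psychotherapy_notes":
            if record.patient_id in self.psychotherapy_auth:
                return True, "psychotherapy notes released under patient authorization"
            return False, "psychotherapy notes require patient authorization"
        if record.category not in ROLE_CATEGORIES.get(user.role, set()):
            return False, f"role {user.role!r} has no need for {record.category!r} records"
        return True, "ok"

    def view(self, user, record):
        """Log the attempt (allowed or denied) and return content only if allowed."""
        allowed, reason = self.decide(user, record)
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "record": record.record_id,
            "patient": record.patient_id,
            "allowed": allowed,
            "reason": reason,
        })
        return record.content if allowed else None


def demo():
    """Run the slide's scenario: an ER nurse on the care team looks up a prior
    visit; other users and record types are denied. Returns (results, audit log)."""
    ac = EhrAccessControl(care_team={"P-1001": {"rn-17", "md-42"}}, psychotherapy_auth=set())
    prior_visit = Record("R-1", "P-1001", "clinical", "2017 visit: hypertension, on lisinopril")
    therapy = Record("R-2", "P-1001", "psychotherapy_notes", "session notes")
    invoice = Record("R-3", "P-1001", "billing", "ER facility fee")
    er_nurse = User("rn-17", "nurse", True)
    floor_nurse = User("rn-88", "nurse", True)      # not treating her
    stale_session = User("md-42", "physician", False)  # on the team, but not logged in
    results = {
        "er_nurse_prior_visit": ac.view(er_nurse, prior_visit),
        "floor_nurse_prior_visit": ac.view(floor_nurse, prior_visit),
        "stale_session": ac.view(stale_session, prior_visit),
        "er_nurse_therapy": ac.view(er_nurse, therapy),
        "er_nurse_invoice": ac.view(er_nurse, invoice),
    }
    return results, ac.audit_log


if __name__ == "__main__":
    results, log = demo()
    for name, content in results.items():
        print(f"{name}: {content!r}")
    print(f"{len(log)} audit entries, {sum(e['allowed'] for e in log)} allowed")
```

The denied attempts are logged with the same detail as the allowed one; that audit trail is what lets the privacy officer later show who looked at the councilwoman's chart and why a curious staff member who was not on her care team was turned away.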
HIPAA and Electronic Patient Records
Workstations must be in secure locations or otherwise protected from unauthorized access.
Hospital must have a data back-up and disaster recovery plan.
The police
have already started investigating the councilwoman's possible attack. They have a suspect in custody, but need additional information to add to the police investigation. A detective calls the hospital to get details on the type of gunshot wound suffered by the councilwoman. How does HIPAA affect disclosure of a patient's PHI to police?
HIPAA and PHI Disclosure to Police
The hospital may disclose a patient's PHI to the police without consent only if:
The police suspect she is a crime victim
The doctor can't obtain authorization at the moment (in this case because she is unconscious)
The police state that, if the law was broken, it was not broken by the councilwoman; the information is needed immediately and will not be held against the councilwoman
HIPAA and PHI Disclosure to Police
And, in the physician's best judgment, disclosure to police is in the councilwoman's best interest.
Note: The physician can still opt to refuse disclosure if s/he feels it is not in the patient's best interest.
Exception:
HIPAA also permits PHI disclosure without authorization if it is required by legal mandatory reporting requirements (e.g., gunshot wounds must be reported in some states) or for public health monitoring activities (e.g., anthrax).
The councilwoman's condition
has improved. She is stable and has regained consciousness. Her conscious state allows the hospital to collect needed HIPAA information. What is collected?
First
Present the hospital NPP (Notice of Privacy Practices). If the physicians and hospital have declared themselves an organized health care arrangement (OHCA) under HIPAA, then they can use a joint NPP; otherwise the treating attending physicians must also present their own NPPs separately.
Obtain her written acknowledgement that she's received and read the NPP.
Then
Inform her that her name and basic facts about her condition and hospital location will be added to the hospital's directory, unless she objects.
Advise her of her options not to be listed in the directory at all, and not to have a religious preference listed in the directory.
Several hours have passed
and her family and the media are pressing for information on her condition and prognosis. What level of disclosure is permitted to these groups under HIPAA?
HIPAA and PHI Disclosure
Family: the physician is required to ask the councilwoman if she objects to sharing PHI with family. If she were still unconscious, the physician must use his/her best judgment.
At all times the physician must be discreet and avoid talking loudly about patient conditions in public areas (hallways, waiting rooms, elevators).
HIPAA and PHI Disclosure
Press: if the councilwoman has agreed to be added to the hospital's directory, the general disclosure rule applies. Therefore, the following information can be released to the press:
Name
Location in the facility
Health condition expressed in general terms
Religious affiliation
but only if the patient is asked about by name.
The ER's screening software
has flagged the councilwoman as a candidate for an ongoing research study on female gunshot victims. The research coordinator appears at the councilwoman's bedside, obtains informed consent, and then begins the research protocol. Is this consistent with HIPAA regulations?
HIPAA and Research Studies
Yes, but only if the researcher has followed GW's procedures for reviews preparatory to research.
In between cases,
the ER physician who treated the councilwoman dictates his notes, which are then sent to a transcriptionist. The hospital has a contract with an outside company to provide transcription services. Does HIPAA affect this business relationship?
HIPAA and Business Associates
Yes, all outside vendors who come in contact with PHI must be covered by business associate contracts as required by HIPAA.
The councilwoman recovers
enough from her injury to be discharged from the hospital. Some time later she visits her doctor for a follow-up visit. She is prescribed a new medication and given some samples to take with her. How does HIPAA affect this follow-up visit?
HIPAA and Follow-up Visits
Although providing free samples is considered a marketing activity, since it is face-to-face, it is permitted under HIPAA.
Note: It would be inappropriate (and not proper under HIPAA) for the physician to give a pharmaceutical company the councilwoman's name, even if the company manufactures her medication(s). The physician's practice (or the hospital) would need a signed authorization from the patient before it could give that information to the pharmaceutical company.
The following month,
the councilwoman is contacted by the hospital foundation, soliciting a donation. Have her privacy rights under HIPAA been violated?
HIPAA and Fundraising
No, as long as the NPP stated that her PHI might be used for fundraising, and the foundation is related to, and supports, the hospital.
The fundraising request must be specific and must give the councilwoman a way to opt out of future solicitations.
The medical students
who participated in the councilwoman's care at the teaching hospital are writing up her case for next month's grand rounds presentation. How does HIPAA affect the amount or type of information that can be included in the presentation?
HIPAA and Training
Because healthcare operations include training of health care students, trainees or practitioners, the minimum necessary rule applies. So does the security rule. Prudent application of these rules according to the institution's policies and procedures will require omitting her name and other identifying information that is unnecessary for teaching purposes.
She can be referred to by name during rounds or other teaching situations at the discretion of the attending physician/faculty member.
The councilwoman
is organizing her healthcare paperwork and returns to the hospital to get a copy of her medical record. Does HIPAA provide the councilwoman with complete access to her medical records?
HIPAA and Patient Record Access
No, patients are only entitled to the designated record set (PHI used by the covered entity to make decisions about patients).
Care providers: the designated record set is medical and billing records.
Health plans: the designated record set is enrollment, payment, claims adjudication and case management records.
HIPAA and Patient Record Access
There is no automatic access to psychotherapy notes, or certain other information involved in litigation.
HIPAA and Patient Record Access
A patient's request for records may be rejected in certain, narrowly defined circumstances, and an explanation must be provided. For example, disclosing the PHI may pose a danger to the patient.
Perhaps the councilwoman's distraught daughter, in speculating why her mother was shot, blurted out all kinds of family secrets to the ER doctor, who included them in the record. The councilwoman was unconscious and is unaware of their inclusion. The hospital decides these notes are not relevant to the councilwoman's treatment and withholds them.
Once she obtains
her designated record set and reads it, the councilwoman realizes that it states she takes Lipitor to lower her cholesterol. She stopped taking the medication several years ago and wants to have her record corrected. How does HIPAA affect patient-initiated changes to medical records?
HIPAA and Patient Record Changes
If the hospital agrees to update the record, it must notify her (and anyone else she specifies) that her amendment was accepted.
However, the hospital can deny a request to amend the record (e.g., if the data are accurate and complete), but the councilwoman may appeal.
If the hospital rejects her appeal, she can add a notice of disagreement to her designated record set (DRS). That notice of disagreement stays with her DRS.
Finally, the councilwoman
would like to know with whom the hospital has shared her PHI, so she requests an accounting of her PHI disclosures. Is this permissible under HIPAA?
HIPAA and PHI Accounting
Yes, the hospital must provide an accounting of PHI disclosures, but there are exceptions to the listing (e.g., treatment, payment and operations (TPO) disclosures, disclosures pursuant to patient authorizations, and certain disclosures to law enforcement or national security officials).
Congratulations
You have successfully completed the GW HIPAA overview.
REMEMBER, you must complete and comply with any additional HIPAA instruction or compliance programs at each institution (or office) where you have a clinical rotation.
Be alert to the fact that HIPAA policies and procedures will vary from institution to institution, and you must comply with the requirements as implemented at each institution.
If you have any questions about HIPAA, contact the privacy officer at the institution(s).
Now
click on the Quiz section of the Prometheus course to complete the brief quiz on the HIPAA information you've just learned.
After you've taken the quiz, we suggest you print out your quiz score by going to the Grade Book section of Prometheus, and then selecting the Print option under your browser's File menu. You may need to use this printout to document your completion of the program for