Health Insurance Portability and Accountability Act (HIPAA) Compliance in the University Setting Speech & Hearing Sciences

Health Insurance Portability and Accountability Act (HIPAA) … · 2020-05-27 · HIPAA • The Health Insurance Portability and Accountability Act of 1996 • Federal law mandates


Health Insurance Portability and Accountability Act (HIPAA)

Compliance in the University Setting

Speech & Hearing Sciences

HIPAA

• The Health Insurance Portability and Accountability Act of 1996

• Federal law mandates compliance with patient privacy rules designed to maintain confidentiality of medical information

• No federal rules to protect privacy of health information existed until Standards for Privacy were published 12/28/2000.

Purposes for HIPAA

1. Make health care more portable for people changing employment

2. Transmit electronic health data more efficiently (standardize formats)

3. Create a framework to guard the privacy of health information.

Who Must Comply with HIPAA Privacy?

• Healthcare Providers who transmit any health information in electronic form.

• “Covered entities” include health care providers who conduct certain financial and administrative transactions such as billing electronically.

• Lamar University is a covered entity.

Protected Health Information (PHI)

PHI means health information, in any form, collected or created as health care is provided. If that information includes any identifying factors (birth date, SSN, etc.) it is considered PHI.

PHI

• Social Security Number

• Health plan beneficiary numbers and other identifying information

• Account numbers

• Certificate of license numbers

• Vehicle identifiers and serial numbers to include license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Full face photographic images and other comparable images

• Name

• Medical record numbers and clinic file #s

• Geographic subdivision smaller than a state including street address, city, county, precinct, zip code

• Any and all dates (except the year), including birth date, encounter date, and date of death

• Telephone numbers

• Fax numbers

• E-mail addresses

• Any other unique identifying number, characteristic or codes

• Biometric identifiers, including fingerprints and voice prints

De-Identified Information is…

… not “protected health information” as defined in the HIPAA Privacy Regulation. Information is considered de-identified if all of the PHI is removed.

Safeguards

Must reasonably safeguard Protected Health Information (PHI) from an intentional or unintentional use or disclosure that is in violation of patient privacy policies and applicable federal and state law.

Client/Patient Files

• Clients will receive a copy of the Lamar Notice of Privacy Practices (NPP)

• Client will sign the Acknowledgement that they have been given a copy of the Lamar Notice of Privacy Practices (NPP)

• You must make a reasonable effort to have the client sign the form. However, the client is not required to sign the Acknowledgment form.

Oral communications regarding PHI

• Do not disclose PHI when discussing client with caregiver in waiting room

• Do not discuss client outside of clinic

• Do not discuss client with anyone other than supervisors, unless specified on Authorization form

• Do not allow telephone calls discussing client to be overheard by others

• De-identify client for class discussions.

More information regarding PHI

• Telephone messages

– May leave telephone messages and appointment reminders on client’s answering machine if there is no link to medical information

• May identify clinic name and appointment time

• Exception - if client requested alternate means of communication

• Sign-in Sheets - First Name only

• Cancellation board - Date, Time, Clinician, Supervisor, and Client Initials only

Sign-In Sheets

May SLP clinics and/or Physician offices use patient sign-in sheets or call out the names of their patients in their waiting rooms? - YES -

• You may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

• The sign-in sheet may not display medical information (the type of speech or hearing problem the patient is going to see the SLP for).

Client Records - Paper

• Do not remove client record from building

• Store record in locked file cabinet in secure area

• Lock record overnight

• Turn record face down when using on desk/table

• De-identify working files

• Secure test protocols in file immediately after evaluation session

Video/Audio Recordings

• Mark with client initials and date of service only

• View or listen only in presence of treatment team

• Erase tapes or return to clinical facility

E-mails

1. If you need to communicate with a patient and wish to use e-mail, you can send an e-mail asking the individual to contact you by phone at a particular time

2. Your e-mail should be general and not include confidential, diagnostic, or treatment-related information

3. Do NOT ever use SSN, diagnostic, treatment or any other protected health information in any e-mails.

E-mails

4. Do NOT ever e-mail test results to a patient

5. It is OK to e-mail appointment reminders; however the e-mail should be general and should NOT include the patient’s name.

– Example: “This e-mail is to remind you of your appointment at the Speech & Language Clinic on September 5, 2009 at 10:00 am. If you cannot keep the appointment, please call 880-8171.”

E-mails

6. You can also direct a patient to pick up an item ordered with the following e-mail: “The item that was ordered for you has been received and is available for you to pick up at the Speech & Hearing building between 8:00 - 5:00. Please call 880-8171 if you have any questions.”

7. If a patient sends you an e-mail, it is preferred that you call them back. If you need to e-mail a reply, delete the patient’s original message and respond with general information ONLY.

8. It is also recommended that you include a confidentiality statement at the end of your e-mails.

Fax

• Use a cover sheet with confidentiality statement

– Do not state any PHI on cover sheet (e.g., client name, DOB, medical record number, etc.)

Fax

• Sending faxes

– Ensure correct fax number before transmission

– Call and verify any number in question before sending

– Verify correct fax number has been dialed

– Re-file faxed information with fax cover sheet in client’s record

– Document transmission in client record

• Receiving faxes

– Remove transmission from tray immediately upon completion of transmittal

– Count pages to ensure all have been received

– Place documents containing PHI in a sealed envelope in the appropriate person’s mailbox.

Paperwork & Mail

• PHI destruction

– Paper PHI

• Shred all paper documents with PHI

– Electronic PHI

• Overwrite or reformat disk

• De-identify all information

• When writing reports, the client’s name should be referred to as La. Kri. (Lata Krishnan)

• Mail - Campus & US

– Place in sealed envelopes (no open envelopes to mail room)

Passwords

• Include a combination of letters and numbers

• Do not reveal to anyone

• Do not post on or near workstations

• Change regularly according to security procedures

Visitors

• Visitors and clients

– Must be accompanied by members of the workforce when in areas with PHI

• Parent, guardian, legal representative, or family member

– May observe a session relating only to the parent’s child or family member who is receiving services.

Simultaneous sessions

• During simultaneous sessions in observation rooms that allow viewing into more than one treatment area:

1. These individuals may not observe unless accompanied by students, clinic supervisors, or members of the treatment or diagnostic team; and

2. Only one client may be observed during a treatment or diagnostic session.

Authorization Form

The client, parent, guardian, or legal representative must sign the Authorization for Use and Disclosure of Health Information form to allow observations by individuals who are not university students, clinic supervisors, or members of the treatment or diagnostic team (i.e., teachers, case managers, etc.)

Observations

• Students must have received HIPAA training

– May observe clinic sessions for clinical training purposes - must be trained in HIPAA

– Must follow procedures as stated in Clinic Observation Policies

– Must keep observation information confidential

• Information may not be discussed with others who are not part of the client’s treatment or diagnostic team.

HIPAA Enforcement

• Civil penalties: Up to $100 per violation, up to $25,000 per person, per year for identical violations

• Federal criminal penalties: up to $50,000 and one year in prison for obtaining or disclosing PHI, up to $1000,000 and up to 5 years in prison for obtaining health information under false pretenses

• Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

Compliance and Enforcement

• Since the compliance date in April 2003 there have been 27,070 HIPAA Privacy Complaints.

• 3/4 of the complaints have been resolved

National Provider Identifier

• Unique health identifier for healthcare providers

• Designed to improve the efficiency and effectiveness of the healthcare system and is part of the HIPAA legislation

• Compliance date: May 23, 2007

Who can have an NPI?

• Any healthcare provider

• Healthcare providers are individuals and organizations

• Numbers will be assigned for life

Do you feel ready to take the quiz?

You must make a 90 to be successful on the quiz.

That means you must retake the quiz if you make below 90.

Speech & Hearing Sciences

______________________________________

Has successfully completed training in the Health Insurance Portability and Accountability Act (HIPAA).

___________________ _________________

SLP Graduate Student Signature / Date

___________________ _________________

LU Clinical Supervisor / Date

Information about our patients is strictly confidential and should not be discussed in public places.

Thank you for respecting our patients’ privacy!