HIPAA BOOT CAMP
WELCOME TO MIAMI VALLEY
HOSPITAL’S HIPAA TRAINING
PURPOSE OF THIS TRAINING
• To introduce you to the basics of HIPAA in order to understand the rules and regulations.
• Review its impact on our Healthcare Network.
• Explore practical ways to deal with Protected Health Information (PHI) on the job.
• Help you understand patients’ rights under the law to protect them, our organization and you.

2
TOPICS
• WHAT IS HIPAA?
• WHO DOES IT AFFECT?
• WHAT IS THE IMPACT OF HIPAA?
• WHEN WILL IT HAPPEN?
• WHAT IS MVH DOING?
• WHAT IS YOUR ROLE?

3
WHAT IS HIPAA?
Health Insurance Portability and
Accountability Act of 1996
A Federal law imposed on all health care
organizations including hospitals, physician
offices, home health agencies, nursing homes and
other providers, as well as health plans and
clearinghouses, that protects patient health
information.
4
WHAT IS HIPAA?
• Its main purpose is to make sure that Protected Health Information (PHI) is properly handled.
• HIPAA tells us how we must process and protect our patient information.
• It also says that if we transmit PHI electronically, we must do it in a standard way.
• Under HIPAA patients have new rights that we must inform them about.

HIPAA IS ALL ABOUT DOING WHAT IS RIGHT
FOR OUR PATIENTS.

5
WHO DOES IT AFFECT?
All organizations that deal with a person’s health information:
• Providers (Hospitals, Clinics and Physicians)
• Health Plans
• Health Care Clearinghouses

6
WHEN WILL IT HAPPEN?
Privacy: April 14, 2003.
Data Standards (EDI): October 16, 2003.
Security: April 21, 2005.

7
HIPAA FINES & PENALTIES
Non-Compliance with Requirements and Standards
• Penalties for overall non-compliance could reach millions of dollars per year.
• These penalties can apply to our organization and in some cases to specific individuals, including jail time.
• $100 per violation up to $25,000 limit per year.

8
HIPAA FINES & PENALTIES
Wrongful Disclosure of Protected Health Information or Misuse of Identifiers (directly or indirectly):
• Simple negligence: $50,000 fine, one (1) year in prison or both
• Disclosure under false pretenses: $100,000 fine, five (5) years in prison or both
• Intent to sell or use information: $250,000 fine, ten (10) years in prison or both

Employees will also be held accountable by MVH if HIPAA policy violations occur.
9
WHAT IS MVH DOING?
MVH has been hard at work the past 2 years preparing for HIPAA and the impact it will have on our organization. Here are some of the activities:
• The establishment of the HIPAA Steering Committee with representatives from key departments affected by HIPAA.
• The review and revision of policies and procedures as needed.
• The creation of new policies to support the process changes needed.
• The education of employees on HIPAA.
• The review of our computer systems to ensure security of patient information.
• The review of our process for transmitting electronic data for payment purposes.
10
KEY PATIENT PRIVACY RIGHTS
Patient privacy rights include:
• Access to health information (and restricted access to information when the patient does not want it disclosed).
• Amendments to PHI when patients make specific written requests and those requests are granted.
• Accounting of Disclosures (whenever we send patient information without prior patient approval).
• Restrictions on Uses and Disclosures of PHI (we are obligated to safeguard patient information and keep it confidential to protect their right to privacy).

Patients will be given a paper copy of our Notice of Privacy Practices concerning the above items and will be asked to sign an acknowledgement of receipt.
11
Notice of Privacy Practices
Provides individual notice of all of the ways the
organization uses and shares a patient’s health
information
Explains a patient’s rights to confidentiality and
access to his/her information
Is posted prominently in the organization and
on the organization’s Web site

12
Notice of Privacy Practices
If a patient has questions about the
organization’s practices or his/her
privacy rights, direct him/her to
the Notice of Privacy Practices,
the Consumer Relations
Department (208-2666) or the
Privacy Officer, Mike Moddeman
(208-8339).
13
PRIVACY SUMMARY
April 14, 2003 is the deadline for implementation of the new
policies and procedures. MVH will be compliant with these
rules. We are performing the necessary training of staff as
required under the regulations.

Under HIPAA we can still use a patient’s name in
the waiting room. We may put a patient’s name
outside their door for identification and patients
may still share rooms. Our obligation and focus is to
SAFEGUARD their individual health information
and to protect their privacy.
14
Safeguarding Patient Information
The Release of Patient Information:
HIPAA allows us to share patient information with
any of the patient’s health care providers without an
authorization from the patient.
If you are presented with an authorization to release
medical information, contact the Health
Information Management Department

15
Releasing Confidential Information
You cannot share information with the patient’s family, friends or
anyone else without written authorization from the patient except:

The patient’s guardian, durable power of attorney for
healthcare, or next of kin (if the patient is incapacitated).
For operations of the hospital (ex. quality assurance, incident
reports, teaching and education of residents and students).
To enable our organization to get paid for services rendered.
When there is a legal duty to report (ex. child abuse,
domestic violence, gunshot or stab wounds).
To another healthcare provider that has treated the patient to
enable that provider to get paid for their services.
16
What is Confidential Information?
Any information about a patient that is written, saved on a
computer, or electronic media (disks, CDs, etc.), or spoken is
Protected Health Information (PHI). PHI includes:
Name
Age
E-Mail
Social Security #
Address
Phone Number
Diagnosis

Medical history
Medications
Observations of Health
Medical Record Number
Any Unique Identifier
The fact that the patient is in the hospital

17
Confidential Information

HIPAA DON’TS
Don’t tell anyone what you may overhear regarding a patient.
Don’t discuss a patient in public areas such as elevators,
hallways, or cafeterias.
Don’t look at information about a patient unless you need to
as part of your job.
Don’t look up information about friends or relatives unless
you need to in order to perform your work.
18
Confidential Information

HIPAA DO’S
Do keep all information you hear about a patient to yourself.
Do dispose of patient information by placing it in properly designated
shredder bins for destruction.
Do notify security if you see an unescorted visitor in a non-public
area of the hospital.
Do contact the Privacy Officer, Mike Moddeman (208-8339), if you
have any questions.

19
SECURITY
• Print-based medical records need to be kept in a secure area or in a safe location with access limited to authorized people only. (These areas should be locked when not in use.)
• Access to those locations needs to be controlled so that we can maintain the security of records containing PHI.
• If you use a workstation as part of your job, a password (not to be shared) should be used to control access to PHI.
• If a workstation is available to or viewable by non-authorized people, use a screensaver or reposition the screen to keep PHI out of view.
• Lock cabinets that contain PHI when you leave your area.
20
The Privacy Officer


Manages the development of the organization’s privacy
standards, policies and procedures.

Oversees the education and training of the
workforce.

Investigates suspected violations and complaints.

Facilitates the enforcement of HIPAA within the
organization

The Privacy Officer for Miami Valley Hospital
is Mike Moddeman @ 208-8339

21
What do you need to know?
HIPAA requires health care workers to use the
minimum amount of patient information they need
to do their jobs efficiently and effectively.
Ask yourself:


Do I need this information to do my job?



What is the least amount of information I need to
do my job?

22
What do you need to know?
Environmental Services staff do not need to look
at patient records
Professional health care workforce members such
as doctors, nurses, and therapists need to look at
their patients’ records to care for them
Coders and billers need to look at certain portions
of records to code and bill correctly

23
WHAT SHOULD YOU DO?
Let’s look at some situations that may
occur as you deal with patients.
Apply the idea that we should use
common sense and reasonable
judgment in deciding what to do.

24
WHAT SHOULD YOU DO?
A patient comes to Registration requesting a copy
of the Notice of Privacy Practices. The patient
admits having been given one several times, but
keeps misplacing it. Should Registration give the
patient a copy of the Notice of Privacy Practices?

• Yes
• No
• Uncertain

25
WHAT SHOULD YOU DO?
A patient comes into the hospital for the first time.
Where will the Notice of Privacy Practices
be found?

A. Copies in Registration
B. Posted throughout the hospital
C. On our web site
D. A and B
E. All of the above

26
WHAT SHOULD YOU DO?
The insurance company, forgetting to ask the
discharge planner for the history and physical,
figures that it would be easier to just ask for the
patient’s complete medical record and leaf
through the information to get what they need,
even though they know they will not need
everything in the medical record for payment
purposes. Is the discharge planner allowed to
release the entire medical record in this case?

• Yes
• No
• Uncertain

27
WHAT SHOULD YOU DO?
Your sister’s close friend is having surgery at the
organization where you work. She asks you to find
out what you can about the friend’s condition.
Should you call and ask around to the nurses you
know? Should you look up the friend’s medical
record?

• Yes
• No
• Uncertain

28
WHAT SHOULD YOU DO?
No. Even if you and your sister have the best intentions, you
have no right to look at private information about her friend’s
health. Suggest to your sister that she call or visit the
information desk. If the patient has agreed to have her
information available, the staff at the information desk can
give it to your sister.
Do not seek out confidential patient information unless you
need it to do your job. If you happen to hear confidential
information, do not repeat it to anyone.
Looking at patient records for any non-business reason can
be cause for disciplinary and legal action.
29
WHAT SHOULD YOU DO?
You are working in the emergency department
when you see that a neighbor has arrived for
treatment after a car crash. You hear someone
saying he will be taken to surgery soon. Your
neighbor’s wife works in another part of the
organization. Should you notify her that her
husband is in the emergency department?

• Yes
• No
• Uncertain

30
WHAT SHOULD YOU DO?
No. Tell the nursing staff that you know the patient and his
wife. Tell them that if they need to locate her, you can help.
Your neighbor has a right to privacy and may not want to
notify his family of the accident. If he is conscious, the
emergency department staff will allow him to decide whom to
notify.
If he is unconscious, the doctors and nurses will decide
whether to notify his wife. Leave the decision up to the
emergency department staff. They will let you know whether
they need your help to find the patient’s wife.

31
WHAT SHOULD YOU DO?

You pass by a nurses’ station where patients’
names are listed on a white board. You spot the
name of a close friend. Should you stop by her
room?

• Yes
• No
• Uncertain

32
WHAT SHOULD YOU DO?
No. If you learned of your friend’s stay only by looking at the
white board, you should not go to her room unless your job
responsibilities take you there.

If you find out from the patient or her family member that she
is staying here, feel free to visit her. But be sure to follow the
visitor policies.

33
WHAT SHOULD YOU DO?
A co-worker is having trouble logging in to the
organization’s system. She asks for your login
name and password so she can try them. Should
you share them with her?

• Yes
• No
• Uncertain

34
WHAT SHOULD YOU DO?
No. HIPAA requires the use of individual passwords for each
person with access to health information stored in the
computer system. The organization keeps track of the
records you access based on the login name and password
you use. If you let others use your name and password, you
are breaking HIPAA’s rules and our policy. You may be held
responsible if the co-worker gains access to patient
information inappropriately.
Each person must keep the system secure by using only their
login name and password to gain access to the system.
Never share your login name or password.

35
WHAT SHOULD YOU DO?
A woman provides the name of a patient and asks
for information about his condition. What can you
tell her?

A. The patient’s diagnosis
B. The patient’s general condition
C. The patient’s location in the hospital
D. B and C
E. All of the above

36
WHAT SHOULD YOU DO?
B and C. Check the facility directory. If the patient is listed in
the directory (and is not listed as Do Not Admit or No
Information), you can tell the woman the patient’s location
(room number and telephone number) and his general
condition (good, fair, serious, critical).
If the patient is not included in the directory, you cannot give
out any information about him to anyone, regardless of the
person’s relationship to the patient.

37
WHAT SHOULD YOU DO?
A billing representative is missing the authorization
number for an outpatient surgery. The representative
calls the physician’s office to ask for the authorization.
The representative also asks about the patient’s recovery
from the surgery.

Is the representative acting appropriately?

• Yes
• No
• Uncertain

38
WHAT SHOULD YOU DO?
You happen to see a friend (who is a patient) in the
hospital. Later while talking to a family member
you say: “Guess who I saw today in the hospital?”
Have you violated your friend’s privacy rights?

• Yes
• No
• Uncertain

39
WHAT SHOULD YOU DO?
You happen to be walking by a trash bin and you
notice a stack of medical records lying on the
floor next to the trash. What should you do?

A. Throw the records in the trash
B. Deposit the records in a container to be shredded
C. Bring the records to your supervisor or the Privacy Officer
D. Ignore the situation since you are not authorized to look at these records

40
WHAT SHOULD YOU DO?
A minor is concerned about the possibility of
having contracted a sexually transmitted disease.
She requests to have a private conversation with
the physician. Can the parent receive
documentation related to this discussion at a later
date without authorization of the minor?

• Yes
• No
• Uncertain

41
WHAT SHOULD YOU DO?
An ICU nurse who just returned from vacation today is
caring for a patient who has been in the ICU for four
days. The nurse wants to review all progress notes
and physician orders in the medical record for the
patient’s ICU stay. Does the nurse have the right to
access the progress notes and physician orders?

• Yes
• No
• Uncertain

42
WHAT SHOULD YOU DO?
A patient asks you how they can get their confidential
information sent to their workplace instead of their home.
What should the clerk do?
A. Politely tell the patient that we don’t provide this type of
service
B. Ask the patient why they want their confidential
information sent somewhere else, then get advice from
your supervisor
C. Contact the HIM department for assistance
D. Tell the patient that we can’t do this until we receive
permission from their employer

43
WHAT SHOULD YOU DO?
Ms. White asks you for an accounting of disclosures of
her child’s PHI. You direct her to the HIM department.
Did the employee act properly?

• Yes
• No
• Uncertain

44
WHAT SHOULD YOU DO?
A person performing discharge planning is
coordinating the transfer of a patient to a skilled
nursing facility. The discharge planner has never
worked with this patient before and needs to review
the medical record to appropriately prepare for the
transfer. Does the discharge planner have access to
the medical record to conduct this task?

• Yes
• No
• Uncertain

45
Questions?

If you have questions about privacy matters
or wish to report a concern,
contact Mike Moddeman at
208-8339
46
MIAMI VALLEY HOSPITAL
Thank You
Copyright 2003 The Gates-Brewer Group, LLC

More Related Content

More from Atlantic Training, LLC.

Stress and Worker Safety by Pennsylvania L&I
Stress and Worker Safety by Pennsylvania L&IStress and Worker Safety by Pennsylvania L&I
Stress and Worker Safety by Pennsylvania L&IAtlantic Training, LLC.
 
Workplace Harassment Prevention by UT EAP
Workplace Harassment Prevention by  UT EAPWorkplace Harassment Prevention by  UT EAP
Workplace Harassment Prevention by UT EAPAtlantic Training, LLC.
 
Preventing Falls, Slips and Trips by MGSU
Preventing Falls, Slips and Trips by MGSUPreventing Falls, Slips and Trips by MGSU
Preventing Falls, Slips and Trips by MGSUAtlantic Training, LLC.
 
Preventing Workplace Harassment by Pennsylvania L&I
Preventing Workplace Harassment by Pennsylvania L&IPreventing Workplace Harassment by Pennsylvania L&I
Preventing Workplace Harassment by Pennsylvania L&IAtlantic Training, LLC.
 
Warehouses In Emergencies by WFP Logistics
Warehouses In Emergencies by WFP LogisticsWarehouses In Emergencies by WFP Logistics
Warehouses In Emergencies by WFP LogisticsAtlantic Training, LLC.
 
Sexual Harassment in the Workplace Training by Shumaker
Sexual Harassment in the Workplace Training by ShumakerSexual Harassment in the Workplace Training by Shumaker
Sexual Harassment in the Workplace Training by ShumakerAtlantic Training, LLC.
 
New Employee Safety Orientation by Oregon State University
New Employee Safety Orientation by Oregon State UniversityNew Employee Safety Orientation by Oregon State University
New Employee Safety Orientation by Oregon State UniversityAtlantic Training, LLC.
 

More from Atlantic Training, LLC. (20)

Stress Management Training by SW
Stress Management Training by SWStress Management Training by SW
Stress Management Training by SW
 
Stress and Worker Safety by Pennsylvania L&I
Stress and Worker Safety by Pennsylvania L&IStress and Worker Safety by Pennsylvania L&I
Stress and Worker Safety by Pennsylvania L&I
 
Respectful Workplace by RDTC
Respectful Workplace by RDTCRespectful Workplace by RDTC
Respectful Workplace by RDTC
 
Workplace Harassment by CLGW
Workplace Harassment by CLGWWorkplace Harassment by CLGW
Workplace Harassment by CLGW
 
Workplace Harassment Prevention by UT EAP
Workplace Harassment Prevention by  UT EAPWorkplace Harassment Prevention by  UT EAP
Workplace Harassment Prevention by UT EAP
 
Welding Safety by Pennsylvania L&I
Welding Safety by Pennsylvania L&IWelding Safety by Pennsylvania L&I
Welding Safety by Pennsylvania L&I
 
Slips Trips & Falls Training by Signal
Slips Trips & Falls Training by SignalSlips Trips & Falls Training by Signal
Slips Trips & Falls Training by Signal
 
Preventing Falls, Slips and Trips by MGSU
Preventing Falls, Slips and Trips by MGSUPreventing Falls, Slips and Trips by MGSU
Preventing Falls, Slips and Trips by MGSU
 
Preventing Workplace Harassment by Pennsylvania L&I
Preventing Workplace Harassment by Pennsylvania L&IPreventing Workplace Harassment by Pennsylvania L&I
Preventing Workplace Harassment by Pennsylvania L&I
 
Warehouses In Emergencies by WFP Logistics
Warehouses In Emergencies by WFP LogisticsWarehouses In Emergencies by WFP Logistics
Warehouses In Emergencies by WFP Logistics
 
Prevention of Sexual Harassment by USMC
Prevention of Sexual Harassment by USMCPrevention of Sexual Harassment by USMC
Prevention of Sexual Harassment by USMC
 
Sexual Harassment by DEOMI
Sexual Harassment by DEOMISexual Harassment by DEOMI
Sexual Harassment by DEOMI
 
Sexual Harassment in the Workplace Training by Shumaker
Sexual Harassment in the Workplace Training by ShumakerSexual Harassment in the Workplace Training by Shumaker
Sexual Harassment in the Workplace Training by Shumaker
 
Sexual Harassment Training by NAP
Sexual Harassment Training by NAPSexual Harassment Training by NAP
Sexual Harassment Training by NAP
 
Scaffolds Training by Pennsylvania L&I
Scaffolds Training by Pennsylvania L&IScaffolds Training by Pennsylvania L&I
Scaffolds Training by Pennsylvania L&I
 
Supervision
SupervisionSupervision
Supervision
 
New Employee Safety Orientation by Oregon State University
New Employee Safety Orientation by Oregon State UniversityNew Employee Safety Orientation by Oregon State University
New Employee Safety Orientation by Oregon State University
 
Lifting & Rigging by NEIS
Lifting & Rigging by NEISLifting & Rigging by NEIS
Lifting & Rigging by NEIS
 
Crane Rigging Safety by HF & C
Crane Rigging Safety by HF & CCrane Rigging Safety by HF & C
Crane Rigging Safety by HF & C
 
Slips Trips and Falls
Slips Trips and FallsSlips Trips and Falls
Slips Trips and Falls
 

Recently uploaded

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 

HIPAA Training by Miami Valley Hospital's HIPAA Training

  • 1. HIPAA BOOT CAMP WELCOME TO MIAMI VALLEY HOSPITAL’S HIPAA TRAINING
  • 2. PURPOSE OF THIS TRAINING: To introduce you to the basics of HIPAA in order to understand the rules and regulations. Review its impact on our Healthcare Network. Explore practical ways to deal with Protected Health Information (PHI) on the job. Help you understand patients’ rights under the law to protect them, our organization and you.
  • 3. TOPICS: WHAT IS HIPAA? WHO DOES IT AFFECT? WHAT IS THE IMPACT OF HIPAA? WHEN WILL IT HAPPEN? WHAT IS MVH DOING? WHAT IS YOUR ROLE?
  • 4. WHAT IS HIPAA? Health Insurance Portability and Accountability Act of 1996. A Federal law imposed on all health care organizations including hospitals, physician offices, home health agencies, nursing homes and other providers, as well as health plans and clearinghouses, that protects patient health information.
  • 5. WHAT IS HIPAA? Its main purpose is to make sure that Protected Health Information (PHI) is properly handled. HIPAA tells us how we must process and protect our patient information. It also says that if we transmit PHI electronically, we must do it in a standard way. Under HIPAA patients have new rights that we must inform them about. HIPAA IS ALL ABOUT DOING WHAT IS RIGHT FOR OUR PATIENTS.
  • 6. WHO DOES IT AFFECT? All organizations that deal with a person’s health information: Providers (Hospitals, Clinics and Physicians), Health Plans, Health Care Clearinghouses.
  • 7. WHEN WILL IT HAPPEN? Privacy: April 14, 2003. Data Standards (EDI): October 16, 2003. Security: April 21, 2005.
  • 8. HIPAA FINES & PENALTIES Non-Compliance with Requirements and Standards: Penalties for overall non-compliance could reach millions of dollars per year. These penalties can apply to our organization and in some cases to specific individuals including jail time. $100 per violation up to $25,000 limit per year.
  • 9. HIPAA FINES & PENALTIES Wrongful Disclosure of Protected Health information or Misuse of Identifiers (directly or indirectly): Simple negligence: $50,000 fine, one (1) year in prison or both. Disclosure under false pretenses: $100,000 fine, five (5) years in prison or both. Intent to sell or use information: $250,000 fine, ten (10) years in prison or both. Employees will also be held accountable by MVH if HIPAA policy violations occur.
  • 10. WHAT IS MVH DOING? MVH has been hard at work the past 2 years preparing for HIPAA and the impact it will have on our organization. Here are some of the activities: The establishment of the HIPAA Steering Committee with representatives from key departments affected by HIPAA. The review and revision of policies and procedures as needed. The creation of new policies to support the process changes needed. The education of employees on HIPAA. The review of our computer systems to ensure security of patient information. The review of our process for transmitting electronic data for payment purposes.
  • 11. KEY PATIENT PRIVACY RIGHTS Patient Privacy rights include: Access to health information (and restricted access to information when the patient does not want it disclosed). Amendments to PHI when patients make specific written requests and those requests are granted. Accounting of Disclosures (whenever we send patient information without prior patient approval). Restrictions on Uses and Disclosures of PHI (we are obligated to safeguard patient information and keep it confidential to protect their right to privacy). Patients will be given a paper copy of our Notice of Privacy Practices concerning the above items and will be asked to sign an acknowledgement of receipt.
  • 12. Notice of Privacy Practices: Provides individual notice of all of the ways the organization uses and shares a patient’s health information. Explains a patient’s rights to confidentiality and access to his/her information. Is posted prominently in the organization and on the organization’s Web site.
  • 13. Notice of Privacy Practices: If a patient has questions about the organization’s practices or his/her privacy rights, direct him/her to the Notice of Privacy Practices, the Consumer Relations Department (208-2666) or the Privacy Officer, Mike Moddeman (208-8339).
  • 14. PRIVACY SUMMARY April 14, 2003 is the deadline for implementation of the new policies and procedures. MVH will be compliant with these rules. We are performing the necessary training of staff as required under the regulations. Under HIPAA we can still use a patient’s name in the waiting room. We may put a patient’s name outside their door for identification and patients may still share rooms. Our obligation and focus is to SAFEGUARD their individual health information and to protect their privacy.
  • 15. Safeguarding Patient Information. The Release of Patient Information: HIPAA allows us to share patient information with any of the patient’s health care providers without an authorization from the patient. If you are presented with an authorization to release medical information, contact the Health Information Management Department.
  • 16. Releasing Confidential Information: You cannot share information with the patient’s family, friends or anyone else without written authorization from the patient except: The patient’s guardian, durable power of attorney for healthcare, or next of kin (if the patient is incapacitated). For operations of the hospital (ex. quality assurance, incident reports, teaching and education of residents and students). To enable our organization to get paid for services rendered. When there is a legal duty to report (ex. child abuse, domestic violence, gunshot or stab wounds). To another healthcare provider that has treated the patient to enable that provider to get paid for their services.
  • 17. What is Confidential Information? Any information about a patient that is written, saved on a computer, or electronic media (disks, CDs, etc.), or spoken is Protected Health Information (PHI). PHI includes: Name, Age, E-Mail, Social Security #, Address, Phone Number, Diagnosis, Medical history, Medications, Observations of Health, Medical Record Number, Any Unique Identifier, The fact that the patient is in the hospital.
  • 18. Confidential Information: HIPAA DON’TS. Don’t tell anyone what you may overhear regarding a patient. Don’t discuss a patient in public areas such as elevators, hallways, or cafeterias. Don’t look at information about a patient unless you need to as part of your job. Don’t look up information about friends or relatives unless you need to do so to perform your work.
  • 19. Confidential Information: HIPAA DO’S. Do keep all information you hear about a patient to yourself. Do dispose of patient information by placing it in properly designated shredder bins for destruction. Do notify security if you see an unescorted visitor in a non-public area of the hospital. Do contact the Privacy Officer, Mike Moddeman (208-8339), if you have any questions.
  • 20. SECURITY: Print-based medical records need to be kept in a secure area or in a safe location with access to authorized people only. (These areas should be locked when not in use.) Access to those locations needs to be controlled so that we can maintain the security of records containing PHI. If you use a workstation as part of your job, a password (not to be shared) should be used to control access to PHI. If a workstation is available/viewable by nonauthorized people, use a screensaver or reposition to protect the viewing of PHI. Lock cabinets that contain PHI when you leave your area.
  • 21. The Privacy Officer: Manages the development of the organization’s privacy standards, policies and procedures. Oversees the education and training of the workforce. Investigates suspected violations and complaints. Facilitates the enforcement of HIPAA within the organization. The Privacy Officer for Miami Valley Hospital is Mike Moddeman @ 208-8339.
  • 22. What do you need to know? HIPAA requires health care workers to use the minimum amount of patient information they need to do their jobs efficiently and effectively. Ask yourself: Do I need this information to do my job? What is the least amount of information I need to do my job?
  • 23. What do you need to know? Environmental Services staff do not need to look at patient records. Professional health care workforce members such as doctors, nurses, and therapists need to look at their patients’ records to care for them. Coders and billers need to look at certain portions of records to code and bill correctly.
  • 24. WHAT SHOULD YOU DO? Let’s look at some situations that may occur as you deal with patients. Apply the idea that we should use common sense and reasonable judgment in deciding what to do.
  • 25. WHAT SHOULD YOU DO? A patient comes to Registration requesting a copy of the Notice of Privacy Practices. The patient admits having been given one several times, but keeps misplacing it. Should Registration give the patient a copy of the Notice of Privacy Practices? Yes / No / Uncertain
  • 26. WHAT SHOULD YOU DO? A patient comes into the hospital for the first time. Where will the Notice of Privacy Practices be found? A. Copies in Registration B. Posted throughout the hospital C. On our web site D. A and B E. All of the above
  • 27. WHAT SHOULD YOU DO? The insurance company, forgetting to ask the discharge planner for the history and physical, figures that it would be easier to just ask for the patient’s complete medical record and leaf through the information to get what they need, even though they know they will not need everything in the medical record for payment purposes. Is the discharge planner allowed to release the entire medical record in this case? Yes / No / Uncertain
  • 28. WHAT SHOULD YOU DO? Your sister’s close friend is having surgery at the organization where you work. She asks you to find out what you can about the friend’s condition. Should you call and ask around to the nurses you know? Should you look up the friend’s medical record? Yes / No / Uncertain
  • 29. WHAT SHOULD YOU DO? No. Even if you and your sister have the best intentions, you have no right to look at private information about her friend’s health. Suggest to your sister that she call or visit the information desk. If the patient has agreed to have her information available, the staff at the information desk can give it to your sister. Do not seek out confidential patient information unless you need it to do your job. If you happen to hear confidential information, do not repeat it to anyone. Looking at patient records for any non-business reason can be cause for disciplinary and legal action.
  • 30. WHAT SHOULD YOU DO? You are working in the emergency department when you see that a neighbor has arrived for treatment after a car crash. You hear someone saying he will be taken to surgery soon. Your neighbor’s wife works in another part of the organization. Should you notify her that her husband is in the emergency department? Yes / No / Uncertain
  • 31. WHAT SHOULD YOU DO? No. Tell the nursing staff that you know the patient and his wife. Tell them that if they need to locate her, you can help. Your neighbor has a right to privacy and may not want to notify his family of the accident. If he is conscious, the emergency department staff will allow him to decide whom to notify. If he is unconscious, the doctors and nurses will decide whether to notify his wife. Leave the decision up to the emergency department staff. They will let you know whether they need your help to find the patient’s wife.
  • 32. WHAT SHOULD YOU DO? You pass by a nurses’ station where patients’ names are listed on a white board. You spot the name of a close friend. Should you stop by her room? Yes / No / Uncertain
  • 33. WHAT SHOULD YOU DO? No. If you learned of your friend’s stay only by looking at the white board, you should not go to her room unless your job responsibilities take you there. If you find out from the patient or her family member that she is staying here, feel free to visit her. But be sure to follow the visitor policies.
  • 34. WHAT SHOULD YOU DO? A co-worker is having trouble logging in to the organization’s system. She asks for your login name and password so she can try them. Should you share them with her? Yes / No / Uncertain
  • 35. WHAT SHOULD YOU DO? No. HIPAA requires the use of individual passwords for each person with access to health information stored in the computer system. The organization keeps track of the records you access based on the login name and password you use. If you let others use your name and password, you are breaking HIPAA’s rules and our policy. You may be held responsible if the co-worker gains access to patient information inappropriately. Each person must keep the system secure by using only their login name and password to gain access to the system. Never share your login name or password.
  • 36. WHAT SHOULD YOU DO? A woman provides the name of a patient and asks for information about his condition. What can you tell her? A. The patient’s diagnosis B. The patient’s general condition C. The patient’s location in the hospital D. B and C E. All of the above
  • 37. WHAT SHOULD YOU DO? B and C. Check the facility directory. If the patient is listed in the directory (and is not listed as Do Not Admit or No Information), you can tell the woman the patient’s location (room number and telephone number) and his general condition (good, fair, serious, critical). If the patient is not included in the directory, you cannot give out any information about him to anyone, regardless of the person’s relationship to the patient.
  • 38. WHAT SHOULD YOU DO? A billing representative is missing the authorization number for an outpatient surgery. The representative calls the physician’s office to ask for the authorization. The representative also asks about the patient’s recovery from the surgery. Is the representative acting appropriately? Yes / No / Uncertain
  • 39. WHAT SHOULD YOU DO? You happen to see a friend (who is a patient) in the hospital. Later while talking to a family member you say: “Guess who I saw today in the hospital?” Have you violated your friend’s privacy rights? Yes / No / Uncertain
  • 40. WHAT SHOULD YOU DO? You happen to be walking by a trash bin and you notice a stack of medical records lying on the floor next to the trash. What should you do? A. Throw the records in the trash B. Deposit the records in a container to be shredded C. Bring the records to your supervisor or the Privacy Officer D. Ignore the situation since you are not authorized to look at these records
  • 41. WHAT SHOULD YOU DO? A minor is concerned about the possibility of having contracted a sexually transmitted disease. She requests to have a private conversation with the physician. Can the parent receive documentation related to this discussion at a later date without authorization of the minor? Yes / No / Uncertain
  • 42. WHAT SHOULD YOU DO? An ICU nurse who just returned from vacation today is caring for a patient who has been in the ICU for four days. The nurse wants to review all progress notes and physician orders in the medical record for the patient’s ICU stay. Does the nurse have the right to access the progress notes and physician orders? Yes / No / Uncertain
  • 43. WHAT SHOULD YOU DO? A patient asks you how they can get their confidential information sent to their workplace instead of their home. What should the clerk do? A. Politely tell the patient that we don’t provide this type of service B. Ask the patient why they want their confidential information sent somewhere else, then get advice from your supervisor C. Contact the HIM department for assistance D. Tell the patient that we can’t do this until we receive permission from their employer
  • 44. WHAT SHOULD YOU DO? Ms. White asks you for an accounting of disclosures of her child’s PHI. You direct her to the HIM department. Did the employee act properly? Yes / No / Uncertain
  • 45. WHAT SHOULD YOU DO? A person performing discharge planning is coordinating the transfer of a patient to a skilled nursing facility. The discharge planner has never worked with this patient before and needs to review the medical record to appropriately prepare for the transfer. Does the discharge planner have access to the medical record to conduct this task? Yes / No / Uncertain
  • 46. Questions? If you have questions about privacy matters or wish to report a concern, contact Mike Moddeman at 208-8339.

Editor's Notes

  1. Opening Screen
  2. HIPAA was designed by the industry and government in collaboration to achieve administrative simplification. Standardization of identifiers, code sets, data transaction formats, and the issues addressed in security and privacy are motivated by administrative simplification and the potential for cost savings. Investments will be required to achieve this standardization and for those who fail to comply there is the possibility of significant fines and jail time. The key strategic decision for physician practices and all Covered Entities at this time is to decide whether HIPAA will be addressed as a compliance program only, or the organization will also attempt to identify and take advantage of the potential benefits. (Source: hipaainfo.net) HIPAA implementation will be a multi-year, large cost, institution-wide effort that will be required by Federal law, Federal regulation, and related regulatory and accreditation bodies within the next 2-4 years. Failure to implement HIPAA will result in significant monetary penalties. The consequences of knowingly disclosing individually identifiable patient information are criminal penalties. Implementing HIPAA will affect how healthcare entities organize and staff to achieve and monitor implementation with patient privacy/confidentiality needs. HIPAA implementation is better focused as a business issue than as an Information Technology issue, although IT will play a major role in creating compliant systems. HIPAA will affect how independent providers deal with managing both electronic transactions (claims, referrals, remittance) and medical records. Large and medium sized organizations will need executive sponsorship and dedicated resources to lead the HIPAA implementation effort. Implementation-related activities may compete with other major projects. HIPAA's requirements may cause significant changes in process, organization, and/or staffing in the area of claims management. 
HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate. These resources need to be planned for. HIPAA mandates will require substantial changes in the policies, processes and administration governing patient specific health information. Similarly, it will require updates of all information systems that use or collect patient data, and will require the introduction of new features and functions. Implementing HIPAA will improve security of healthcare information. Patient privacy and the security of all medical records will be more routinely assured. Information systems will have an improved general resistance to operational disruptions. It may be useful to consolidate off-network medical record information to a secure network. Because HIPAA covers all healthcare organizations, implementation itself is substantially a non-competitive issue. Coordinating and co-implementing HIPAA mandated changes among providers, payers, and IT vendors (especially in claims management) will minimize the cost, confusion and disruption involved in the transition. Preemption- HIPAA Regulations to serve as a FLOOR. State and Federal Law intersection requires careful legal evaluation. 
  3. We will answer these important questions: WHAT IS HIPAA? WHO DOES IT AFFECT? WHAT ARE SOME IMPACTS OF HIPAA? WHEN WILL IT HAPPEN? WHAT IS CMH DOING? WHAT IS YOUR ROLE? We’ll end our session with questions and answers.
  4. HIPAA was designed by the industry and government in collaboration to achieve administrative simplification. Standardization of identifiers, code sets, data transaction formats, and the issues addressed in security and privacy are motivated by administrative simplification and the potential for cost savings. Investments will be required to achieve this standardization and for those who fail to comply there is the possibility of significant fines and jail time. The key strategic decision for all Covered Entities at this time is to decide whether HIPAA will be addressed as a compliance program only, or the organization will also attempt to identify and take advantage of the potential benefits. (Source: hipaainfo.net) HIPAA implementation will be a multi-year, large cost, institution-wide effort that will be required by Federal law, Federal regulation, and related regulatory and accreditation bodies within the next 2-4 years. Failure to implement HIPAA will result in significant monetary penalties. The consequences of knowingly disclosing individually identifiable patient information are criminal penalties. Implementing HIPAA will affect how healthcare entities organize and staff to achieve and monitor implementation with patient privacy/confidentiality needs. HIPAA implementation is better focused as a business issue than as an Information Technology issue, although IT will play a major role in creating compliant systems. HIPAA will affect how independent providers deal with managing both electronic transactions (claims, referrals, remittance) and medical records. Large and medium sized organizations will need executive sponsorship and dedicated resources to lead the HIPAA implementation effort. Implementation-related activities may compete with other major projects. HIPAA's requirements may cause significant changes in process, organization, and/or staffing in the area of claims management. 
HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate. These resources need to be planned for. HIPAA mandates will require substantial changes in the policies, processes and administration governing patient specific health information. Similarly, it will require updates of all information systems that use or collect patient data, and will require the introduction of new features and functions. Implementing HIPAA will improve security of healthcare information. Patient privacy and the security of all medical records will be more routinely assured. Information systems will have an improved general resistance to operational disruptions. It may be useful to consolidate off-network medical record information to a secure network. Because HIPAA covers all healthcare organizations, implementation itself is substantially a non-competitive issue. Coordinating and co-implementing HIPAA mandated changes among providers, payers, and IT vendors (especially in claims management) will minimize the cost, confusion and disruption involved in the transition. Preemption - HIPAA Regulations to serve as a FLOOR. State and Federal Law intersection requires careful legal evaluation. 
  5. Its main purpose is to make sure that Protected Health Information (PHI) is properly handled. HIPAA tells us how we must process and protect our patient and member information. It also says that if we transmit PHI electronically, we must do it in a standard way. Future rules will include how we must handle the physical and electronic security of PHI. Under HIPAA patients and members have new rights that we must inform them about.
  6. Ask for a show of hands for each organization listed. Point: There probably is no one here who is not affected by HIPAA
  7. Privacy practices Ref. Access to health information: Patients have the right to receive a copy or inspect much of the PHI we retain. A patient will be required to submit a signed written request in order to receive a copy. Amendments: Patients may request an amendment to their PHI by requesting and filling out a form from the CMH Privacy Officer. Accounting of Disclosures: Patients may request that we provide them with an accounting of the disclosures of PHI made by us unrelated to TPO. The request must be submitted on a form that is available from the CMH Privacy Officer. Confidential Communications: Patients may request that we limit the release of PHI. Again, the request must be submitted on a form that is available from the CMH Privacy Officer. It will be up to us to decide whether to agree to the restriction. Patients will receive a paper copy of the notice and will be required to sign an acknowledgement of receipt.
  8. The 'final' revisions to Privacy Regulations were released on Friday, August 9, 2002. These revisions were recorded in the Federal Register on August 14, 2002. The final Security regulations are also due “soon.” Senator Kennedy and others will introduce new legislation to replace the pieces removed from the just released 'final' Privacy regulations. Privacy Standards (Final): The Privacy Rule, effective April 14, 2001, requires compliance by April 14, 2003 for most covered entities. Small health plans have an additional 12 months in which to comply.
  9. EDI mainly through vendors
  10. The security standards in HIPAA address administrative procedures, physical safeguards, technical security services, and technical security mechanisms to guard data integrity, confidentiality, and availability. Small to mid-size physician practices have the flexibility to choose security strategies appropriate for their size and available resources. This scalability provision is addressed in the HIPAA Security NPRM (Notices of Proposed Rule Making).
  11. Scenario is presented on the screen. “Participants” are polled for an indication of their choices. Presenter asks for evidence for each possible response. Most correct response is revealed. Example: Correct answer is Yes. 164.520 (a) Standard: Notice of Privacy Practices. 164.520 (b) Implementation Specifications: Content of Notice. 164.520 (c) Implementation Specifications: Provision of Notice.
  12. Correct answer is E. 164.520 (a) Standard: Notice of Privacy Practices 164.520 (b) Implementation Specifications: Content of Notice 164.520 (c) Implementation Specifications: Provision of Notice
  13. Even if this person is seen when the healthcare worker is not on duty, it would be prudent not to reveal this information. The law is directed toward EDI, but common courtesy should prevail. Strictly speaking, this would most likely not be a violation under HIPAA.
  14. 164.502(g) Uses and Disclosures of Protected Health Information to Personal Representatives
  15. 164.502(b) Minimum Necessary. 164.514(d) Minimum Necessary Requirements.
  16. 164.502(h) Confidential Communications 164.522(b) Confidential Communications Requirements
  17. 164.528 (a) -- Right to Accounting of Disclosures of Protected Health Information. NO. The patient is entitled to a written report of accounting of disclosures. HIPAA includes requirements on what information must be included for disclosures. CMH should provide a patient with a list of times confidential healthcare information had been released over the last six (6) years. The organization does not have to comply with this policy if the information was: used to provide patient care, payment for services or healthcare operations; provided to the patient; provided to family members or friends involved in patient care; used for the organization’s directory; provided to employees responsible for the patient’s care; provided to national security or intelligence; or provided to correctional facilities or law enforcement officials. When a patient makes an accounting request, you should contact all business associates to whom we have disclosed the patient’s PHI and have them give an accounting of the disclosures they have made regarding that patient’s PHI. The organization must provide the patient with the first request for a list in any 12-month period with no charge. The organization may charge the patient a reasonable, cost-based fee for each future request within the 12-month period provided that the organization informs the patient in advance of the fee and offers the patient the chance to withdraw or modify the request to avoid or reduce the fee. The organization must document the patient’s request for a list, a copy of the information provided to the patient and the titles of the persons or offices responsible for receiving and processing the request by the patient. This documentation must be retained for six (6) years from the date of the last accounting request.