HIPPA

• HIPAA's main goal is to assure that a person's health information is properly protected - while still allowing the flow of health information needed to provide high-quality healthcare and to protect the public's health and well-being. According to HIPAA, all "Covered Entities" must comply with privacy and security rules. "Covered Entities" include: o 1. Healthcare providers (including doctors, nurses, hospitals, dentists, nursing homes, and pharmacies). Under HIPAA, a healthcare provider is defined as: • Any person or organization that furnishes, bills, or is paid for healthcare services in the normal course of business, and transmits and stores that healthcare information • o A person or organization that engages a third party to process, transmit, and store claims • 2. Health plans (insurance companies) • 3. Healthcare clearinghouses, which are entities that process certain information, such as: • o Billing services o Repricing companies o Community health management information systems As a healthcare worker, you are part of the "healthcare provider" network and therefore are required to comply with HIPAA rules and regulations regarding Protected Health Information (PHI). Workers in dietary, engineering, housekeeping, etc. may have access to PHI and also are required to comply with HIPAA regulations.

WHAT IS PROTECTED HEALTH INFORMATION (PHI)? Protected Health Information (PHI) is: • Individually identifiable health information • Information that is linked to a patient PHI relates to: • A person's past, present, or future physical or mental health or condition • The provision of healthcare to a person • The past, present, or future payment for the provision of healthcare to the person Individually identifiable health information is either: • Health information that specifically identifies a person, or • Information that could reasonably be expected to identify a person, even if that person is not named

• Patient's name • Patient's address • Dates directly related to a person, such as birth date, admission date, discharge date, death date • Telephone number, fax number, email address • Social security number, medical record number, account number • The individual's e-mail, URL, or IP address • Health plan beneficiary number (insurance number) • Certificate/license number • Vehicle identifier and serial number, including license plate number • Biometric identifier, including fingerprints and voice prints • Full-face photographs and any comparable images • Any other unique identifying number, characteristic, or code

• As a healthcare worker, if you are involved in the gathering, storing, and transmission of patient information, you MUST comply with HIPAA. • Failure to follow HIPAA regulations could result in fines for you and/or your employer. • However, PHI can be used and disclosed without a signed or verbal authorization from the patient when it is a necessary part of treatment, payment, or healthcare operations.

1. For treatment 2. For payment 3. For healthcare operations 4. When authorized by the individual 5. When required by law

• Healthcare organizations MUST obtain permission or authorization from a patient for the purpose of marketing, advertising, and other purposes. • Healthcare organizations must establish written privacy policies and procedures regarding protected health information. • Caregivers should refer to their facility's health information policies and procedures regarding the use and disclosure of PHI.

1. Disclosures to or requests by a healthcare provider for treatment purposes (such as communication hand-offs) 2. Disclosures to the patient 3. Uses or disclosures made with a patient's authorization 4. Uses or disclosures required for compliance with HIPAA Rules 5. Disclosures to the U.S. Department of Health and Human Services when disclosure of information is required under HIPAA for enforcement purposes 6. Uses or disclosures that are required by other laws

HIPAA PRIVACY AND SECURITY RULES The Privacy Rule -Under HIPAA, the Privacy Rule protects the privacy of all Protected Health Information (PHI), which is individually identifiable health information that is gathered, stored, or transmitted on paper, orally, or by electronic or any other media.

• Apply to most healthcare providers • Set a federal standard for protecting individually identifiable health information across all mediums (electronic, paper, and oral) • Limit how Covered Entities may use and disclose individually identifiable health information they receive or create • Give individuals rights with respect to their PHI, including: o The right to examine and obtain a copy of information in their medical records o The right to ask Covered Entities to amend their medical record if information is inaccurate or incomplete • Impose administrative requirements for Covered Entities; and establish civil penalties

• All patients MUST receive a healthcare organization's Notice of Privacy Practices. • Patients may give a verbal authorization to provide PHI to family members and friends. • Patients are notified of their rights to complain about an organization's compliance with the Privacy Rule. • Patients have the right to access and amend their own Personal Health Information.

• The Security Rule establishes national standards to protect certain health information that is held or transferred in electronic form. • The Security Rule requires appropriate safeguards to ensure the confidentiality, integrity, and security of electronic Protected Health Information (PHI). • The U.S. Office of Civil Rights, in conjunction with the federal Department of Justice, is responsible for enforcing this rule and imposing criminal penalties of imprisonment and fines for HIPAA violations involving PHI.

• Face-to-face conversations • Telephone or dictated conversations • On unprotected computer hard drives or on copy machines • Via fax transmissions • Through mobile devices, laptops, flash drives, CDs • Via cell phones or PDAs (personal digital assistants that function as electronic organizers) • Through email, text messages, or social media posts • By disposing PHI in the trash • Having unsecured PHI (no data encryption, unsecured networks, unlocked file cabinets) • Through inappropriate access, such as a caregiver accessing the PHI of a patient they are not caring for

• Patients have the right to request, inspect, and receive a copy of their own PHI, including electronic records. • A response to such a request must be made within 30 days. An exception of this would be psychotherapy notes and information that has been gathered in anticipation of civil, criminal, or administrative action. • Patients also have the right to amend their Protected Health Information. An organization can require that these requests are in writing and that the individual explains the reason for the change. • Patients also have a right to know the identities of individuals or agencies that have accessed their PHI for the past six years.

• Protecting public health - such as through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities - often requires access to or the reporting of Protected Health Information. • HIPAA permits Covered Entities to disclose protected health information without authorization for specified public health purposes. There may be more rigorous state laws regarding special circumstances, so it is important for you as a healthcare worker to know about the policies and procedures in place for your organization.

• A HIPAA violation is the use or disclosure of Protected Health Information (PHI) in a way that compromises an individual's right to privacy or security and poses a significant risk of financial, reputational, or other harm. The HIPAA Breach Notification Rule requires Covered Entities to promptly notify the affected person as well as the U.S. Secretary of Health and Human Services of the loss, theft, or certain other impermissible uses or disclosures of PHI. As a healthcare worker, you must report any knowledge of potential or actual violations immediately to your supervisor.

• Is responsible for administering and enforcing the HIPAA Privacy and Security Rules • Conducts associated complaint investigations, compliance reviews, and audits • May impose fines on covered providers for failure to comply with the HIPAA Rules The State Attorney General may also enforce provisions of the HIPAA Rules. Failure to comply with the HIPAA Rules can result in the following civil and criminal penalties:

• Ensure conversations regarding patients, such as hand-off communications, are done in a confidential area. • Avoid discussing a patient's condition in front of other patients, visitors, or family members in a hallway. • Lower your voice when discussing patient information in person and/or over the phone. • Avoid having conversations about patients in public places, such as elevators, public hallways, or the cafeteria. • Ensure that patient-related information is not visible to the public, such as on computer screens. • Sign off of computers when not in use. • Use passwords on desktop and portable media devices, and change them as often as your organization's policy allows. • Never share your password. • Ensure data-encrypted computers are used for Protected Health Information (PHI).

• Avoid sending PHI by email if at all possible. • Do not post patient information or photos on social media (such as Facebook, Twitter, Instagram, etc.). • Use a fax cover sheet when faxing PHI and double-check the fax number to be sure it is correct

HITECH ACT REGARDING ELECTRONIC HEALTH RECORDS • The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created in 2009 to stimulate the adoption of electronic health records (EHR) while addressing the privacy and security of electronically transmitted health information. • An EHR is an electronic version of a patient's medical history and is maintained by the provider. • The EHR is a means to automate access to personal health information and improve clinical workflow processes. The EHR may include clinical data such as: • Demographics • Progress notes • Problems • Medications • Vital signs • Past medical history • Immunizations • Laboratory data • Radiology reports

The HITECH Act requires: • Increased development and use of EHR in the workplace • Increased development and monitoring of EHR security in the workplace; in other words, who is accessing EHR and do they have a "need to know" • Immediate reporting of any and all EHR security breaches • Increased penalties for HIPAA breaches • Periodic audits by the U.S. Department of Health and Human Services • Mandatory penalties imposed for "willful neglect"

Relias