2. What is the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA is a federal law enacted in 1996 and enforced by the HHS Office for Civil Rights (OCR). It protects the privacy of individually identifiable health information.
3. HIPAA RULES: The Privacy Rule
Provides standards to protect patients' medical records and other personal health information.
Sets limits on uses and disclosures.
Gives patients rights over their health information.
4. HIPAA RULES: The Security Rule
Establishes standards to protect patients' electronic protected health information that is created, received, used, or maintained by a health plan, healthcare clearinghouse, or healthcare provider. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. (Health Information Privacy 2007)
5. HIPAA RULES: The Breach Notification Rule
Requires HIPAA covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates to provide notification following a breach of unsecured protected health information.
7. Information System
Protection of information against threats to its integrity, against inadvertent disclosure, and against loss of availability.
Information systems can improve protection for client information in some ways and endanger it in others.
The electronic medical record cannot easily be viewed by anyone who does not have an access code. (Hebda & Czar 2013, p. 235)
8. Consent
The process by which an individual authorizes healthcare personnel to
process his or her information based on an informed understanding of
how this information will be used.
When obtaining consent the patient should be made aware of any risks to privacy.
HIPAA provides for a consent form for the release of health-related information that is intended to protect a patient's privacy.
The consent form is based on rules and restrictions on who may see, or be notified of, a patient's protected health information.
9. What would you do?
You are the nurse for an elderly confused patient. The patient is becoming increasingly confused and keeps asking for her son Larry. You access her medical records and find that Larry is not the patient's health care proxy but is listed as one of the patient's contacts.
You are the nurse for an intubated comatose patient. A woman comes to visit the patient stating she is the patient's sister. You access the patient's records; there is no information about the patient having a sister.
A family member calls and states he is the patient's health care proxy and would like information on the patient. You have never met him, but his name matches the one on the patient's record.
10. System Security
HIPAA protects the security and privacy of all protected health information (PHI), which refers to medical records and other health information used or stored in any form. This includes communication that is written, verbal, electronic, or non-electronic.
11. System Security Compliance
This includes computer screens, whiteboards, phone conversations, waste baskets, patient charts, smartphones, conversations in elevators, and many more.
Compliance with HIPAA is about
people, policies and procedures that
make good sense. Remember that it is
always about what is best for the
patient.
12. The Minimum Necessary Rule
In accordance with the federal HIPAA law, information may be shared with other health care providers for the purpose of TPO:
Treatment
Payment
Healthcare operations
Patient information should only be accessed, used, or disclosed in the amount that is the MINIMUM NECESSARY for an individual to perform his or her duties. For example: the lab does not need to know the admitting diagnosis to run a hepatitis screen on a patient's blood.
13. Breaches in Security
According to American Medical News, 94% of facilities suffered a security breach in the last two years, leaving thousands of Americans at risk of medical identity theft.
An entity regulated by HIPAA must have reasonable administrative, technical, and physical safeguards to protect against intentional or unintentional disclosure of protected health information. This may include shredding documents when they are disposed of and keeping electronic documents under password or key-code protection.
Entities must have policies and procedures in place to keep employees from inadvertently sharing private information, such as closing computer screens before leaving the area and turning computer screens away from areas where they may be viewed by a family member.
14. Small Scale Snooping
According to a survey by Veriphyr, the majority of HIPAA violations and security breaches are due to insiders who snoop into the medical records of their coworkers or relatives, or who look up their own medical record.
In this instance the facility must have policies and procedures in place to ensure all employees understand the electronic access needed to perform their job, and sanctions in place if inappropriate access is discovered. Inappropriate access is only discoverable if the system records who opened which record and someone reviews that audit trail.
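The review described above can be automated over the audit trail. The following Python is an added example, not code from the original slides or from any named vendor: it reads constructed audit-log lines (the log format, the care-team table and the employee-to-MRN mapping are all assumptions chosen for illustration) and flags the three patterns the survey names, namely a user opening their own record, a coworker's record, or any record of a patient they have no documented treatment relationship with.

```python
"""Audit-trail review for insider snooping (added example, not from the slides).

Assumed inputs:
  * an audit log with one access event per line: timestamp,user,role,mrn,action
  * a care-team table mapping each user to the patient MRNs they are assigned to
  * a mapping of employees who are also patients here to their own MRN
Every name and record below is constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Mapping, Set

# Constructed sample audit log (assumed format).
SAMPLE_LOG = """\
timestamp,user,role,mrn,action
2014-02-01T08:02:11,jdoe,RN,100234,view_chart
2014-02-01T08:05:40,jdoe,RN,100777,view_chart
2014-02-01T09:15:02,msmith,CNA,100234,view_vitals
2014-02-01T12:30:55,msmith,CNA,100999,view_chart
2014-02-01T13:01:13,rlee,RN,100555,view_chart
2014-02-01T14:20:00,rlee,RN,100777,view_chart
"""

# Constructed care-team table: user -> MRNs of patients assigned to that user.
CARE_TEAM: Dict[str, Set[str]] = {
    "jdoe": {"100234", "100555"},
    "msmith": {"100234"},
    "rlee": {"100555"},
}

# Constructed mapping of employees who are also patients: user -> own MRN.
EMPLOYEE_MRN: Dict[str, str] = {"jdoe": "100777"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    mrn: str
    reason: str


def review_audit_trail(log_text: str,
                       care_team: Mapping[str, Set[str]],
                       employee_mrn: Mapping[str, str]) -> List[Finding]:
    """Return one Finding per access that needs human follow-up.

    Order of checks matters: self-access is reported as such even if the
    user happens to be on their own care team; an access by a user with a
    documented treatment relationship is never flagged.
    """
    employee_records = set(employee_mrn.values())
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, mrn = row["user"], row["mrn"]
        if employee_mrn.get(user) == mrn:
            reason = "self-access"
        elif mrn in care_team.get(user, set()):
            continue  # documented treatment relationship: legitimate
        elif mrn in employee_records:
            reason = "coworker's record, no treatment relationship"
        else:
            reason = "no treatment relationship"
        findings.append(Finding(row["timestamp"], user, mrn, reason))
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_LOG, CARE_TEAM, EMPLOYEE_MRN):
        print(f"{f.timestamp} {f.user:<8} MRN {f.mrn}: {f.reason}")
```

In a real deployment the care-team table would come from the scheduling or order-entry system, and a documented emergency ("break the glass") access would be a fourth category to review rather than a reason to suppress the finding.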
15. Penalties for violations of HIPAA
The American Recovery and Reinvestment Act of 2009 (through its HITECH provisions) established the current civil penalties for violations of HIPAA.
The penalties for HIPAA violations have a tiered structure based on the nature and extent of the violation.
The Secretary of the Department of Health and Human Services has the discretion to determine the amount of the penalty based on the nature of the violation and the resulting harm.
The Secretary is prohibited from imposing a civil penalty if the violation is corrected within 30 days, except in cases of willful neglect.
17. Case Study
An Arkansas LPN may face up to 10 years in prison and/or a $250,000 fine.
Smith pleaded guilty to wrongfully disclosing individually identifiable health information for personal gain and malicious harm.
According to the Associated Press, the nurse obtained private medical information on a patient while working at a clinic in Arkansas.
She then shared the information with her husband, who contacted the patient and threatened to use the information against him in a court proceeding the two were involved in.
The patient contacted the state attorney's office, and charges were filed against the nurse and her husband.
18. Case Study
An HIV-positive patient relocating to another city asks his existing physician to fax his medical records to his new doctor.
The busy office manager mistakenly faxed the records to the patient's new employer. The fax did not have a cover sheet indicating that the content was confidential.
The patient was very upset that his new employer had private information about his health. He contacted the US Department of Health and Human Services, which referred the case to the Office for Civil Rights (OCR).
The physician's office was investigated and the staff underwent voluntary HIPAA privacy training.
20. Policy and Procedure
Administrative: responsible for creating and managing an infrastructure which protects client privacy and confidentiality. This involves:
Developing a plan
Policies and a designated structure for implementation
User access levels
An adequate budget
21. Administration – Centralized Security Function
Comprehensive Security Plan
Accurate and complete information
Information asset ownership and sensitivity classifications
Identification of a comprehensive security program
Information security training and user support
Awareness program
22. Administration – Centralized Security Function
The infrastructure consists of:
Comprehensive Security Plan: defines security responsibilities for each level of personnel, as well as a timeline for the development and implementation of policies, procedures, and physical infrastructure.
Accurate and Complete Information: policies should be published online for easy access, with email notification to employees as new policies arise.
23. Administration – Centralized Security Function
Information asset ownership and sensitivity classifications
Ownership: who is responsible for the information, including its security.
Sensitivity classification: a determination of how damaging an item of information might be if it were disclosed inappropriately. This determines what information should be encrypted.
Identification of a comprehensive security program:
A security plan can avert and minimize threats by identifying responsibility for:
Information integrity
Privacy
Confidentiality
24. Administration – Centralized Security Function
Information security training and user support: an important component in fostering a proper system is incorporating education and proper training.
Awareness program: reminds users of the need to protect information.
25. Level of Access
Access is strictly granted on a need-to-know basis.
Access limitation: depending on personnel level, or "user classification", only certain areas of the system are accessible.
Example: a nursing assistant would only have access to the documentation of hygiene, dietary intake, vital signs, and intake and output, but no other area of the patient's record.
User authentication: the user is authenticated through passwords, smartcards, fingerprints, or voice recognition; a third-party authentication system such as Kerberos or SESAME can also be used.
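The nursing-assistant example above is a role-based, default-deny access limitation, and it is also how the Minimum Necessary Rule gets enforced in software. The following Python is an added example, not code from the original slides: it maps a user classification to the chart sections that classification may read and refuses everything else. The role names, the chart sections and the sample chart are assumptions chosen for illustration; a real system would take the role from the authenticated session rather than as a plain argument.

```python
"""Role-based access limitation for a patient chart (added example, not from the slides).

Assumed role names and chart sections; anything not explicitly granted is
denied, so an unknown role or a newly added chart section is never readable
by accident.
"""
from typing import Dict, List, Mapping, Set

# Assumed classification -> chart sections that classification needs for its duties.
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "nursing_assistant": {"hygiene", "diet", "vitals", "intake_output"},
    "registered_nurse": {"hygiene", "diet", "vitals", "intake_output",
                         "diagnosis", "medications", "lab_results"},
    # The lab runs the ordered test; it does not need the admitting diagnosis.
    "lab_technician": {"lab_orders", "lab_results"},
    "billing_clerk": {"demographics", "billing"},
}

# Constructed sample chart for one patient.
SAMPLE_CHART: Dict[str, object] = {
    "demographics": {"name": "J. Example", "dob": "1950-01-01"},
    "hygiene": "bathed 07:30",
    "diet": "cardiac, 1800 kcal",
    "vitals": {"bp": "128/82", "hr": 76},
    "intake_output": {"in_ml": 1200, "out_ml": 900},
    "diagnosis": "admitting dx: community-acquired pneumonia",
    "medications": ["amoxicillin 500 mg"],
    "lab_orders": ["hepatitis panel"],
    "lab_results": {"hepatitis panel": "pending"},
    "billing": {"insurer": "ExampleCare"},
}


def can_access(role: str, section: str) -> bool:
    """Default deny: unknown roles and unlisted sections are refused."""
    return section in ROLE_SECTIONS.get(role, set())


def minimum_necessary_view(role: str, chart: Mapping[str, object]) -> Dict[str, object]:
    """Return only the chart sections the role is permitted to see."""
    return {section: value for section, value in chart.items() if can_access(role, section)}


def read_section(user: str, role: str, section: str,
                 chart: Mapping[str, object], audit: List[str]) -> object:
    """Read one section, recording the attempt in the audit trail either way.

    Denials are logged too: a pattern of refused reads is exactly what an
    audit review wants to see.
    """
    allowed = can_access(role, section)
    audit.append(f"user={user} role={role} section={section} "
                 f"{'ALLOW' if allowed else 'DENY'}")
    if not allowed:
        raise PermissionError(f"{role} may not read {section}")
    return chart[section]


if __name__ == "__main__":
    trail: List[str] = []
    print(read_section("msmith", "nursing_assistant", "vitals", SAMPLE_CHART, trail))
    try:
        read_section("msmith", "nursing_assistant", "diagnosis", SAMPLE_CHART, trail)
    except PermissionError as exc:
        print("denied:", exc)
    print("\n".join(trail))
```

Keeping the permission table as data rather than scattering `if role == ...` checks through the application makes the table itself something that can be reviewed against the "need-to-know" policy, and makes a new chart section unreadable until someone deliberately grants it.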
26. Personnel Issues
Policies and procedures must be established and communicated to all personnel who handle information.
Key elements include:
Information ethics training, including:
Audit trails: records of information-system (personnel) activity.
Acceptable computer use: includes authorized access and only authorized, legal copies of software.
Collect only required data: limiting the collection of information to what is needed.
Encourage client review of the file for accuracy and error correction: ensuring accuracy.
Establish controls for the use of information after hours and off-site: a policy limiting access to patient information after hours.
27. Personnel Issues
Key elements include:
Access control
System monitoring
Data Entry
Backup procedures
Responsibilities for the use of information on mobile devices
Exchange of client information
29. HIPAA Education for Employees
Institutions should:
Administer a HIPAA policy handbook for new hires with privacy and confidentiality measures.
Have all staff read and sign a confidentiality statement, which is to be stored in the employee's file.
Implement required online training modules for all staff to complete.
Require annual mandatory re-training modules.
Offer advanced HIPAA training appropriate to each individual's responsibilities at their institution.
30. HIPAA Education for Patients
It is required by law that all patients receive a Notice of Privacy Practices from a doctor, hospital, or any other health care provider that they see in person.
This form tells patients how the health care provider may use and share their health information and how the patient can exercise their health privacy rights.
It is also required by law that each patient sign a form stating they received a copy of the Notice of Privacy Practices.
The notice must describe:
The ways that the Privacy Rule allows the covered entity to use and disclose protected health information. It must also explain that the entity will get the patient's permission, or authorization, before using their health records for any other reason.
The covered entity's duties to protect health information privacy.
The patient's privacy rights, including the right to complain to Health and Human Services (HHS) and to the covered entity if they believe their privacy rights have been violated.
31. HIPAA Education Starts in the Classroom
HIPAA education and training should
be implemented in the curriculum of all
studies affiliated with the medical field.
Early education allows for full
understanding of privacy and
confidentiality policies prior to entering
the clinical field.
This allows for staff at clinical sites to
act as role models for students and aid
in educating about HIPAA rules and
regulations.
32. Proper Disposal of PHI (Protected Health Information)
Mandated through HIPAA
33. PHI DEFINED
PHI stands for Protected Health Information and is used within HIPAA to describe the type of information that must never be seen by unauthorized individuals.
PHI can come in many forms, whether paper or electronic, and can involve patient demographic information, diagnostic study results, treatment records, billing information, and any other form of information pertaining to the patient's stay at any type of medical institution.
34. Required Proper PHI Disposal
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form.
Improper disposal of PHI can result in civil penalties of up to $1,500,000 (the annual cap for violations of a single provision), as well as an investigation by the State Attorney General and the Department of Health and Human Services (HHS).
Under the HIPAA Privacy Rule, institutions are not authorized to dispose of PHI in any container that could potentially be accessible to the public.
35. Paper PHI Disposal
Paper forms of PHI are to be disposed of through shredding, burning, pulping, or pulverizing.
Once disposed of, the PHI must be rendered unreadable with no possibility of being reconstructed.
Many institutions use secure document disposal receptacles throughout the facility, designated strictly for paper PHI records. A vendor then removes the paper PHI from the receptacles to be properly shredded and disposed of.
36. Electronic and Pharmaceutical PHI Disposal
Electronic Disposal
PHI remains on the hard drives (and other storage media) of the computers that handled it, so deleting a file or record is not disposal. To properly dispose of electronic PHI, the media must be:
Cleared, using software that overwrites the recorded data;
Purged, for example by degaussing, which disrupts the recorded magnetic domains; or
Physically destroyed, so that no stored material can be recovered.
Labeled Medication Disposal
Dispensed pharmaceuticals are labeled with patient demographic information and must be properly disposed of.
Most institutions use opaque bags to store discarded labeled medication. Vendors then take the bags from the facility and properly dispose of the labeled medications without breaching privacy regulations.
37. Ensure Proper Disposing
Proper HIPAA education of all staff is
very important to ensure privacy and
confidentiality regulations are being
followed. In order to be sure all staff
are up to date on HIPAA regulations it
is important to re-educate annually.
Patients should be educated on their
rights as well and should always
receive a Notice of Privacy Practices
upon admission. Educating all staff
(including students) will ensure proper
handling and disposing of all PHI
information.
39. References
PHI Disposal. (2011). Welcome to Proper PHI Disposal. Retrieved from http://www.properphidisposal.net/
University of California. (2008). Privacy training: HIPAA checklist for new hires, UCSF staff employees/postdocs. Retrieved from http://hipaa.ucsf.edu/education/staff/default.html
U.S. Department of Health and Human Services. (2009). Frequently asked questions about the disposal of protected health information. The HIPAA Privacy and Security Rule. Retrieved from www.hhs.gov/ocr/.../disposalfaqs.pdf
Wimberley, P., Isaacson, J., & Walden, D. (2005). HIPAA and nursing education: How to teach in a paranoid health care environment. Journal of Nursing Education, 44(11), 489-492.
Hebda, T., & Czar, P. (2013). Handbook of informatics for nurses and healthcare professionals. Upper Saddle River, NJ.
U.S. Department of Health and Human Services. (2010, July). Retrieved from http://www.hrsa.gov
American Medical Association. (2014). HIPAA violations and enforcement. Retrieved February 2, 2014, from http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
Associated Press. (2008, April 17). Nurse admits to privacy violation in HIPAA case. Modern Healthcare. Retrieved February 1, 2014, from http://www.modernhealthcare.com/article/20080417/NEWS/621626204
Gungor, F. (2013, June 9). 10 examples of HIPAA violations. Retrieved January 31, 2014, from http://www.onesourcedoc.com/blog/bid/95168/10-Examples-of-HIPAA-Violations
U.S. Department of Health and Human Services, Office for Civil Rights. (2003). Privacy brief [Brochure]. Retrieved February 2, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
Latner, A. (2013, June). Fax sent to wrong number results in HIPAA violation. Renal and Urology News. Retrieved February 2, 2014, from http://www.renalandurologynews.com/fax-sent-to-wrong-number-results-in-hipaa-violation/article/305022/