2. UCLA Hospital HIPAA Training
HIPAA compliance at UCLA Hospital requires a great deal of training and education for staff. Staff should be aware of the rules and of the possible penalties for violating policy. A training session similar to the following should benefit the organization: first through education, then through awareness of the penalties, and finally through follow-up on what has been learned.
3. Privacy Rule
The Privacy Rule was established to protect individuals' medical records and personal health information (PHI) (HHS, 2011).
4. Breach
A "breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual" (HHS, 2011).
Exceptions:
- Unintentional acquisition, access, or use of PHI by an employee or by individuals acting under the authority of the covered entity or "Business Associate."
- Inadvertent disclosures between authorized persons at the covered entity or "Business Associate."
- Unauthorized disclosures in which the unauthorized person would not reasonably have been able to retain the information. (HHS, 2011)
5. Breach Notification Rule
It is everyone's responsibility to report violations and protect our patients! Prevention is the goal.
- In the case of a breach, the breach must be reported to the assigned Privacy Official immediately.
- Individuals whose information was involved in the breach must be notified in written form via first-class mail within 60 days (HHS, 2011).
- The Department of Health and Human Services must be notified of all breaches annually (HHS, 2011).
- Breaches involving more than 500 individuals require notification of prominent local media (HHS, 2011).
6. Penalties
This organization has a zero-tolerance policy for breaches; penalties up to and including termination of employment are strictly enforced. In addition to company policy, the organization and the individual may be subject to civil and criminal penalties as follows:
- $100 to $50,000 per violation.
- $25,000 to $1.5 million if several similar violations occur in a calendar year.
Penalties are applied using a tiered approach:
- The person did not know, or would not have known, about the violation: $100 per violation.
- Violation due to reasonable cause and not to willful neglect: $1,000 per violation.
- Violation due to willful neglect that was corrected: $10,000 per violation.
- Violation due to willful neglect that was not corrected: $50,000 per violation. (HHS, 2011)
7. Scenario
While scrolling through a patient roster to find the name of the next patient, you come across the name of the state's governor. The name sparks your interest. Is it appropriate to open the record to see why this individual is being seen, or to confirm that it is indeed the governor coming into your local office?
Answer: No. You should proceed through the roster and acquire only the data necessary to perform your job function.
8. Scenario
A co-worker tells you that they saw a prominent movie star in the clinic yesterday as a patient. The co-worker perused the medical record, and the patient apparently presented with signs of a disease. What do you do?
- Ask if the patient is OK?
- Tell the co-worker that the information they read in the tabloids should be passed on to the patient's provider, since it may help in treatment.
- Report the confidentiality breach to the Privacy Officer immediately. (correct answer)
9. References
U.S. Department of Health and Human Services (2011). Health Information Privacy. Retrieved September 15, 2011, from http://www.hhs.gov/ocr/privacy/index.html