2. Objectives
• Discuss compliance regulations relating to patient privacy and
confidentiality
• Identify HIPAA violations and disciplinary actions
• Identify ways to prevent HIPAA violations
3. • HIPAA is a broad law dealing with the privacy and security of health
information:
• The Privacy Rule tells hospitals and physicians when and how patient
health information can be used or disclosed
• The Security Rule tells hospitals and physicians how to protect health
information from being inappropriately accessed, edited, or destroyed.
3
11/9/2009 3
4. HIPAA is the conscious effort by all Healthcare workers to keep private all information concerning:
• Patients
• Customers
• Families
• Employees
See how many violations you spot in this YouTube video:
http://www.youtube.com/watch?v=4N5dvGpVUGE&feature=share&list=UL4N5dvGpVUGE
5. Confidentiality includes?
• The person’s identity
• Physical condition
• Psychological condition
• Emotional status
• Financial situation
• Confidential business information
• Any other personal or private information
6. Who are HIPAA officers?
• HIPAA security officer
– Risk Manager: Tina Welch
– Ext. 1234
*Always check with your supervisor if confidentiality questions arise
7. Need to Know
• If you do not need to know confidential information to provide
care (clinical or financial)
– You are not permitted to access it
– This includes your own information
8. Disciplinary Actions for Violations of HIPAA Policies
• Disciplinary action depends on the violation and previous
violations
• Examples
– Not signing off computer with Protected Health Information (PHI)
when leaving a work area.
– Inadvertent disclosure of PHI to the wrong patient
– Failure to follow appropriate guidelines for the use of fax, mailing, E-mail, computer or other transmission of patient information, causing a disclosure to an unintended recipient.
9. Disciplinary Actions for Violations of HIPAA Policies
• Examples
– Sharing your password with a co-worker
– Unauthorized access of information on a patient you have no job-related responsibility for
• This includes friends, family, co-workers, celebrities, and your own information
10. Types of Risk
• Nosy!
– A co-worker accesses information
• The only reason was curiosity regarding:
– Co-worker who is a patient
– Physician who is a patient
– Neighbor who is a patient
– Celebrity who is a patient
There is zero tolerance for workers who access patient information without authorization!
11. Actions that could cause a HIPAA violation
• Taking pictures of any patient’s image, body part or X-ray with a personal cell phone camera
• Unauthorized access of sensitive health information
– Examples: HIV status, abuse
• Sharing or stealing passwords for the computer systems
• Not verifying who you disclose patient information to (financial or clinical) and not confirming that the person requesting the information is authorized to receive it
12. You can protect patient privacy
• Respect the patient’s information and condition the
same way you would expect others to respect and care for yours
• Close treatment room doors or use privacy curtains when
discussing the care of a patient.
• Ensure that medical records are not left where others can see or
gain access to them
• Keep laboratory, radiology and other test results private
• Keep computer screens containing PHI away from individuals not
involved in direct care
13. Destruction of paper containing patient information
• Shred all patient information when it is to be discarded
– Do not place anything with a patient’s name or identifiers in the regular trash, for example:
• Patient name bands
• Telemetry strips
• What about IV bags with med labels?
– If you can, peel off the label.
– The label must be shredded or blacked out with a marker
14. Identification
• All employees should question visitors or other persons who are
in restricted areas.
• Vendors and contractors will be wearing their company ID in
addition to hospital identification noting that they have
permission to be in the building
• All employees, volunteers, students and other workforce
members must wear their identification badges
15. Monitoring Controls
• Audit trails will document who was where in our systems and what the associate was accessing
• Performed by our HIPAA Officers
• Your User ID will link to every item opened, read or printed
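The slide describes the mechanism (every open, read or print is tied to a User ID) but not how an officer turns those records into findings. The following is an added example written for this page, not code from the training deck or the hospital's own systems. It reads a constructed audit trail in CSV form, compares each access against a constructed care-team roster (who has a clinical or financial reason to see each record), and flags the cases the earlier slides call out: accessing your own record, accessing a patient with no job-related relationship, and emergency accesses that need a follow-up review because the deck lists emergencies as an exception to normal consent rules. The column names, the `CARE_TEAM` and `EMPLOYEE_PATIENT_IDS` tables, and every user and patient ID are assumptions constructed for the example.

```python
"""Need-to-know review of a sample audit trail.

Added example, not part of the HIPAA training deck. All IDs, roster entries,
and log lines below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    action: str      # open / read / print, as the audit trail records them
    context: str     # treatment, billing, emergency, or empty when none given


@dataclass(frozen=True)
class Finding:
    event: AuditEvent
    category: str    # self-access, no-care-relationship, emergency-review


# Constructed roster: workforce members with a job-related reason (clinical
# or financial) to see each patient's record. In practice this comes from
# the scheduling, admission and billing systems.
CARE_TEAM: Dict[str, Set[str]] = {
    "p5001": {"u1001", "u1002"},
    "p5002": {"u1001"},
    "p5003": {"u1002"},
}

# Constructed mapping of workforce members who are also patients here.
EMPLOYEE_PATIENT_IDS: Dict[str, str] = {"u1003": "p5003"}

# Constructed sample audit trail (CSV): timestamp,user,patient,action,context
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,patient_id,action,context
2009-11-09T08:02:11,u1001,p5001,open,treatment
2009-11-09T08:05:40,u1001,p5001,print,treatment
2009-11-09T09:30:12,u1002,p5002,read,
2009-11-09T12:16:20,u1003,p5003,open,
2009-11-09T13:01:00,u1004,p5001,read,emergency
2009-11-09T13:02:00,u1002,p5003,read,billing
"""


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse the CSV audit trail into AuditEvent records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        AuditEvent(r["timestamp"], r["user_id"], r["patient_id"],
                   r["action"], r["context"].strip())
        for r in reader
    ]


def review_access(events: List[AuditEvent],
                  care_team: Dict[str, Set[str]],
                  employee_patient_ids: Dict[str, str]) -> List[Finding]:
    """Flag every access that lacks a job-related justification.

    Order of checks: looking up your own record is flagged even if you are
    on the care team; then the roster is consulted; an emergency access by
    someone not on the roster is routed to review rather than treated as
    routine, because emergencies are a documented exception.
    """
    findings: List[Finding] = []
    for ev in events:
        if employee_patient_ids.get(ev.user_id) == ev.patient_id:
            findings.append(Finding(ev, "self-access"))
            continue
        if ev.user_id in care_team.get(ev.patient_id, set()):
            continue  # job-related access, nothing to report
        if ev.context == "emergency":
            findings.append(Finding(ev, "emergency-review"))
        else:
            findings.append(Finding(ev, "no-care-relationship"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the officer's report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access(parse_audit_log(SAMPLE_AUDIT_LOG),
                          CARE_TEAM, EMPLOYEE_PATIENT_IDS)
    for f in found:
        e = f.event
        print(f"{e.timestamp} {e.user_id} -> {e.patient_id} ({e.action}): {f.category}")
    print(summarize(found))
```

Running it on the constructed log yields three findings: one access with no care relationship, one self-access, and one emergency access queued for review; the two treatment accesses and the billing access by a roster member are not reported. The roster lookup is the whole point: the audit trail alone records who opened what, and it is the comparison against who was allowed to that turns it into a need-to-know check.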
16. • Types of information that you are not permitted to
access, acquire, use or disclose without authorization
from the patient include:
– Medical information
– Name, address, phone number
– Social Security Number, date of birth
– Photo of any part of the patient’s body, including X-ray images,
whether or not they contain the patient’s name
– Any information or data that could be used to identify the
patient
17. HIPAA enforcement actions
• If you are found to be responsible for any type of HIPAA violation that the State Attorney General believes has threatened or in some way harmed a patient who is a resident of your State, you can be held responsible for your actions
• The State Attorney General can bring a civil action in federal court
• Federal Law imposes a maximum fine of $10,000 for each offense of breaching confidentiality
18. Reporting HIPAA violations
• We expect all employees to adhere to the HIPAA policies
• Report violations to your Privacy Officer
– Tina Welch, ext. 1234
– You may report anonymously, if you wish
– Compliance Helpline: 1-888-462-0380
• You will not be retaliated against if you report a privacy
violation
• It is your job to report instances where you suspect policies
are being broken
19. Notification to Patients
• Federal law now requires us to tell patients if someone
has obtained their protected information
• We must also notify patients any time their protected
health information was inappropriately disclosed outside
of the facility
• We are required to notify the patient in writing and to report all breaches to the Federal Government.
20. HIPAA
• Never discuss Protected Health Information where others can hear you, such as in hallways, lunch rooms, or elevators
• You are obligated to protect patient/customer privacy and
any other confidential information when you see or hear a
breach occurring by reporting this to someone who can
advocate for the patient/customer
• This includes unauthorized use, duplication, disclosure, or
dissemination of Protected Health Information.
21. • Your responsibility doesn’t end on your shift
• Don’t divulge patient/customer or employee information at
your church, school, college, home, the shopping mall, or in
other social settings
22. There is an exception for every rule
• Certain situations allow disclosure without prior written consent.
– For example…
• Medical emergencies
• Reporting communicable disease information to the health department
• Reporting child or elderly/vulnerable adult abuse
• For litigation activities
• Always check with your supervisor if you’re not sure
23. Confidentiality Agreement
• I understand that confidential information specifically includes, but is not limited to, patient and proprietary business information, whether written, verbal, or computerized (including passwords)
• I also acknowledge and agree that any disclosure of,
unauthorized use of, or access to confidential information will
cause irreparable harm and loss to the Health System. As a
result, I expressly agree to treat all confidential information in
strict confidence and to undertake the following obligations
with respect to confidential information
• Date________________ Name___________________