Concordia Home Care and Nursing Services LLC Concordia Health Mobile Lab
Participants will be able to:
• Uphold the privacy, confidentiality, and security of patients’ protected information
• Summarize the critical components of the Health Insurance Portability and Accountability Act (HIPAA)
• Define consent and authorization
HIPAA History and Overview
Congress passed HIPAA to require the security, confidentiality, and privacy of every person’s health information. Privacy is about who should and should not have access to health information. Patients have the right to privacy, meaning that information about them should be available only to people who need it to provide care. Confidentiality is about preventing someone from hearing or seeing a person’s private health records and information unless they have the proper authorization.
All health information is confidential. Anyone who possesses protected health information (PHI) is responsible for protecting it. Security is the means used to provide privacy and confidentiality. The purpose of security is to ensure that only those persons having authorization may access PHI. Frontline staff should remember the general HIPAA rule of thumb: the right information, to the right person, for the right reasons.
The American Recovery and Reinvestment Act of 2009 and HITECH
On February 17, 2009, the American Recovery and Reinvestment Act of 2009 became federal law. A subset of that law, called the HITECH Act, enhances and expands the HIPAA Privacy and Security Rules and adds requirements for breach notification. The HITECH Act not only makes privacy regulations more strict, but it gives more power to federal and state authorities to enforce privacy and security protections for patient data, and it raises fines for noncompliance.
The 2013 Omnibus Privacy, Security, Enforcement, and Breach Notification Rule (Omnibus Rule) implements many of the HITECH Act provisions for PHI protection.
Why Do We Need HIPAA?
More and more health information is in the form of electronic data, either instead of or in addition to paper files. We must protect data in any form. Federal laws make sure every state and every provider follows the same rules for privacy, confidentiality, and security.
Who Has to Follow the HIPAA Rules?
The following public and private organizations must follow the HIPAA rules:
• Health plans and health insurance companies, such as health maintenance organizations (HMOs) and preferred provider organizations (PPOs)
• Healthcare clearinghouses, such as billing services
• Healthcare providers, such as doctors, dentists, chiropractors, therapists, hospitals, nursing facilities, clinics, pharmacies, home health agencies, hospices, and long-term care or personal care facilities of any type or size
The HIPAA rules call these organizations covered entities.
What Else Are Covered Entities Required to Do?
Covered entities are required to communicate how HIPAA is implemented to both patients and frontline staff. They must:
• Notify patients about their privacy rights and give a clear, written explanation of how the provider may use and disclose the patient’s health information. This notifies patients of their right to view their own records, obtain copies, have copies sent to another person or organization, request restrictions on how their PHI is used and disclosed, receive confidential communications, receive a report of certain disclosures of their PHI, and request amendments to their information. The privacy notice must also let patients know how to file a complaint with the entity or with the Office for Civil Rights (OCR).
• Adopt written privacy procedures that define who has access to protected information, how the entity will use the information, and when the entity might disclose the information to others.
• Train employees in the privacy procedures.
• Implement safeguards to prevent intentional or accidental misuse of PHI.
• Appoint an individual to make sure that employees follow the privacy procedures.
• Give an accounting of instances where the entity has disclosed PHI for purposes other than treatment, payment, or healthcare operations.
Information Protected Under HIPAA
The privacy protections of HIPAA apply to PHI. PHI is information:
• Created or received by a covered entity or an employer that relates to a person’s past, present, or future health condition, health treatment, or payment for healthcare services
• That could identify an individual, such as name, address, telephone number, date of birth, diagnosis, medical record number, Social Security number, employer, position, or other identifying data
PHI can be in any format: paper, electronic, or oral. The most common example of PHI is the patient record.
Protecting Patient Records
If a provider wants to disclose a person’s PHI for purposes of providing care, the provider needs that person’s consent. These purposes include routine healthcare-related uses of the information, such as when a doctor consults with another doctor in order to provide better care for an individual. If a covered entity wants to disclose a person’s PHI for purposes other than providing care, the covered entity needs that person’s specific authorization. Only authorized personnel should enter confidential medical information into a computer-based patient record. Computer systems should be password-protected to help guard against unauthorized access and use.
What is the difference between consent and authorization?
To give consent, a patient must sign a consent form. The patient needs to sign the consent only one time for each provider. The consent will apply whenever that provider discloses the person’s PHI for purposes of providing healthcare.
Specific authorization is required when a covered entity wants to use or disclose a person’s PHI for purposes not related to providing healthcare. The person must sign an authorization form for each specific instance.
May a person see his or her personal PHI and make changes?
A covered entity must allow a person to view and photocopy his or her PHI if the person submits a request. The organization may charge for copies of these records. In a few special circumstances, such as when a covered entity has compiled information for use in a civil, criminal, or administrative proceeding, that entity does not have to give a person access to his or her PHI.
A covered entity may deny a person access to his or her PHI if it has reason to believe that access would create a risk of danger to that person’s health.
If a person believes that his or her PHI contains information that is incorrect, the person may ask the covered entity to make changes. The covered entity may deny the request if it believes the current information is accurate and complete, or if the entity did not create the information.
Exceptions to the HIPAA Privacy Rule
The HIPAA Privacy Rule permits covered entities to disclose healthcare information without a person’s specific authorization in certain situations, depending upon state or local law, such as:
• Public health needs (such as infectious disease registries)
• Mandatory reporting of child or elder abuse and neglect
• Judicial and administrative proceedings
• When there are substantial communication barriers
If there is no state or local law specifically requiring disclosure of information in the instances listed above, covered entities are required to use “professional judgment” in deciding whether to disclose information and how much to disclose.
Protection of Patient Privacy and Confidentiality
Quality patient care requires communication between care workers. Computers, the internet, emails, and faxes make it easier to share patient records. However, this information is often readily available to anyone who walks by a fax machine or logs on to a computer. Some people fear that the exposure of their PHI could result in job discrimination, personal embarrassment, or the loss or denial of health insurance.
Mobile and Online Considerations
Properly managing your electronic passwords, preventing the spread of viruses, logging off your computer, protecting your tablet and smartphone (if used for care), and being aware of and responsible for any patient information taken or accessed off-site are important ways you can contribute to information security. You should know and understand your agency’s policy on which devices can be used for work and in what manner.
Remember that HIPAA applies to all communication. This includes any and all types of social media: Facebook, Twitter, LinkedIn, Instagram, etc., are not places to share any kind of patient information. This includes both text and pictures.
Before quickly sharing information you might think is innocent on your smartphone at lunch, realize that if you are in any way identifying a patient’s health information, you could find yourself in serious trouble.
Covered entities are required to have a sanctions policy covering employees and other workforce members who violate HIPAA privacy and security regulations. Violating HIPAA’s Privacy, Security, or Breach Notification Rules can result in civil or criminal penalties for an individual or group of individuals, and your agency will also encounter severe consequences.