1. HIPAA – Health Insurance Portability and Accountability Act
- Passed 1996, enforced 2003, updated through the years.
- HITECH – Health Information Technology for Economic and Clinical Health Act – part of the American Recovery and Reinvestment Act of 2009 which gave incentives related to implementing and using electronic health records.
- HITECH widens the scope of privacy and security protections available under the original HIPAA rulings and gives specific guidelines health care providers and health plans must abide with.
2. HITECH provisions:
- Changes to our Notice of Privacy
- Need an authorization for marketing purposes
- Need to notify patients if their PHI has been disclosed inappropriately.
- Document that patients have the right to withhold information from Healthcare Plans if they pay in full for services
- No disclosure of genetic information may be made for insurance underwriting purposes.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, requiring authorization.
- Business Associate agreement changes to make those companies follow HIPAA guidelines as well.
- Changes to the enforcement rules to incorporate increased and tiered civil money penalty structure provided by the HITECH act.
- Breach notification for unsecured protected health information under the HITECH act, replaces the breach notifications rule’s harm threshold with a more objective standard. No longer is it necessary to show a patient experienced harm by the disclosure. Opens the door for litigation when a patients records are released in error, they no longer need to show damage….
- The Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans
- What this means for correspondence when we send records for new insurance applications, we cannot send out patient history forms patients fill out when seeing a new physician or specialist.
- Insurance companies cannot use genetic information or basically family history of certain diseases.
3. Things to remember as you are working:
- No protected health information should be shared or discussed in open areas such as waiting rooms. Lab results, xray reports, diagnosis or referrals should never be discussed outside of an exam room.
- PHI includes patient name, date of birth, social security number along with the actual health information.
- We cannot afford to make a mistake when working with a patient and their privacy. HITECH has taken out the harm clause so if a patient feels their information was disclosed inappropriately; they no longer need to prove they were harmed by it. Civil and criminal charges and fines are extensive and costly. Civil penalties can extend up to $250,000 with repeat or uncorrected violations, extending up to $1.5 million!
- Our email system is not encrypted therefore not considered a secure connection so no patient information should be shared via email. That means within the clinic as well. If you need to share information regarding a patient, we need to use the NextGen tasking function. NextGen tasking is thru a secure network. If you don’t know how to use it, check with a superuser. There is tasking in the EPM side as well as the EHR.
- Blank forms are allowed to be transmitted via email, but completed ones are not.
- If you receive information from outside the clinic regarding patients, ex. work comp or FMLA paperwork, do not email back regarding the patient. Phone calls or fax is the acceptable method.
- If a teacher or other patient representative emails you something regarding a patient, do not reply via email.
- Authenticating callers:
- If a caller asks for information regarding themselves, always verify with date of birth, address, or another piece of information that will verify whom you are speaking to before giving out information.
- If a caller is asking for information regarding another patient, we need to verify the caller has a right to that information, ex. DPR signed giving spouse authority to receive information.
- If the caller claims to be from a law enforcement agency or DSS and there is no way to confirm they are who they claim to be. It is acceptable to ask for a number and call them back or ask for the request in writing on letterhead.
- It is always best to error on the side of caution.
- Leaving messages on phones
- Do not leave PHI on voice mail or answering machines unless a patient has specifically asked you to and that is documented as a request or OK to leave a message.
- Leave a message on voicemail or answering machine asking patient to return a phone call.
- Confirming appointments - ?
4. Logging disclosures of PHI.
- HITECH and HIPAA requires health care providers to keep a log of any disclosures of protected health information. There was a proposed rule that would have required us to keep a log of each disclosure even for payment of a claim! Luckily that did not make it into the final ruling.
- Each time we send medical records to another facility, we need to log that.
- The patient has a right to a listing of disclosures, where his records have been sent or released to. NextGen has a PHI log built into the system. Each time PHI is sent out of YMC/VMC we need to document it.
- PHI Log in the EHR:
- Patient demographics tab at the top of the history bar, near the bottom (3rd from the bottom) is the PHI log.
- Double click to open.
- Double click or right click on the grid to add new.
- Document the reason for disclosure, use the drop down pick list.
- Date the request was made, who requested the disclosure.
- Next section indicates what information is being disclosed.
- Lower section has whom the information is being disclosed to and how, electronic, paper, or other. Medical records staff will indicate in the comments if records mailed, faxed and to what number faxed.
- It is very important to log the disclosures, ex. We fax records to Lewis and Clark Behavioral as a referral. That facility sends our records on to the patients employer which is a hipaa violation if no signed authorization from the patient. The patient is let go from work due to something in his YMC note. Patient wants to know how the employer got those records. Without our record of disclosing to L & C Behavioral, there is no defense that we did not disclose the records inappropriately to the employer.
- Each disclosure of medical records to another facility or entity outside the clinic must be documented. If providers or nurses do not want to take the time to document their disclosures, medical records will log it as long it is clear what information has been disclosed on the fax cover sheet.
- Disability forms do not have to be logged, but the clinic notes, labs, rad reports, etc. do need to be logged.
- The PHI log is a useful tool in seeing if or when records were disclosed.
5. Workstation and computer security
- Lock your computer when not in direct contact with your computer.
- Keep papers and computer secure, if you sit down at a common computer and the last use is still logged in, log them out before logging in with your log in and password.
- Keep your password confidential.
6. Security Committee has been formed and several policies have been documented and procedures will be introduced.
- Risk Analysis and Risk Management, in particular how we can protect patient’s PHI and prevent breaches to our systems and keep patients confidential information safe.
- How Media is destroyed and a log of the destruction; ex hard drives from the computers, and CD’s that have images of protected health information.
- Inventory, computer storage and back up of all the areas PHI is stored:
- EKG Machines
- DR System
- PFT machines
- Auditing of all workforce.
- Audits will look at what records have been accessed and look for trends in access.
- Audits will be done randomly, and the goal will be to audit each staff member each year.
- Audits will also be done as needed when investigating a suspected HIPAA violation.
7. Complaints of possible HIPAA violations will be fielded by the security officer and an investigation will be done with members of the security committee to determine if a violation or breach has occurred.
8. If a patient’s record has been disclosed inappropriately or even accidentally to the wrong facility, we are required to inform the patient and log the disclosure.
9. Breaches of 500 + patients require us to inform state Department of Health and the media!! Ex. Laptop with unencrypted PHI from many many patients was stolen from a parking lot of a restaurant in Minneapolis. That was a costly error and received a lot of media coverage.
10. Confidentiality Agreement
- Disclose Patient Information and/or Confidential Information only if such disclosure complies with our policies and HIPAA and is required for the performance of my job.
- Keep log ins and passwords strictly confidential.
- Do not access or view any information other than what is required to do your job.
- Do not discuss any information pertaining to the clinic or patients in an area where others may hear.
- Do not discuss any clinic or patient information in public areas even if specifics such as a patient’s name are not used.
- Do not make inquiries about any clinic or patient for anyone who does not have proper authorization.
- Do not make any unauthorized transmissions, copies, disclosures, inquiries, modifications, or purging of Patient Information or Confidential Information.
- Once you leave the clinic employment, you must return all clinic property, ex name badge, handbook, etc.
- Obligation under confidentiality agreement continues after you leave the clinic.
- Violation of the confidentiality agreement may result in disciplinary action, up to and including termination, as well as potential personal civil, and criminal legal penalties.
- Confidential Information or Patient Information that is accessed or viewed does not belong to me.
- Sign and date agreement – does not constitute a contract for employment.