Privacy HIPAA
Division of Public Health

HIPAA
The purpose of HIPAA (Health Insurance Portability & Accountability Act) is to protect the confidentiality, integrity, and availability of an individual’s medical information.

Objective
Enhance your understanding of the HIPAA Privacy Rule.

Hybrid Entity
The Division of Public Health (DPH) is considered to be a hybrid entity. DPH has activities that are covered by HIPAA and other activities that are not.

Privacy
* Privacy - an individual’s right to control access to and disclosure of their medical information.
* Security - an organization’s responsibility to control the means by which such information remains confidential.

General Rule
Public Health Workforce may not use or share sensitive medical information, except as permitted or required by the Privacy Rule.

Permitted sharing of Medical Information
* Reporting of disease, injury, and vital events (e.g., birth or death)
* Conducting Public Health surveillance, investigations and interventions. Example: a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition.

Sharing Information With Persons Not Involved in Care
Shelia, a clinic employee, was in a car accident and brought by ambulance to the emergency department (ED). Her doctors discovered that she is pregnant. Shelia’s co-worker, Becky, found out and called to ask about her condition. Becky was told that Shelia suffered minor bruises but was stable. Did the ED staff follow proper procedures in releasing information to Becky?

No. The ED should have first checked to see if Shelia had requested additional privacy (“opt-out”) and, if not, should have answered only “Shelia is in fair condition.”

Accessing Information
Becky went to the ED, picked up Shelia’s medical chart and read it.
Becky then went to see Shelia and said, “I’m so happy that you and the baby are ok.” Should Becky have read Shelia’s medical chart?

No. Becky was not directly involved in Shelia’s care and she had no business looking at her medical chart.

Sharing Information with Family and Friends
Mary Lou has been admitted to the ED for treatment. She “opted out” of communication with family and friends and stressed that NOTHING about her medical treatment was to be discussed with her parents.

When her parents were unable to learn what was happening with their daughter, Mary Lou’s mother asked her neighbor, Dr. Bill, who is not involved in Mary Lou’s care, to review her medical chart. Dr. Bill reviews her chart and informs her parents that she is being treated for an STD.

Were proper procedures followed when sharing information with Mary Lou’s parents?

No. Mary Lou’s parents needed to be informed by the staff that she “opted out” of sharing information with family and friends. Dr. Bill should not have reviewed Mary Lou’s medical records since he was not directly involved in her care.

Entertainment - Dear Abby
HOSPITALS MUST FOLLOW WISHES OF PATIENTS WHO WANT PRIVACY
Tue Mar 1, 8:00 PM ET
By Abigail Van Buren

DEAR ABBY: I am a nursing supervisor in a large hospital. There is a policy in hospitals that the public does not understand, and it has caused more than a few problems. Because of privacy laws, all patients admitted to the hospital must be asked if they want to be a "privacy patient" or a "no publicity patient." If they answer yes to that question, it means that if anyone calls, or comes to the hospital, we cannot even acknowledge that the patient is here. We must say, "I don't have a patient listed by that name." Not surprisingly, this often upsets friends and family members.
So please, Abby, remind your readers about the privacy laws. We are not purposely lying to anyone; we are just following the patient's instructions and obeying the rules. Thank you. --FRUSTRATED NURSE IN IRONTON, OHIO

DEAR FRUSTRATED: Thank YOU for injecting an important dose of reality. While some patients may welcome visitors, many more do not. One solution is to assign a particular relative or friend to be the "minister of information." That way, there is less emotional wear and tear on all concerned.

Inappropriate Disclosure
Passing through a busy clinic area, Social Worker Jennifer overhears Karen telling a patient on the phone that she needs to make a follow-up appointment since her HIV test was positive. Jennifer notices that clients are able to hear the entire conversation.

Is Karen taking reasonable and appropriate steps for proper precautions? No. What could Karen have done differently?

Karen should have done at least one of the following:
* Spoken in a lower voice,
* Waited until the clinic was less crowded, and
* Made the call in another location.

Inappropriate Use & Disposal
Mary receives Protected Health Information (PHI) from the treating physician. She notices that she has duplicates and throws the information in the trash can located in a common area. What should Mary have done differently?

Mary should have properly disposed of the sensitive information by:
* Placing it in a locked disposal bin, and
* Shredding it using a cross-cut shredder.

News Flash
News team discovers documents containing PHI near dumpster
On the ground behind a dumpster at Guadalupe Medical Center, a Las Vegas news team discovered 40 pages worth of documents containing PHI of the center's patients, according to klas-tv.com. The documents had information such as patient names, Social Security numbers, and procedures. The medical center claims this was a "huge misunderstanding" and an isolated incident.
According to an attorney for Guadalupe Medical Center, a courier transporting the documents from another office operated by the same company dropped the files. The medical center, which asked the news team to return the files, plans to shred them properly as it does all its documents.

Inappropriate Disclosure in a Common Area
Mike, a Social Service Technician, steps onto an elevator and is surprised to overhear Nurse Vince and Social Worker Jennifer discussing the treatment of Joe Compliant for gonorrhea. What should Mike do?

Mike needs to remind them that this information is confidential and should not be discussed in a public area. If you don't feel comfortable confronting the person directly, then notify your HIPAA liaison or DPH HIPAA Coordinator.

Lost PHI and Inappropriate Access
Crystal, an administrative assistant, sees a piece of paper lying on the floor in the hallway. She discovers that it is a lab report containing the name of her favorite NASCAR driver, so she calls her husband and shares it with him.

What is wrong with this scenario and how could Crystal have handled it differently?

* Crystal should not have shared the information with her husband,
* The lab report was not secure, and
* Crystal should have returned it to the lab supervisor or appropriate person.

Incidental Disclosure
Nurse Spam needed to have a confidential conversation with Mr. Laptop, who was in a semi-private room. After checking that the roommate was not present, Nurse Spam pulled the curtain and quietly had a conversation regarding his treatment. Unfortunately, his roommate returned and heard some of their conversation.

Mr. Laptop became very upset. Did Nurse Spam handle the situation correctly?

Yes. Nurse Spam took reasonable and appropriate steps to safeguard the information.
The roommate’s overhearing was an “incidental disclosure.” Even with appropriate measures, disclosure cannot always be prevented.

Summary
* ALL sensitive medical information needs to be treated as confidential,
* Information should only be accessed and shared by authorized staff, and
* It is your responsibility to protect all information and report any misuse of protected health information.

Thank you for your cooperation!!

Questions???
Contact: HIPAA Coordinator, Division of Public Health, 302.744.4702