Health Insurance Portability and Accountability Act (HIPAA)

Hospital Privacy Policy Training

*This program has been adapted with permission of the Greater Los Angeles Veterans Administration Medical Center*

Hospital Privacy Policy Training 2006

  • Objectives
  • Course Overview
  • Statutes and Policies
  • Use of Information
  • Disclosure to Outside Entities
  • Disclosure of Information
  • Disclosure and Authorization Requirements
  • Patients' Rights
  • Operational Privacy Responsibility
  • Complaints
  • Penalties

Objectives

After completing this training you will be able to:

  • Describe applicable privacy and confidentiality statutes
  • Identify patients' rights granted by the Privacy Act and the HIPAA Privacy Rule
  • List disclosures that do not require authorization from the patient
  • Identify information that can be disclosed
  • List disclosures that require authorization from the patient
  • Describe the process for releasing information
  • State the penalties for unauthorized disclosure of patient information

Course Overview, Purpose and Target Audience

  • In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA).
  • In December 2000, the Dept of Health and Human Services (HHS) published the final rule for Standards for Privacy of Individually Identifiable Health Information, known as the HIPAA Privacy Rule.
  • The purpose of this training is to provide all nursing students with the required knowledge of the Hospital Privacy Policies, including those resulting from the HIPAA Privacy Rule.

Statutes and Policies

There are six privacy and confidentiality rules and laws that all staff must follow.

The Freedom of Information Act (FOIA), 5 U.S.C. 552

  • FOIA compels disclosure of reasonably described patient records or a reasonably segregated portion of the records to any person, upon written request, unless one or more of nine exemptions apply to the records.
  • Administrative records are made available, upon written request, to the greatest extent possible in keeping with the spirit and intent of the FOIA.
  • All requests must be processed in accordance with the statute and applicable regulations.

The Privacy Act (PA), 5 U.S.C. 552a

This statute provides for the confidentiality of individually identifiable health information (IIHI) of living individuals, where information is maintained in a Privacy Act system of records and permits disclosure of Privacy Act records only when specifically authorized by the statute. Medical records are a Privacy Act system of records.

The Patients' Claims Confidentiality Statute, 38 U.S.C. 5701

This statute provides for the confidentiality of all Healthcare Agency patients and claimant names and home addresses, and the names and home addresses of their dependents, and permits disclosure only when specifically authorized by statute.

Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with the Human Immunodeficiency Virus (HIV), and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332

This statute provides for the confidentiality of certain patient medical record information related to drug and alcohol abuse, HIV infection, and sickle cell anemia and permits disclosure of the protected information only when authorized by the statute.

The Health Insurance Portability and Accountability Act (HIPAA)

This statute provides for improvement of the efficiency and effectiveness of healthcare systems by encouraging the development of health information systems. The statute establishes standards and requirements for the electronic transmission, privacy, and security of health information. Healthcare agencies must comply with the Privacy Rule when creating, maintaining, using, and disclosing individually identifiable health information. This statute also protects health insurance coverage for workers and their families when they change or lose their jobs.

Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705

This statute provides that records and documents created by healthcare agencies as a part of a designated medical quality assurance program are confidential and privileged and may not be disclosed to any person or entity except when specifically authorized by statute.

Use of Information

  • Healthcare employees must use or access information only as legally permissible under confidentiality and privacy laws, regulations, and policies.

  • All Healthcare employees can use health information contained in records in the official performance of their duties for treatment, payment, and health care operations purposes only.

  • However, healthcare agency employees must access or use only the minimum amount of information necessary to complete their official duties.

Release of Information for Purposes Other Than Treatment, Payment, and Healthcare Operations

Contractors / Business Associates

Contractors may be engaged for the design, development, operation, or maintenance of a system of records, or for services on behalf of the Hospital where IIHI is provided or accessible. All contractors and business associates and their employees must receive privacy training. In addition, their contracts must specify that the records are protected by confidentiality rules and laws that restrict the disclosure of the information and the purposes for which the information may be used.

Contract Nursing Homes

A contract nursing home may be provided IIHI, including health information, for the purpose of fulfilling its contract to provide medical care to patients housed in its facility.

National Cemetery Administration (NCA)

Hospital employees may disclose individually identifiable information to NCA to determine a patient's eligibility for or entitlement to benefits under the laws administered by the Secretary.

Office of General Counsel

Healthcare employees may provide all Hospital information, including individually identifiable information to the Office of General Counsel for any official purpose authorized by law.

Unions

In the course of fulfilling their representational responsibilities, a union may request records that are maintained by a healthcare facility. However, under certain circumstances, unions may not be legally entitled to receive individually identifiable health information or other information, especially information protected by other statutes such as the Privacy Act.

Compensated Work Therapy Workers (CWT)

Employees may not disclose or release any individually identifiable information without the signed written authorization of the individual to whom the information pertains.

Human Resources Services (HR)

Employees may disclose individually identifiable information to HR as authorized by law.

Police and Security Services

Disclosure of individually identifiable information from Police and Security Records must be made in accordance with federal privacy and confidentiality statutes and regulations.

Research

Agency Research and Development Committees must approve all research activities conducted by Investigators. Information involving non-employee research subjects may be used by Investigators for research purposes provided there is prior written authorization signed by the research subject. The authorization may be part of the informed consent for participation.

Disclosure to Outside Entities

Before making a disclosure of individually identifiable healthcare information to an outside entity, without an individual’s authorization, the employee should determine:

  • The type of information involved, and
  • Whether legal authority exists under the statutes and regulations to permit the disclosure

There is no obligation to release information. The regulations give healthcare providers the "key" that permits a release, and any release must be in accordance with all applicable laws, but providers are not required to release the information.

Refer requests to the Release of Information Officer or to your Privacy Officer.

Disclosure of Information

Employees can disclose individually identifiable information from official Healthcare Agency records only when:

  • The Healthcare Agency has first obtained the prior written authorization of the individual to whom the information pertains; or
  • Other legal authority permits the disclosure without written authorization.

Incidental disclosures are those made in the presence of others during treatment, payment and/or healthcare operations that cannot be reasonably prevented. Examples are:

  • patient names outside rooms
  • patient names (only) for overhead paging
  • patient names on sign-in sheets
  • visitors overhearing or seeing patient names or information

Disclosure of Information to Non-patient Entities

Courts, Quasi-Judicial Bodies and Attorneys

Employees may disclose individually identifiable healthcare information pursuant to a court order. A subpoena is not a court order. Discuss any subpoenas for information with your facility’s Privacy Officer.

Law Enforcement

Individually identifiable information (excluding 38 U.S.C. 7332 protected information, i.e., drug abuse, alcoholism and alcohol abuse, HIV, and sickle cell anemia records) may be disclosed to officials of any criminal or civil law enforcement governmental agency. The facility Director will acknowledge the receipt of an agency's standing request and advise the agency of the penalties for misuse of the information. Standing requests must be updated.

Next-of-Kin, Family and Significant Others

Employees may disclose the following information without prior written authorization:

  • General information on the individual's condition and location if in the Facility Directory (UNLESS the patient has opted out of the facility inpatient directory).
  • Health information when in the presence of the individual, if the patient does not object.
  • Health information outside the presence of the individual when it is determined that the disclosure is in the best interest of the individual.
  • HIV status may be disclosed to the individual's spouse or sexual partner if certain conditions are met. Before any patient gives authorization to be tested for HIV, as part of the pre-test counseling, the patient must be fully informed about this notification provision.

Public Health Authorities

Hospital employees may disclose individually identifiable information, excluding 38 U.S.C. 7332 protected information, to Federal, State, and/or local public health authorities charged with the protection of the public health or safety pursuant to a standing request or other applicable legal authority. An individual's infection with HIV may be disclosed from a record to a Federal, State, or local public health authority that is charged under Federal or State law with the protection of the public health.

Healthcare Providers

The Hospital may disclose individually identifiable health information to another healthcare provider (physician, hospital, nursing home) for the purpose of: referring patients for outside care, treatment by other providers, payment to the other provider for care rendered, and, in emergent situations, for the benefit of the veteran. Other disclosures to non-patient providers may require an authorization.

Medical Care Cost Recovery

To recover or collect the cost of medical care from third-party health plan contracts, individually identifiable healthcare information that is required by the health plan contract may be disclosed to the insurance carrier. A written authorization is required to disclose 38 U.S.C. 7332 information for billing.

Disclosure and Authorization Requirements

  • Authorizations may be required when using individually identifiable healthcare information for a purpose other than treatment, payment, and/or health care operations.
  • All authorizations MUST contain an expiration date, event, or condition; be signed by the patient; and be returned to the requestor.
  • Research Authorizations DO NOT require an expiration DATE. The statements “end of research study,” “none,” or similar language may be sufficient.

Unless it is explicitly covered in the authorization, information regarding HIV, sickle cell anemia, or drug/alcohol treatment must not be disclosed.

Patients' Rights

Notice of Privacy Policy

The Notice of Privacy must be publicly posted in the agency. It describes the uses and disclosures of protected health information that may be made by the agency, as well as the individual's rights and the institution's legal duties.

Right to Access and Copy

Patients have the right to obtain a copy of their own record. The request must be in writing, signed, and submitted to the facility. Except in rare circumstances, patients may gain access to any information pertaining to them that is contained in any system of records. The patient does not need to give a reason for wanting to see or obtain a copy of the record.

Requests for copies should be reviewed by the facility Privacy Officer or designee. Any denial or refusal to provide a patient a copy of his/her record must be stated in a signed letter to the patient that provides the patient the appeal rights to the Office of General Counsel.

Right to Request an Amendment

The patient has a right to request an amendment to any information in his/her record. The request must be in writing and adequately describe the specific information the patient believes to be inaccurate, incomplete, irrelevant, or untimely; and the reason for this belief. The facility Privacy Officer will review and process the request.

Accounting of Disclosures

A patient may request a list of all disclosures of information, both written and oral, from records pertaining to the individual. Facilities and programs are required to keep an accurate accounting for each disclosure of a record to any person or to another agency.

An accounting is not required in certain circumstances, including when the disclosure is to the agency's employees who need the information to perform their duties for treatment, payment, and health care operations.

Confidential Communications

The patient has a right to request and receive communications from the healthcare agency confidentially, by an alternative means or at an alternative location. For example, a facility may treat an in-person request as an alternative means, and a different mailing address as an alternative location.

Right to Request Restriction and to Opt-Out of the Facility Inpatient Directory

The patient has the right to request the facility to restrict:

  • Its use or disclosure of IIHI to carry out treatment, payment, or health care operations.
  • The disclosure of IIHI to the next-of-kin, family, or significant others involved in the individual’s care.

The request must be in writing and signed by the patient.

All requests for restrictions should be referred to the facility Privacy Officer.

Operational Privacy Responsibility

Faxes

  • Faxes should only be used in urgent situations or when there is no other means to provide information in a timely manner.
  • Employees must take reasonable steps to ensure the fax is sent to the correct place (e.g., call the requestor to ensure receipt).
  • A confidentiality statement should be on the cover page when faxing individually identifiable information. The statement should instruct the recipient of the fax to notify the facility if it was received in error.

Email

  • Outlook Email messages must contain only non-individually identifiable information unless the data and accompanying passwords or other authentication mechanisms are appropriately secured.
  • Security of email should be discussed with the facility Information Security Officer (ISO).
  • Discuss what options are available to protect documents with the ISO in your facility.

Verbal Communication

  • Use care when discussing patient information in public areas.
  • Make an effort to keep all patient communications confidential.
  • Ask the patient if he/she objects to discussing protected health information in the current setting.
  • Ask patients to confirm demographic information on paper, instead of stating aloud. Give the patient the printout of current information to review.

Safeguards

  • Each healthcare facility must ensure that appropriate administrative, technical, and physical safeguards are established to protect Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI).
  • Protect IIHI and PHI against any anticipated threats or hazards to their security or integrity.
  • Avoid leaving PHI on printers or copiers.

Commitment to Patient Privacy

  • No unattended computers (logged-on) with patient information visible.
  • No unattended medical charts with patient information.
  • No unattended office documents with patient information.
  • No unsecured shredding containers with patient information.
  • No unattended fax machines with patient information.
  • No overhead pages with patient clinic information.
  • No patient information in wastebaskets.
  • No sign-in sheets with patient health information.
  • No discussions of patient information other than for treatment, payment or healthcare operations.

Training

All Hospital personnel, including employees, contractors, volunteers, and students, must be trained in privacy and information laws, regulations, and policies on an ongoing basis.

Complaints

Individuals have the right to file a complaint regarding the facility privacy practices. The complaint does not have to be in writing, although it is recommended.

  • Complaints should be made to the Agency Privacy Officer, or the health care facility Privacy Officer, or designee.
  • All privacy complaints must be investigated and a written response provided to the complainant.
  • The Privacy Officer must enter the complaint into the agency system.

Penalties

  • Individuals who are convicted of knowingly and willfully violating the penalty provisions of the Privacy Act shall be guilty of a misdemeanor and fined not more than $5,000.

  • Any person who violates any provision of 38 U.S.C. 7332 shall be fined not more than $5,000 in the case of a first offense, and not more than $20,000 in each subsequent offense.

  • Illegal disclosures may also expose the agency to tort claims (lawsuits).

  • A facility employee who knowingly violates the provisions of HIPAA by disclosing individually identifiable health information shall be fined not more than $50,000, imprisoned not more than one year, or both.

  • For offenses committed under false pretenses, the employee may be fined $100,000 and/or imprisoned for not more than 5 years.

  • If the offense pertains to selling, transferring, or using individually identifiable health information for commercial advantage, personal gain, or malicious harm, there are more stringent penalties ($250,000 and/or 10 yrs).

  • In addition to the statutory penalties for the violations described above, administrative, disciplinary or other adverse actions (e.g., admonishment, reprimand, and/or termination) may be taken against employees who violate the statutory provisions.


California State University, Dominguez Hills • 1000 E. Victoria Street • Carson, California 90747 • (310) 243-3696. If any of the material is in violation of a copyright, please contact copyright@csudh.edu. Designed by Webmanager Reza Boroon