Policy Training 2006
Upon completion of this training you will be able to describe:
- the applicable privacy and confidentiality statutes
- the patients’ rights granted by the Privacy Act and HIPAA Privacy Rules
- disclosures that do not require authorization from the patient
- the information that can be disclosed
- disclosures that require authorization from the patient
- the requirements for releasing information
- the penalties for unauthorized disclosure of patient information
Purpose and Target Audience
Congress passed the Health Insurance Portability and Accountability Act (HIPAA). In 2000, the Dept of Health and Human Services (HHS) published the final rule for Standards for Privacy of Individually Identifiable Health Information, known as the HIPAA Privacy Rule. The purpose of this training is to provide all nursing students with the required knowledge of the Hospital Privacy Policies, including those resulting from the HIPAA Privacy Rule.
There are six privacy and confidentiality rules and laws that all staff must comply with:
The Freedom of Information Act (FOIA), 5 U.S.C. 552, requires disclosure of reasonably described patient records, or a reasonably segregated portion of the records, to any person upon written request, unless one or more of nine exemptions apply to the records. Records are made available, upon written request, to the greatest extent possible in keeping with the spirit and intent of the FOIA. Requests must be processed in accordance with the statute and applicable regulations.
The Privacy Act (PA), 5 U.S.C. 552a, provides for the confidentiality of individually identifiable health information (IIHI) of living individuals, where the information is maintained in a Privacy Act system of records, and permits disclosure of Privacy Act records only when specifically authorized by the statute. Medical records are a Privacy Act system of records.
The Claims Confidentiality Statute, 38 U.S.C. 5701, provides for the confidentiality of all Healthcare Agency patient and claimant names and home addresses, and the names and home addresses of their dependents, and permits disclosure only when specifically authorized by statute.
Drug Abuse, Alcoholism and Alcohol Abuse, Infection with the Human Immunodeficiency Virus (HIV), and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332, provides for the confidentiality of certain patient medical record information related to drug and alcohol abuse, HIV infection, and sickle cell anemia, and permits disclosure of the protected information only when authorized by the statute.
The Health Insurance Portability and Accountability Act (HIPAA) provides for improvement of the efficiency and effectiveness of healthcare systems by encouraging the development of health information systems. The statute establishes standards and requirements for the electronic transmission, privacy, and security of health information. Healthcare agencies must comply with the Privacy rules when creating, maintaining, using, and disclosing individually identifiable health information. This statute also protects health insurance coverage for workers and their families when they change or lose their jobs.
Healthcare Quality Assurance Review Records, 38 U.S.C. 5705, provides that records and documents created by healthcare agencies as part of a designated medical quality assurance program are confidential and privileged and may not be disclosed to any person or entity except when specifically authorized by statute.
Use of Information
Employees must use or access information only as legally permissible under confidentiality and privacy laws, regulations, and policies. Employees can use health information contained in records in the official performance of their duties for treatment, payment, and health care operations purposes only. Healthcare agency employees must access or use only the minimum amount of information necessary to complete their duties.
Release of Information for Purposes Other Than Treatment, Payment, and Healthcare Operations
Contractors and Business Associates
A contractor may be engaged for the design, development, operation, or maintenance of a system of records, or for services on behalf of the Hospital where IIHI is provided or accessible. All contractors and business associates and their employees must receive privacy training. In addition, their contracts must specify that the records are protected by confidentiality rules and laws that restrict the disclosure of the information and the purposes for which the information may be used.
Contract Nursing Homes
A contract nursing home may be provided IIHI, including health information, for the purpose of fulfilling its contract to provide medical care to patients housed in its facility.
National Cemetery Administration (NCA)
Employees may disclose individually identifiable information to NCA for the purpose of determining eligibility for or entitlement to benefits under the laws administered by the Secretary.
Office of General Counsel
Employees may provide all Hospital information, including individually identifiable information, to the Office of General Counsel for any official purpose authorized by law.
Unions
In the course of fulfilling their representational responsibilities, a union may request records that are maintained by a healthcare facility. However, under certain circumstances, unions may not be legally entitled to receive individually identifiable health information, or other information, especially information protected by other statutes, such as the Privacy Act.
Compensated Work Therapy Workers (CWT)
Employees may not disclose or release any individually identifiable information without the signed written authorization of the individual to whom the information pertains.
Human Resources (HR)
Employees may disclose individually identifiable information to HR as authorized by law.
Police and Security Records
Disclosure of individually identifiable information from Police and Security Records must be made in accordance with federal privacy and confidentiality statutes and regulations.
Research
Research and Development Committees must approve all research activities conducted by Investigators. Information involving non-employee research subjects may be used by Investigators for research purposes provided there is prior written authorization signed by the research subject. The authorization may be part of the informed consent for participation.
Before making a disclosure of individually identifiable healthcare information to an outside entity without the individual’s authorization, the employee must determine:
- The type of information involved, and
- Whether legal authority exists under the statutes and regulations to permit the disclosure.
There is no obligation to release information. The regulations give healthcare providers the “key” that enables them to release information, and any release must be in accordance with all the applicable laws, but providers are not required to release it.
Refer requests to the Release of Information Officer or to your Privacy Officer.
Employees may disclose individually identifiable information from official Healthcare Agency records only when:
- the Agency has first obtained the prior written authorization of the individual to whom the information pertains; or
- legal authority permits the disclosure without written authorization.
Incidental disclosures are those made in the presence of others during treatment, payment and/or healthcare operations that cannot be reasonably prevented. Examples are:
- patient names (only) for overhead paging
- patient names on
- overhearing or seeing patient names or information
Disclosure of Information to Non-patient Entities
Quasi-Judicial Bodies and Attorneys
Employees may disclose individually identifiable healthcare information pursuant to a court order. A subpoena is not a court order. Discuss any subpoenas for information with your facility’s Privacy Officer.
Law Enforcement Agencies
Individually identifiable information (excluding 38 U.S.C. 7332 protected information: drug abuse, alcoholism and alcohol abuse, HIV, and sickle cell anemia records) may be disclosed to officials of any criminal or civil law enforcement governmental agency. The facility Director will acknowledge the receipt of an agency’s standing request and advise the agency of the penalties regarding the misuse of the information. Standing requests must be updated.
Family and Significant Others
Employees may disclose the following information without prior written authorization:
- information on the individual’s condition and location if in the Facility Directory (UNLESS the patient has opted out of the facility directory)
- information when in the presence of the individual, if the patient does not object
- information outside the presence of the individual when it is determined the disclosure is in the best interest of the individual
- HIV status may be disclosed to the individual’s spouse or sexual partner if certain conditions are met. Before any patient gives authorization to be tested for HIV, as part of the pre-test counseling, the patient must be informed fully about this notification provision.
Public Health Authorities
Employees may disclose individually identifiable information, excluding 38 U.S.C. 7332 protected information, to Federal, State, and/or local public health authorities charged with the protection of the public health or safety, pursuant to a standing request or other applicable legal authority. An individual’s infection with HIV may be disclosed from a record to a Federal, State, or local public health authority that is charged under Federal or State law with the protection of the public health.
Other Healthcare Providers
Employees may disclose individually identifiable health information to another healthcare provider (physician, hospital, nursing home) for the purpose of referring patients for outside care, treatment by other providers, payment to the other provider for care rendered, and, in emergent situations, for the benefit of the veteran. Other disclosures to non-patient providers may require an authorization.
Medical Care Cost Recovery
To recover or collect the cost of medical care from third-party health plan contracts, individually identifiable healthcare information that is required by the health plan contract may be disclosed to the insurance carrier. A written authorization is required to disclose 38 U.S.C. 7332 information for billing.
Authorizations
An authorization may be required when using individually identifiable healthcare information for a purpose other than treatment, payment, and/or health care operations.
Authorizations MUST contain an expiration date, event, or condition, must be signed by the patient, and must be returned to the requestor. Authorizations DO NOT require an expiration DATE specifically: the statements “end of research study,” “none,” or similar language may be used.
Unless it is explicitly covered in the authorization, information regarding HIV, sickle cell anemia, or drug/alcohol treatment must not be disclosed.
Notice of Privacy
The Notice of Privacy must be publicly posted in the agency. It includes the uses and disclosures of protected health information that may be made at the agency, as well as the individual’s rights and the institution's legal duties.
Right to Access
Patients have the right to obtain a copy of their own record. The request must be in writing, signed, and submitted to the facility. Except in rare circumstances, patients may gain access to any information pertaining to them that is contained in any system of records. The patient does not need to give a reason for wanting to see or obtain a copy of the record. Requests for copies should be reviewed by the facility Privacy Officer or designee. Any denial or refusal to provide a patient a copy of his/her record must be stated in a signed letter to the patient that provides the patient the appeal rights to the Office of General Counsel.
Right to Request Amendment
The patient has a right to request an amendment to any information in his/her record. The request must be in writing and adequately describe the specific information the patient believes to be inaccurate, incomplete, irrelevant, or untimely, and the reason for this belief. The facility Privacy Officer will review and process the request.
Accounting of Disclosures
A patient may request a list of all disclosures of information, both written and oral, from records pertaining to the individual. Facilities and programs are required to keep an accurate accounting of each disclosure of a record to any person or to another agency.
An accounting is not required in certain circumstances, including when the disclosure is to the agency’s employees who need the information to perform their duties for treatment, payment, and health care operations.
Right to Request Confidential Communications
The patient has a right to request and receive communications confidentially from the healthcare agency by an alternative means or at an alternative location. A facility can consider an alternative means to be an in-person request, and an alternative location to be an address.
Right to Request Restriction and to Opt-Out of the Facility Inpatient Directory
The patient has the right to request the facility to restrict:
- its use or disclosure of IIHI to carry out treatment, payment, or health care operations
- the disclosure of IIHI to the next-of-kin, family, or significant others involved in the individual’s care.
The request must be in writing and signed by the patient. All requests for restrictions should be referred to the facility Privacy Officer.
- Faxes should only be used in urgent situations or when there is no other means to provide information in a timely manner.
- Employees must take reasonable steps to ensure the fax is sent to the correct place (e.g., call the requestor to ensure receipt).
- A confidentiality statement should be on the cover page when faxing individually identifiable information. The statement should instruct the recipient of the fax to notify the facility if it was received in error.
- Outlook Email messages must contain only non-individually identifiable information unless the data and accompanying passwords or other authentication mechanisms are appropriately secured.
- Security of email should be discussed with the facility Information Security Officer (ISO).
- Discuss what options are available to protect documents with the ISO in your facility.
- Use care when discussing patient information in public areas.
- Make an effort to keep all patient communications confidential.
- Ask the patient if he/she objects to discussing protected health information in the
- Ask patients to confirm demographic information on paper instead of stating it aloud. Give the patient the printout of current information to review.
- Each healthcare facility must ensure that appropriate administrative, technical, and physical safeguards are established to protect Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI).
- Protect IIHI and PHI against any anticipated threats or hazards to their security or integrity.
- Avoid leaving PHI on printers or copiers.
- No unattended computers (logged on) with patient information visible.
- No unattended medical charts with patient information.
- No unattended office documents with patient information.
- No unsecured shredding containers with patient information.
- No unattended fax machines with patient information.
- No overhead pages with patient clinic information.
- No patient information in wastebaskets.
- No sign-in sheets with patient health information.
- No discussions of patient information other than for treatment, payment, or healthcare operations.
All personnel, including employees, contractors, volunteers, and students, must be trained in privacy policies, information laws, regulations, and policies on an ongoing basis.
Patients have the right to file a complaint regarding the facility privacy practices. The complaint does not have to be in writing, although it is
Complaints may be made to the Agency Privacy Officer, the health care facility Privacy Officer, or designee. All complaints must be investigated and a written response provided to the complainant. The Privacy Officer must enter the complaint into the agency system.
Penalties for Unauthorized Disclosure
Employees who are convicted of knowingly and willfully violating the penalty provisions of the Privacy Act shall be guilty of a misdemeanor and fined not more than $5,000.
Any person who violates any provision of 38 U.S.C. 7332 shall be fined not more than $5,000 in the case of a first offense, and not more than $20,000 for each subsequent offense.
Civil actions (lawsuits) may result from illegal disclosures made on behalf of the agency.
An employee who knowingly violates the provisions of HIPAA by disclosing individually identifiable health information shall be fined not more than $50,000, imprisoned not more than one year, or both. If the offense is committed under false pretenses, the employee may be fined $100,000 and/or imprisoned for not more than 5 years.
If the offense pertains to selling, transferring, or using individually identifiable health information for commercial advantage, personal gain, or malicious harm, there are more stringent penalties ($250,000 and/or 10 yrs).
In addition to the statutory penalties for the violations described above, administrative, disciplinary or other adverse actions (e.g., admonishment, reprimand, and/or termination) may be taken against employees who violate the statutory provisions.