HIPAA Privacy Standards

What is HIPAA?
HIPAA is a law. It is a law that must be followed by all Health Care personnel at every level, both professional and nonprofessional. HIPAA is a set of basic national privacy standards and fair information practices. The purpose of HIPAA is to protect the privacy of all patients and residents of the United States who receive any kind of health care services. Because of HIPAA, Americans can enjoy a basic level of protection and peace of mind about their health care information.

What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act. On December 20, 2000 the Department of Health and Human Services published the final privacy regulations and standards that are now known as HIPAA. The original act was passed in 1996.

What does HIPAA provide?

1. Standardized patient health, administrative, and financial information.
2. Creation of unique health identifiers in computer systems for e-records.
3. Protection and security of confidential patient health information.

What information is protected by HIPAA?
HIPAA requires that information in any format (oral, written, and/or electronic) be protected. This includes medical record information and any information that personally identifies a person.

What is Protected Health Information?
1. Protected Health Information is any information that can identify a person. Examples include: name, address, birth date, phone and fax numbers, driver’s license numbers, photographs, etc.
NOTE: Protected Health Information (PHI) cannot be used or disclosed to anyone, unless the patient or resident gives authorization in writing.
2. Most hospitals and skilled nursing facilities have some or all of this information in a computerized system to help visitors locate a patient. When patients sign the Notice of Privacy Practices, they usually give permission to have this computerized information about their location made available to visitors.
3. Many hospitals, skilled nursing facilities and retirement communities have directories with some PHI listed. When the listing is in a retirement community directory, it needs to be approved by the resident prior to the printing of the directory. When the listing is in an acute care setting or skilled nursing facility, it will usually be computerized for daily updates, but not printed in a directory.

When can Protected Health Information be used?
Healthcare providers may use and disclose health information for the purpose of treatment, payment, or healthcare operations. To better understand this statement, please review the following definitions:

The definition of Treatment includes:
1. Providing actual health care services
2. Coordinating and managing care for a patient or resident
3. Providing referrals and referral sources.
This includes any call you make for Doctor’s orders, to schedule any lab tests or other diagnostic studies and to facilitate the smooth transition of information for any care your patient needs. For example: If you work for a physician treating a slow-healing wound on a patient, the physician will need to know if the patient has diabetes, which could slow the healing process. You may also need to tell the dietitian, as the client’s diet will have an impact on the healing process.

The definition of Payment includes:
1. Payment for services
2. Eligibility determinations, including Medicare and Medicaid
3. Determining resident services and certifications
4. Activities related to utilization review
5. Any type of productivity report that contains patient information
For example: This especially applies to HMOs that require pre-authorization prior to treatment or testing, or seeing a specialist or provider outside of the plan.

The definition of Health Care Operations includes:
1. Quality assurance issues
2. Efficiency and cost of care
3. Training
4. Accreditation
5. Evaluating the skills, performance and qualifications of healthcare providers
6. Medical review
7. Auditing
8. Cooperating with outside organizations that evaluate or certify healthcare organizations
9. Business planning
For example: In many hospitals, nursing homes and home health agencies, other professionals such as physical therapists, occupational therapists, speech pathologists and medical social workers (MSWs) are expected to audit charts with nursing and medical records personnel. If the therapists or MSWs are contract personnel, it is clearly written in their contracts that confidentiality will be maintained.

When do I need to be concerned about Protected Health Information?
You should always be concerned about PHI. For instance, you need to be careful with this information:
1. When you use it
2. When you provide care to your patient
3. When you tell someone about it
4. When you store it
5. When you see it on the computer
6. When it is on your desk
7. When you give a patient report to your colleagues
8. When you provide it to another healthcare provider

Remember, you should only discuss a resident’s health information when it is for treatment, payment, or health care operations. You CANNOT give information about one patient/resident to another patient/resident.

In acute care settings and skilled nursing facilities (where patients share a room) it is human nature to ask about the patient in “the next bed” out of genuine concern.
Though it might be tempting to “reassure” the patient asking the question, it is never allowed and it is against the law.

How does HIPAA affect my job?
HIPAA affects the way you communicate on the job. It also affects the way you use patient health care information while performing your job duties. You also must be aware of the specific communication standards, policies and procedures of the facility or agency where you work.

The Accounting of Disclosures (AOD) provision under HIPAA outlines the type of disclosures you can and cannot reveal while performing your job.

Items specifically excluded from AOD are:
1. Disclosures made for treatment, payment and healthcare operations
2. Disclosures made to the individual
3. Disclosures made for directory purposes
4. Disclosures made to persons involved in the individual’s care
5. Disclosures made for national security or intelligence purposes
6. Disclosures made to correctional institutions
7. Disclosures made prior to the date of compliance with the privacy standards
8. Disclosures made to business associates for purposes of TPO (treatment, payment, or healthcare operations)
9. Authorization-based disclosures

What do I need to do to be in compliance with HIPAA?
Act responsibly with protected health information. You are a licensed professional and entrusted with patient information necessary to properly care for your patient.
Do not share information about any patients or residents with friends, family, other employees, volunteers or other patients and their families.
When you need to talk about information for healthcare purposes, check your surroundings and make sure others are not listening. Do not discuss a resident’s medical or health information in an elevator or in the dining room in front of other patients or co-workers.

If you are receiving a report at the change of shift, make sure you are speaking in a secure location where you will not be overheard by visitors or other staff not involved in the care of your patients.

If you need to send patient information to an Emergency Room, call the ER from a phone that is not within hearing range of anyone else. Identify the person in the Emergency Room to whom you are giving the information.

Do not give confidential or sensitive information to anyone.
The definition of Confidential or Sensitive Information is:
1. Any information that identifies a person
2. Information about your employer’s business operation, such as instructional manuals and all other legally owned information
3. Financial and operational information.