Preparation for Clinical Experience - HIPAA

Introduction

Welcome

Welcome and Overview 

Welcome to Preparation for Clinical Experience. This 2-part, self -paced, online course will prepare you for entrance into your upcoming clinical internships. You will work though 2 modules at your own pace, each topic should require approximately 30 minutes to complete. Remember successful completion of this course, and assessments are a requirement for admission into your upcoming clinical experience. Don't hesitate to contact me with any questions or concerns.

Module 1 HIPAA

Within this module you will explore HIPAA rules and regulations as they apply directly to healthcare and your upcoming clinical, examine special considerations such as social media, and learn of possible consequences with HIPAA violations. 


Module 2 OSHA-TB-Bloodborne Pathogens 

Within this module you will explore OSHA, risk within a healthcare setting, Universal Precautions, and Personal Protective Equipment. 


Learning Objectives

Learning Objectives - Upon completion of this module: 

  • You will be able to describe HIPAA and distinguish between different HIPAA laws, within the context of your upcoming clinical experience.
  • You will be able to distinguish between protected health information and that information which is not confidential or protected with 100% accuracy when given examples of medical records.
  • You will be able to recognize compliance violations with social media as related to HIPAA when given common scenarios.
  • You will be able to recognize possible consequences faced if HIPPA violations occur after review of actual case examples.    
  • You will be able to identify actions to take if violations are suspected in a clinical situation.

HIPAA

What is HIPAA

HIPAA 

HIPAA- Health Information Portability and Accountability Act - is a set of broad federal legislation enacted over the course of several years aimed at protecting patients' rights and privacy within healthcare. These regulations include the Privacy Rule, which protects the privacy of health information, the Security Rule, which sets national standards for the security of electronic information, and the Breach Notification Rule, which requires organizations to provide notification following a breach of unsecured Protected Health Information. 

While HIPAA discusses several aspects related to patients’ rights, those which most closely relate to your clinical experience discuss patient privacy standards and Protected Health Information (PHI). 

Please take a few minutes to review the HIPAA website, this site will be the source for most of the information needed to complete the assessments for this course. Additionally, watch the brief video further explaining HIPAA in a healthcare setting.

Video: What is HIPAA 

Please watch this brief video for an overview of HIPAA and how it applies to a healthcare setting. 


HIPAA Laws

Privacy Rule 

The Privacy Rule: addresses the use of, and disclosure of, individuals' health information, otherwise known as Protected Health Information (PHI),  by organizations referred to as Covered Entities, as well as outlining standards for individuals' rights to understand and control how their information is used and shared.

Security Rule 

The Security Rule: establishes a set of minimum security standards for protecting all electronic PHI that a Covered Entity and Business Associate create, receive, maintain, or transmit. 

Breach Notification Rule 

The Breach Notification Rule: sets requirements for which  Covered Entities must notify HIPAA in the event of the loss, theft, impermissible use, or disclosures of unsecured Protected Health Information.

The Privacy Rule is the rule we as healthcare providers are the most concerned with and will be discussed further in the next section. 

Covered Entity and Business Associate

Covered Entity (CE)

A HIPAA covered entity (CE) is any organization or corporation that directly handles Protected Health Information (PHI) or Personal Health Records (PHR)

Business Associate (BA) 

A person or entity, who performs certain functions or activities on  behalf of a CE, or provides certain services to or for you, when the services involve the access to, or the use or disclosure of, PHI

Covered Entity Include:

  • Doctors
  • Clinics
  • Hospitals
  •  Nursing Homes
  • Pharmacies
  • Health plans
  • Healthcare clearinghouses



Business Associates Include: 

  • Health Information Organizations or Exchanges (HIOs/HIEs)

  • E-prescribing gateways

  • Data transmission services

  •  A subcontractor to a BA that creates, receives, maintains, or transmits PHI on behalf of the BA

  •  An entity that a CE contracts with to provide patients with access to a Personal Health Record(PHR) on behalf of a CE

Why is HIPAA Important?

Patient Trust 

One of the greatest reasons why it’s so important for you to ensure the privacy and security of health information. When patients trust you enough to share their health information, you will have a more complete picture of patient's overall health and together, you and your patient can make more-informed decisions. If a patient lacks trust they may not want to disclose health information to you, and withholding their health information could have life-threatening consequences.

Sharing of Information 

The ability for healthcare organizations to securely share information leads a full medical picture of the individual, greater quality of care, and improved patient outcomes.

Knowledge Check

Knowledge Check 

Please complete the following questions to assess your understanding of HIPAA. You will use the information found within this module and the HIPAA website to answer the fill in the blank questions. You will be allowed to have the HIPAA website up on another browser during this activity, please continue to work through the questions until you reach 100% 

Question 1

There are exceptions to the definition of " breach" 

Question 2

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information  

Question 3

The HIPAA Privacy Rule establishes national standards to individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. 

Question 4

HIPAA stands for Health Information and Accountability Act. 

Question 5

When a patient knows their information is protected, they will most likely the health care provider and be willing to share all their health concerns. 

Protected Health Information

Protected Health Information

Protected Health Information 

Individually identifiable health information is referred to by HIPAA as Protected Heath Information (PHI) and includes any information that can identify an individual and can include, but is not limited to:

  • Names/Initials
  • Date of Birth 
  • Medical #'s (Medical Record #, SS #, Insurance #)
  • Relative Names
  • Employer Name
  • Address/Phone #'s
  • Photos
  • Facility Name/Employees Working with Individual Names 


The Privacy Rule  

The Privacy Rule protects PHI held or transmitted, in any form or media, whether electronic, paper, or oral. PHI includes not only current information, but the individual’s past, or future physical or mental health or conditions. Individually identifiable health information not only includes information that identifies the individual but also information for which there is a reasonable basis to believe it can identify the individual. 

It is important to remember, what can identify a patient is different in different settings. For example, a patient's weight, if  abnormal, maybe an obvious identifier in a small town, may not be PHI in a large city. 


Disclosure

HIPAA allows for the transfer of PHI, while also placing restrictions on what PHI can be disclosed and to whom. 

Disclosure of PHI 

Under the Privacy Rule, a covered entity may not use or disclose protected health information except when: it is permitted or required by the Privacy Rule and when the individual has authorized the disclosure in writing. Authorization is usually not required when sharing PHI for three types of reasons: for treatment, payment, or health care operations. Disclosure is also allowed in some emergency situations, or when public health is at risk. 

Minimum Necessary 

A Covered Entity must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the purpose of use. This also includes only the PHI we need to know. For example, you are not allowed to look up patient information you have no need to know, out of curiosity or for any other reason. There will be an example of this in the Violations Section. 

Confidential Areas 

Disclosure of PHI should only take place in confidential area such as staff office and nurses stations. 

Never discuss patients in a public area. 

Students are allowed to discuss clinical experiences within the classroom if attempts are made to de-identify the individual and the discussion is for learning purposes. 

Remember: Do not share any information discussed outside of the classroom environment. 

Patient Rights

Patient Access to Information 

Patients have the right to inspect and receive a copy of their PHI in a designated record set, which includes information about them in both medical and billing records.

Amending Patient Information 

Under the HIPAA Rules, patients have the right to request that your practice amend their PHI in a medical record.

Accounting of Disclosures 

Individuals have a right to receive an accounting of disclosures of their PHI made by your practice to a person or organization outside of your practice.

Right to Restrict Information 

Individuals have the right to request that your practice restrict disclosures including disclosures of PHI for treatment, payment, and health care operations, disclosures to persons involved in the individual’s health care or payment for health care, and disclosures to notify family members or others about the individual’s general condition, location, or death.

Right to Confidential Communication 

Patients have a right to request how they receive information and  practices must accommodate reasonable requests by patients to receive communications by the means or at the locations they specify.

De-indentify Patient Information

De-Identification of PHI 

There are no restrictions on the use of or disclosure of de-identified health information.

2 ways to de-identify information allowed by HIPAA:

1) a formal determination by a qualified expert

 2) the removal of 18 specified individual identifiers as well as absence of actual knowledge by the Covered Entity that the remaining information could be used alone or in combination with other information to identify the individual. 


De-Identification is used in research. You will become more familiar with this process as you learn and conduct more research. 

Video 

Please watch the brief video on      
de-identification and then proceed to the knowledge check for this section

Knowledge Check

Identifying PHI

In the following 2 examples you will identify PHI and that information which is not PHI and label by dropping and dragging to the correct section of the medical record. You will be able to retry until you have completed without error. 

Knowledge Check - Electronic Medical Record

  • PHI
  • PHI
  • PHI
  • PHI
  • Non PHI
  • Non PHI

Knowledge Check-  Medical Record Chart

  • PHI
  • PHI
  • PHI
  • PHI
  • Non PHI
  • Non PHI
  • Non PHI
  • Non PHI

HIPAA and Social Media

Social Media

Social Media 

Social Media presents with a new danger and potential for violation in relation to HIPAA. As more individuals are using various forms of social media, the concerns with HIPAA and PHI increase. It is important that you understand your school’s policy, your workplace policy as well as government rules on the use of HIPAA. Always comply to the strictest rules. Exercise common sense if considering the use of social media.

IF IN DOUBT, DON'T POST!!

Videos

Please review the next two videos regarding the use of social media and HIPAA. While the first examples may seem extreme is some cases, the videos provide a good examples of both ill intent and how easily it is for good intentions to causes major problems. Additionally, although the second video is geared towards nursing, all aspects of the video apply to you as a student in a healthcare setting. 

Remember:  If in doubt, don’t post.

HIPAA and Social Media 

Social Media Guidelines for Nurses  


Social Media Resources

Policies and Considerations

Review the following links for more information on the use of Social Media and considerations with HIPAA and the Privacy Rule.

Email and Text

Email and Texting 

Patients are increasingly wanting to communicate electronically with their providers through email or texting. The Security Rule requires that when you send PHI to your patient, you must send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient.

The Security Rule, however, does not apply to the patient. A patient may send health information to you using email or texting that is not secure. That health information becomes protected by HIPAA Rules once you receive it.

Facebook Scenario

These real-world scenarios will assess your understanding of Social Media considerations. Please work through the following activities until you have successfully completed each scenario. 

Instagram Scenario

These real-world scenarios will assess your understanding of Social Media considerations. Please work through the following activities until you have successfully completed each scenario. 

HIPAA Violations

Consequences of HIPAA Violations

Consequences of Violations 

For an Organization: 

Fines

Loss of Medical Licenses

Closure

 For an Individual: 

Fines

Loss of Job

Loss of License

Jail Time

Loss of Clinical Placement

 Withdrawal from Program

What is a Breach?

Breach 

A breach is generally defined as an impermissible use of, or disclosure of PHI that compromises one or more individuals’ security or privacy. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates that, based on a risk assessment, there is a low probability that the PHI has truly been compromised. If a breach of unsecured PHI occurs, the Breach Notification Rule requires your practice to notify affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media.

Examples of Violations

Please follow the link provided and review at least 5 case examples from 5 different categories. These can either be issues or healthcare settings. This will give you a feel for possible breaches or violations. 

Read the examples of HIPAA violations provided in the following presentation. These provide both violations from individuals and organizations, as well as give some examples of fines imposed. 

Knowledge Check

Please complete the following questions to check you understanding of HIPPA violations and potential fines and penalties. Please continue to work through the questions until you achieve 100%.

Consequences of HIPAA violations include all of the following except:

  • Loss of license
  • Monetary fines
  • Loss of employment
  • Dismissal from the program
  • Jail
  • All are possible consequences

As a student, you cannot be held responsible for a HIPAA violation, that risk falls on your supervisor

  • True, you are not responsible until you have a license
  • False, even students can be help responsible

If you breach PHI, but no one accesses it, there will be no fines or penalties

  • True, penalties only occur when someone accesses or uses the information
  • False, penalties will be issued even with the potential for PHI to be used

In the case of files left on a subway, the hospital had to eventually pay a fine of

  • 100,000 dollars
  • 1,000,000 dollars
  • No fines were issued to the hospital, only the employee who was responsible
  • 1,000 dollars per patient breach for each of the 192 patients

The nurse who posted photos of a patient with a knife in their skull

  • Was never caught
  • Was fired, but later found a job with a competing hospital
  • Faced 1 year in jail and 50,000 dollars in fines
  • Was fired and the hospital was fined 100,000 dollars

Untitled multiple choice question

  • Put your answer option here
  • Put your answer option here

What is Your Responsibility

What isYour Role and Responsibility in HIPAA Compliance?

What is Your Role and Responsibility in HIPAA Compliance?

Everyone has a role to play in the privacy and security of  health information and maintaining HIPAA rules and regulations. Let's review your roles and responsibility in HIPAA compliance. 

  • Do not discuss patients outside of the classroom or workplace
  • Do not share PHI with anyone who does not have a need to know or who has not been authorized to have the information
  • Be mindful of your access to medical records, only access files that you have a need to know
  • Do not take files or records outside of the workplace, if your work does require you to take patient files on a computer outside of the workplace assure it is password protected 
  • Report any potential breaches such as a lost or stolen computer or other device immediately 
  • Avoid texting or emailing patients unless data is encrypted or password protected 
  • Be extremely mindful of post on social media, or avoid social media all together regarding patients 
  • If you know of or suspect a breach from a co-worker or organization, report it immediately
  • Obtain written authorization or consent for any use of PHI
  • Keep aware of rules, regulations and maintain required training for HIPAA compliance 

Reporting a Breach or Violation

Reporting a Breach or Violation 

If you know of, or suspect a HIPAA violation or breach of PHI, start by contacting your supervisor and follow the chain of command at your workplace. If you do not get results, or if the company is at fault and does not respond you can file with the US Department of Health and Human Services. 

Knowledge Check

Please complete the following questions to check you understanding of your roles responsibility in preventing HIPAA violations and breaches and reporting them. Again, continue to work through the questions until you are confident in the correct answers. 

Someone misinterpreting my intentions with a Facebook post

  • My Role/Responsibility
  • Not My Role/Responsibility

Other people overhearing when I discuss my patient with the next therapist in the hospital cafeteria

  • My Role/Responsibility
  • Not My Role/Responsibility

The security of the hospitals electronic medical record system

  • My Role/Responsibility
  • Not My Role/Responsibility

Enforcing penalties if a breach has occurred in your workplace

  • My Role/Responsibility
  • Not My Role/Responsibility

The security of charts that I am required to take home in order to complete paperwork

  • My Role/Responsibility
  • Not My Role/Responsibility

Resources

Resources

Resources 

Feel free to take advantage of the resources provide if you would like further information or have any additional questions. Do not hesitate to contact me or someone within the program if you have any questions following this module