
HIPAA Basics: Privacy
The History of HIPAA
As health care providers, we have always been called upon to maintain the privacy and confidentiality of a patient’s health information.

This is an ethical and legal obligation that we hold as nurses and as nursing students.

Until recently, a patient’s medical record was recorded and maintained primarily on paper and stored in the offices of physicians, hospitals, and other health care professionals.

These records were kept safe in locked cabinets or closets.

The History of HIPAA
With the advent of computers and other electronic technology, we are now able to maintain electronic files that allow us more flexibility in communicating information between offices, hospitals, and clinics, as well as cutting down on the space requirements for storage. In addition, we are better able to track and analyze data that helps us to be more effective in providing care as well as in controlling costs.

According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization. There are, however, concerns that the increase in electronic information results in a loss of privacy and confidentiality.

Because so many people potentially have access to patient medical information now, we need to do more to ensure that the only people who do access the medical information are those who need to have access in order to provide care.

The History of HIPAA
The Federal government passed a law in 1996 that creates national standards to protect patients’ medical records as well as other personal health information.

This Federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).

The History of HIPAA
• HIPAA became effective on April 14, 2003. It sets forth minimum standards that facilities must follow to protect patients’ health information. The key term associated with the privacy rules is Protected Health Information or PHI. It covers information that can be found in:
  • Information used within the facility
  • Verbal or written information
  • Information stored in computer files
  • Information stored in paper patient files
  • Information shared with other health care providers, payers or third parties

Failure to Comply
Every health care organization is expected to develop policies and procedures to guide practices within their facility. Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations.

Each team member’s work is important for patient care. At the same time, it is essential that all patients’ health information be kept confidential.

Organizations or individuals that violate the Privacy rules are subject to monetary fines (up to $250,000!) and/or civil or criminal charges (up to 10 years in jail!).

Failure to comply may also hurt the reputation of the facility, put accreditation at risk, and result in costly lawsuits.

HIPAA Goal
The goal of the privacy program is to protect confidential information from improper use or disclosure.

What does this mean to you?

Administrative Requirements
Every agency must:
• Appoint a Privacy Officer.
• Develop policies and procedures that guide HIPAA implementation, evaluation and revision. These should include actions taken for people who do not follow the directives.
• Provide education on HIPAA and organizational policies and procedures.
• Develop a process for handling privacy-related complaints.
• Ensure no retaliation occurs against someone who reports potential violations in good faith.
• Take appropriate action to minimize any harm that may result from breach of privacy.
• Ensure processes are in place to demonstrate compliance with documentation and record keeping.

YOUR Responsibility
You must respect confidential information about patients and use information only to perform your role as a student nurse in that agency.

It is your responsibility to be sure patient information is only given or disclosed to others who have a legal right to it.

What information needs to be kept private?
• All information that identifies an individual is considered confidential.
• This includes, but is not limited to, name, address, date of birth, phone/fax numbers, social security number, medical record number, and photographs.
• It also includes nursing and physician notes, as well as billing and other treatment records used during a patient’s visit in a hospital or office.

HIPAA Patient Rights
HIPAA guarantees several rights to patients:
• Right to privacy
• Right to confidential use of their health information for their treatment, billing process, and other health care operations (such as quality improvement)
• Right to access and amend their health information upon request
• Right to provide specific authorization for use of their health information other than for treatment, billing and other health care operations
• Right to have their name withheld from our patient directories
• Right to request that information is not given out concerning their care to specific individuals including the right to ‘opt out’ of our patient directory (name not listed as being present in our facility other than for treatment, billing, and other health care operations)
• Right to request that individuals are not told of their presence in our facilities

HIPAA Patient Rights
Every patient should receive a document called a Notice and be asked to sign an Authorization.

This Notice gives patients:
• Information about their rights.
• A description of how their PHI may be used by the facility.
• A comprehensive list of others to whom their health information may be disclosed.

The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation.

HIPAA Patient Rights
• An Authorization is a form signed by the patient for the use and disclosure of specific PHI that are not related to treatment, payment, or health care operations.
• There are some uses and disclosures where an authorization is not required.
• When in doubt about what information is required to have a signed authorization for release, ask!

HIPAA Patient Rights

What do you need to know?
• Patients have the right to register complaints with Federal agencies and with the facility if they feel their rights have been violated.
• Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation.
• If you are uncertain about what information may be given out, talk to your instructor or one of the nurses on the unit where you are assigned, or contact the Privacy Officer.

Review Question
HIPAA’s goal is to catch staff sharing patients’ health information with those who do not need the information.

True or False?

To see the correct answer, click on NEXT.

Answer

ANSWER: FALSE

The goal of HIPAA is to protect confidential patient information from improper use or disclosure.

If you see an apparent violation, you should report it to your instructor who will immediately assist you in contacting the Privacy Officer.

Unauthorized Disclosures
Some of the biggest threats to patient privacy are unintentional disclosures of information:
• Discussing a case where other patients or visitors may overhear, such as in elevators, hallways or the cafeteria.
• Leaving sensitive information out where patients or visitors can see it.

Another threat to patient privacy is when a workforce member intentionally uses or discloses information in an unauthorized way:
• Copying information and taking it home.
• Removing medical records from the health facility and giving them to others who have no legal right to them.
• Deliberately sharing information with unauthorized persons (family members, friends, or news reporters).
• Using confidential information in gossiping about patients.
• Leaving computer unattended after logging in to

Unauthorized Disclosures
It is essential that everyone who provides care and services to patients be aware of what is going on in their surroundings to ensure that confidential information is only shared with those who need to know, and at the minimum level necessary to enable them to carry out duties and responsibilities safely, effectively, and efficiently.

Always be aware of where you are, who is around you, and what information can be seen or heard. It may not be possible to ensure absolute privacy, but reasonable measures need to be taken to “minimize the chance of incidental disclosure to others.”

Don’t browse through a patient’s chart or other files out of curiosity. Access only the portions of the medical record you need to perform your specific role as a student nurse.

Review Question
One of the privileges of working in health care is that we have access to our family and friends’ health information so we can find out when they have an illness.

True or False?

To see the correct answer, click on NEXT.

Answer
ANSWER: FALSE

We do not have a right to access anyone’s health information including family members unless it is directly needed for the completion of our job responsibilities for a patient.

If you accidentally see patient information that is not directly needed for you to perform your job, you cannot share that information with anyone else.

Verify Identity

Before you can release information about a patient, you must first confirm the identity of the person requesting information about the patient, whether in person, by phone, or in writing.

What methods can be used to verify identity?
• A photo ID
• Information that only the patient would know, and which you can confirm, such as the patient’s middle name

Security Rules
Privacy rules identify what information is protected and define when and how that information may be used or disclosed.

Security rules apply to PHI that is sent electronically from one location to another. Security rules identify steps to take to secure PHI that is in electronic format. They also apply to PHI that may be used or stored by the facility.

There are four key parts which work together to protect PHI. These are:
1. Physical Security: hands-on access to computer hardware, systems, areas, and buildings.
2. Technical Security: the process to identify the access and type of information individuals may access and view on a computer.
3. Technical Security Mechanisms: processes that automatically monitor systems activity and report suspicious activity.
4. Administrative Procedures: policies and procedures that define steps the facility will take to address the above.

These define the basic level of security that must be in place to comply with HIPAA.

Electronic Communication
Part of ensuring the privacy rules is to understand how information is stored, transmitted, and accessed by staff.

Faxes, e-mails, and computer printouts may contain patient information. Take precautions to ensure that these types of communications get to their intended destination.

As students, you will likely not be in a position to fax or email patient information to others. If you are placed in a situation where this becomes necessary, talk with your instructor about the proper procedure.

Case Scenario
Dr. Williams asks Sue, a nurse, to bring up his patient’s lab results on the computer screen. Dr. Williams looks around and does not see any other staff or visitors in the area. He asks Sue to turn the monitor so he can see the chart. There is no other person around the desk when the screen is turned towards him. When Dr. Williams is finished, Sue turns the screen back around facing away from public view.

Dr. Williams and Sue violated the patient’s privacy by turning the screen and viewing the lab results.

True or False?

To see the correct answer, click on NEXT.

Case Answer
ANSWER: False

They took the time to examine their surroundings and made certain that no unauthorized individuals were near. Turning the screen and then returning it to a secure position is an acceptable practice.

If visitors or others were present, the doctor would need to go behind the desk and view the screen.

Paper Communication
You will find during your clinical experiences that there is a lot of paper that contains confidential patient information. Make sure you keep this paper out of the public view.

Do not leave documents where the public can easily access them, even accidentally. Many of you may use visitors’ lounges for conferences. Do not leave your papers or any medical record information where it can be seen by others.

When documents containing patient information are no longer needed, shred them or dispose of them in designated containers.

Case Question
Julie is a nurse entering notes into a patient chart at the nurse’s station where visitors come to ask questions. Jeff, another nurse, steps out of a patient’s room and asks Julie for help. Julie leaves the chart open on the desk, then goes to assist Jeff in the patient’s room.

Q: Leaving the chart open on the desk when the nurse leaves the area is OK because she will be right back and trying to find her place would take too much time.

True or False?

To see the correct answer, click on NEXT.

Case Answer
ANSWER: False

The best way to maintain patient confidentiality is to never leave records unattended in public places. Closing the chart is a good first step. In a non-emergency situation, return the chart to its designated location before leaving the area. In an emergency situation, secure the chart using your professional judgment, then proceed to assist with the emergency.

Verbal Communication
Nursing is never practiced in isolation. It is a collaborative team operation. As a result, there are many times when you will need to discuss patient information with colleagues.

In doing so, remember you must:
• Only discuss information relevant to the patient’s care.
• Only include those involved in the patient’s care.
• Select an area that is as private as possible, and check the surroundings to ensure no one will overhear confidential information who shouldn’t.

Case Scenario
Jennifer, a nurse, and Tom, a physical therapist, are eating lunch together in the cafeteria. They begin discussing a patient that they are both treating. The cafeteria is crowded and others around them can hear them referring to the patient’s name and other confidential information.

Q: They are violating the patient’s privacy in this situation.

True or False?

To see the correct answer, click on NEXT.

Case Answer
ANSWER: True

Never discuss a patient’s health information in areas where there are others that don’t need to know about it. If you need to discuss a patient’s care with a co-worker, speak softly in an area away from the public.

Case and Question
An adult daughter of an elderly patient is present in the room when his doctor enters to speak with the patient about test results. The patient introduces his daughter to the doctor, and then asks the doctor if the test results are back. The doctor begins to explain the results to the patient.

Q: The doctor violated the patient’s privacy by talking about the test results with the daughter present in the room.

True or False?

To see the correct answer, click on NEXT.

Case Answer
ANSWER: False

Since the patient asked about the results with his daughter in the
room, the doctor can assume that it is appropriate to share the
results at that time.

Case Question
In a Radiology waiting room, an x-ray technologist calls the next patient by name saying “Jane Smith, we are ready for you to get your sonogram now.”

Q: The x-ray technologist violated the patient’s privacy by calling out her name and test to be performed.

True or False?

To see the correct answer, click on NEXT.

Case Answer
ANSWER: True

Employees in doctor’s offices and waiting rooms are allowed to publicly call a patient’s name. However, care should be taken to limit any other information communicated.

The x-ray technologist should not have mentioned the test to be performed. Stating that the patient is having a sonogram is unacceptable. “Jane Smith, we are ready for you now.” is acceptable.

Non-Retaliation Policy
• There should also be a policy in place to safeguard the rights of a person who, in good faith, reports a privacy violation.
• Action should not be taken against anyone who, in good faith:
  • Exercises her or his rights, including filing a complaint.
  • Contacts or sends a complaint to the Department of Health and Human Services.
  • Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing.
  • Believes that an act or practice is against the law.
• The person reporting the violation must have a reason to believe that there is a problem and may not use or disclose PHI to address her or his concern.

Complaints
If you feel there has been a privacy violation, inform your instructor who will immediately assist you in contacting the Privacy Officer.

Refer patients who have a privacy concern or complaint to the nurse in charge of the unit.

Summary
• All health information that specifically identifies an individual is considered confidential.
• Protecting the privacy of patient information is everyone’s responsibility.
• Even though you are a student nurse, you are an active part of this program. Use patient information only to perform your responsibilities as assigned.
• Be aware! Don’t intentionally or unintentionally disclose patient information. Help others to do the same.
• If you suspect any privacy violations or concerns, notify your instructor who will immediately assist you in contacting the Privacy Office.

Thank You!
• We are HIPAA compliant...
• Are You?
