HIPAA TRAINING

TABLE OF CONTENTS

Course Objectives

Handout on HIPAA required training

Home Health Policy C-383 (Client Privacy Rights)

Home Health Policy C-386 (Consent For Use & disclosure of Protected Health Information)

Policy: Authorization For Release of Medical Records

Home Health Policy C-384 (Notice of Privacy Practices)

Practicum

Practicum answers

HIPAA exam

HIPAA exam answers

COURSE OBJECTIVES:

To educate, inform, and instruct Agency staff members regarding HIPAA and their responsibilities in complying with all aspects of the law.

COURSE METHODOLOGY:

1. Review contents of training material with all Agency staff.

2. Review the HIPAA Practicum as a classroom exercise.

3. Each employee will take the written test.

COURSE GOALS:

1. Employees will pass the written HIPAA test, scoring 80% or higher.

2. Employees will demonstrate compliance with HIPAA in the Agency work setting.

WHY IS PATIENT CONFIDENTIALITY SO IMPORTANT IN A HOME HEALTH AGENCY?

The law entitled the Health Insurance Portability and Accountability Act of 1996, or "HIPAA" for short, requires health care providers to keep their clients' health information confidential. Under HIPAA, agencies are only allowed to share this information with individuals who need it to do their jobs.

The law also includes penalties for anyone who violates client privacy.

Individuals and agencies who intentionally compromise client confidentiality for financial gain can be fined as much as $250,000 or go to jail for up to 10 years. Even accidentally breaking the rules can result in fines. CMS and the State Agency (SA) can also impose penalties.

WHAT IS HIPAA?

HIPAA is a broad law that covers a variety of issues. One of the goals of HIPAA is to enable people to move easily from one health insurance plan to another as they change jobs or become unemployed and allow providers treating clients to share information more easily.

The law requires all health care organizations and payers to use standard formats for common transactions, such as submitting a claim to a third-party payer for reimbursement.

With the technology available in the 21st century, such as e-mail, internet access, and electronic records, it is much easier for providers to share health records, but it is also much easier for individuals to misuse this information.

The HIPAA law contains sections with requirements for protecting client privacy and confidentiality and ensuring security of health information.

Under HIPAA, it is illegal to release health information without permission or to fail to protect it adequately from unauthorized release.

What are the consequences of breaking the rules?

Violating HIPAA’s privacy or security rules can result in civil or criminal penalties.

The civil penalties are fines of up to $100 per violation of the law, per person, up to a limit of $25,000 per year for each identical requirement. (These are the figures in the original 1996 law; the HITECH Act of 2009 later raised civil penalties substantially and introduced a tiered structure based on the level of negligence, so the figures below should be read as the minimum exposure.) An example of this penalty is listed below:

If a home care agency releases 50 client records illegally, it could be fined $100/record, for a total of $5,000.

If the home care agency releases 50 client records illegally to 3 separate marketing companies, the fines would be $15,000

The entities and individuals responsible for the violations are also subject to criminal penalties that can include large fines and jail time. The penalties increase with the seriousness of the offense. Selling client information is a more egregious offense than accidentally exposing the information to the public. These penalties can be as high as $250,000 in fines and/or a prison sentence of 10 years.

Examples of this type of infraction are listed below:

Marketing staff who knowingly release confidential client information in violation of HIPAA can receive up to a one-year jail sentence and a $50,000 fine.

Staff members who obtain health information under false pretenses can receive up to a five-year jail sentence and a $100,000 fine.

Releasing client information with harmful intent or selling the information can lead to a 10-year jail sentence and a $250,000 fine.

WHAT IS CONSIDERED CONFIDENTIAL INFORMATION?

Confidential information is identifying information and information about the client’s health care condition, their care needs, treatments, etc.

Listed below are examples of client confidential information:

Client Name

Client Address

Client Age

Client Social Security Number

Client diagnoses

Client medical history

Client medications

Observations of the client’s health status

Client laboratory results, diagnostic testing results, surgical and medical treatment plans, interventions, and outcomes

AS HEALTH CARE STAFF OF AGING & DISABLED HOME HEALTH CARE YOU MUST ALWAYS BE ASKING YOURSELF THE

Doctors, nurses, therapists, dietitians, and other clinicians use the above information to determine how to treat clients.

The billing department uses confidential information to bill clients, their insurance companies, Medicare, or Medicaid for services.

Agency staff performing quality assurance activities review confidential information to ensure clients are receiving quality, appropriate care.

Uses beyond those listed above are not allowed!


Do I need to know this information to effectively perform my job?

HIPAA requires health care workers to use or share only the "minimum necessary" information they need to do their jobs effectively. For example, a billing clerk may need to look at various documents from a wound care client's current episode of care to file claims correctly. However, looking at the Agency's documents on the same client's hip fracture care 5 years ago would be unnecessary and inappropriate.

The minimum necessary requirement does not apply to uses and disclosures for treatment. Clinical staff is allowed to look at their client’s entire record and share information freely with other clinicians directly caring for that client.

WHO IS AUTHORIZED TO SEE INFORMATION?

All agency employees and volunteers contribute in some manner to the quality of care received by the client.

Does this mean everyone is allowed to see health information regarding the clients? NO

Many employees and volunteers have no access to client information, either computerized or on paper, because they do not need this information to perform their jobs.

One example of this would be a volunteer who works in the agency office 4 hours a week making copies of blank forms for the clinicians to use to document their client visits.

Another example is a receptionist who is only employed to answer the phones.

A third example is a clerk who is employed to order office supplies.

Neither volunteer, receptionist, nor clerk should have a password for access to computerized medical records.

REMEMBER: IF YOU DO NOT NEED TO KNOW CONFIDENTIAL CLIENT INFORMATION, YOU SHOULD NOT LOOK AT CLIENT MEDICAL FILES.

HIPAA requires each organization to appoint a Privacy Officer to make sure no one violates the Privacy Rule. This staff member is responsible for developing the Agency's privacy policies and enforcing them.

Even if you do not have access to client medical files yourself, it is part of your job to help the Agency keep its commitment to client confidentiality. If you spot violations, report them either to your supervisor or directly to the Privacy Officer.

WHAT TO DO IF OR WHEN YOU OVERHEAR CLIENT CONFIDENTIAL INFORMATION?

Even if you do not need to use client information in your job, there still may be occasions when you overhear or see confidential information. When that happens, remember that the information is private and you are not allowed to repeat it or share it with others. This rule applies even after you no longer work at this Agency.

You may also find that clients speak with you about their health condition even though you do not need to know all the information to do your job. There is nothing wrong with this, but remember that the client trusts you to keep that information confidential.

QUESTION:

What should you do when you overhear other employees discussing client care around individuals who do not have a right to hear this information?

ANSWER:

Remind the employees of the agency’s policy and let them know that they can be overheard.

HOW CAN I PROTECT CLIENT CONFIDENTIALITY?

Even when providing care in the privacy of a client’s home, we have to be diligent regarding the protection of confidentiality. Do not assume that your client is comfortable with you discussing his or her condition in front of or within earshot of family members or friends.

Instead, ask the client whether he or she wants you to share information with specific individuals and obtain permission to do so. Likewise, before leaving copies of the client’s chart or other health information in the home, obtain the client’s agreement.

Do not leave client records, including any piece of paper, computer, or handheld device containing client health information, where others can see and read them. That means not leaving client files on your car seat or in a bag at the front door while you are inside another client's home. It also means not leaving client information around your own home where your family members or guests might see it.

When rushing from one visit to the next, remember that you do not want to interfere with client privacy or jeopardize the confidentiality of client information in the process.

HOW AGING & DISABLED HOME HEALTH CARE STAFF CAN ASSIST CLIENTS IN UNDERSTANDING THEIR RIGHTS UNDER HIPAA:

It is important that clients understand how they can protect their own health information and how providers protect it. The HIPAA Privacy Rule requires health care providers to give clients a notice that tells them how their information will be used.

This notice also tells clients that they have the right to access their own records and request amendments to them.

New clients should receive the Notice of Privacy Practices before they begin receiving care from the Agency.

If clients have questions about how the Agency uses information, direct them to this Notice of Privacy Practices or to the agency’s privacy officer for answers to their questions.

HIPAA requires the Agency to make "good-faith efforts" to obtain clients' written acknowledgement that they received a copy of the Notice of Privacy Practices.

o The Notice is posted in a clear and prominent location within the Agency office.

o Clients will receive a copy of the notice of privacy practices in their Home Health Admission packet at time of admission to the Agency.

o The admitting clinician reviews the Notice of Privacy Practices with all clients at time of admission to home care.

CAN AGING & DISABLED HOME HEALTH CARE UTILIZE THE CLIENT SPECIFIC INFORMATION PROTECTED BY HIPAA FOR REASONS OTHER THAN TREATMENT, PAYMENT OR ROUTINE OPERATIONS?

The answer is yes; however, the Agency must obtain an authorization from the client before using the information. For example, the Agency must get authorization before selling mailing lists to marketing companies. With the authorization, which must be in writing, the client is voluntarily agreeing to let the Agency use the information only for the specific authorized purpose.

The Agency may not require clients to sign authorizations. The Agency must provide care regardless of whether the client agrees to allow the Agency to use or disclose his/her health information beyond the scope of treatment, payment, and routine operations.

HOW DOES THE AGING & DISABLED HOME HEALTH CARE PROTECT CLIENT PRIVACY?

The Agency enforces rules and policies and uses various tools to ensure employees protect the confidentiality of client information.

Agency privacy practices include the following:

Employees who use computerized records must not leave their computers logged in to the client information systems while they are not using them.

Computer screens containing client information must be turned away from the view of the public or people passing by.

Discussions about client care must be kept private so that visitors and others do not overhear the discussions.

The Agency must monitor who gains access to records to ensure that they are being used appropriately.

Paper records that are no longer needed must always be shredded or placed in closed receptacles for delivery to a recycling company that will shred them. PAPER RECORDS MUST NEVER BE LEFT IN THE TRASH CAN.
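The practices above require the Agency to be able to tell who looked at what, and to check that each access matched a business need: clinicians may read the whole record of clients they care for (the treatment exception), billing staff only what a claim needs from the current episode, and receptionists, volunteers and supply clerks nothing at all. The following is an added, illustrative example of that review, written for this page; it is not the Agency's own tooling. The audit-log format, the role names, the caseload table, the record-section names and the sample log lines are all constructed here for illustration.

```python
"""Illustrative audit-log review for the "monitor who gains access" and
"need to know" practices.  Added example, not the Agency's own software:
log format, role names, section names, caseload and sample entries are all
constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime

# Roles the training text says have no business need for client records
# (receptionist, office volunteer, supply clerk).  Assumed role names.
NO_RECORD_ACCESS_ROLES = {"receptionist", "volunteer", "supply_clerk"}

# Record sections a billing clerk needs to file a claim ("minimum necessary").
# Assumed section names.
BILLING_SECTIONS = {"claims", "visit_notes"}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    role: str
    client_id: str
    section: str           # e.g. "visit_notes", "claims", "history"
    episode_current: bool  # True if the record is from the client's current episode of care


def parse_line(line: str) -> AccessEvent:
    """Parse one pipe-delimited audit line (constructed format):
    ISO-time|user|role|client_id|section|current-or-prior"""
    when, user, role, client_id, section, episode = [f.strip() for f in line.split("|")]
    return AccessEvent(datetime.fromisoformat(when), user, role, client_id,
                       section, episode == "current")


def review_access(events, caseload):
    """Return (event, reason) pairs for accesses that conflict with the
    need-to-know practices.  `caseload` maps a clinician's user name to the
    set of client_ids assigned to that clinician (assumed data source)."""
    findings = []
    for ev in events:
        if ev.role in NO_RECORD_ACCESS_ROLES:
            findings.append((ev, "role has no business need for client records"))
        elif ev.role == "clinician":
            # Treatment is exempt from minimum-necessary, but only for the
            # clinicians actually caring for that client.
            if ev.client_id not in caseload.get(ev.user, set()):
                findings.append((ev, "client not on clinician's caseload"))
        elif ev.role == "billing":
            # Billing may read only claim-related sections of the current episode.
            if ev.section not in BILLING_SECTIONS or not ev.episode_current:
                findings.append((ev, "beyond minimum necessary for billing"))
        elif ev.role == "quality_assurance":
            pass  # QA review of any record is a permitted health care operation
        else:
            findings.append((ev, f"unknown role {ev.role!r}"))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-03-04T09:02:11|rn_perez|clinician|C1001|history|prior
2024-03-04T09:15:40|rn_perez|clinician|C2002|visit_notes|current
2024-03-04T10:01:03|bill_ng|billing|C1001|claims|current
2024-03-04T10:05:27|bill_ng|billing|C1001|history|prior
2024-03-04T10:30:00|front_desk|receptionist|C1001|visit_notes|current
2024-03-04T11:12:45|qa_lee|quality_assurance|C2002|history|prior
"""

# Constructed caseload: rn_perez is assigned only to client C1001.
SAMPLE_CASELOAD = {"rn_perez": {"C1001"}}


def review_sample():
    """Run the review over the constructed sample log."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return review_access(events, SAMPLE_CASELOAD)


if __name__ == "__main__":
    for ev, reason in review_sample():
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user:<11} {ev.role:<18} "
              f"{ev.client_id} {ev.section:<12} -> {reason}")
```

Run as written, the review flags three of the six sample accesses: the nurse reading a client who is not on her caseload, the billing clerk reading a prior episode's history, and the receptionist reading visit notes. The nurse's read of her own client's five-year-old history is not flagged, because treatment access is exempt from the minimum-necessary rule. A review like this is only as good as the login attribution behind it, which is why the Agency requires individual passwords and forbids sharing them.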

IS IT OK FOR THE EMPLOYEE TO ACCESS THEIR PERSONAL E-MAIL ACCOUNT FROM THE AGENCY’S COMPUTER?

Follow Agency policy.

These policies protect both the confidentiality of information and the Agency's computers from viruses that can harm them.

Remember that work e-mail is not meant for personal use.

Opening or sharing attached files from unknown sources can open the door to viruses and hackers.

It is also important to keep in mind that you can never be sure who will have access to your message on the receiving end.

Never send confidential information regarding a client in an e-mail over a public network unless the Agency's policy allows it. If it does, make sure the use of e-mail meets the criteria of Agency policy, and follow the procedures established to protect the message from being intercepted.

When you send e-mail, always double-check the address line just before sending the message to be sure that your e-mail doesn’t go to the wrong person or list by mistake.

HOW SHOULD AGENCY EMPLOYEES PROTECT INFORMATION ON THEIR COMPUTERS?

Review the Agency’s computer use policies.

Never use company e-mail for personal messages.

Never open or share attached files from an unknown source.

Never send confidential patient information by e-mail unless the message is encrypted.

Passwords and other security features help prevent unauthorized access to the computer system.

Never share your computer password with another employee or log in to the health information system using someone else’s password. It is essential that the Agency be able to tell who looks at what records.

Do not write passwords down, post them, or keep them where others can find them.

Always keep computer screens pointed away from the public.

Do not let others use the laptop or handheld device you use for work.

WHAT SHOULD THE EMPLOYEE DO IF THEY OBSERVE A CO- WORKER BREAKING THE HIPAA RULES?

As an employee of the Agency, part of your job is to help maintain privacy for clients as they receive care.

This Agency’s administration expects all employees to adhere to privacy and confidentiality policies, but knows there may be times when employees do not follow the rules.

Employees are encouraged to report violations to the Agency's Privacy Officer. The report may be made anonymously, and an employee who reports a privacy violation need not fear retaliation.

It is a part of all employees’ job descriptions to report violations of Privacy Practices.

EXCEPTIONS TO THE RULES
6 REASONS TO RELEASE CONFIDENTIAL INFORMATION WITHOUT AUTHORIZATION:

1. State health agencies require providers to report to them when clients have certain communicable diseases, even if the client does not want the information reported.

2. The Food and Drug Administration (FDA) requires the Agency to report certain information about medical devices that break or malfunction.

3. The State requires physicians and other caregivers who suspect child or adult abuse or domestic violence to report it to the police.

4. Police have the right to request certain information about clients to determine whether they are suspects in a criminal investigation.

5. The courts have the right to order the Agency to release client information.

6. The Agency must report cases of suspicious deaths or suspected crime victims to the police.

In all of the above situations the Agency complies with the law and reports information when necessary. It will be the responsibility of the Privacy Officer or Administrator to report the information.

PRACTICUM

SCENARIO # 1

Question: An elderly woman who lives in an independent living facility is receiving services from the Agency. Several of her neighbors notice the home care nurse making her visit and ask the nurse how ill the woman is. They want to know if she is going to get better, what her problem is, and do her children know she is ill.

Should the nurse tell the neighbors anything about the client’s condition?

SCENARIO # 2

Question: The home health aide arrives at a client’s home for a regularly scheduled visit and there is no response to the door. The neighbor in the next apartment informs the home health aide that the ambulance came and took the client to the hospital. The home health aide has the phone number of the client’s adult daughter. Should the home health aide call the daughter?

SCENARIO # 3

Question: An Agency employee walks by a trash can in the office and notices a pile of photocopied client records on top of the trash. How should the employee handle this situation?

SCENARIO # 4

Question: The Agency billing clerk is working on the monthly billing and notices the name of a friend on one of the bills. Should the billing clerk read the friend’s record to find out why she’s receiving home health services? Should the billing clerk call her friend?

SCENARIO # 5

Question: A man comes into the reception area and informs the receptionist that he is here to work on the computer system and asks the receptionist to open the door for him and to point the way to the system. How should the receptionist respond?

SCENARIO # 6

Question: The medical records specialist has access to the Agency's computerized medical record system. A field nurse asks to use the specialist's password to log into the system to check the vital signs documented on the last home visit. Should the medical records specialist share the login information and password?

SCENARIO # 7

Question: A nurse enters an unattended work area at the Agency office and notices a password for the computer system written on a post-it note and attached to the wall above the computer system. What should the nurse do?

SCENARIO # 8

Question: The Director of Nursing (DON) of the Agency receives a call from one of the clients' physicians. The physician asks the DON to send the client's medical information via e-mail to his home personal computer, as he is going to work from home and needs this information to complete his review of the client's plan of care. What should the DON do?

HIPAA PRACTICUM ANSWERS

Question # 1:

The answer is no. The nurse does not have the right to tell the neighbors anything about the woman’s condition.

Looking at client records for any non-business reason is cause for immediate dismissal and can have legal consequences. As an employee, if you share or repeat confidential information, either deliberately or by accident, you can lose your job.

It is important to understand that protecting confidential information is a responsibility the entire work force share, regardless of whether they directly care for clients or perform clerical work in the office.

Question # 2:

The answer is no.

The hospital employees will be contacting the client’s family.

Question # 3:

The employee should gather the photocopied records and take them to their supervisor or the Agency Privacy Officer.

Question # 4:

The answer is no. If the billing clerk learned of her friend’s condition only because she happened to see her name in some of her paperwork, the billing clerk should not call her friend, nor should she read any more of the record than needed to complete her billing task.

Question # 5:

The receptionist should ask the man who at the Agency contacted him, and should not open the door or show him where the system is until that contact is confirmed. The receptionist should find that individual, and he or she can take the man to the appropriate work area. If the man cannot tell the receptionist who his contact is, the receptionist should contact the supervisor.

Question # 6:

The answer is no. The HIPAA security standards require individual passwords for each employee with access to electronic versions of protected health information stored in an Agency’s computer system. They also require that all employees keep their access secure by using only their own login name and password. Employees cannot share passwords and should change them frequently, according to the Agency’s policy and procedure.

Question # 7:

The nurse should notify the supervisor that a password appears to be publicly available.

Question # 8:

The answer is no. Electronically transmitting protected health information to an unsecured e-mail address is not allowed.

HIPAA COMPETENCY EXAM QUESTIONS

1. T F The criminal penalties for improperly disclosing client health information can include fines of up to $250,000 and prison sentences of up to 10 years.

2. T F Privacy laws do not allow health care providers to report suspected abuse and certain public health information to authorities, even when other laws require it.

3. T F It is acceptable to dispose of photocopies of client medical records in the trash can.

4. T F While a client's health-related information is covered under the confidentiality protections, other information such as the client's address, age, phone number, etc. is not protected.

5. T F Any employee who violates the Agency privacy policy may be subject to discipline and termination of employment with the Agency.

6. The medical records clerk of the Agency receives a phone call from one of her friends inquiring about the condition of one of the Agency clients. What should the medical records clerk do?

a. Tell the friend how the client is responding to treatment.

b. Ask the friend if she is a close friend of the client and then decide how much information to share.

c. Explain that it is a violation of the client’s privacy to discuss the client’s condition.

d. None of the above

7. The home health aide overhears the nurses discussing the decline in health status of a particular client and that the client is close to death. When is it acceptable for the home health aide to repeat to others this private health information she heard while on the job?

a. When the home health aide has resigned employment with the Agency

b. Following the client’s death

c. Only if the home health aide knows the client well

d. When the home health aide’s job requires it

8. Which of the following are common features designed to protect confidentiality of health information contained in patient medical records?

a. Locks on medical records rooms

b. Passwords to access computerized records

c. Rules that prohibit employees from looking at records unless they have a need to know

d. All of the above

9. T F As an Agency employee you should not send medical record information via e-mail unless the Agency has a process in place to protect the message from being intercepted or altered during transmission.

10. T F It is ok to share computer passwords in the work setting.

11. T F It is acceptable to release confidential information to the police without client authorization when there is suspected domestic violence.

12. T F Only employees who need access to client records have to worry about protecting client privacy and confidentiality.

13. T F Clients are provided a copy and an explanation of the Agency's Notice of Privacy Practices at time of admission to service.

14. What does the acronym HIPAA stand for?

15. T F As an employee of the Agency it is acceptable to take the Agency's laptop computer with client health information home at the end of the work day, as the employee will need the laptop to make a home visit on her way to the office the next day. It is acceptable for the employee to allow her child to use the laptop to research schoolwork on the internet.

HIPAA COMPETENCY EXAM ANSWERS

1. True

2. False

3. False

4. False

5. True

6. C

7. D

8. D

9. True

10. False

11. True

12. False

13. True

14. Health Insurance Portability & Accountability Act

15. False

HAVE ALL AGENCY STAFF READ THE FOLLOWING AGENCY POLICIES:

1. CLIENT PRIVACY RIGHTS

2. CONSENT FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

3. NOTICE OF PRIVACY PRACTICES