Health Information Privacy
Division of Public Health

Objective
To enhance your understanding of Health Information Privacy

Core Competencies and Essential Services
Public Health Core Competencies
• Analytic/Assessment Skills,
• Policy Development/Program Planning Skills, and
• Communication Skills.
Essential Public Health Services
• # 3 Inform, educate, and empower people about health issues and
• # 8 Assure a competent public health and personal health care workforce.

HIPAA
The purpose of HIPAA (Health Insurance Portability & Accountability Act) is to protect the confidentiality, integrity, and availability of an individual’s protected health information.

What is Protected Health Information?
Protected Health Information (PHI) is information that is oral, recorded on paper, or sent electronically about an individual’s physical or mental health, services rendered or payment for services.

Hybrid Entity
The Division of Public Health (DPH) is considered to be a hybrid entity. DPH has activities that are covered and other activities not covered by the privacy rule.

Other Regulations/Rules
• Always keep in mind Delaware Code
• Federal Regulations
  > HIV/AIDS
  > Mental Health
  > STD
  > Drug and Alcohol
  > Public Health Activity
  > Surveillance
  > Emergency Preparedness

Minimum Necessary Standard
Only access and use the client information that you need to do your job.

Permitted Use or Disclosure
• Treatment
• Payment
• Healthcare operations

Permitted Use
• A laboratory may fax, or communicate over the phone, a client’s medical test results to a provider and/or Public Health
• A physician may mail or fax a copy of a client’s medical record to a specialist who intends to treat the client

Notice of Privacy Practices (NPP)
Notice of Privacy Practices (NPP) summarizes the privacy policies and procedures. The NPP informs clients of their rights and the Division’s requirements for the protection of personal information.

Clients’ Rights
Clients are entitled to adequate notice about how their information will be routinely used, stored and disclosed such as
– Written notice of information practices
– Access for inspection and copying
– Accounting of disclosures
– Amendment and correction
– Right to request their PHI not be shared

Inappropriate Disclosure
Passing through a busy clinic area, Social Worker Jennifer overhears Sherry telling a client on the phone that she needs to make a follow-up appointment since her HIV test was positive. Jennifer notices that clients are able to hear the entire conversation.

Now, what could Sherry have done differently?

Sherry should have done at least one of the following
> Spoken in a lower voice,
> Waited until the clinic was less crowded, or
> Made the call in another location.

Inappropriate Disposal
Jose receives Protected Health Information (PHI) from the treating physician. He notices that he has duplicates and throws the information in the trash can located in a common area.

Jose should have properly disposed of the medical information by
> Placing it in a locked disposal bin, and/or
> Disposing of it using a cross-cut shredder.

News Flash
News team discovers documents containing Public Health Information (PHI) near dumpster

On the ground behind a dumpster at Guadalupe Medical Center, a Las Vegas news team discovered 40 pages worth of documents containing PHI of the center's patients, according to klas-tv.com. The documents had information such as patient names, Social Security numbers, and procedures. The medical center claims this was a "huge misunderstanding" and an isolated incident. According to an attorney for Guadalupe Medical Center, a courier transporting the documents from another office operated by the same company dropped the files. The medical center, which asked the news team to return the files, plans to shred them properly as it does all its documents.

Inappropriate Disclosure in a Common Area
Armon, a Social Service Technician, steps onto an elevator and is surprised to overhear Nurse Vince and Social Worker Jennifer discussing the treatment of Joe Compliant for gonorrhea.

Armon needs to remind them that this information is confidential and should not be discussed in a public area.

Lost PHI and Inappropriate Access
Joel, a DPH employee, sees a piece of paper lying on the floor in the hallway. He discovers that it is a lab report containing the name of his favorite NASCAR driver, so he calls his wife and shares it with her.

> Joel should not have shared the information with his wife,
> The lab report was not secure, and
> Joel should have returned it to the lab supervisor or appropriate person.

Safeguarding PHI
• USB flash drives
• Hard drives
• PDAs
• Wireless Laptops
• Files

What are the Penalties?
HIPAA calls for severe civil and criminal penalties for noncompliance, including
• Misuse of personally identifiable health information carries a penalty with fines up to $50,000/imprisonment for a term of up to one year.
• Misuse under false pretenses carries a penalty with fines up to $100,000/imprisonment for a term of up to five years.
• Misuse with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm carries a penalty with fines up to $250,000/imprisonment for a term of up to 10 years.

Summary
> ALL information needs to be treated as confidential,
> Information should only be accessed on a need-to-know basis and shared by authorized staff, and
> It is your responsibility to protect all information and report any misuse of protected health information.

For further questions contact the HIPAA Coordinator
HIPAA Coordinator
Division of Public Health
302.744.4702

Review Questions
Now let’s test your retention of these HIPAA concepts!

True or False?
1 The Privacy Rule protects a Client’s right to privacy and confidentiality.
Answer
• True

True or False?
2 Protected Health Information is anything that connects a client to his or her health information.
Answer
• True

True or False?
3 You are permitted to use and/or disclose protected health information (PHI) for treatment, payment and health care operations.
Answer
• True

True or False?
4 You must obtain a release of authorization to use/disclose confidential information for public health activities related to surveillance and disease prevention.
Answer
• False

True or False?
5 To protect health information’s privacy, learn about the Division’s privacy policies, and encourage your co-workers to do the same.
Answer
• True

True or False?
6 You can use/disclose confidential information without client permission for public health activities related to disease control and prevention.
Answer
• True

Session Completed
Thank you for your cooperation!!