
HIPAA

Health Information Portability and Accountability Act

Situations we all need to be reminded of as Patient Confidentiality is a MUST!

1
Purpose of Training
• This training is designed to review common
situations we all may have found ourselves in
which could breach patient confidentiality if
we are not careful.
• Objectives:
– Discuss steps we should all take to protect patient
confidentiality
– Understand the rules and guidelines for releasing
patient information
– Identify our Privacy Officer
– Outline steps for reporting a potential HIPAA
violation

2
Location, Location, Location
• When talking to a patient about their
protected health information you must
make your best effort for only the
appropriate individuals to hear the
conversation.

3
Location, Location, Location
• Think about where you are when communicating
patient information!
• Appropriate steps to follow include:
– Pull curtains
– Talk in a low voice
– Face the person you are talking to
– In semi-private areas, give the patient the option to
write things down or, if possible, take them to a more
private location.
– If you need a telephone, use one that cannot be
overheard by others
– Avoid using the patient’s name or any other identifier
in public areas
4
Question
• It is okay to discuss patient information
in semi-private areas as long as you take
appropriate steps to protect the
patient’s confidentiality.
• True
• False

5
Correct Answer: TRUE!

It is okay to discuss patient information in
semi-private areas as long as you take the
appropriate steps to protect the patient’s
confidentiality.

6
Patient Charts
• Charts, both paper and
electronic, should never be left
unattended, exposed and/or
visible to avoid breaching
patient confidentiality.
– Nurses Station
– Patient Room
– WOW (Workstation on Wheels)
7
PHI Security
• Documents containing PHI should
NEVER be taken off campus without
prior authorization from HIM.
• Printing of PHI should be minimal and
limited to only documents required for
your job function.
– Note: This is not limited to Patient Charts,
but includes any documentation containing
PHI (i.e. emails & screen shots)

8
Computers
• Monitors/WOWs should be positioned to
avoid unauthorized persons seeing patient
information on the screen.
• When you leave your workstation ALWAYS
ensure you are logged out and patient
information is not left showing on the
screen.
– Per Harnett Health policy, terminals should
be locked when left unattended.
• Never share your passwords/logins.
– Your ID badge is not a password keeper
9
Question
• If your coworker forgets their Meditech
password, it is okay to let them use
yours until IS can get their password
reset.
– True
– False

10
Correct Answer—FALSE!

Never share your passwords with your co-workers.

11
Faxing PHI
• If faxing PHI is required to perform your job
the following steps MUST be taken to prevent
breaches of confidentiality/privacy:
– Always verify you have the correct fax
number
– Always include a Fax Coversheet
– Double check to ensure the document(s)
being sent contain the correct patient’s
information

12
My co-worker is now a
patient?
• All patients, including our team members,
deserve privacy.
• Yes we are a family – but remember if your co-
worker wants you to know specifics about them
they will tell you.

13
Accessing Patient Information
• Always remember, you should never access a
patient’s information unless you are
providing care for the patient or have a
legitimate work related reason to access the
chart.
– This includes accessing your own record or the
records of family members.
• Audit trails are used to monitor all computer
activity performed by employees to ensure
patient confidentiality is not being breached.

14
Questions in Public?
• Have you ever run into a friend who
says “You know my Aunt Sally was in
the ED last night, does she have
something contagious?”
• You may be tempted to share – but can
you?

15
Telephone Communication
• Do you really know who you are talking
to on the phone?
– You cannot verify who you are speaking
with on the phone thus no information
should be given over the phone.

• Texting PHI is prohibited per Harnett Health
policy
– This includes texting physicians

16
Question
• Information cannot be shared with
family members over the telephone.
– True
– False

17
Correct Answer- TRUE!

We do not share any information over
the phone as we cannot verify who we
are speaking with.

18
Photographs/Video Recordings
• The taking of photographs and/or
videos is strictly prohibited
unless there is written consent by
all parties involved.
– This includes photographs/videos taken
using any electronic device (i.e. camera,
cell phone, smart phone, tablet, etc...)
– Please refer to Risk Management Policy,
RSK 200, for Consent and Guidance
19
Release of Information
• You must always have the patient’s
written consent to release information
to anyone other than the patient.
– Please Note: This includes family members.

• All patient information released must be
tracked, therefore all patient information
that is released is logged into the system
by HIM staff.

20
• This Authorization for
Release of Information
form must be utilized by
nursing staff when
releasing information.
• The most current version
of this form is available in
Access-E and on the
Public Drive.
• Per HIPAA, this form must
be filled out completely
to be valid.
• The completed form
should be placed in the
patient’s chart under the
Consent tab.
21
Question
• You can use any Authorization for Release
of Information form to release records to a
patient.
– True
– False

22
Correct Answer- FALSE!

You must use the release form available
in Access-E or the Public Drive.

23
Question
• All completed authorizations should
be placed under the Consent tab on
the patient’s chart.
– True
– False

24
Correct Answer-TRUE!
Once an authorization is completed it
should be placed under the consents tab
in the patient’s chart.

25
Powers of Attorney (POA)
• Powers of Attorney should be honored
with caution.
• Most general powers of attorney are
typically business/financial in nature
and are not valid/acceptable regarding
healthcare.
– There must be a statement specifically
granting the POA access to healthcare
information for patient information to be
released without the patient’s written
authorization.
26
Healthcare Powers of Attorney
• Healthcare Powers of Attorney are only
allowed to receive information if the
patient is incompetent or incapacitated
unless otherwise specified in the
document.
• Healthcare Power of Attorney forms
are available at our facility. Please
contact Case Management for further
information.
27
Privacy Officer
• Dina Williams, Health Information
Management (HIM) Manager, is
our Privacy Officer.
• I can be reached at extension
4126 with any HIPAA related
questions.
• For general inquiries you may also
contact the HIM department at
extension 4129.

28
HIPAA Notification Procedure

If you receive notification from
another facility/individual indicating that PHI
was received in error, the caller should be
immediately directed to the HIM Manager
(Privacy Officer) at extension 4126 for
assistance.

29
Reporting HIPAA Violations
• In accordance with Policy CCP 432, any
individual who believes the Hospital’s
confidentiality or security policies have been
violated has an obligation to report the
incident:
– In person to Dina Williams, HIM Manager/Privacy
Officer, at ext. 4126 or to Mike Jones, Corporate
Compliance Director, at ext. 4022
– By using the Compliance Hotline 1-866-418-2850
– OR by submission of a Safety Improvement Report
(SIR) in Meditech to Risk Management
30
Reporting HIPAA Violations
• The Hospital will not retaliate against
any employee who makes a
complaint. However, allegations not
made in good faith may result in
disciplinary actions.

31
EXAMPLES OF
HIPAA
VIOLATIONS

32
Examples of HIPAA Violations
• Faxing patient information to the
wrong number.
– This includes when the number is mis-
keyed and when the wrong number is
provided.
• Providing a patient with another
patient’s information
– Example: Patient A signs patient B
discharge instructions

33
Examples of HIPAA Violations
• Anytime PHI is compromised.
– Please be aware that PHI includes
demographic information and is not limited
to treatment/health information.
– Examples of Violations:
• Screens of WOWs left up/unattended
• Texting a photograph/screen shot of a patient’s
chart to a friend or other co-worker
• Posting PHI about a patient on social media

34
Impact of HIPAA Violations
• Impact of HIPAA Violations on the
Organization:
– Financial Impact
• Impact of HIPAA Violations on You:
– Disciplinary Action per HR Policy 218
• Impact of HIPAA Violations on the
Patient:
– Confidential health and demographic information
compromised

35
Question
True or False: If you get a call from
another facility stating they received
wrong patient information, the
appropriate process is to tell them to
shred the document.
– True
– False

36
Correct Answer-FALSE!
If you receive notification from another
facility/individual indicating that PHI
was received in error, the caller should
immediately be directed to the
Manager of Health Information
Management who also serves as the
hospital system’s Privacy Officer
at extension 4126 for assistance.

37
Question
True or False: If a patient receives another
patient’s PHI, the correct process is to
obtain the information from the patient
and shred it.
– True
– False

38
Correct Answer-FALSE!
If a patient receives PHI of another
patient, the information should be
obtained from the patient. However,
the instance should be reported
immediately to Dina Williams (Privacy
Officer) at extension 4126 and the
compromised information should be
forwarded to Dina.

39
THE END
Congratulations!
You have now completed the HIPAA
training.

QUESTIONS?

40
