
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rule

Objective

• Define HIPAA
• Explain Protected Health Information
• Highlight Scribe’s Risk Factors
• Scenarios
• Consequences For Violating HIPAA
• Conclusion

US Department of Health and Human Services (DHHS) and the Office of Civil Rights (OCR)

• Federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule together protect your fundamental rights of nondiscrimination and health information privacy. Civil Rights help to protect you from unfair treatment or discrimination because of your race, color, national origin, disability, age, sex (gender), or religion. Federal laws also provide conscience protections for health care providers.

The Privacy Rule

• The Privacy Rule protects the privacy of your health information; it says who can look at and receive your health information, and also gives you specific rights over that information.
• In addition, the Patient Safety Act and Rule establish a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues, and provide confidentiality protections for patient safety concerns.

Minimum Necessary Rule

• States that only the minimal amount of Protected Health Information necessary to carry out the job is given.
• Unless the use is for medical treatment or payment.
• If medical information is to be used for other purposes, then a separate signature from the patient is required.

Your Hospital or Doctor’s Office May NOT Divulge Protected Health Information (PHI)

• Unless a Notice of Privacy Practices is given to the patient and signed and describes
   ◦ How the health information will be utilized and divulged, and
   ◦ Explains the patient’s privacy rights.
• Unless a medical emergency situation exists, but even still, the patient’s signature must be attempted, or a reason documented for why it wasn’t obtained.

HIPAA Requirements

• To protect the privacy and security of a patient’s Protected Health Information
• To apply the Minimum Necessary Rule
• To preserve the rights of the patient concerning the specific use of his/her medical information, i.e., PHI.
   ◦ For example, it is a serious violation to access a patient record if it is not directly necessary to perform your scribe job.

Forms of Protected Health Information (State and Federal)

• Written
• Electronic
• Spoken
• Any form of medical information is protected!


Types of Confidential Information

• Financial
• Personal
• Medical
• Any type of information is confidential to the patient!


Scribes, are they a risk to PHI?

• Scribes are typically young healthy individuals who may entertain feelings of immortality. Their discomfort with illness and the impermanence of life may manifest itself through undeveloped decisions to make insensitive remarks or actions related to a patient’s medical visit.

Scribes, are they a risk to PHI? Risk Factors

• Informal behavior
• Healthy, feelings of immortality
• Access to PHI
• Technologically savvy
• Frequent Social Media Sites
• Transitional Employees

Why should a scribe care about protecting someone else’s privacy and security?

What’s the Big Deal?

• It’s how You would want to be treated
• It’s practice policy everywhere
• You will be terminated if in violation
• It’s a Federal and State Law
• It’s a Really, Really BIG DEAL

When should a scribe look up or share a patient’s PHI?

• Only when your licensed medical provider asks you to AND it’s absolutely required as a part of your documentation responsibility regarding a patient that your provider is actively treating.

HIPAA Test #1
“Starstruck Down”

Your doctor treats a super famous sports star. You can’t believe you were in the room with that celebrity and you want to share it with your best friend.

Is it ok to tell?

Ask yourself this…

• Is it part of your job scribing duties to tell your friend?
• Does your friend need to know?
• Is it worth violating federal and state law and getting fired?
• How will you get a letter of recommendation if you get fired?

Media (Survival) Skills

There are 3 actions you should take if the media ever puts a
microphone to your face.
1. “I have no comment.”
2. Refer to the “Hospital’s Media Relations Department”
3. Say nothing and keep walking away
HIPAA Test #2
“Too Fast, Too Dubious”

Your Doctor is real busy and asks you to log on to the computer with his username and password in order to print out specific discharge instructions.

Is it ok to do it?

Hospital Computer Policy

Your username and password are confidential.

Using someone else's login to access data is a violation of Hospital Policy.

If you suspect that someone may have obtained your password, change it
immediately.

Violations may result in immediate loss of computer access privileges and disciplinary action by Hospital.

Suspected criminal violations shall be reported to the appropriate regulatory and/or law enforcement agencies.

The Health Information Technology for Economic and Clinical Health (HITECH) Act

Enhances HIPAA Obligating

1. Mandatory Sanctions for “Willful Neglect”
2. Requirement to Notify the Patient of Any Breach of PHI
3. Civil Penalties

HIPAA Test #3
“Abandoned Computer”

• You need to look up patient information for your doctor but the nurse stepped away and did not log off. All of the other computers are being used. How should you proceed?

Log off the nurse and log back on the computer using your own username and password.

Don’t look up patient information using someone else’s credentials…ever.

Violating HIPAA – Serious Consequences (Breaks Federal And State Law)

You Will Be Terminated
Face Civil and Criminal Penalties
Have Large Legal Bills
Face Up To 10 Years In Prison
Be Fined Up To $250,000
Jeopardize Your Career Goals
Just Don’t Do It!

“Doom and Gloom”, Really? Who Is Going To Find Out?

• Hospital Compliance Officers crawl social media sites
• Scribes are monitored
• “Friend” requests sent on FB to keep watch
• Automatic alerts are sent to Administration
• Random medical records are flagged
• Actors may be hired as patients

100% HIPAA Compliance

Scribe employees are bright, mature and principled. It’s extremely rare for an employee to violate HIPAA. However, since the repercussions are so severe for everyone involved, there needs to be 100% compliance at all times.
