2. Who does it Cover?
o Healthcare providers
o Health plans
o Healthcare clearinghouses
o Business associates who have
access to patient records
3. What does HIPAA do?
o Imposes new restrictions on the
use and disclosure of Protected
Health Information (PHI)
o Gives patients greater access
to their medical records
o Gives patients greater
protection of their medical
records
4. What is Protected Health
Information (PHI)?
o Any information about a patient’s physical or mental
health, services rendered or payment for those services.
o Includes verbal, recorded, written, or electronic
information
5. Use and Disclosure
o You are permitted to use and disclose PHI without written
authorization:
• For treatment, payment, and health operations
• With verbal authorization or agreement from the individual
patient
• For disclosure to the specific individual patient
• For incidental uses such as physicians talking to patients in
a semi-private room
6. Use and Disclosure
o You are required to release PHI for use and disclosure
without authorization:
• When requested or authorized by the patient (some
exceptions apply)
• When required by the Department of Health and Human
Services (HHS) for compliance or investigation
• When the facility is required by law
7. Authorization
o Written authorization is required:
• For any purposes other than treatment, payment, or
healthcare operations
• For use and disclosure of psychotherapy notes
• For research purposes
• For marketing activities
8. Authorization
o Written authorization is not required:
• To maintain WCMC’s patient directory
• To inform family members or other identified persons
involved in the patient’s care or notify them on patient
location, condition, or death
• To inform appropriate agencies during disaster relief efforts
• Public health activities related to disease prevention or
control
9. Authorization: Continued...
• To report victims of abuse, neglect, or domestic violence
• Health oversight activities such as audits, legal
investigations, licensure or for certain law enforcement
purposes or government functions
• For coroners, medical examiners, funeral directors or
tissue/organ donations
• To avert a serious threat to health and safety
10. Clergy
o Those who have been designated as “clergy” by their
church will be able to view a list of patients in the hospital
who have agreed to be included in the directory and who
have indicated their religious affiliation to be that of the
clergy member reviewing the list
o For example: the Baptist clergy member can only look at
the Baptist list of patients
11. Minimum Necessary Standard
o The use and/or disclosure of PHI is limited to the
minimum amount of health information necessary to get
the job done right.
• WCMC has policies and practices that ensure the least
amount of PHI is shared
• Employees who regularly access PHI must be identified,
along with the types of PHI needed and the conditions of
access
12. Notice of Privacy Practices
o The patient has the right to have adequate notice
concerning the use and disclosure of their PHI
o This includes:
• The patient’s rights and WCMC’s legal duties
• Being available in print
• Being displayed at the site of service
13. The Patient’s Privacy Rights
o The Patient has the right to:
• Request restricted uses and disclosures, although the
covered entity is not required to agree
• Have PHI communicated to them by alternate means and at
alternate locations to protect confidentiality
14. The Patient’s Privacy Rights
o The Patient has the right to:
• Inspect and amend PHI, and obtain copies (with some
exceptions)
• Receive the Notice of Privacy Practices at the time of the
first delivery of service
• Request a history of disclosures for six years prior to the
request, except for disclosures made for
treatment, payment, healthcare operations or with prior
authorization
15. The Patient’s Privacy Rights:
Continued...
• Contact WCMC Privacy Officer regarding any privacy
concern or breach of privacy within the facility or contact
HHS with the information
• Parents have the right to access and control the PHI of their
minor children, except when state law overrides parental
control
16. Non-Compliance
o If you violate the HIPAA Privacy Rule you could
face:
• A civil penalty of up to $50,000 per offense, up to a
maximum of $1.5 Million per year depending on the
type of violation
• A criminal penalty for knowingly disclosing PHI that
may escalate to a maximum of $250,000 for
conspicuously bad offenses and could include up to a
10 year prison term
17. What can you do?
o Make sure you fully understand WCMC’s privacy
practices
o Only use and disclose PHI when you need to do so to
perform your job
o Only use and disclose the minimum amount of PHI
needed to accomplish your job
o Make sure you hand out the WCMC Notice of Privacy
Practices to every patient
18. What can you do?
o Ask patients before talking to family members about their condition
o Speak softly when discussing PHI in open areas
o Avoid discussing patient issues in the cafeteria, on elevators, etc.
o Do not leave PHI lying out in open view - such as lab work,
progress notes, or any patient record
o Shred any extra copies of PHI not needed
o Medical records should not be taken off campus
19. What can you do?
o Don’t leave messages concerning a patient’s condition or test
results on any answering machine
o When releasing patient information over the phone, verify the
identity of the caller
o Don’t share your password with anyone
o Log off your computer when you will be away from your work
area
o Report privacy violations to our Compliance Officer, Debbie
Hare, 380-1062