What does the HIPAA Privacy Rule do?
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- Gives patients more control over their health information.
- Sets boundaries on the use and release of health records.
- Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- Holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
Who may access confidential information?
Only those individuals who require access for business reasons or for the coordination of treatment of a mutual patient may access the information.
What is meant by having access to the “minimum necessary” information to do our jobs?
We have access to all information that we need to do our jobs, but we should not have access to unnecessary information.
What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
The Privacy Rule permits, but does not require a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. An “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.
Who is our privacy officer? Who is our security officer?
Privacy Officer: A covered entity must designate a privacy official who is responsible for the development and implementation of the entity's privacy policies and procedures. Security Officer: A covered entity must identify the security official who is responsible for the development and implementation of the policies and procedures required by [the Security Rule] for the entity.
Why do we need privacy and security officers?
They are responsible for the overall protection of patient privacy and the security of all our information, whether on paper, in the computer, or in conversation.
Who is responsible for maintaining a secure environment and patient privacy?
Everyone.
May I discuss patients with my spouse if he/she doesn’t work here and promises to keep it secret?
No.
Am I permitted to look up my sick father’s medical record?
No. You are not permitted to look at your father's record unless your father has informed the hospital in writing that it is okay. While patients usually want family involvement in their treatment, this should not be assumed. Sometimes an individual does not want family members to know the details.
Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?
Yes. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:
- A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from a hospital stay/procedure.
- A hospital may discuss a patient’s payment options with her adult daughter.
- A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
If I have access to view my own medical record electronically, is that considered a HIPAA violation?
No. It is not a HIPAA violation to view your own medical record; however, it might violate your organization's policy.
We know that diagnoses and test results are confidential. What other information about a patient is confidential? What about billing records?
Essentially any information that is patient-identifiable, even the patient's address, is confidential and must be protected. Only when the patient has agreed may it be used or disclosed for specific purposes. Also, removal of the patient's name does not mean the patient's identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification.
What could happen to me if I talked about patients even though I no longer worked here?
You are required to keep patient information confidential "forever". A privacy breach could result in legal penalties even if you no longer work for the organization.
We know that medical records, whether paper or electronic, are confidential. What about handwritten notes and phone calls?
All forms of information, whether written, spoken, or electronic, are confidential and must be protected.
What should you do if another organization asks for access to patient information in your computer system?
Forward the request to your privacy or security officer. This access must be closely scrutinized first.
Who is responsible if I “lend” my password to my co-worker and she uses it to look up information on a friend she’s concerned about?
Both you and your co-worker have violated HIPAA policy, but as the one who shared the password, the responsibility is yours and you are liable.
Why does everyone have his or her own unique user ID (i.e., log-on ID, etc.)?
Each person must have his or her own user ID so that he or she can be held accountable for activity connected to that ID.
What are some important rules for making up “good” passwords, ones that are hard for someone else to guess?
They should be at least six characters long; contain both numbers and letters; never be a real word or a significant number string; and never be the name of a fictional character, a car model, or the like.
Is it okay to hide your password under your mouse pad or keyboard tray?
No. Passwords "hidden" this way can be easily found. This is not taking reasonable care to keep your password secret.
What should you do if your computer access doesn’t let you see information you need? Is it all right to ask a co-worker to share her password when the need is legitimate?
You should talk to your manager and arrange for the necessary access. It is never permissible to use someone else's password.
Why is it important to log off when you leave your PC, even if no one else is around?
Even at the end of the day, housecleaning crews and others may be in the area and could use your access, for which you can be held responsible!
Can you identify two ways to protect the information on your computer screen?
Turn the screen away from public view. Use a password protected screen saver that pops up after a few minutes of idle time and hides the information. Log off when you leave the area.