HIPAA  

Marietta Memorial Hospital 

Memorial Health System

Health Insurance Portability & Accountability Act of 1996

HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, HIPAA was designed as part of an effort to reduce high administrative overhead, provide better access to health insurance, reduce health care fraud, enforce standards for health information & guarantee security & privacy for personal health information. 

A major part of the HIPAA guidelines is the privacy and security rules. HIPAA creates the first comprehensive federal rules that give patients protection over the privacy of their health information and provides guidance to hospitals concerning health information in verbal, hard copy and electronic formats.

PROTECTED HEALTH INFORMATION 

Under HIPAA, Protected Health Information, or PHI, is defined as all medical information that can be identified with a particular individual. Elements that make information individually identifiable include things like: 

Name

Address

Employer

Relatives’ names

Date of birth

Telephone or fax number

E-mail address

It doesn’t matter what form this information is in: written, spoken, or electronic. The most obvious example would be a patient’s chart, but PHI can include patient-specific information that is being discussed where it can be overheard, sent by fax, or exchanged through other forms of communication. The key concept is that patients have the right to have their personal health information kept confidential. All of this is in keeping with the confidentiality policy that MMH already has in place.

NOTICE OF PRIVACY PRACTICE 

One of the features of HIPAA is the Notice of Privacy Practice. The regulations require that patients be given a clear written explanation of the allowable uses of their personal health information. This document is referred to as a Notice of Privacy Practice. Every patient at MMH is given a copy of our Notice of Privacy Practice at the time of initial registration. This notice is given to them before they receive any services from MMH. The hospital will make a good faith effort to get written acknowledgement that the client has received a copy of the notice. The Notice of Privacy Practice also covers some of the following items:

1. The ways personal health information may be used by the hospital.

2. The hospital’s general obligations to maintain confidentiality.

3. It explains the complaint process (who to contact) and the right to contact the Office of Civil Rights if the client feels there is a problem.

4. Other rights the patient may have:

a. The right to see all their health information.

b. The right to access their personal medical records and request changes to correct errors.

c. The right to ask whether there have been any non-routine uses and disclosures of their health information.

Below are some terms & concepts you might hear in relation to HIPAA regulations.  

Covered Entity—An organization that must follow HIPAA rules to protect your identifiable health information. Covered entities are organizations like health plans, physicians, hospitals, and others who perform HIPAA-governed functions as a part of their business. Within the Memorial Health System, HIPAA applies to the hospital, physician group practice, Harmar Place and other ancillary sites.

Business Associates—Person or organization who does something on behalf of MMH, but is not a member of MMH’s workforce. The service they perform involves the use or disclosure of identifiable personal health information. Regulations require MMH to make sure that all Business Associates agree to HIPAA standards that are spelled out in our Business Associate Agreement. Business Associates will include people like vendors, consultants and auditors who help us to serve our patients.

Authorizations—Permission for any disclosure that is not already allowed under HIPAA. All authorizations must be “informed and voluntary”. The hospital will give a copy of our authorization to each individual we treat and we will maintain a copy of that authorization for 6 years. Of course, the individual who gives the authorization has the right to change their mind and stop the authorization at any time.

Releasing Information—There are certain situations where Marietta Memorial can release personal health information outside of the treatment context. Those situations are: 

1. When it is required by law to report or disclose personal health information.

2. When personal health information is needed for public health activities such as disease notification & surveillance.

3. When it is necessary to avert a serious threat to health or safety.

4. When the personal health information is needed or required for state/federal health oversight activities.

5. When the information is required for judicial and administrative purposes.

6. When the information is required for cadaver organ, eye, or tissue donation purposes.

7. When the information is related to abuse, neglect, or domestic violence situations.

8. For specialized government functions such as the military or VA.

9. When the information is needed for certain limited law enforcement purposes.

10. For workers’ compensation activities.

Hospital Directory—Patients are given the chance to decline to be listed in the hospital directory. If a patient refuses to be listed in the hospital directory, they should be aware that the hospital will be unable to give out any information about them. This means that flowers or mail cannot be delivered, and clergy, family or friends will not be given a room number to call or to visit. 

Minimum Necessary Rule—This rule states that we must limit the use and disclosure of personal health information to the minimum necessary to carry out the intended purpose of the request. In other words:

If you don’t need it, don’t ask for it. If they don’t need it, don’t give it to them!

There are several policies MMH has developed to help us meet the HIPAA guidelines. These policies can be found in Meditech, Policy 1, HIPAA Policies, 11.1-11.16.  If you do not have Meditech access, your supervisor can assist you. These policies cover 16 different areas of the guidelines, from business associates to the use of protected health information for marketing and fundraising activities.  

Here are some additional tips for keeping information confidential:  

1. Confidential information is not to be released to employees who have no need to know.

2. Confidential information is not to be released to unauthorized family or friends.

3. Avoid giving patient information over the phone or in a fax.

4. Never give patient information to the media unless consistent with hospital policies.

5. Never give patient information to the general public.  

Computerization of hospital medical records and patient information poses a threat to confidentiality. Access to computers can be as easy as opening a chart out of curiosity. A broad group of people from admitting, lab, nursing and physicians have access to a client’s chart. The American College of Healthcare Administration estimates that an average of 75 persons have access to a single patient record. 

INFORMATION TECHNOLOGY ACCESS & PASSWORD POLICY

Appropriate access to the Electronic Protected Health Information (EPHI) is recognized as being necessary to perform an individual’s responsibilities.  Access will be granted to individuals who provide and support quality patient care to the extent that access falls within their responsibilities to the patient and facility.   

In consideration of a password to access the EPHI, all recipients must agree to the following principles: 

1.  Users will collect, dispose of, process, view, maintain and store patients’ clinical and financial information in an honest, ethical and confidential manner.

2.  The collection, processing, viewing, maintenance, and storage of patient information will be done in such a manner that, at a minimum, meets all federal and state laws, regulations and accreditation standards.

3.  Each department or office must provide support to effectively maintain patient information in a confidential manner.

4.  Access to EPHI will be limited to the minimum amount of EPHI necessary for responsibilities.

5.  Access will be granted through the use of the Department of Information Technology’s Password Information Security Agreement.

6.  Passwords are personal and confidential.  Recipients shall, in no circumstance, share passwords with any other individual. 

Auditing of password terminations is conducted every 6 months, and the results, including breaches of the policy, are recorded for follow-up by the Security and Privacy Officers.  Any violation will be forwarded to the HIPAA Security Officer.

INFORMATION SECURITY AUDIT POLICY 

This policy applies to all users of Meditech and ChartMaxx Systems.  This policy was established to provide a process for monitoring appropriateness of access to the EPHI and to periodically assess potential risks and vulnerabilities to the EPHI.  

Access to the EPHI is monitored monthly through audit trail reports to ensure compliance; additional reviews can also be performed based on: 

1.  Complaints by an employee or patient or a patient representative.

2.  Random reviews based on information that would be expected to trigger a desire to inappropriately access EPHI.

3.  Repeated failed log-on attempts or account lockouts.  

Any inappropriate access identified through this policy will be reported on a Security Incident Tracking form and reviewed by the Security and Privacy Officers.  
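As an added illustration, not part of MMH's policy or of the Meditech/ChartMaxx audit tooling, the following Python script applies the three review triggers above to constructed audit-trail lines and collects the findings that would be carried onto a Security Incident Tracking form. The log format, the event names and the failed-logon threshold are assumptions made for the example.

```python
# Audit-trail review modelled on the three review triggers in the policy above.
# Assumed log format (constructed; not the Meditech/ChartMaxx export format):
#   timestamp|user_id|event|patient_id  with events LOGIN_OK, LOGIN_FAIL, LOCKOUT, VIEW_CHART
from collections import defaultdict

FAILED_LOGON_THRESHOLD = 3  # assumed threshold; the policy states no number

# Constructed sample lines: jdoe is locked out after repeated failures, and two
# users open patient P1001's chart on the same day (a complaint-driven review).
SAMPLE_LOG = """\
2024-03-01T08:02:11|jdoe|LOGIN_FAIL|-
2024-03-01T08:02:40|jdoe|LOGIN_FAIL|-
2024-03-01T08:03:05|jdoe|LOGIN_FAIL|-
2024-03-01T08:03:52|jdoe|LOCKOUT|-
2024-03-01T09:10:00|rnurse|LOGIN_OK|-
2024-03-01T09:12:00|rnurse|VIEW_CHART|P1001
2024-03-01T12:30:00|bclerk|LOGIN_FAIL|-
2024-03-01T12:30:30|bclerk|LOGIN_OK|-
2024-03-01T12:35:00|bclerk|VIEW_CHART|P1001
2024-03-01T12:36:00|bclerk|VIEW_CHART|P2002
"""

def parse_log(text):
    """Split lines into (timestamp, user, event, patient) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 4:
            records.append(tuple(parts))
    return records

def failed_logon_review(records, threshold=FAILED_LOGON_THRESHOLD):
    """Trigger 3: users at or above the failure threshold, plus any locked-out account."""
    fails, locked = defaultdict(int), set()
    for _, user, event, _ in records:
        if event == "LOGIN_FAIL":
            fails[user] += 1
        elif event == "LOCKOUT":
            locked.add(user)
    return sorted({u for u, n in fails.items() if n >= threshold} | locked)

def patient_access_review(records, patient_id):
    """Triggers 1 and 2: who viewed a named patient's chart, and when."""
    return [(ts, user) for ts, user, event, pid in records
            if event == "VIEW_CHART" and pid == patient_id]

def incident_report(records, reviewed_patients):
    """Findings to carry onto the Security Incident Tracking form, keyed by trigger."""
    return {"failed_logons": failed_logon_review(records),
            "patient_access": {p: patient_access_review(records, p)
                               for p in reviewed_patients}}
```

Whether a listed access was appropriate still requires the Security and Privacy Officers to compare each viewer against the patient's care relationship; the script only narrows the audit trail to the accesses worth reviewing.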

The guideline here is to NEVER share computer access codes and ensure that information on the screen remains confidential. Looking up information for friends and family is not permitted and can be grounds for discipline and termination.

DON'T FORGET TO TAKE THE QUIZ!