HIPAA FORM

    Please read through the following and complete the quiz at the end. This must be completed
    before you can volunteer at River City Clinic.

    HIPAA Privacy Training          

    Learning Objectives:  
    Department of Health workforce who complete this HIPAA training should be
    able to answer the following questions:

    Who is covered by the HIPAA Privacy Rule?
    What is protected health information?
    What are the rules for use and disclosure of PHI?
    What is the difference between using and disclosing information?
    What is included in an authorization form?
    When is authorization not required to disclose protected health information?
    What is “minimum necessary”?
    What is the privacy notice?
    What are patients’ privacy rights?
    What is needed to comply with HIPAA privacy requirements?


    FEDERAL LAW - HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

    HIPAA: PRIVACY COMPLIANCE

    Our health information is private.  We guard it closely.

    The HIPAA Privacy Rule, finalized on August 14, 2002, ensures that personal medical information you share with
    doctors, hospitals, and others who provide health care, and pay for it, is protected.

    Basically, the HIPAA Privacy Rule does two (2) things.

        It imposes new restrictions on the use and disclosure of Personal Health Information; and it gives patients
    greater access to, and protection of, their medical records – and more control over how they are used.

    Much of the rule is not new.  Health Care Providers like you have been practicing many of the privacy rules all
    along. HIPAA is just mandating us to convert these practices into policies and procedures that are consistent
    across the country.

    In the next few minutes, we’ll walk through some of the basics of the final HIPAA Privacy Rule – the first
    comprehensive federal protection guidelines for the privacy of health information ever.

    WHO IS COVERED BY THE HIPAA PRIVACY RULE?

    If you are a Health Care Provider, health plan, or health care clearinghouse that transmits health care
    information in electronic form, you are covered by the HIPAA Privacy Rule.  That makes you what is termed a
    “covered entity”.

    Business associates such as billing services who have access to medical records are also covered indirectly by the
    privacy rule.  We’ll get to that in a few minutes.

    First, let us look at what health information is protected.


    WHAT IS PROTECTED HEALTH INFORMATION?

    When a patient gives personal health information to a covered entity like you, that information becomes protected
    health information, or more simply, “PHI”.

    PHI includes any health information and other patient information that is used or disclosed by a covered entity in
    any form, oral or recorded, on paper or sent electronically.

    If it’s protected health information, it also contains personal information that connects the patient to the
    information.

        For example, the individual’s name, address, social security or other identification numbers, physician’s personal
    notes, billing information, or any other information that connects the patient to the information.

    Now that you know who and what is protected, let us take a closer look at some of the requirement basics.

    WHAT ARE THE RULES FOR USE AND DISCLOSURE OF PHI?

    HIPAA’s Privacy Rule is all about the use and disclosure of protected health information, or PHI.

    PHI is used when it is shared, examined, applied, or analyzed by a covered entity.

    PHI is disclosed when it is released, transferred, or in any way accessed by anyone outside that covered entity.

    With few exceptions, protected health information cannot be used or disclosed to anyone unless it is permitted or
    required by the privacy rule.

    You are permitted to use or disclose PHI for treatment, payment and healthcare operations (TPO); with
    authorization or agreement from the individual patient or for disclosure to the individual patient; for uses that are
    incidental, such as waiting room sign-in sheets or physicians talking to patients in semi-private rooms or conferring
    at nurses’ stations without fear of being overheard by a passerby; or transfer of records upon sale of, or merger
    of, a covered entity.

    You are required to use or disclose PHI when requested or authorized by the individual (although some exceptions
    apply) and when required by the Department of Health and Human Services (DHHS) for investigation or compliance.

    WHEN IS AUTHORIZATION REQUIRED?

    The final ruling makes consent for routine health care optional, but authorization rules stand.  As health care
    providers you know about authorizations – you have been getting them for years.  The privacy rule is just requiring
    that you get them in writing so nothing falls through the cracks.

    In simple terms, PHI cannot be used or disclosed for purposes other than treatment, payment or health care
    operations without authorization from the patient.

    Written authorization is required for use or disclosure of psychotherapy notes (except for treatment, payment or
    health care operations) and for use and disclosure to third parties for marketing activities such as selling lists of
    patients and enrollees.  However, health care providers and other covered entities can communicate freely with
    patients about specific treatment options and other health-related information, including disease management.

        For example, health care plans can inform patients about additional coverage and services such as discounts for
    prescription drugs.

    WHAT IS INCLUDED IN AN AUTHORIZATION FORM?

    The privacy rule outlines the specifics of what should be included in your authorization form.

    - A description of the PHI to be used or disclosed in clear, understandable language.
    - Who will use or disclose the PHI and for what purpose.
    - Whether or not use or disclosure will result in financial gain for the covered entity.
    - The patient’s right to revoke authorization.
    - A signature of the patient whose records are being used or disclosed.
    - Date of signing

    But keep in mind that each authorization form only covers the use and disclosure outlined in that form, and it has
    an expiration date.  After that, you are required to get a new authorization.

    WHEN IS AUTHORIZATION NOT REQUIRED?

    In some limited circumstances the privacy rule permits the use and disclosure of PHI without authorization but with
    patient agreement.  For instance, to maintain a facility patient directory; or inform family members or other
    identified persons involved in the patient’s care or payment; or notify them on patient location, general condition,
    or death; and, to inform appropriate agencies during disaster relief efforts.

    Other permitted uses and disclosures that do not require patient agreement include public health activities related
    to disease prevention or control; to report victims of abuse, neglect, or domestic violence; health oversight
    activities such as audits, administrative or legal investigations; licensure; or for certain law enforcement purposes
    or government functions; for coroners, medical examiners, funeral directors, tissue or organ donations, or certain
    research purposes; to avert a serious threat to health and safety.

    PHI can also be used or disclosed for research, public health or healthcare operations as a Limited Data Set.  This
    means any data that could possibly link the PHI to a person has first been removed.

    WHAT IS MINIMUM NECESSARY?

    In general, disclosure of PHI is limited to the minimum amount of health information necessary to get the job done.  
    That means covered entities have to develop policies and practices to make sure the least amount of health
    information is shared both inside and outside of your facility.  Also, employees who regularly access PHI must be
    identified, along with the types of PHI needed and the conditions for access.

    Health Care Providers can discuss a patient’s treatment with other professionals without violating the rule if they
    take reasonable safeguards to avoid being overheard.

    The minimum necessary rule does not apply to the use and disclosure of medical records for treatment for obvious
    reasons.  Health Care Providers need access to the entire record to provide quality care.

    WHAT IS THE PRIVACY NOTICE?

    The HIPAA Privacy Rule gives patients the right to adequate notice concerning use and disclosure of their PHI, as
    well as patients’ rights and the covered entity’s legal duties.

    Adequate notice must be given on the first date of service delivery or as soon as possible after an emergency.  
    Also, covered entities must make an effort to get written acknowledgement of receipt of notice from patients and
    keep copies of all notices and acknowledgements or document reasons why it was not obtained.  Also, notice of
    your facility’s privacy practices should be made available to patients in print, displayed at the site of services, and
    when possible, posted on a web site.  New notices must be issued when your facility’s privacy practices change.

    WHAT ARE PATIENTS’ PRIVACY RIGHTS?

    The privacy rule grants patients new rights over their health information. As a covered entity, it is your job to make
    sure patients can exercise these rights over the PHI that you maintain.

    They include the right to:

    - Receive privacy notice at time of first delivery of services.
    - Restrict use and disclosure although the covered entity is not required to agree.
    - Have PHI communicated to them by alternate means and at alternative locations to protect confidentiality.
    - Inspect, amend or correct PHI and obtain copies with some exceptions.
    - Request a history of non-routine disclosures for six (6) years prior to the request.
    - Contact designated persons regarding any privacy concern or breach of privacy, both within the facility and
    at DHHS.

    WHAT ABOUT THE PRIVACY RIGHTS OF MINORS?

    For the most part, parents have the right to access and control the PHI of their minor children, except in situations
    when state law overrides parental control.  Examples include HIV testing of minors without parental permission, or
    in cases of abuse, or when parents have agreed to give up control of their minor child.

    WHAT MUST ADMINISTRATION DO TO COMPLY?

    We have covered most of the basics.  Now let us move on to some of the things your facility will need to comply
    with concerning the privacy portion of HIPAA.

    - Allow patients to see and copy their PHI.
    - Develop a notice of privacy practices document.
    - Develop policies and safeguards to protect PHI and limit incidental use or disclosure.
    - Institute employee training programs so everyone knows about the privacy policies and procedures for
    safeguarding PHI.
    - Institute a complaints process and file and resolve formal complaints.
    - Make sure contracts with business associates comply with the privacy rule.

    The privacy rule also requires a designated full or part time privacy official responsible for implementing the
    programs, and a contact person or office responsible for receiving complaints.  It is a good idea to get to know your
    facility privacy officer so you can go to him or her with any issues you do not understand.

    WHAT HAPPENS TO THOSE WHO DO NOT COMPLY?

    HIPAA established civil and criminal penalties for violations of the privacy rule.  For starters, there is a $100 civil
    penalty up to a maximum of $25,000 per year for each standard violated; and a criminal penalty for knowingly
    disclosing PHI, a penalty that may escalate to a maximum of $250,000 for conspicuously bad offenses.

    But keep in mind that the DHHS is mandated to give you and your organization advice, technical assistance, and
    help you work out problems if you inadvertently make a mistake.

    WHAT CAN YOU DO TO PROTECT PATIENTS’ PRIVACY AND CONFIDENTIALITY?

    It looks like a lot to understand, but the privacy rule is not going away, and for a very good reason – it protects our
    fundamental right to privacy and confidentiality.  That means HIPAA’s Privacy Rule is everyone’s business – from the
    CEO to the health care professional to the maintenance staff.

    So do your part by making sure you understand the privacy practices fully and protect your patients’ personal
    health information, and encourage others to do the same.

HIPAA Privacy Quiz

Please check true or false for each statement, then click on the 'submit' button.

The HIPAA Privacy Rule protects a patient’s fundamental rights to privacy and
confidentiality.
False
True

You are called a covered entity if you are a healthcare provider, health plan, and
healthcare clearinghouse who transmits health information in electronic form.
True
False

Protected Health Information is anything that connects a patient to his or her
health information.
True
False

PHI includes all health information that is used/disclosed – except PHI in oral form.
True
False

PHI is used when it is shared, examined, applied or analyzed.
False
True

PHI is disclosed when it is released, transferred, or allowed to be accessed or
divulged outside the covered entity.
True
False

You are permitted to use/disclose PHI for treatment, payment, and health care
operations.
False
True

You are required to use/disclose PHI when authorized or requested by the
individual patient.
True
False

Using PHI for purposes not specified by the rules requires covered entities to
get patient authorization.
True
False

Authorization must be obtained for any use/disclosure of PHI for marketing
purposes.
True
False

An Authorization must contain an expiration date.
False
True

You must obtain patient agreement to use/disclose PHI for public health activities
related to disease prevention.
True
False

After signing an authorization, the patient can decide to revoke it.
True
False

You can use/disclose PHI without patient agreement to report victims of
abuse, neglect or domestic violence.
True
False

In general, disclosure of PHI must be limited to the least amount needed to get
the job done right.
True
False

The Notice of Privacy Practices gives patients notice about the use/disclosure of
their PHI, as well as their rights in general.
True
False

The Privacy Rule gives patients the right to request a history of routine
disclosures.
True
False

The Privacy Rule gives patients the right to take action if their privacy is violated.
True
False

If you need help understanding the rules, the Department of Health and Human
Services is required to give you assistance.
True
False

To protect patient confidentiality, learn about your facility’s patient privacy rights
and encourage others to do the same.
True
False

Use of PHI is allowable for reasons of treatment, payment or operations (TPO).
True
False

Date:
Your name:
*By printing your name here this serves as an electronic signature confirming that you have
completed this document and understand its contents