The Health Insurance Portability and Accountability Act (HIPAA) applies to you.
- It allows you to keep receiving health insurance when you switch jobs.
- It means you will be punished for using health insurance with fraud.
- Penalties and fines may be up to $250,000 and ten years of imprisonment.
Privacy & Confidentiality
- Privacy is the patient’s right to decide how information about himself or herself is used. Confidentiality is the obligation you have to keep a patient’s privacy.
- When patients enter a healthcare organization, they are given information about privacy. They are told (usually in writing) how their privacy will be protected, what types of information will be shared, and why. This is called the Notice of Privacy Practices. The patient signs a paper that this notice was received.
- Under HIPAA, a healthcare organization may share patient information for these purposes:
- To carry out treatment
- To receive payment from the patient’s health insurance plan
- To carry out programs necessary for quality control
- To comply with legally mandated reporting to public health agencies
- Patients can sign a separate consent for any other information sharing that they want, such as between family members or with an advocate.
- There are both civil and criminal penalties for not following the HIPAA guidelines. These penalties vary. They depend on the intention of the violation and the type of information released. Penalties and fines may be up to $250,000 and ten years imprisonment.
- Protected Health Information
- You will hear the term Protected Health Information (PHI) more and more in your job. It refers to personal information about patients that can be used to identify them. It is the right of patients to decide when, why, and to whom PHI may be released.
- The information that is protected includes the patient’s name, address, telephone number, age, diagnosis, surgery, date of procedure, and medications. It also includes the medical history, results of physical examinations, laboratory and other diagnostic tests, billing records, and claim forms. In short – ANY information that could be used to identify a patient is protected under HIPAA. It is important for you to know this means information in any form, be it written, electronic, or verbal.
- Patient Directory
- Your organization may have a patient directory with basic patient information including name, address, and general condition. If your patient decides to be listed in the directory, information may be released to family, friends, or the press.
- Your organization may decide not to have a directory though, or a patient may decide not to be included in one. Your response then to people asking for information would be: “I have no information on anyone with that name.” You may use a similar response instead, one that does not tell whether the individual is in your organization or not.
- Discussions about Patients with Other Employees
- Most likely, all the personal information you use and share in your daily duties is covered under HIPAA. You obviously must discuss assignments with other team members in order to coordinate care and report information.
- Although there are people with whom you need to talk to about specific patients, ask yourself:
- Does this person need to know the information about the patient? Is there a medical need to discuss the patient? Also, how much does this person need to know? For example, the person delivering meals does not need to know the details of the patient’s illness unless it affects where the meal tray is placed.
- Are you talking about the patient out of the hearing range of others?
- Even without using a patient’s name, are you still talking in a way that allows others to guess who you are talking about?
- Discussions about Patients with Their Families and Representatives
- A personal representative is any person who is legally authorized to act on the patient’s behalf. You may share information with them. This can be someone with a legal document, such as a general or limited medical power of attorney. It may be someone who has the authority to act on behalf of the patient, such as a guardian, spouse, or parent. HIPAA allows you to disclose PHI to family members without getting the patient’s formal, written permission. If you are in a patient room and need to discuss the patient’s care or treatment when others are present, simply ask the patient if there is any objection. Ask visitors to leave the room temporarily if the patient wants privacy.
- Sign-in Sheets, Waiting Rooms, and Phone Messages
- Your organization may use patient sign-in sheets. You may be asked to call out patient names in waiting rooms. This is permitted by HIPAA within limits. Reasonable safeguards must be in place, such as sign-in sheets that do not show any medical information. You may also leave a phone message for a patient on a machine, or with another person. Be sure to limit the information you give (U.S. Department of Health and Human Services, 2003).
- Patients Needing Maximum Confidentiality
- Some patients need a greater level of confidentiality. These patients include those receiving care for substance abuse, psychiatric disorder, HIV (Human Immunodeficiency Virus), pregnancy, sexual abuse, or rape. This means it is illegal for you to say that the patient is being treated or seeking treatment. Your organization should give you the exact wording to use in this situation. Additionally, this applies to any patient who requests NOT to be in the patient directory.
- Maximum confidentiality rights are a critical feature of HIPAA. Your organization has specific standards to follow.
Who Must Comply with HIPAA?
- HIPAA applies to all people working in a healthcare organization. This means all employees: Aides, nurses and physicians, technicians, administrators, clerical staff, food service workers, environmental services staff, and volunteers.
In addition, independent contractors or separate service providers must also comply with HIPAA. These people may include:
- Baby photographers
- Computer technicians, coming from outside the organization
- Retail service providers, coming from outside the organization
- Accreditation agencies that review patient information during a survey
- Laboratory or imaging service providers, coming from outside the organization
How much information can you share with all these people? HIPAA limits the sharing of information to only what is necessary. When you talk with other people on the job, ask yourself what is the minimum they need to know. Thus, a baby photographer may need to know information about a baby’s birth, but does not need to know additional information about the baby’s or mother’s conditions. A clergy person may want to visit your patient. HIPAA allows clergy to be informed of parishioners in the hospital as long as the patient has been informed of this and does not object. In an emergency, the patient may not have had a chance to agree or object. In this situation, a decision will have to be made by a nurse or physician using professional judgment on what is in the patient’s best interest.
Ensuring the security of patient information relies on you. Unauthorized disclosures of protected information can occur if:
- You fail to make sure that the information you are giving is going to a person authorized to receive it
- You neglect to find out what restrictions on information are in the patient’s record
- You hear discussions about patients in non-secure locations, within hearing range of people not authorized to know the patient’s personal information
If you are aware of a HIPAA violation, report it immediately. Your organization has a method to report this violation without revealing you as the reporter. Remember we are all in this together!!