EMPLOYEE HIPAA TIP SHEET
Suggestions to Help Ensure the Privacy and Security of PHI:
- Do not use, disclose, release, copy, or print PHI except to treat patients, obtain payment for treatment and conduct healthcare operations specifically permitted by federal and state law.
- Access and use only the minimum necessary amount of PHI to perform your job. This applies when using the information for payment or operations purposes (but not for treatment purposes).
- If by error you access or come across PHI that you do not need, do not use it.
- When creating written reports, spreadsheets or databases that have PHI, only use the minimum necessary PHI and only share the reports with those who need to know.
- You may find that your access to PHI is beyond what you truly need for your job or to perform a certain task. Use your professional judgement with PHI. Just because you have access to PHI through our information systems does not necessarily mean that you have approval to use or disclose that PHI.
- Respect passwords and logons to systems containing PHI by keeping them private and secure. For example, do not share passwords with other users or post passwords in public places such as on the computer terminal.
- Safeguard, protect and/or properly dispose of any document, report, or printout that includes PHI of any type.

Sample Scripts:
If a patient or visitor asks you what HIPAA is:
“HIPAA, the Health Insurance Portability and Accountability Act of 1996, was created by the federal government to promote the portability of health insurance and to protect against fraud and abuse. The law also included provisions aimed at improving the efficiency of health care. These provisions promote the use of electronic transactions, such as paying insurance claims, while protecting the privacy and security of health information.”
If a patient asks where they can learn more about HIPAA:
“The Notice of Privacy Practices has information about how our organization uses health information and your rights under HIPAA.” Depending on the circumstance, you might also refer the person to the organization’s Privacy Official.
If a patient or family member has an expectation of privacy that HIPAA clearly does not require:
“While HIPAA strives to enhance privacy, please understand that HIPAA also applies a standard of reasonableness to this effort. At Mercy Medical Center in Dubuque and Dyersville, we intend to do what we can to protect your health information. At the same time, we ask patients and family members to realize that complete privacy may not be possible in every circumstance. Should you have any concerns regarding privacy, please talk to our Privacy Official.”

Patient Rights: HIPAA gives our patients specific rights over their PHI. It is important that you are aware of what these rights are and how Mercy Medical Center ensures they are protected. For more information on what these rights are, refer to your employee brochure and/or your organization’s policies and procedures. Patients can learn more about their rights in the Notice of Privacy Practices.

What To Do If There is an Issue or Problem Regarding Privacy:
- Get the facts (Who? What? Where? When?)
- Following your organization’s policies, see what you can do to resolve the issue right then
- Inform or involve your organization’s Privacy Official
Here are some principles for interacting with patients or families regarding a privacy issue or problem:
- Maintain or enhance self-esteem (e.g. “Pleased to meet you, Mrs. Smith.”)
- Listen and respond with empathy (e.g. “It sounds like you are upset about something.”)
- Ask for ideas and/or offer suggestions (e.g. “Do you have any ideas?” or “This is what we could do.”)
For difficult situations, take the HEAT:
- H - Hear them out. Don’t interrupt.
- E - Empathize (e.g. “I understand”)
- A - Apologize (e.g. “I am sorry for . . .”)
- T - Take responsibility for action (e.g. “What can I do to make this better?”)
Remember, inform or involve your organization’s Privacy Official.

Reporting Privacy Concerns: The new privacy regulations are complex, and you will likely have questions from time to time. As a member of Mercy Medical Center’s work force, you are responsible for seeking answers to questions or concerns, including possible violations of law, regulations, policies, and procedures. When seeking answers to your questions or concerns, it is recommended that you follow a Four-Step process similar to that of the Trinity Health Organizational Integrity Program:
- Contact your supervisor.
- If you are not comfortable asking your supervisor or not satisfied with the answer, contact a higher-level manager.
- If you are still not satisfied, contact our Privacy Official.
- If none of the above steps resolves your concern, call the toll-free, 24-hour Integrity ALERTLINE @ 1-866-477-4661.

Key Messages for All Employees:
- HIPAA’s goals of privacy and security are consistent with Mercy Medical Center’s mission to steward the resources entrusted to us and our Value of Respect.
- Mercy Medical Center has staff who have leadership responsibility for HIPAA within the organization. This includes the organization’s Privacy Official.
- Mercy Medical Center has policies and procedures to address the many requirements of HIPAA. It is important for staff to be aware of and follow these policies. When in doubt, it is important for staff to seek guidance from the policies, their supervisor, or the Privacy Official.

Tips for Using and Disclosing Patient Information - When asked for patient information, you should consider two things: 1) Who is asking for the information? and 2) Why do they need it? Here are some examples of common requests and how they should be handled:

Who’s Asking? | Why? | Requirements
Provider (physician, hospital, nursing home, other provider) | To treat the patient | No authorization is needed. Minimum necessary does not apply.
Provider | For billing purposes | No authorization is needed. Release the minimum amount of information needed.
Payer (health plan, insurance company) | For payment purposes | No authorization is needed. Release the minimum amount of information needed.
Family member | To help in caring for the patient | No authorization is needed, but the patient should be asked and given an opportunity to object or limit the information shared.
Media | For a news story | Refer this request to Public Relations.
Attorney | For a lawsuit | Written patient authorization or a valid subpoena is required. Follow Mercy Medical Center’s policy and procedure in this circumstance (Administrative Policy 3.05).
Patient’s Employer | To obtain the results of drug testing | Written patient authorization is required. Follow Mercy Medical Center’s policy and procedure in this circumstance (Administrative Policy 3.05).
Remember: When in doubt, check with your supervisor or your organization’s Privacy Official before disclosing any information. Mercy’s Privacy Official is John LaPrell.