Go behind the scenes and listen to why we developed this course on HIPAA.
If you’re involved in the healthcare industry, then it’s a pretty safe bet that the requirements and regulations of “H” “I” “P” “A” “A”, which is often pronounced “hippa”, have affected your workplace and your daily routines and practice. You might not realize this, if you’ve never heard of HIPAA before, and you might not even know what H-I-P-A-A stands for. Maybe you have heard vaguely of HIPAA and associate it in your mind with a lot of additional paperwork or extra regulations and rules that don’t seem to make a lot of sense. Well, in this course we’ll not only help you to understand what HIPAA says and what its requirements are for the health and human services industry, but we’ll also discuss why the HIPAA regulations are in place and how they actually help health facilities to become safer, more secure places for patients to be. By the time you finish this course, you’ll not only know why the HIPAA regulations are in place, but you’ll know exactly what you should do, and what you should not do, to follow the law and help your clients have the best healthcare experience possible.
Upon completion of this course you will be able to:
- Understand the origins of HIPAA legislation
- Define “Protected Health Information” (PHI) as HIPAA defines it
- Understand what type of information is protected under HIPAA
- Articulate common sense procedures that facilities and providers often follow in order to align with HIPAA requirements
- Understand the penalties and consequences of failure to follow HIPAA guidelines
- Know what you, as a health and human services worker, must do to protect people’s privacy
Course Instructor Profile:
Donn Kropp founded CLiCKPLAY Continuing Education University out of a desire to bring others to greater levels of health and wellness. With over ten years of emergency and trauma room experience, Donn brings a seasoned, yet fresh approach to continuing education.
- CA Board of Registered Nursing: CA Provider # CEP 15849
- District of Columbia Board of Nursing: CE Provider #50-14108
- California Board of Vocational Nursing Provider # V10810
- Psychiatric Technicians Provider # V10806
- DSS/CCL Division for Adult Residential Facilities (ARF) Vendor Approval # 2000149-735-2: Course Approval #149-0112-25078
- DSS/CCL Division for Residential Facilities for the Elderly (RCFE) Vendor Approval # 2000149-740-2: Course Approval #149-0112-25079
- DSS/CCL Division for Group Homes (GH) Vendor Approval # 2000149-730-2: Course Approval #149-0112-25081
- Far Northern Regional Center
Hi, my name is Donn Kropp. Welcome to our course on HIPAA. Some of you are thinking this topic and this course are going to be totally boring. Well, you’re right, it’s a pretty boring topic. But we did try our best to make it interesting, so sit back and enjoy, because this is a really important topic. If you’re involved in the health-care and human services industry, then it’s a pretty safe bet that the requirements and regulations of H-I-P-A-A, which is often pronounced “hippa”, have affected your workplace and your daily routines and practices. Do you know what HIPAA is? Do you know what H-I-P-A-A stands for? Maybe you’ve heard vaguely of HIPAA and associate it in your mind with a lot of additional paperwork or extra regulations or rules that don’t seem to make a lot of sense. Well, in this course we’ll not only help you to understand what HIPAA says and what its requirements are, but we’ll also discuss why HIPAA regulations are in place and how they actually help facilities and businesses become safer, more secure places for patients and clients to be. By the time we finish this course, you’ll not only know why HIPAA regulations are in place, but you’ll know exactly what you should do, and what you shouldn’t do, so your clients feel safe and secure and snugly. Did I just say snugly? I did, didn’t I.
When you finish this course, you’ll be able to:
- Explain the origins of HIPAA legislation
- Define “Protected Health Information” (PHI) as HIPAA defines it
- Understand what type of information is protected under HIPAA, and why
- Articulate common-sense procedures that facilities and providers often follow in order to align with HIPAA requirements
- Understand the penalties and consequences of failure to follow HIPAA guidelines
- Know what you, as a health and human services worker, must do to protect people’s privacy so that you can provide a safe and secure environment
When we finish this course, HIPAA won’t seem like a bunch of bureaucratic nonsense; you’ll know what the regulations are, why they’re in place, and how to comply with them. So let’s get started!
3. ORIGINS & HISTORY
The regulations that are bundled under the acronym HIPAA came about in 1996, during President Clinton’s time in office. HIPAA stands for Health Insurance Portability and Accountability Act. Wow, that’s a mouthful. Now, you might notice that it doesn’t say anything about privacy in that title, which seems strange, since that’s what people mostly associate HIPAA with these days. But the legislation actually contained a lot more than just privacy policies; one of its main intents was to standardize the ways that health information could be stored and shared, especially in new electronic formats. In the 1990s, the internet was growing in a big way (think dial-up, AOL, and “You’ve got mail!”), and legislators thought that there should be some standards for the way that health information would be stored and transmitted online. As a part of those standards, though, the new law put into place some requirements for patient privacy and confidentiality. Many hospitals and medical offices were already protecting patient privacy, of course, but this new law made sure that any agency or entity that handles health-care information would do so in a responsible way. Health and human services-related businesses and entities had until 2003 (the compliance date for the HIPAA Privacy Rule was April 14, 2003 for most covered entities) to implement their HIPAA reforms, so by now the regulations are standard procedure and are fully in place.
4. DEFINING HIPAA
HIPAA contains some important definitions as to what constitutes a person’s health information and how and why that information can or cannot be shared. Let’s start with what’s considered to be Protected Health Information. This is often referred to as PHI for short, so let’s use that acronym as we continue here. Protected Health Information, PHI, obviously includes information relating to a person’s health conditions and treatment. Details such as a medical record, a diagnosis, medicines prescribed, medical history, recovery progress, and other medical information are part of PHI, and must be treated so as to ensure privacy, according to HIPAA. However, PHI also includes the personal identifiers attached to that health information, such as name, address, phone number, birth date, social security number, and other similar information that anyone, including yourself, wouldn’t want to fall into the wrong hands. Here’s another important note: PHI includes verbal information as well as written and electronic information. So when a doctor and a nurse discuss a patient’s condition and treatment, that conversation is a part of the patient’s PHI and must be treated with respect to privacy and confidentiality. We’ll get to the practical issues of this in a moment. In the meantime, just keep in mind that an individual’s Protected Health Information includes not only their medical information, but also the general personal identification information that goes with it.
Another important definition for HIPAA is that of a “covered entity”; in other words, which businesses or groups have to follow the regulations of HIPAA? The obvious answer is that all medical and human services-related providers must follow the regulations, such as doctors’ offices, hospitals, therapy centers, pharmacies, and others. And since not all of these types of businesses operate in their own buildings, this applies wherever the health care or other services are delivered. This means that nursing homes and home health workers are also required to follow the HIPAA regulations. Now, there are also some organizations that have to follow HIPAA that might not be so obvious; these include non-medical businesses that handle patient information. Health insurance companies and other health plans are covered entities in their own right. Businesses that work on behalf of a covered entity, such as financial businesses that handle billing for hospitals or doctors, medical transcription agencies, or secretarial and paperwork-related agencies that handle health or personal information, are known under HIPAA as “business associates”, and they too are required by contract and by law to protect PHI. In a nutshell, anyone who handles a patient’s medical records and general identification information, for the purposes of healthcare and/or human services, is required to follow HIPAA regulations. We’ve covered a lot so far. Are you having a good time? I am. I think you are all ready for a rapid review. Ready, get set, go. Now! NNNow.
5. WHY HIPAA
Welcome back. I know you are smart, so I’m confident you did well on the Rapid Review. You did good, didn’t ya? Yo done good, right? I don’t know why I just started that accent. Anywho. Moving on. Now, let’s get to the question that you may have been asking yourself all along: why all this fuss over privacy? Since most health care and human services are performed in a controlled group setting, such as a hospital, a doctor’s office, or a nursing home, where lots of people are interacting, how far can we really go to protect privacy without interfering with the normal, efficient delivery of services? How do we protect people’s privacy in group settings like these? Whether you work in the health and human services sector or are a recipient of these services, HIPAA regulations will affect you in one way or another. Because of that, it’s important to know why these rules are in place. In order to answer these questions, here’s a very important thing to understand: HIPAA works from the principle that every patient or client is entitled to gold-standard privacy. Let’s take an example: a very famous person, the most popular movie star of the time, a well-known figure in government, or a star quarterback for an NFL team, becomes ill and is taken to the hospital for treatment. Just for our example, we’ll call this person “Mr. Big Wig”. Now, Mr. Big Wig is going to want privacy during this difficult time; he’s not going to want to read headlines in tomorrow’s paper about how sick he is, or hear talk-show hosts guessing about the nature of his illness and what treatments he should be taking, and he’s not going to want over-eager fans showing up at the hospital trying to see him.
Under these circumstances, the hospital is going to have to take some drastic measures to keep Mr. Big Wig’s information private and give him the quiet and confidentiality he needs. What drastic measures will the hospital take? I’m sure you can guess some of them. People who call the hospital asking about Mr. Big Wig won’t be told about his condition, and won’t even have it confirmed for them that he’s in the hospital. All the doctors and nurses who work with Mr. Big Wig will be reminded not to discuss his condition with anyone outside of work, or even with other hospital staff who aren’t treating him. Visitors will be restricted and will have to have Mr. Big Wig’s permission to come see him. Someone who shows up at the door claiming to be Mr. Big Wig’s mother will not be allowed in until Mr. Big Wig gives the okay. If he doesn’t want to see his manager, then that manager will not be allowed in, even if he begs and pleads. All medical charts, test results, diagnoses, pharmacy orders, billing information, and personal data will be treated very carefully, so as not to allow them to be seen by anyone other than Mr. Big Wig himself and his medical team. If anyone else is to be involved, any friends or relatives must be given permission by Mr. Big Wig himself before they can access his information.
Sounds like a very thorough attempt to keep Mr. Big Wig’s information safe, right? And with good reason: he’s a very famous person, and he doesn’t want anybody knowing he is having hemorrhoid surgery. Ouch. But here is the vital thing to remember: the regulations of HIPAA say that everyone should get the same standard of privacy that Mr. Big Wig received. Let me say that again, because it’s very important to our understanding of HIPAA: every individual deserves the most careful handling of their personal and medical information. The same standards that the hospital used in keeping Mr. Big Wig’s information confidential are those that should apply to all of us. In a sense, every patient or client of ours should be treated like a rock star; their information should be as closely guarded and carefully treated as any famous or important person’s. This gives everyone the peace of mind that their information, and their healthcare, is being handled carefully, and that they won’t have to deal with any unpleasant side effects in the form of their information being mistreated or mishandled.
I’m sure you can imagine that the unpleasant side effects could be just as painful or harmful to an ordinary person as they could be to Mr. Big Wig: no one wants unwelcome relatives barging in to see them, or their medical condition to be the subject of gossipy neighbors and acquaintances. You don’t want your neighbors discussing your constipation issues, do you? No one wants their identity stolen because their personal information was not kept secure, or discussions about their possibly embarrassing medical condition being overheard by friends in the hospital cafeteria. HIPAA regulations exist to give every person a safe and secure medical experience, through the careful and confidential handling of their Protected Health Information.
6. WHAT DOES IT MEAN?
When a covered entity gives an individual its privacy policies (HIPAA calls this document the Notice of Privacy Practices), some businesses require patients to sign an acknowledgement that they’ve received the policies, and others consider the delivery of the information to be sufficient. Now, there is a tricky issue that arises for HIPAA, and that is when a patient is not in a condition to understand or consent to the privacy policies or the release of their PHI. You may have already been wondering about such cases yourself: what happens when a person is brought to a hospital unconscious, having been in a terrible car wreck? What if an elderly patient is suffering from Alzheimer’s and doesn’t understand their rights under HIPAA? What if relatives are asking for information about a patient who is in a coma? In these cases, the individual is unable to give consent for release of PHI or to indicate their wishes. Then the decision-making power falls either to a guardian, or to the person who holds “healthcare power of attorney”.
The healthcare business will consider this person to be acting on behalf of the patient and making their privacy decisions for them. If the patient does not have someone appointed as guardian and has not granted anyone a power of attorney, then a court will usually appoint someone to speak on their behalf. Let’s say that a woman in her 80s, suffering from Alzheimer’s, has been admitted to the hospital with emphysema. The patient is considered “incompetent” and cannot make her own medical decisions, but she has no person designated to make those decisions for her. The woman’s three adult children arrive at the hospital and start arguing about what their mother would want and who should be allowed to visit her. In a touchy situation like this, a court must appoint someone as the woman’s guardian for medical decisions (a power of attorney can only be granted by the patient herself, while she is still competent); this could be one of the woman’s children, or a professional surrogate who works for the court system. Then hospital personnel are free to follow their usual privacy policies in dealing only with the woman’s appointed advocate, and not all the arguing relatives.
Let’s do a quick review of what we’ve just covered, since it gets a little complicated. Covered entities set their own privacy policies, so even though they align with HIPAA requirements, policies can vary from business to business. Covered entities inform clients of their rights under HIPAA and also explain when the covered entity may release information without the individual’s consent. Some of the reasons for releasing information without consent include the coordination of treatment with other healthcare entities, medical billing, public health and government requirements, or personal reminders and notifications. When an individual is incompetent and cannot speak for themselves, the person who holds the guardianship or medical power of attorney acts on behalf of the patient, and the covered entity treats that person as if they were the patient themselves.
7. HIPAA & YOU
Let’s start with paperwork. Paperwork, healthcare, and human services go together like peanut butter and jelly, right? Actually, maybe a better analogy would be that paperwork goes with healthcare and human services like ants get into your PB&J sandwich at a picnic: annoying, but inevitable. In our industry, we know that paperwork is a huge part of what we do. In fact, sometimes it seems like that’s all we do! But paperwork is a significant area of concern when it comes to HIPAA regulations, because written information about our clients is what we’re trying to protect, and it’s so easy for it to get mishandled. So, according to HIPAA, what are some “dos and don’ts” of paperwork? Here are a few: DO treat paperwork as something valuable. DON’T leave it around unattended, or laid out where unauthorized people could read it. If you have a clipboard with patient information, hold it against you when talking with visitors.
If you’re manning the front desk, turn papers face-down when they’re not being used. Face-up, for all to read: lose your job or get fined. Face-down: keep your job, protect your job. Can we do that in slow motion? DO watch out where information gets thrown away. This includes medication labels for patients, discarded papers, or clean-up after a patient is discharged or finished with their appointment. DON’T put paperwork with PHI in the regular trash; send it to be shredded or disposed of in a secure manner. When it comes to computerized records, DO treat your access to electronic records as something to be kept secure and confidential. DON’T give your login to anyone else, or leave yourself logged in when you walk away from the computer; lock the screen or log out first. DO face computer screens away from public view, and DON’T leave a patient’s information up on the screen if you must leave the computer to go provide care or services to someone. While we’re on the subject of paperwork, let’s remember that a patient’s information gets put on a lot more than just medical documents. In order to give a patient gold-standard privacy at all times, any identifying information needs to be treated in a sensitive manner. Again, there are far too many situations to name specifically, so let’s just give a few examples of things to be aware of when handling patient information. DO be aware of non-medical uses of a patient’s information. A cafeteria tray in a hospital that is labeled with a patient’s name and dietary restrictions; a box of medical supplies delivered to the home of a hospice patient; a whiteboard in a common area with directions for nurses listed with patient names: all of these are ways that a person’s information could be conveyed to unauthorized people in violation of HIPAA. DON’T forget that personal information is protected as well as medical information, so a patient’s name in a visible or public place violates the gold-standard privacy that HIPAA says every person is entitled to.
Let’s turn to the topic of communication among a medical team or human services workers. HIPAA regulations can seem annoying in this aspect, because they require an extra level of caution in communication among healthcare teams and staff, but they also help give patients peace of mind about their information. What are some examples of “dos and don’ts” in communication? DO be aware of where you’re discussing a patient’s medical or personal information. If you and another worker are both caring for Mrs. X, DON’T discuss her medical or personal information in a crowded elevator, over lunch in the cafeteria, or walking through the hallways. Wait until you’re in a more private area where you won’t be overheard. DO be aware of why you’re discussing a patient’s medical or personal information. This is part of the concept of “need-to-know”: the more people know and discuss certain information, the less likely it is to stay private. This doesn’t mean that HIPAA forbids you from talking with co-workers about patients, but a good rule of thumb is to ask yourself whether the conversation is to help the patient’s treatment, or is just for the sake of curiosity or interest. Ben Franklin said it best in his famous quote: “Three people can keep a secret, if two of them are dead!” DON’T discuss patient information with every co-worker who comes along; make sure it’s a necessary and relevant conversation. A new and pressing concern in the area of HIPAA regulations is that of social media. Remember that HIPAA was written just as the internet and information-sharing were taking off, and lawmakers at the time had no idea that society would become even more closely connected through social media, available at our fingertips through a variety of devices. A slip-up in privacy protection used to be a small matter; now we’re one tweet or Facebook status away from revealing things to hundreds or thousands of people at once.
With smartphones, tablets, texts, and Wi-Fi, we’re sharing information at lunch, in the car, at home, in a restaurant, or just about anywhere else you can think of. The key, according to HIPAA, is that each person gets to decide what is or is not shared about their personal information. No healthcare worker gets to decide that for them by sharing something that should have been kept private. What does this mean?
Let’s look at some more examples: DO keep your work and personal life separate. This means that any information from your job in healthcare which pertains to a patient’s PHI stays at work. DON’T post on Facebook about the difficult patient you worked with, even anonymously, and certainly not by name! This goes for positive information as well: DON’T tweet about the adorable triplets you saw in the office today, or how happy you were to see a patient get better after their hernia surgery. DO keep a professional relationship with patients, even if you’ve worked with them for a long time. This doesn’t mean that you can’t be friendly with patients; but DO remember that being friendly and being friends are two very different things. DON’T let yourself become casual with a patient’s information, even if it’s your 27th time seeing the patient. DO remember that issues of familiarity also pertain to a patient’s family members; even if a family member accompanies an elderly relative to every appointment and seems to be taking charge of the patient’s medical care, HIPAA still applies. Unless the relative holds medical power of attorney, we can’t share information with the relative unless the patient gives permission. So, let’s be very realistic here: do these HIPAA requirements sometimes mean unnecessary or extra steps when dealing with someone’s PHI? Yes. Here’s an example that illustrates this point: Martha, a woman in her 60s, accompanies her mother Gladys, who is in her 90s, to all her medical appointments and handles her prescriptions. Gladys is hard of hearing and can’t understand doctors very well, and she can no longer talk on the phone with pharmacists or medical personnel, because she can’t hear the other person well enough to understand. Because of this, and because she and her daughter have a good relationship, Gladys is happy to have Martha help her with all her healthcare needs and depends on her assistance.
Does this mean that medical personnel can openly share Gladys’ PHI with Martha? No, unfortunately; because Gladys has not gone to a lawyer yet and given Martha official medical power of attorney, healthcare workers still need Gladys’ permission before they can share her PHI with Martha. This results in extra hassles for both Gladys and Martha. But does this mean that HIPAA standards are unnecessary and bothersome? No, not at all. HIPAA simply standardizes procedures in order to ensure gold-standard privacy for all patients, even if they feel that they don’t need such top-notch privacy! Imagine, for a moment, if Gladys and Martha didn’t have a good relationship; then HIPAA would be a significant protection for Gladys, in not allowing Martha to take control of her medical affairs. Just like all our other laws, HIPAA does not make exceptions for special circumstances; it gives rules and procedures that must be followed by everyone. This may inconvenience some, but it gives needed protection and safety to others, and because of that it is a necessary and valued set of laws.
8. HIPAA HITS THE FAN
Since we’ve learned that HIPAA is a part of federal law, this brings up the question of what might occur should someone break that law. Shocking, I know, that people might violate a law! Well, believe it or not, the federal government has considered the possibility, and set up penalties for violations of HIPAA regulations. There are two types of penalties for violations of HIPAA: civil penalties and criminal penalties. Civil penalties levy fines against covered entities, or individuals, who do something to violate HIPAA regulations, whether knowingly or unknowingly. That last point is important and bears repeating: a violation of HIPAA can be penalized whether it happens knowingly or unknowingly; not knowing the rule is not a defense, although the size of the fine does depend on how careless or willful the violation was. This may be familiar to anyone who’s ever gotten a speeding ticket because they didn’t see the sign that reduced the speed limit to 45 miles an hour, and thought the speed limit was still 65. If an employee does something to violate HIPAA regulations, and does not realize that they are violating the law, they are still held liable for their actions, as is their employer. This is why covered entities have a real incentive to train and inform all employees about HIPAA policies and procedures: in the event of a violation, even an unintentional one, both the individual and the business can be fined, with the amount ranging into thousands of dollars per violation. Criminal penalties for HIPAA violations are less common, and usually occur when an individual or covered entity has purposefully violated HIPAA regulations and obtained or disclosed information under false pretenses or with criminal intent, such as selling it or using it for personal gain. The consequences for a criminal violation of HIPAA can be fines of up to $250,000 and up to 10 years in prison, depending on the severity of the offense. I think we can all agree that it sounds like a good idea to stay on the right side of HIPAA rules and regulations!
Key point six: HIPAA regulations cover spoken as well as written information, so be aware of how you communicate and make it a priority to keep patient information confidential. Key point seven: there are stiff penalties for violations of HIPAA, even unintentional ones, for both employees and businesses, so it’s in everyone’s best interests to follow the law. Key point eight: HIPAA exists to give people a safe and secure experience when receiving services, and the peace of mind that comes from knowing their information is under their own control. With these key concepts in mind, you can now seek out your own employer’s specific privacy policies and practices, and prepare to implement them in your workplace. Following HIPAA regulations will make both your work experience and your clients’ experience a safe and secure one. So be ready to comply with the provisions of HIPAA and keep your patients’ and clients’ information safe. Thanks for joining me. We will see you again next time. Now all you have to do is take a short quiz and get your certificate of completion. Have a great day!