CONFIDENTIALITY - TCCP



CONFIDENTIALITY

TO: University-College Students and Faculty
FROM: Mayo Clinic Board of Governors
SUBJECT: Mayo Clinic’s Confidentiality Policy

The Board of Governors calls your attention to Mayo Clinic’s Confidentiality Policy. All employees, students, faculty, and visitors at Mayo Clinic have an obligation to conduct themselves in accordance with the policy and hold in confidence all information concerning patients, employees and business information. Confidential information includes all material, both paper-based and electronic, related to the operation of Mayo Clinic including, but not limited to:

- financial information
- patient names and other identifying information
- patient personal and medical information
- patient billing information
- employee social security and other personal data
- proprietary products and product development
- marketing and general business strategies
- any discoveries, inventions, ideas, methods, or programs that have not been publicly disclosed
- any information marked “confidential”

Only physicians, or persons authorized by a physician, may access, use or release laboratory, medical and surgical information. Such matters are confidential between the health care provider and the patient.

Students and faculty must also refrain from revealing any confidential information concerning employee records or business operations. Any carelessness or thoughtlessness in this respect, leading to the release of such information, is not only wrong ethically but may involve the individual and Mayo Clinic legally.

I heard or read the above statement, understand the contents and agree, unless authorized, not to access, use or release confidential information regarding patients, employees and business operations. I also understand that my unauthorized access, use or release of any and all confidential information at any or all Mayo Clinic facilities may be cause for my immediate termination from the clinical experience.
In addition, I understand that I may be personally liable for any disclosure, misappropriation or use of confidential information.

SIGNATURE:
DATE:
PRINT NAME:

Mayo Foundation
Electronic Authentication Security Agreement Statement

University/College Students (“Students”) and University/College Faculty (“Faculty”) with authorized access to electronic clinical applications who need to authenticate documents electronically will be issued a User ID and will select a password that uniquely identifies them after competency has been demonstrated. This protects the database and maintains the privacy of patient information. The selected password should be kept confidential and should not be compromised for any reason.

Students and Faculty are accountable for any transactions associated with their password and User ID.

If at any time a Student or Faculty has reason to believe that the confidentiality of his/her password or confidential information has been compromised, Clinical Facility’s Data Security Officer should be notified immediately so that appropriate action can be taken.
I, therefore, understand and agree:

1. My User ID/password is the equivalent of a legal signature.
2. In order to protect the security and integrity of Clinical Facility’s electronic data, I agree to approved Data Security Policies and Standards.
3. I will not attempt to access information by using a User ID/password other than my own.
4. I understand that failure to do any of the above may constitute a violation of the Data Security Policies and Standards and may result in disciplinary action by Clinical Facility as well as external regulatory bodies.

Student Name:
Student Signature:
Date:

OR

Faculty Name:
Faculty Signature:
Date:

_____________________________________________________________________

Department of Nursing
Mayo Clinic
Education and Professional Development Division
Affiliated Clinical Nursing Education Programs – Mayo School of Health Sciences

Welcome to HIPAA Training
(Health Insurance Portability and Accountability Act)

Mayo Clinic has a long-standing tradition of protecting patients’ rights and keeping their medical information private. An additional federal regulation known as HIPAA requires Mayo and other healthcare providers to place further safeguards and documentation of these safeguards to patient health information by April 14, 2003. HIPAA also requires that Mayo train each employee, volunteer, student and contractor on these safeguards by April 14, 2003 and thereafter. This mandatory training will inform each person about Mayo's privacy policies and practices. The educational content for each person is determined by the specific role they have and the amount of patient interaction required by the role.

Please read the information in this packet. You will need to complete this packet prior to your visit/clinical experience at the Mayo Clinic. If you have questions, please do not hesitate to call the Education Liaison at 507-255-3236. Following your review of this packet, you will be asked to sign a form indicating that you have completed the HIPAA Training.
This form will be filed with other important documents that you must submit before coming to Mayo.

Module 1: An Introduction to HIPAA

The Mayo Foundation Integrity Program was created to reinforce the commitment to providing patient care with integrity. When people behave with integrity, they act honestly, sincerely, ethically, morally and legally. Our Integrity Program applies to everyone: Mayo Foundation trustees, officers, all staff who work at Mayo entities, and people who do business with Mayo.

Mayo’s Code of Conduct is part of the Integrity Program. The Code of Conduct is a formal statement of our rules of ethical business conduct. It covers nine areas:

- Ethics
- Confidential information and trade secrets
- Conflict of interest and outside activities
- Use of Mayo funds and assets
- Dealing with suppliers and referring providers
- Books and records
- Political activity and contributions
- Safety, health and environment
- Employee relations

Detailed descriptions of each topic can be found in the Mayo Foundation Integrity Handbook or the Integrity Program web site. Our patients trust us and believe that we will keep their information private. Confidentiality breaches are very serious matters. Staff who knowingly violate our policies on confidentiality will be dealt with appropriately.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law intended to make the business part of healthcare more efficient by setting standards for submission of electronic bills, for electronic payments, and for checking referrals and authorizations electronically. The HIPAA transaction standards will save the healthcare industry – and us – a lot of money over the long term. When the healthcare industry begins to use these electronic transactions, a great deal of patient information will be exchanged among the industry’s computer systems.
The Department of Health and Human Services has issued HIPAA privacy and security standards to provide for the protection of patient information from inappropriate use or disclosure. HIPAA does not limit a healthcare provider from using a patient’s information to provide appropriate treatment to the patient, sending patient information to insurance companies for reimbursement, or using patient information for quality control or operational improvement.

While HIPAA will not require major process changes in our medical practice, it will require the cooperation and support of everyone in order to achieve and maintain compliance. To help with HIPAA compliance, we have developed some new policies and procedures, and we have changed some existing policies and procedures. This educational program describes these new and changed policies and procedures and highlights what each of you needs to do to protect the confidentiality of our patients’ information so that we maintain HIPAA compliance.

We have a long-standing practice of protecting patients’ privacy and maintaining the confidentiality of their information. We can continue to maintain that practice but only with your help!

Who does HIPAA apply to?

HIPAA regulations apply to all covered entities.

What will HIPAA require us to do?
HIPAA requires us to:

- Inform patients that they have certain rights, such as the right to obtain copies of their health information and the right to request amendments (Notice of Privacy Practices)
- Inform patients how their health information may be used and disclosed (Notice of Privacy Practices)
- Verify that those to whom we give patients’ health information, our business associates, also maintain its confidentiality
- Meet certain administrative requirements, such as appointing a Privacy Officer at each site and documenting how we interact with patients about their rights
- Ensure that only authorized people have access to patients’ information

This educational program is designed to provide the information while you are at Mayo Clinic.

What type of information is protected by HIPAA?

Patients’ health and demographic information, defined as “protected health information,” is protected by HIPAA. This protected information includes identifying information about the patient such as:

- Name
- Addresses
- Dates related to the patient, like birth date and dates of services
- Telephone numbers, fax numbers, and e-mail addresses
- Social Security Number
- Medical record number
- Any other account numbers or numbers that are specific to the patient
- Pictures of the patient

What does this mean for you?

HIPAA means that all of our patient information needs to be protected.

Are there any exceptions?

Yes, HIPAA treats patient information differently if it will be used for research, public health activities, or certain internal operations.

State law may require us to follow additional guidelines. For example, Minnesota state law requires patient authorization for billing prior to sending information to an insurance company.

Is non-electronic information protected by HIPAA?

Yes. All patient health and demographic information is protected, whether it is on a computer, in a paper record, or verbal.

Who is protected by HIPAA?
ALL of our patients are protected by HIPAA!

To whom do you refer questions regarding HIPAA?

If you have questions regarding HIPAA and our related policies and procedures, please discuss with the coordinator of the Nurse Visitor Program.

Module 2: Patient Rights

HIPAA mandates certain rights for patients concerning their health information. Most of these patient rights are already part of our policies and practices; the remainder required development of new policies.

In this module, we review patients’ rights as related to their health information. You need to know and understand the following six rights:

Patients have the right to see and obtain copies of their health information.
Most patients can see their entire medical record; however, there are a few exceptions that are explained in the policy.

Patients have the right to request amendments to the information in their medical record.
These requests occur when the patient believes that their record is incomplete or inaccurate. The process and circumstances by which they are reviewed are explained in the policy.

Patients have the right to request a list of certain non-routine disclosures of their health information.
For example, release of health information to the State Health Department or release of patient information under a subpoena must be documented and included in a list that is provided to the patient upon request.

Patients have the right to request that their health information be communicated in a certain way.

Patients have the right to discuss their health information confidentially. If a patient is uncomfortable speaking to a healthcare provider in a crowded area, move to a more isolated spot where confidentiality is easier to maintain.

Patients have the right to request that their health information be communicated in a certain way. Patients may request to have written communications sent to an address that is different from their “regular” address, as found in their medical record.
For example, a patient may not want certain laboratory test results sent to their home address.

Patients have the right to request restrictions on how their health information is used or disclosed.
We may use a patient’s information for their treatment, payment for services, and to conduct healthcare operations. It is important that patients receive consistent responses to their requests for restrictions.

Patients have the right to complain to us and to the government about our privacy practices or about a violation of those privacy practices.
We do our best to ensure that our patients’ information is kept private. However, mistakes sometimes happen. If patients feel that their privacy has been violated, they have the right to complain.

How do patients learn about these rights?

Beginning in early 2003, each patient will receive a document that describes patient rights and how patient information is handled. This document is known as the Notice of Privacy Practices. In addition, the Notice of Privacy Practices will be available on our web site, in all patient areas, and in the Emergency Department.

Module 3: Incidental Use of Patient Information

How is patient information protected?

Policies have been established governing how patient information can be used. While you may not routinely handle patient information, you do encounter patients and may see their health information. You may also hear others talking about patients. This module reviews how to appropriately handle these incidental encounters in order to ensure that patient information is protected and remains confidential.

Is the fact that a patient was here confidential?

Yes. A patient’s presence here must remain confidential. If you recognize a patient, keep it private. Many individuals come here because we provide excellent care. They trust us to keep their presence – and their information – confidential. Do not talk about patients with your colleagues unless it is necessary to do so for your job.
Also, it is inappropriate to discuss patients outside of the medical center. Do not place yourself or Mayo Clinic in a compromising situation because you have failed to respect a patient’s privacy. Keep all patient information private. It is the right thing to do.

What do you do if you overhear conversations about patients?

Occasionally, you may hear others talking about patients. All patient information, written and verbal, is protected by HIPAA. For example, while in an elevator, you might overhear a physician speaking with a resident about a patient. No matter how interesting the conversation might be, do not pass it on. In a situation where you need to talk about a patient, pay attention to who may overhear your conversation. Look for a private place to speak if others – especially members of the public – can hear you.

What if you see patient information while you are here?

You may occasionally encounter patient information. Regardless of the way it is encountered, patient information is protected and must remain confidential. If you are concerned that others are not being careful with patient information, it is important to share with the coordinator of the Nurse Visitor Program.

Remember that privacy is everyone’s responsibility.

How can we use patient information?

Patient information can be used for:

- Treatment: provision, coordination or management of healthcare and related services for a patient including communications with other providers about patient treatment or referral of a patient to another provider.
- Payment: activities undertaken to obtain reimbursement for the provision of healthcare
- Healthcare Operations: activities including, but not limited to, quality assurance, medical review, legal services, auditing functions, and general administration

How much patient information can we use?

Your department will determine what types of patient information you have access to in the role of a nurse visitor.
The “need-to-know” rule is HIPAA’s minimum necessary standard.

Not every employee needs access to a patient’s entire medical record. Clinical staff, such as physicians and nurses, generally need to see the whole patient record in order to properly care for a patient. Other staff, however, may only need the patient address and phone number for appointment scheduling. In addition, not every employee needs access to every patient’s record. Clinical personnel should only access the patient information of patients with whom they have a treatment relationship. “Curiosity viewing” of patient records is absolutely prohibited.

What is your responsibility in providing a patient’s information to another staff member?

You should verify the identity of anyone who requests patient information from you. Just because a person is asking does not mean that there is a need-to-know. You should be certain that it is necessary for the requestor to see the patient’s information, even if you know the person is an employee of our organization.

Module 4: Disclosure of Patient Information – Awareness

It is sometimes necessary to disclose a patient’s information outside of our organization.

Does HIPAA require patient authorization for disclosure of their health information?

HIPAA requires us to obtain patient authorization for certain disclosures. Many other disclosures can still be made without prior patient authorization. Disclosures for treatment, payment, healthcare operations, or those required by law, do not require patient authorization.
For example:

- Patient information sent to other providers for follow-up treatment of patients
- Patient information sent to insurance companies for reimbursement
- Patient information disclosed to accrediting organizations, such as JCAHO, to maintain facility accreditation
- Patient information inspection by a state health agency during the course of a review
- Communicable disease instances reported to the public health department
- Release of patient information to a public health authority or to law enforcement

What if someone from outside our organization sees a patient’s information?

Disclosure occurs when someone from outside our organization sees a patient’s information. All disclosures must follow our disclosure policies. It is important to recognize that unintentional disclosures may result in violations of our policies. For example:

- A medical record left unattended so that anyone can read its contents
- An unattended computer workstation displaying patient information
- Disposal of patient information in the trash bin
- Including recognizable patient information on a care plan that is handed in to a professor

In these examples, simple steps can prevent unintentional disclosure.

- Close records and folders to prevent unintended reading
- Terminate and lock workstation displays before leaving the work area
- Discard patient information properly and before you leave the hospital setting

Module 5: Conclusion

Congratulations! You have completed the HIPAA Training Program!

Here are a few reminders for protecting patient information:

- Do not give patient information to anyone unless there is a “need-to-know.”
- When you need to discuss patient information, pay attention to who may overhear your conversation. Look for a private place to speak if others – especially members of the public – may hear you.
- If you overhear others inappropriately discussing a patient, you may want to remind them that they have an obligation to maintain patient confidentiality.
- Keep patient information out of public traffic areas.
For example, do not leave paper containing patient information where others can see it.
- Be responsible when disposing of patient information.
- Follow all of your policies and procedures on protecting the confidentiality of patient information.

If you have any questions about HIPAA compliance, please discuss with your preceptor, faculty representative or Education Liaison.

Thank you!

Appendix A: Glossary Terms

Authorization: A signed, written permission, specific to a narrow, defined purpose—such as for insurance payment or medical research authorization. Authorizations must have an expiration date and can be revoked at any time.

Business Associate: A person or company that provides a service or performs a function that requires routine access to a patient's health information to perform that service or function and is not under the direct control of the institutions required to comply with HIPAA.

Covered Entity: An entity in the healthcare sector that is a health plan, a healthcare clearinghouse, or a healthcare provider that provides treatment to patients in either a direct or indirect way.

De-identified: Patient information is de-identified if sufficient key items have been removed such that it is no longer individually identifiable and cannot be used, alone or in combination with other reasonably available information, to identify the individual patient.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Facility Directory: A patient list that includes the patient's name, his or her location in the facility, his or her general condition, and his or her religious affiliation. This information is shared only with clergy or those asking about a patient by name.

Healthcare Operations: Activities that are necessary for the entity to conduct business.
For example,

- any quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, case management and care coordination
- reviewing the competence or qualifications of healthcare professionals, training, accreditation, certification, licensing, or credentialing activities
- conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs
- business planning, business management and general administrative activities of the covered entity.

Health Insurance Portability and Accountability Act (HIPAA): The Health Insurance Portability and Accountability Act, also known as HIPAA, is a new federal law intended to make the business part of healthcare more efficient by setting standards for submission of electronic bills, for electronic payments, and for checking referrals and authorizations electronically.

Identifier: Data attributable to a unique individual that may be used to identify that individual.

Joint Commission (JC) on Accreditation of Healthcare Organizations: An organization that measures healthcare organization performance in a variety of areas. Achieving accreditation through the JC means that a healthcare organization has met or exceeded the JC's standards concerning levels of service and patient care. An independent, not-for-profit organization, JC is the nation's predominant standards-setting and accrediting body in healthcare. JC accreditation is recognized nationwide as a symbol of quality that reflects an organization's commitment to meeting certain performance standards. To earn and maintain accreditation, an organization must undergo an on-site survey by a JC survey team at least every three years.
Laboratories must be surveyed every two years.

Limited Data Set: A set of patient information, not including any directly identifiable information, that may be used for research, public health and healthcare operations.

Minimum Necessary: A stipulation that covered entities must make reasonable efforts to limit use or disclosure of protected health information to the minimum information necessary to accomplish the intended purpose.

Protected Health Information: Any individually identifiable health information, including demographic information, collected from an individual that relates to the past, present, or future physical or mental health of an individual, or the past, present or future payment for the provision of healthcare to an individual.

Psychotherapy Notes: Notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescriptions and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis, and notes regarding progress to date.

Treatment: The provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party, consultation between healthcare providers relating to a patient, or the referral of a patient for healthcare from one healthcare provider to another.
Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the entity, regardless of whether they are paid by the covered entity or not.

Health Insurance Portability and Accountability Act (HIPAA)
Mayo Clinic
Department of Nursing
Education and Professional Development Division
Affiliated Clinical Nursing Education Programs – Mayo School of Health Sciences

You have completed the HIPAA Privacy Education packet.

Name (printed): __________________________________________________________
School name: ________________________________________________
Type of clinical experience: _________________________________________________
Dates of clinical experience: _________________________________________________
Student’s Signature __________________________________________________
Date: _____________________

Student Orientation Signature Form

I have read the information/policies included in the Student Orientation Packet.

I understand the content and agree to comply with the Organization’s policies, procedures and guidelines.

I agree, unless authorized, not to access, use or release confidential information regarding patients, employees and business operations. I also understand that my unauthorized access, use or release of any and all confidential information at the Organization may be cause for my immediate termination from the clinical experience. In addition, I understand that I may be personally liable for any disclosure, misappropriation or use of confidential information.

Print Name: _________________________________________
Signature: _________________________________________
Date: ______________________

Please turn this signed document in to your clinical instructor to be retained in your student’s files at your college/university

Date: _________________________________________