Office of Compliance Programs

Revised: July 18, 2017

HIPAA Privacy


HIPAA Privacy Workforce Training

The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff, residents, students, volunteers and contractors) about the University’s HIPAA policies and those specific HIPAA required procedures that may affect the work you do for the University.

Overview

This presentation provides a brief summary of the HIPAA Privacy Rule.

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

Important HIPAA Privacy Terms

This Training Program will Help YOU Understand…

BEFORE HIPAA

What Does HIPAA Do?

HIPAA is the Health Insurance Portability and Accountability Act, a federal law that…

The Purpose of HIPAA?

To protect and enhance the rights of consumers by providing them with:

The Rule’s goal is to maintain the trust in the health care system and improve the quality, efficiency and effectiveness of health care delivery.

Promotes the balance of:

An Overview of the Law

Overview of the Law

HIPAA is the FLOOR

Training Methods Offered at LSUHSC-NO

HIPAA Provides for the Following:

Who is Impacted?

The organizations covered by HIPAA are defined as “covered entities.”

A “covered entity” can be any of the following:

LSUHSC-NO, as a health care provider, is a “covered entity” under HIPAA.

This means that the university must abide by the requirements of the HIPAA Privacy Rule.

Who Has to Follow the HIPAA Law?

EVERYONE!!!!

What Patient Information Must We Protect?

We must protect an individual’s personal and health information that:

HIPAA says that this information is Protected Health Information (PHI).

Examples of Patient Identifiers

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is created when Patient Identifiers (listed above) are combined with:

Example: Patient's name and health diagnosis

Examples of What PHI is NOT…

Company proprietary information:

Health Information kept by an Employer:

Information regarding a person who has been deceased for more than 50 years.

Student health records

Use and Disclosure of PHI

LSUHSC-NO faculty, staff and students may not use or disclose PHI without a patient’s written authorization unless the use or disclosure qualifies for one of the exceptions in the HIPAA regulations.

Common Disclosures of PHI Allowed WITHOUT a HIPAA Authorization Form 

Treatment, Payment, and Health Care Operations (TPO) Defined

Use and Disclosure Exception: De-identification

What is a HIPAA Authorization Form?

Examples of when a HIPAA Authorization is Required include, but are not limited to:

Invalid Authorizations

An authorization is considered invalid if the document has any of the following defects:

HIPAA Privacy regulations require that very specific language be included in authorization documents. For that reason, only the HIPAA authorization forms available on LSUHSC-NO's policy web pages, or the authorization forms approved by the health care facility where you are working, may be used to obtain a patient's authorization to use or disclose their PHI.

Use of any other form will result in an Invalid Authorization and a Breach of PHI.

Who Has Access to PHI? The “Need to Know” Principles

PHI should be shared with as few individuals as needed to ensure patient care and then only to the extent demanded by the individual’s role.

The “Need to Know” Principles 

How Does “Need to Know” Translate into HIPAA?

HIPAA requires use of the Minimum Necessary concept:

TREATMENT is an EXCEPTION!

Never provide more information than what is needed!!

Minimum Necessary Rule (Exceptions)

The Minimum Necessary requirement does NOT apply in the following instances:

HIPAA Requires the University To:

Provide a copy of LSUHSC-NO's Notice of Privacy Practices (NPP) brochure when a patient first visits an LSUHSC-NO clinic. The NPP describes:

Ask the patient to sign a written acknowledgment that he/she received the Notice of Privacy Practices.

Post the NPP at the location (ex. in the patient waiting room) and on the location’s website. (Contact the Office of Compliance Programs for NPP posters.)

Patient’s Rights

HIPAA Provides for specific Patient Rights, which include:

Right to Access 

Right to Request Amendment and Restrict Disclosure

If a patient requests an Amendment or Restriction of the PHI contained in their medical record, the health care provider must reference the corresponding HIPAA Privacy Policy contained in CM-53 AND contact the LSUHSC-NO Privacy Officer.

LSUHSC-NO must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:

Right to an Accounting of Disclosures

A patient has the right to receive an accounting of certain types of disclosures of Protected Health Information made by LSUHSC-NO for up to six (6) years prior to the date on which the accounting is requested. This includes any disclosures for reasons other than treatment, payment or operations.

Where Can I find The Privacy Policies and Procedures?

At LSUHSC-NO, the HIPAA Privacy Policies and Procedures are contained in Chancellor's Memorandum 53 (CM-53), available at: http://www.lsuhsc.edu/administration/cm/cm-53/

How Does HIPAA Privacy Affect Providers?

LSUHSC-NO has a commitment to protect the privacy of the patient’s health information, in both medical and billing records. 

The privacy policies and procedures affect the tasks a provider performs, including aspects of physical security of PHI and the minimum necessary standard.

Protecting a Patient’s PHI is YOUR Responsibility

PHI can be compromised in many different ways. It is your responsibility to protect PHI in all situations so that you do not expose a patient’s PHI.

A patient's PHI can be breached in any of the following ways. (This is not an exhaustive list, but rather examples of various risks to PHI.)

Role of the Privacy Officer

Privacy Complaints

If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to the:

How to Report a HIPAA Violation

Contact the LSUHSC-NO Privacy Officer or the Office of Compliance Programs via:

Penalties for HIPAA Violations

There is a tiered system for assessing the level and penalty of each violation:

Additional Penalties

Loss of your job or student status.

Individuals and health care providers (hospitals, etc.) can also face civil and criminal prosecution, depending on the facts of the case.

As a Recap…

Getting Help

Office of Compliance Programs
433 Bolivar St.
Suite 807
New Orleans, LA. 70112
504-568-5135