PHI
HIPAA Breach
HIPAA
Prevent Breach
Is this a violation?
100

Acronym PHI refers to

What is Protected Health Information

100

Steps to take at the school of nursing if there is a HIPAA violation

Contact your instructor, course coordinator, academic counselor or go directly to the website: https://compliance.wisc.edu/hipaa/ 

100

What does HIPAA stand for

What is the Health Insurance Portability and Accountability Act

100

You receive a text message from a peer asking about specifics as to what happened to a patient on your clinical unit.

Do not text back information.

100
You are a nurse manager and one of your staff needs to be out on a medical leave for a minor procedure. She is expected to return in a week but calls and states she will need an additional week. You see her surgeon in the hallway the next day and ask him about the procedure and the additional time out of work. As her employer, do you have the right to ask this information?

What is No. 

This is personal and protected health information that should not be requested without patient consent, even for employment reasons. There are no special privileges afforded to managers regarding the specific details of an employee’s health status.

200

5 Possible PHI

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URL
  • Internet Protocol (IP) Address
  • Finger or voice print
  • Photographic image - Photographic images are not limited to images of the face.
  • Any other characteristic that could uniquely identify the individual
200

Result of talking about patients cared for at a medical facility where you were previously employed.

What are legal penalties.

We are all required to keep patient information confidential "forever". A privacy breach could result in legal penalties even if you no longer work there.

200

What does HIPAA do?

• Sets privacy standards for individual health information

• Overseen by US Department of Health and Human Services and Department of Justice

• Governs PHI (protected health information)

200

Place to find the name of the HIPAA compliance/privacy officer?

200

One of your nurse colleagues is expecting and it’s been decided that you will organize the baby shower. Not having access to co-workers’ addresses, you only look in the demographics portion of the electronic medical record to obtain this information. You do not look at any clinical information. Would this be OK?

What is No.

Even demographic (address, phone number, etc.) information is considered protected health information under the privacy regulations and should not be accessed without approval of the patient.

300

Meaning of the term having access to the "minimum necessary" information to do our jobs?

What is having access to all information that we need to do our jobs, but not having access to unnecessary information.

300

Persons listed on the SoN HIPAA incident report

i.e., persons who must be listed


Who are everyone who is aware of the breach.

Note: Your name and contact information have to be on the SoN HIPAA incident report.

300

The question to ask yourself when accessing a medical record.

What is "Is this a patient I am currently caring for?"

You may not access the records of patients for whom you are not providing care. This includes:

–Upstream Patients: Patients on other units (e.g., ER) who may make their way to your unit (e.g., Surgery)

–Downstream Patients: Patients you cared for who are now off of your unit and you need to finish charting, etc.

300

The Wisconsin Administrative Code N7 Rules of Conduct, N7.03(3)(c), says this about social media regarding HIPAA?


Grounds for taking disciplinary action: Confidentiality, patient privacy, consent, or disclosure violations, including any of the following: (c) Making statements or disclosures that create a risk of compromising a patient’s privacy, confidentiality, or dignity, including statements or disclosures via electronic or social media.

300

Is it a HIPAA breach to discuss patients with my spouse if he/she doesn't work here and promises to keep it secret?

Yes

400

How to protect written PHI needed to complete job

Keep PHI paper on person

Shred it directly when no longer needed

Place it in a locked shred bin

Only write out/print minimum necessary PHI to complete job; never carry these papers home.

400

Rule regarding informing the patient when a HIPAA breach has been first identified.

What is do not inform.

If the subject is not yet aware, please do NOT inform the individual at this time. Decisions about informing the patient/subject will be made by the HIPAA Privacy Officer and HIPAA Security Officer after their review of the incident.

400

The year HIPAA was enacted?

What is 1996

400

Two ways to protect the information on your computer screen.


What are:

  • Turn the screen away from public view. 
  • Use a password-protected screen saver that pops up after a few minutes of idle time and hides the information. 
  • Log off when you leave the area.
  • Also remember: Never give your sign-in to someone else and never sign in using someone else’s ID
400

A patient named John has just completed his procedure and is wheeled into the recovery area. The nurse comes to talk with John about the procedure and to discuss discharge plans. There are other patients around them and a closed privacy curtain only separates them. Should the nurse have this discussion with the patient in the recovery room?

Yes, this is considered an "incidental disclosure." It is unrealistic for care to always be provided in a private room. Incidental disclosure is when patients hear health information during the normal course of providing health care. This is not considered a HIPAA violation.
