CONFIDENTIALITY

TO: University-College Students and Faculty
FROM: Mayo Clinic Board of Governors
SUBJECT: Mayo Clinic’s Confidentiality Policy

The Board of Governors calls your attention to Mayo Clinic’s Confidentiality Policy. All employees, students, faculty, and visitors at Mayo Clinic have an obligation to conduct themselves in accordance with the policy and hold in confidence all information concerning patients, employees and business information. Confidential information includes all material, both paper-based and electronic, related to the operation of Mayo Clinic including, but not limited to:

  • financial information
  • patient names and other identifying information
  • patient personal and medical information
  • patient billing information
  • employee social security and other personal data
  • proprietary products and product development
  • marketing and general business strategies
  • any discoveries, inventions, ideas, methods, or programs that have not been publicly disclosed
  • any information marked “confidential”

Only physicians, or persons authorized by a physician, may access, use or release laboratory, medical and surgical information. Such matters are confidential between the health care provider and the patient.

Students and faculty must also refrain from revealing any confidential information concerning employee records or business operations. Any carelessness or thoughtlessness in this respect, leading to the release of such information, is not only wrong ethically but may involve the individual and Mayo Clinic legally.

I heard or read the above statement, understand the contents and agree, unless authorized, not to access, use or release confidential information regarding patients, employees and business operations. I also understand that my unauthorized access, use or release of any and all confidential information at any or all Mayo Clinic facilities may be cause for my immediate termination from the clinical experience. In addition, I understand that I may be personally liable for any disclosure, misappropriation or use of confidential information.

SIGNATURE:                    DATE:

PRINT NAME:

Mayo Foundation

Electronic Authentication Security Agreement Statement

University/College Students (“Students”) and University/College Faculty (“Faculty”) with authorized access to electronic clinical applications who need to authenticate documents electronically will be issued a User ID and will select a password that uniquely identifies them after competency has been demonstrated. This protects the database and maintains the privacy of patient information. The selected password should be kept confidential and should not be compromised for any reason.

Students and Faculty are accountable for any transactions associated with their password and User ID.

If at any time a Student or Faculty member has reason to believe that the confidentiality of his/her password or of confidential information has been compromised, Clinical Facility’s Data Security Officer should be notified immediately so that appropriate action can be taken.

I, therefore, understand and agree:

1. My User ID/password is the equivalent of a legal signature.

2. In order to protect the security and integrity of Clinical Facility’s electronic data, I agree to approved Data Security Policies and Standards.

3. I will not attempt to access information by using a User ID/password other than my own.

4. I understand that failure to do any of the above may constitute a violation of the Data Security Policies and Standards and may result in disciplinary action by Clinical Facility as well as external regulatory bodies.

Student Name:

Student Signature:

Date:

OR

Faculty Name:

Faculty Signature:

Date: ______

Department of Nursing

Mayo Clinic

Education and Professional Development Division

Affiliated Clinical Nursing Education Programs – Mayo School of Health Sciences

Welcome to HIPAA Training

(Health Insurance Portability and Accountability Act)

Mayo Clinic has a long-standing tradition of protecting patients’ rights and keeping their medical information private. An additional federal regulation known as HIPAA requires Mayo and other healthcare providers to place further safeguards and documentation of these safeguards to patient health information by April 14, 2003. HIPAA also requires that Mayo train each employee, volunteer, student and contractor on these safeguards by April 14, 2003 and thereafter. This mandatory training will inform each person about Mayo's privacy policies and practices. The educational content for each person is determined by the specific role they have and the amount of patient interaction required by the role.

Please read the information in this packet. You will need to complete this packet prior to your visit/clinical experience at the Mayo Clinic. If you have questions, please do not hesitate to call the Education Liaison at 507-255-3236. Following your review of this packet, you will be asked to sign a form indicating that you have completed the HIPAA Training. This form will be filed with other important documents that you must submit before coming to Mayo.

Module 1: An Introduction to HIPAA

The Mayo Foundation Integrity Program was created to reinforce the commitment to providing patient care with integrity. When people behave with integrity, they act honestly, sincerely, ethically, morally and legally. Our Integrity Program applies to everyone: Mayo Foundation trustees, officers, all staff who work at Mayo entities, and people who do business with Mayo.

Mayo’s Code of Conduct is part of the Integrity Program. The Code of Conduct is a formal statement of our rules of ethical business conduct. It covers nine areas:

  1. Ethics
  2. Confidential information and trade secrets
  3. Conflict of interest and outside activities
  4. Use of Mayo funds and assets
  5. Dealing with suppliers and referring providers
  6. Books and records
  7. Political activity and contributions
  8. Safety, health and environment
  9. Employee relations

Detailed descriptions of each topic can be found in the Mayo Foundation Integrity Handbook or the Integrity Program web site.

Our patients trust us and believe that we will keep their information private. Confidentiality breaches are very serious matters. Staff who knowingly violate our policies on confidentiality will be dealt with appropriately.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law intended to make the business part of healthcare more efficient by setting standards for submission of electronic bills, for electronic payments, and for checking referrals and authorizations electronically. The HIPAA transaction standards will save the healthcare industry – and us – a lot of money over the long term.

When the healthcare industry begins to use these electronic transactions, a great deal of patient information will be exchanged among the industry’s computer systems. The Department of Health and Human Services has issued HIPAA privacy and security standards to provide for the protection of patient information from inappropriate use or disclosure.

HIPAA does not limit a healthcare provider from using a patient’s information to provide appropriate treatment to the patient, sending patient information to insurance companies for reimbursement, or using patient information for quality control or operational improvement.

While HIPAA will not require major process changes in our medical practice, it will require the cooperation and support of everyone in order to achieve and maintain compliance. To help with HIPAA compliance, we have developed some new policies and procedures, and we have changed some existing policies and procedures. This educational program describes these new and changed policies and procedures and highlights what each of you needs to do to protect the confidentiality of our patients’ information so that we maintain HIPAA compliance.

We have a long-standing practice of protecting patients’ privacy and maintaining the confidentiality of their information. We can continue to maintain that practice but only with your help!

Who does HIPAA apply to?

HIPAA regulations apply to all covered entities.

What will HIPAA require us to do?

HIPAA requires us to:

  • Inform patients that they have certain rights, such as the right to obtain copies of their health information and the right to request amendments (Notice of Privacy Practices)
  • Inform patients how their health information may be used and disclosed (Notice of Privacy Practices)
  • Verify that those to whom we give patients’ health information, our business associates, also maintain its confidentiality
  • Meet certain administrative requirements, such as appointing a Privacy Officer at each site and documenting how we interact with patients about their rights
  • Ensure that only authorized people have access to patients’ information

This educational program is designed to provide the information you need while you are at Mayo Clinic.

What type of information is protected by HIPAA?

Patients’ health and demographic information, defined as “protected health information,” is protected by HIPAA. This protected information includes identifying information about the patient such as:

  • Name
  • Addresses
  • Dates related to the patient, like birth date and dates of services
  • Telephone numbers, fax numbers, and e-mail addresses
  • Social Security Number
  • Medical record number
  • Any other account numbers or numbers that are specific to the patient
  • Pictures of the patient

What does this mean for you?

HIPAA means that all of our patient information needs to be protected.

Are there any exceptions?

Yes, HIPAA treats patient information differently if it will be used for research, public health activities, or certain internal operations.

State law may require us to follow additional guidelines. For example, Minnesota state law requires patient authorization for billing prior to sending information to an insurance company.

Is non-electronic information protected by HIPAA?

Yes. All patient health and demographic information is protected, whether it is on a computer, in a paper record, or verbal.

Who is protected by HIPAA?

ALL of our patients are protected by HIPAA!

To whom do you refer questions regarding HIPAA?

If you have questions regarding HIPAA and our related policies and procedures, please discuss with the coordinator of the Nurse Visitor Program.

Module 2: Patient Rights

HIPAA mandates certain rights for patients concerning their health information. Most of these patient rights are already part of our policies and practices; the remainder required development of new policies.

In this module, we review patients’ rights as related to their health information. You need to know and understand the following six rights:

  1. Patients have the right to see and obtain copies of their health information.

Most patients can see their entire medical record; however, there are a few exceptions that are explained in the policy.

  2. Patients have the right to request amendments to the information in their medical record.

These requests occur when the patient believes that their record is incomplete or inaccurate. The process and circumstances by which they are reviewed are explained in the policy.

  3. Patients have the right to request a list of certain non-routine disclosures of their health information.

For example, release of health information to the State Health Department or release of patient information under a subpoena must be documented and included in a list that is provided to the patient upon request.

  4. Patients have the right to request that their health information be communicated in a certain way.

Patients have the right to discuss their health information confidentially. If a patient is uncomfortable speaking to a healthcare provider in a crowded area, move to a more isolated spot where confidentiality is easier to maintain.

Patients may also request to have written communications sent to an address that is different from their “regular” address, as found in their medical record. For example, a patient may not want certain laboratory test results sent to their home address.

  5. Patients have the right to request restrictions on how their health information is used or disclosed.

We may use a patient’s information for their treatment, payment for services, and to conduct healthcare operations. It is important that patients receive consistent responses to their requests for restrictions.

  6. Patients have the right to complain to us and to the government about our privacy practices or about a violation of those privacy practices.

We do our best to ensure that our patients’ information is kept private. However, mistakes sometimes happen. If patients feel that their privacy has been violated, they have the right to complain.

How do patients learn about these rights?

Beginning in early 2003, each patient will receive a document that describes patient rights and how patient information is handled. This document is known as the Notice of Privacy Practices. In addition, the Notice of Privacy Practices will be available on our web site, in all patient areas, and in the Emergency Department.

Module 3: Incidental Use of Patient Information

How is patient information protected?

Policies have been established governing how patient information can be used. While you may not routinely handle patient information, you do encounter patients and may see their health information. You may also hear others talking about patients. This module reviews how to appropriately handle these incidental encounters in order to ensure that patient information is protected and remains confidential.

Is the fact that a patient was here confidential?

Yes. A patient’s presence here must remain confidential. If you recognize a patient, keep it private. Many individuals come here because we provide excellent care. They trust us to keep their presence – and their information – confidential. Do not talk about patients with your colleagues unless it is necessary to do so for your job. Also, it is inappropriate to discuss patients outside of the medical center.

Do not place yourself, or Mayo Clinic in a compromising situation because you have failed to respect a patient’s privacy. Keep all patient information private. It is the right thing to do.

What do you do if you overhear conversations about patients?

Occasionally, you may hear others talking about patients. All patient information, written and verbal, is protected by HIPAA. For example, while in an elevator, you might overhear a physician speaking with a resident about a patient. No matter how interesting the conversation might be, do not pass it on.

In a situation where you need to talk about a patient, pay attention to who may overhear your conversation. Look for a private place to speak if others – especially members of the public – can hear you.

What if you see patient information while you are here?

You may occasionally encounter patient information. Regardless of the way it is encountered, patient information is protected and must remain confidential.

If you are concerned that others are not being careful with patient information, it is important to share your concern with the coordinator of the Nurse Visitor Program.

Remember that privacy is everyone’s responsibility.

How can we use patient information?

Patient information can be used for:

  • Treatment: provision, coordination or management of healthcare and related services for a patient including communications with other providers about patient treatment or referral of a patient to another provider.
  • Payment: activities undertaken to obtain reimbursement for the provision of healthcare
  • Healthcare Operations: activities including, but not limited to, quality assurance, medical review, legal services, auditing functions, and general administration

How much patient information can we use?

Your department will determine what types of patient information you have access to in the role of a nurse visitor. The “need-to-know” rule is HIPAA’s minimum necessary standard.

Not every employee needs access to a patient’s entire medical record. Clinical staff, such as physicians and nurses, generally need to see the whole patient record in order to properly care for a patient. Other staff, however, may only need the patient address and phone number for appointment scheduling.

In addition, not every employee needs access to every patient’s record. Clinical personnel should only access the patient information of patients with whom they have a treatment relationship. “Curiosity viewing” of patient records is absolutely prohibited.

What is your responsibility in providing a patient’s information to another staff member?

You should verify the identity of anyone who requests patient information from you. Just because a person is asking does not mean that there is a need-to-know. You should be certain that it is necessary for the requestor to see the patient’s information, even if you know the person is an employee of our organization.

Module 4: Disclosure of Patient Information – Awareness

It is sometimes necessary to disclose a patient’s information outside of our organization.

Does HIPAA require patient authorization for disclosure of their health information?

HIPAA requires us to obtain patient authorization for certain disclosures. Many other disclosures can still be made without prior patient authorization. Disclosures for treatment, payment, healthcare operations, or those required by law, do not require patient authorization. For example:

  • Patient information sent to other providers for follow-up treatment of patients
  • Patient information sent to insurance companies for reimbursement
  • Patient information disclosed to accrediting organizations, such as JCAHO, to maintain facility accreditation
  • Patient information inspection by a state health agency during the course of a review
  • Communicable disease instances reported to the public health department
  • Release of patient information to a public health authority or to law enforcement

What if someone from outside our organization sees a patient’s information?

Disclosure occurs when someone from outside our organization sees a patient’s information. All disclosures must follow our disclosure policies. It is important to recognize that unintentional disclosures may result in violations of our policies. For example:

  • A medical record left unattended so that anyone can read its contents
  • An unattended computer workstation displaying patient information
  • Disposal of patient information in the trash bin
  • Including recognizable patient information on a care plan that is handed in to a professor

In these examples, simple steps can prevent unintentional disclosure.