TRANSCRIPT
Columbia University Medical Center
Health Insurance Portability and Accountability Act of 1996
(“HIPAA”)
Privacy & Information Security Training
2009
Health Insurance Portability and Accountability Act (HIPAA)
[Diagram: two components of HIPAA]
Insurance Reform [Portability]
Administrative Simplification [Accountability]
HIPAA OVERVIEW
Transactions, Code Sets, & Identifiers
Compliance Date: 10/16/2002 and 10/16/03
Privacy
Compliance Date: 4/14/2003
Security
Compliance Date: 4/20/2005
Fraud and Abuse (Accountability)
Who Needs HIPAA Training?
All staff working at CUMC should receive HIPAA training
Clinical – Patient Care requirements
Research – HIPAA research requirements
Administration – Billing, Fundraising, Marketing,
Public Relations & other Business functions
Privacy & Security Concerns
Theft of Patient Data: identity theft, stolen laptop, USB drives
Loss of Patient Data: incorrect disposal
Misuse of Patient Data: privacy breach
In the News……
An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients
CVS Caremark Corp. has agreed to pay $2.25 million to settle allegations by the government that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.
53 staff members disciplined for accessing Britney Spears medical records at UCLA medical center
HIPAA Guidance – Top 10: Privacy Guidance
1. Provide patient with the Notice of Privacy Practices
2. Shred patient information – disposal
3. Telephone Guidance – messages and requests for patient information
4. Use and Disclose Medical Information Correctly – release of medical information, minimum necessary
5. Fax patient information utilizing a cover sheet
HIPAA Guidance – Top 10: Information Security Guidance
1. Never share your password
2. Secure (password / encrypt) electronic devices with patient information
3. SS# should not be included in databases when not required
4. Do not access records of co-workers, family members, friends or high-profile patients
5. Promptly report loss or theft of electronic devices with protected health information, and inform the Privacy Officer of improper use / privacy breach
Privacy/Security Breaches
Sharing passwords
Loss / theft of USB drive, BlackBerry, disc or laptop with patient information
Failure to use passwords/encryption to protect portable devices
Mailing medical records
Incorrect patient registration
Failing to log off systems (CROWN, WebCIS, Eclipsys, IDX etc.)
Sending ePHI (electronic protected health information) outside the institution without encryption
Using a non-CUMC email account to communicate patient information
Information Security & Privacy Failures
Employee Carelessness
DO NOT USE PERSONAL EMAIL ACCOUNTS FOR WORK PURPOSES
New Requirements for Patients
The Notice of Privacy Practices must be offered to the patient at the time of their first visit (first visit only, not every visit).
Tells patients their specific rights regarding their health information.
A signed acknowledgement must be placed in the patient’s medical record and documented in IDX.
Notice of Privacy Practices
Patients have the right to:
Request restrictions on release of their PHI
Receive confidential communications
Inspect and copy medical records (access)
Request amendment to medical records
Make a complaint
Receive an accounting of any external releases
Obtain a paper copy of the Notice of Privacy Practices on request
Use or Disclosure of Medical Information
Written Authorization required to release medical information
A physician may share information with a referring physician (“patient in common”) without an authorization
All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
Electronic Access is Recorded
Your access to Crown, WebCIS, Eclipsys, and other clinical electronic systems is recorded and subject to audit
Periodic audits are done and access is monitored
If you access medical information without a legitimate business purpose you will be disciplined
Do not allow others to use your password or user ID or work after you have signed into a clinical application
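The two slides above (no access to records of co-workers, family, friends or high-profile patients; all clinical-system access is recorded and periodically audited) describe a control without showing what the audit actually checks. The following is an added example, not CUMC's own tooling or any vendor's feature: it runs a few simple review rules over a constructed access-log export. The CSV layout, the "treating_relationship" column, the user IDs, MRNs, and both watch lists are assumptions made up for the illustration; a real audit would draw these from the clinical system's audit trail, HR data, and the Privacy Office's monitoring list.

```python
# Added illustration of an access-log audit, not CUMC's own tooling. The log
# format, field names, user IDs, MRNs and watch lists below are all constructed
# assumptions for this example.
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user_id: str
    patient_mrn: str
    reason: str


# Constructed sample export from a clinical system's access log. The
# "treating_relationship" column stands in for whatever the system records
# to tie a user to a patient (an encounter, an order, a care-team entry).
SAMPLE_LOG = """\
timestamp,user_id,patient_mrn,action,treating_relationship
2009-03-02T09:14:05,jdoe,100001,view,yes
2009-03-02T09:20:41,jdoe,100002,view,no
2009-03-02T10:02:13,asmith,100003,view,yes
2009-03-02T10:05:59,asmith,100042,view,no
2009-03-02T11:30:00,bjones,100007,view,no
2009-03-02T11:31:12,bjones,100042,view,yes
"""

# Constructed watch lists. In practice the first would come from HR data
# (an employee's own MRN plus declared household members) and the second
# from the Privacy Office's list of patients under heightened monitoring.
OWN_OR_FAMILY_MRNS = {
    "jdoe": {"100002"},
    "asmith": {"100003", "100009"},
}
HIGH_PROFILE_MRNS = {"100042"}


def audit_access_log(log_text, own_or_family_mrns, high_profile_mrns):
    """Return one Finding per access record that needs human review.

    Rules, in priority order:
      1. A user opened their own record or a family member's record.
      2. Anyone opened a high-profile patient's record (always reviewed,
         even when a treating relationship is documented).
      3. The record was opened with no documented treating relationship.
    Accesses that trip none of these are treated as routine.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user_id"]
        mrn = row["patient_mrn"]
        related = row["treating_relationship"].strip().lower() == "yes"

        if mrn in own_or_family_mrns.get(user, set()):
            findings.append(Finding(user, mrn, "own or family record"))
        elif mrn in high_profile_mrns:
            detail = ("treating relationship documented" if related
                      else "no treating relationship")
            findings.append(Finding(user, mrn, f"high-profile patient ({detail})"))
        elif not related:
            findings.append(Finding(user, mrn, "no documented treating relationship"))
    return findings


def findings_by_user(findings):
    """Group findings per user so a reviewer sees each employee's list at once."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.user_id, []).append(f)
    return grouped


if __name__ == "__main__":
    report = audit_access_log(SAMPLE_LOG, OWN_OR_FAMILY_MRNS, HIGH_PROFILE_MRNS)
    for user, items in findings_by_user(report).items():
        print(user)
        for f in items:
            print(f"  MRN {f.patient_mrn}: {f.reason}")
```

On the constructed log this flags five of the six accesses: jdoe's view of their own record, asmith's view of their own record (even though a treating relationship is recorded), both views of the high-profile MRN, and bjones's view of a patient with no documented relationship. The one routine access (jdoe viewing a patient they are treating) produces nothing. The "no documented treating relationship" rule is deliberately the noisiest; it exists to surface cases for a human reviewer, not to decide discipline on its own.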
New Regulations - 2009
HITECH – Economic Stimulus Plan
Significantly increased penalties
PERSONAL liability for violations
Significantly increased requirements to protect electronic medical information
Red Flag Regulations
New regulations to detect, prevent and respond to medical identity theft
Social Security Notification Act
Individual notification and free credit monitoring when the SS# of an individual is lost/stolen
HIPAA Research Training
All researchers are required to complete HIPAA Research online training in addition to the HIPAA general training
Researcher Training: Register on RASCAL: www.rascal.columbia.edu
HIPAA and Research
Two main avenues:
Form A HIPAA Clinical Research Authorization – required elements
Form B HIPAA Application for Waiver of Authorization – subject to approval of the IRB
Some exceptions: research using solely decedent information; research using solely de-identified information; activities prior to research or preparatory
Medical Record Research done under a HIPAA Waiver of Authorization is approved by the IRB
PATIENT PRIVACY
At some point in our lives we will all be a patient
Treat all information as though it were your own
Questions & Answers
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center