Providing Care WithRespect and Dignity

Through Data Security & Privacy Practices

Springfield ClinicStudent/Resident HIPAA

Review9/23/13

Presented by: The Privacy Office

Core Elements of this Review1. Accessing PHI (Protected Health Information) beyond the scope of

your duties is a violation of HIPAA’s “Minimum Necessary” Rule”.2. It also violates Clinic Policy, and can lead to immediate termination

of your rotation here.3. HIPAA requires you to report privacy/security incidents or

suspected violations. Contact the Privacy Office at ext. 14216.4. You are not allowed to copy, transmit or print patient information for

your own use or for your school. Any documentation that you feel you need to send external for completion of your duties should be de-identified by the ROI Services Manager in Health Information Management (ext. 43742).

5. Sharing Passwords or user ID’s is strictly prohibited.6. Please keep all patient-related conversations out of patient areas.

Our patients perceive a lack of privacy when this happens – even if names are not used.

The OverviewHIPAA is a Federal Law named “The Health

Insurance Portability and Accountability Act”.

• HIPAA was enacted in 1996 to standardize electronic health insurance transactions. Its primary purpose was to reduce the gap in health insurance coverage occurring with change of employment, thereby reducing America’s personal bankruptcy rates as most of these were related to lack of medical insurance.

• HIPAA targets the uses and disclosures of Protected Health Information. PHI is any patient-identifiable health and/or billing information.

• Investigations and fines are handled by the Office for Civil Rights (OCR).

• Cases are referred to the Dept. of Justice for prosecution (500+ cases to date).

Health Insurance Portability & Accountability Act

HIPAA Privacy Rule gave patients 6 new civil rights. Requires delivery of a Notice of Privacy Practices before the first service, contractual agreements for privacy between Organizations, and mandatory internal and government reporting with mitigation of violations.

HIPAA Security Rule focuses on theConfidentiality, Integrity, and Availabilityof patient-identifiable electronic health and billing information. There are Organizational requirements, and safeguards include administrative, physical and technical safeguards.

HITECH expands penalties, requirements, and enforcement capacity. Expands the definition and responsibilities of a Business Associate (BA) to the same level as CE (Covered Entity). Requires HHS proactive auditing of CE’s. Adds patient right to Cash Restrictions. Requires patient notification within 60 days of PHI breach with potential harm. Requires that any breach over 500 patients is reported to HHS, media outlets, and patients. It also provides Meaningful Use incentives for Providers to use electronic records.

OMNIBUS The “Final Rule” expands requirements for BA’s and their subcontractors, increases penalties, expands HHS auditnumbers, and audit scope where evidence of willful negligenceis found. Huge increases in fines. It requires the CE to audit compliance of its Business Associates. BA’s are directly liable for their breaches. It changes the definition of Business Associate and “breach notification”. Lack of BA contract does not prevent the BA designation. State Attorneys General are given “private right to action” to prosecute on a patient’s behalf (the state gets a percentage). Genetic information is now PHI. Decedent info is no longer PHI 50 years after death. Documented Risk Analysis is now required for incidents not reported to HHS due to low probability that PHI was “compromised”. Patients can ask for records in electronic format and must accommodate if reasonable. Entities that create, receive, maintain or transmit ePHI for CE’s are now BA’s. BA’s must provide an accounting of disclosures if requested.Business associates will be subject to audits, compliance reviews, and enforcement actions by HHS.

It’s been updated several times!

10 Transactions that Define a “Covered Entity”1. Health Care claims or equivalent encounter information

2. Health care payment and remittance advice

3. Coordination of benefits

4. Health care claim status

5. Enrollment and disenrollment in a health plan

6. Eligibility for a health plan

7. Health plan premium payments

8. Referral certification and authorization

9. First report of injury

10. Health claims attachments

Note: HHS generally considers all providers, sites, and services within an Organization or System to be one CE.

Who Is A HIPAA Covered Entity?

• A Covered Entity (CE) is someone with a direct (face-to-face) patient care relationship. No authorization is required for PHI release for purposes of treatment, payment and CE operations.

• Everyone at Springfield Clinic is

considered part of the same covered entity. Internally releasing patient information without patient consent is allowed.

Who Is A Covered Entity Outside the

Clinic?• Any Provider with either a face-to-face patient relationship or who processes transactions using electronic patient information

• Any Health Care Plan paying for patient services• Any Clearinghouse providing healthcare billing services• Interpreters; Dentists; NP’s, PA’s, Counselors, Therapists• Medical Benefits Coordinator for ANY residential facility

including:– Prisons– Law enforcement officials holding prisoner in custody– Residential, Group & Nursing homes

• Pharmacists• School Nurses (only when evaluating students or

administering medications)

De-identifying PHI is the only legal way to transmit in an unsecured transmission. Consult with I.T. before using ePHI on personal devices. To de-identify information, call the ROI Services Manager in HIM Correspondence.

HIPAA Protects Patient-identifiable Health and/or Billing Information, So What

Constitutes Identifiers?1. Name

2. Street address

3. SSN

4. DOB

5. All dates (admit/discharge, DOS, date of death)

6. First 3 digits of zip only (if population > 20,000)

7. any geographic divisions smaller than state

8. age (if 90 or more, report age as “90+”)

9. Telephone, cell, or other personal number

10. Fax Number

11. URL and IP addresses (e-mail/internet)

12. VIN and serial numbers (vehicle)

13. Full face photos

14. Tattoos and any unique physical anomalies

15. Medical Record Number

16. Account Number

17. Insurance plan numbers

18. Device identifiers and serial numbers

19. Biometrics including fingerprint, voice, iris

20. Certificate/License Numbers

De-identifying PHI is considered a “safe harbor” for transport or storage.However there must be a procedure in place, to de-identify and re-identifyaccurately. Encryption is more commonly used.

Fines/Violations

Degree of Culpability/ “State of Mind”

Potential Penalty Per Violation

Maximum Annual Cap for All Violations of Identical HIPAA Provision

Violation was not known and could not have been discovered with reasonable diligence

$100 - $50,000 $1,500,000

Reasonable cause for violation, not due to willful neglect

$1000 - $50,000 $1,500,000

Violation due to willful neglect, but corrected in 30 days

$10,000 - $50,000 $1,500,000

Violation due to willful neglect, not corrected in 30 days

$50,000 $1,500,000

•Violations are counted up “based on the nature of the … obligation to act or not to act.” New factors - # of persons affected by the violation, potential harm to those persons’ reputations and finances.•Generally, monetary penalties will be tallied on a per person and per day basis. A violation should be corrected promptly within 30 days. Delaying beyond the timeframe will foreclose certain defenses that could decrease monetary penalty amounts.•The maximum annual cap of $1.5 million is applied on a “per provision” basis.•Monetary penalty system is as follows:

HIPAA Rule: Provide Minimum Necessary Information Per

Business Transaction

• It is the individual’s responsibility to provide no more than the “minimum necessary” patient information to satisfy a request or to complete a transaction.

• The only exception to minimum necessary is releasing health and/or billing information to another Provider.

Patient Rights Under HIPAA

• If we accept terms or conditions requested by the patient they must be accepted Clinic-wide.

• Please contact the Privacy Office when patients assert the civil rights reviewed on the following slides.

The Right To Review their Health and/or Billing Information

• Patients may ask to sit with us and review their medical and billing records, which is a Health Information Review.– (Call the Privacy Office Staff)

• They may ask for paper or electronic copies in any preferred format and we generally must provide this (Behavioral Health Records may be an exception – Provider’s choice). – (Call Health Information Mgmt. - Correspondence)

The Right To Request Amendment of Their Health Or Billing

Information • When the patient disagrees with statements in the

record, it is their right to ask the author to change the item.– (Refer them to the Privacy Office)

• The provider may refuse the amendment if he/she feels that the content is “complete and accurate” as it is, or if the information came from another source (transferred record).

• The Privacy Office assists the patient in adding a rebuttal letter to the disputed content if amendment is denied.

The Right To Request Confidential Communications

• When a patient asks us to change our normal method of communicating with him or her.

• HIPAA states that where we can we should. Remember that this type of request applies to all Clinic computer systems and offices. Let the Privacy Office handle it.

The Right To Request Privacy Restrictions

When a patient asks us to change the way we internally flow their PHI through our transaction processes.

– (It is critical to call the Privacy Office)– Examples:

• Don’t give my records to the worker’s Comp Carrier

• Don’t let the receptionist ay my doctor’s office see my information (she’s my ex sister-in-law)

• Don’t send information to my other doctors

The Right To An Accounting Of

Disclosures• When a patient asks “Where have you sent my

information without my authorization”?– (Call the Privacy Office)

• We must supply a listing of 6 years of past transactions.

• With an EHR, we must include all electronic transactions as of 1/1/14.

The Right to a Paper Copy of the Notice of Privacy Practices

• HIPAA requires that patients receive the Notice of Privacy Practices (NPP) before their first service with a covered entity.

• The purpose is to:– Assist the patient in choosing a provider based on our uses and

disclosures of their PHI– Inform them of their privacy rights under the law– Provide a contact to complain to when they feel their rights have

been violated. • If anyone asks for a privacy notice, please take them to

the nearest reception desk for an NPP (Notice of Privacy Practices) booklet.

Purpose Of The NPP

• Intent of a public notice• To help patients choose between

covered entities• To explain rights given to

individuals• To inform a patient where to

complain if rights are violated

The Right to Receive Their PHI Electronically in Their Preferred Format

• Patients now have the right to ask for their PHI in their preferred electronic format. We must accommodate if reasonable to produce.

• We must provide a reason why if we decline and ask for another preference.

The Right to Request a HITECH Cash Restriction

• Any patient may request that today’s services not be submitted to insurance, and if he/she meets conditions, we must allow it.

• In order to allow this cash restriction, the patient must request it before the visit is completed, and pay up front total charges for today.

• When those conditions are met, we must never release this information to the insurer (even in the future).

HIPAA Says: No Snooping!Five medical workers have been fired over patient data breaches at Cedars-Sinai Medical Center. The audit was triggered by Kim Kardashian’s delivery of daughter North West on June 15, 2013. Kim’s family suspected a leak of information at Cedars-Sinai after media reports included undisclosed details of the stay.

Four of the workers logged onto the hospital’s information system to access patient records, as employees of local physicians with staff privileges at the hospital. The others included a Medical Assistant, a Foundation employee, and a volunteer student research assistant.

After “Octomom’ was discharged, Kaiser Permanente fired 15 employees and disciplined 8 more for inappropriate access.

After Fashion Designer Gianni Versace passed away, 5 employees were fired for inappropriate access.

UCLA paid $865,500 for breach of celebrity privacy. The audit was 2005-2009 where breaches had been reported on dozens of celebrities, including Britney Spears, Farrah Fawcett, and Maria Shriver.

• Extra sensitivity for well-known patients is required. Access audits are likely on VIP’s, such as celebrities, politicians, or recent news stories.

• Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.

• Clinic Policy states that all health and health-related services and programs provided by the Clinic are available and accessible equally to patients who are hearing impaired, and to those with limited English proficiency (“LEP”).

• Interpreters shall receive payment for services performed only upon submitting a Clinic form invoice, which is verified or endorsed by a Clinic Manager.

Interpreter Services

May I discuss treatment information with a visitor present in the exam

room?• The patient has implied consent to discuss

treatment-related information by allowing them in the treatment room.

• Include the visitor by name and relationship in your dictation.

• Best practice is always to ask the visitor to step out at some point and ask the patient if there is anything they wish to discuss privately at this time. Also inquire as to social history and any potential abuse issues.

Good to Know!• A visitor brought to the exam room is

only allowed to be privy to the discussion during the exam. For an adult patient, even a parent’s presence does not provide access to any additional information later, regarding that visit (or any other encounter) without a signed patient authorization.

Authorized Patient Representatives

May I release information to a patient’s healthcare power of attorney?– Watch this! Typically a POA for healthcare may

only access a patient’s information after the patient is deemed incapacitated. However, some forms state they are effective on the date signed.

– You must read the form to see if it is activated.– This is different from a non-healthcare POA.– Protect yourself and do not act on a POA unless

the document is in patient’s record!

Business Associate• A Business Associate is defined as a

business or person who is hired to assist with daily operations, and whose job requires them to have access to PHI.

• HIPAA requires written contracts with legally specific language which requires that BA to handle all PHI according to HIPAA rules even when subcontracting.

Is It Okay to E-mail Patient Information to Another

Provider?• Students are not allowed to do

this at Springfield Clinic. • Please discuss any need to

disclose PHI with the ROI Services Manager in Health Information Management.

How Can I Reach the Privacy Office? The phone directory lists us under Privacy Office.

• Information Privacy Officer– Linda Meadows ext. 14540

• Privacy Operations Manager – Nancy Cardinale-Lower ext. 14216

• Privacy Operations Analysts: – Dawn Kane ext. 14245– Farrah Reagon ext. 14217– Danielle Dellaquila ext. 14278

• Privacy Support Specialist– Safron Squires ext. 14198

Let’s Test Your Skills• Answer each of the following questions.

Click here to access the quiz.

• Be sure to click on SUBMIT THE QUIZ in order to meet your training requirement.

• Thank you!

Thank Youfor completing this

HIPAA primer!Helping to educate our students about privacy and security rules is part of the Clinic’s ongoing mission to provide the highest quality of healthcare to the people of Central Illinois!