HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy

Krista Barnes, Senior Compliance Attorney

Institutional Compliance Office at MD Anderson Cancer Center

GSBS New Student Orientation

August 14, 2013

2

Name Title Areas of Expertise Krista Barnes, J.D.

Phone: 713-792-2511

Email: kmbarnes@mdanderson.org

Senior Compliance Attorney Responsible for providing legal guidance for and oversight of Privacy Compliance and general compliance matters.

Matthew Bourgeouis, J.D., C.H.P.C.

Phone: 713-745-0635

Email: mobourgeois@mdanderson.org

Associate Legal Officer Assists in Privacy Compliance matters and provides legal and regulatory guidance/training.

Regina Jackson, M.Ed., R.T.R., C.I.R.C.C., C.H.P.C., C.P.C.

Phone: 713-745-6042

Email: ryjackso@mdanderson.org

Project Manager Responsible for managing Privacy Compliance Program activities.

Kendra Moriarty, M.H.A.

Phone: 713-792-6841

Email: kcmoriarty@mdanderson.org

Senior Compliance Analyst Conducts projects and investigations involving Privacy Compliance issues.

Joe Conley Jr., M.B.A.

Phone: 713-745-9789

Email: JLConley@mdanderson.org

Senior Compliance Analyst Conducts projects and investigations involving Privacy Compliance issues.

Fadi Brian K. Badaoui

Phone: 713-745-6305

Email: fadi.badaoui@mdanderson.org

Compliance Analyst Conducts projects and investigations involving Privacy Compliance issues.

3

HI…what? • Health Insurance Portability & Accountability Act

(HIPAA)– Define “protected health information” (PHI) and how we

need to protect it– Gives patients certain rights with respect to PHI (see our

Notice of Privacy Practices)– Only applies to “covered entities” (health care providers,

insurers, and healthcare clearinghouses)

• Health Information Technology for Economic and Clinical Health (HITECH) Act– Imposes breach reporting obligations on covered entities– Gave HIPAA “teeth”

4

What is PHI?• Protected Health Information– Health information + Identifying Information• Health Information: diagnosis, treatment, lab results,

imaging studies, arguably even the fact that someone is a patient here because our name suggests a cancer diagnosis• Identifying Information: 18 types of identifying

information (see next slide).

5

• Names (including initials);• All geographic subdivisions smaller than a State,

including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits;

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a “90 and over” category);

• Phone numbers; • Fax numbers; • E-mail addresses; • Social security numbers; • Medical record numbers

• Health plan beneficiary numbers; • Account numbers; • Certificate/license numbers; • Vehicle identifiers and serial numbers, including

license plate numbers; • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers, including finger and voice

prints; • Full face photographic images and any

comparable images; and • Any other unique identifying number,

characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by person who holds the key)

What are the 18 HIPAA Identifiers?Identifying information includes the following EIGHTEEN items for an individual and the individual’s relatives, employers, or household members:

You’re working on a research study. The protocol calls for blood samples to be sent to the study’s sponsor for banking. The samples are labeled with date and medical record number (no names). The informed consent promises that all samples will be “de-identified.” Can you send the samples out like this?

– NO. – Dates and MRNs are “identifiers”– You aren’t authorized to send any identifiers

POP QUIZ

6

7

What does HIPAA say?• HIPAA General Rule: You may not use or disclose PHI

without the patient’s Authorization, unless it falls under a regulatory exception, which include:– Treatment (e.g., nurse talking to a doctor, talking to another physician

about a common patient)– Payment (e.g., billing insurance)– Healthcare Operations (e.g., for formal internal training programs,

quality improvement)– Certain research purposes (IRB waiver, preparatory to research)– De-identified data

• Research uses and disclosures of PHI are governed by the protocol, informed consent and authorization document, and/or an IRB waiver

Who can look at PHI?

8

http://www.chron.com/news/houston-texas/article/Harris-hospital-district-fires-16-over-privacy-1736905.php

http://www.healthcareitnews.com/news/kardashian-hipaa-breach-catastrophe

Can only access PHI if you have a legitimate work-related reason for doing so.

• Six Fired for Keeping up with the Kardashian

• Harris Hospital District Fires 16 Over Privacy

You are entering data for a study into a spreadsheet. You notice that the mom of your best friend from Junior High is one of the subjects. You didn’t even know she had cancer! You feel awful and want to help your friend’s family, maybe by sending flowers or taking dinner over. You log into ClinicStation to see when her last appointment was and how she is doing. You’re very sad to learn that she passed away last month. You post on your friend’s Facebook page, “I just heard about your mom passing away, I’m so sorry.”

Have you violated HIPAA? A. No. There’s no way anyone would know that you learned about her death from looking in her medical record.

B. No. HIPAA doesn’t apply after death.

C. Yes. People who work at covered entities can’t use social media.

D. Yes. You accessed the mom’s record without authorization, and then disclosed her PHI on Facebook.

Answer: D.

POP QUIZ

9

10

What’s the big deal?• Use or disclosure of protected health information (“PHI”)

in a manner that doesn’t comply with HIPAA is a violation of federal (and probably state) law

• An unauthorized use or disclosure that compromises the patient’s privacy may be a “breach” of PHI– Breaches are reported to the patient, the government, and if big

enough, the media– Breaches compromise patient privacy; patients’ trust in the

hospital/institution; the hospital’s reputation; can cost big $$, and may cost you your career

– Fines for HIPAA violations: $100 to $50,000 per day, up to a maximum of $1.5 million for the same violation in any one year

11

What is at stake?

• Alaska Medicaid– Unencrypted USB hard drive stolen from employee’s car– $1.7 million settlement

• Massachusetts hospital– Theft of unencrypted laptop containing prescription & clinical information– $1.5 million settlement

• UCLA – Researcher accessed coworkers’ and celebrities’ medical records without

authorization– Prosecuted and sentenced to 4 months in prison

• MD Anderson examples

http://www.chron.com/news/houston-texas/article/M-D-Anderson-loses-device-with-patient-data-3796918.php

12

What happened here

• 2012: laptop stolen from researcher’s home contained 30,000 patients’ data

• 2012: lost jump drive contained 2200 research subjects’ data• 2013: lost jump drive contained 3600 research subjects’ data

http://www.chron.com/news/houston-texas/article/M-D-Anderson-loses-device-with-patient-data-3796918.php

Pop Quiz: What would have prevented all 3 of these breaches?

Answer: ENCRYPTION

What you can do to protect PHI

13

• Accessing PHI– Access PHI on encrypted devices only (laptops, jump drives, BlackBerry).– Never access the medical record of a celebrity, friend, family member, or

coworker (unless it is your job to do so).

• Storing PHI – Do not store PHI in the cloud unless sanctioned by the institution (e.g.,

MDACC box.com account)– Limit physical access to PHI (lock cabinets, use folders).– Shred (do not recycle!) paper and wipe devices when finished.

• Transporting PHI– Do not leave devices or paper files in your car.– ENCRYPTED DEVICES ONLY!

• Email– Encrypt emails in transit.– Don’t email PHI to your personal email account.

• Social Media– Never post about a patient/subject on social media

14

ONE LAST POP QUIZYou’re helping an MD Anderson PI and a collaborator from UT Health Science Center on a research study. The data relates to live human subjects, and is stored in a spreadsheet that you saved to the MD Anderson server. It contains medical record numbers, study ID numbers, treatment dates, diagnoses, and drugs administered.• The collaborator wants you to send him the data on a CD. Should you?

– First, is it PHI? • Yes (treatment dates, maybe study ID numbers, maybe genomic sequencing data = identifiers)

– Second, is the data allowed to leave MD Anderson? • Check the protocol and informed consent document to see if PHI can leave MD Anderson and be

shared with an outside collaborator.

– Is the CD a permissible way to send PHI? • Send on an encrypted CD and send the password separately, or ask InfoSec for more options.

• The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you?– No. Dropbox is not necessarily secure, your consent probably doesn’t say that you’ll be

storing data on that site, and we do not have a Business Associate Agreement with Dropbox. Box.com is the only option right now (through MD Anderson’s institutional box.com account).

15

Reporting Privacy Incidents• What to do if a privacy incident occurs:– Report incidents quickly to:

• Institutional Compliance Office at 713-745-6636 or Privacy Hotline at 1-888-337-7497

– Document everything– Report to IRB as unanticipated problem (if research)– Report lost or stolen computers, BlackBerrys, jump drives

to:• UTPD: 713-792-5890• 4-INFO: 713-794-4636• Departmental asset manager

• It is every Workforce Member’s responsibility to report a violation or a potential violation

• Failure to report a violation or potential violation may subject you to disciplinary action

• To report compliance concerns:

- Call the Institutional Compliance Office (713-745-6636) - Page the Chief Compliance Officer (713-792-7090) - Call the Fraud and Abuse Hotline (1-800-789-4448) - Call the Privacy Hotline (1-888-337-7497)

IMPORTANT: All discussions and reports are treated confidentially and may be made anonymously

Suspected fraud, waste, and abuse involving state resources• State Auditor’s Office Hotline (1-800-892-8348).

Compliance Concerns

16

• Workforce Members should not hesitate to report any suspected violations out of fear of retaliation

• Non-Retaliation Policy (UTMDACC Institutional Policy #ADM0254)

Non-Retaliation

17

Krista BarnesSenior Compliance Attorney, Privacy Compliancekmbarnes@mdanderson.org713-792-2511

Questions?

18