HIPAA Privacy Training
HIPAA Privacy: How It Affects You!!!
TRANSCRIPT

Can You Believe This?
A woman brought her teenage daughter to work at the hospital, and left her unattended at a logged-in computer. The girl looked up patient phone numbers, and phoned to tell them that they'd tested positive for HIV. One patient attempted suicide.

Can You Believe This?
A medical student took home copies of patients' psychiatric records to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant (where they were found and given to a newspaper reporter).

Can You Believe This?
Several hundred hospital workers browsed through the records of a famous patient that had recently come to the facility, even though few of them were actually involved in the case.

Indicted For Privacy Violations!
• A Los Angeles woman was indicted for allegedly accessing the private medical records of celebrity patients at the UCLA Medical Center and selling information obtained from those files to a national media outlet.

HIPAA Indictment
• She allegedly received at least $4,600 from the media outlet in exchange for providing the private medical information. The media outlet paid her by writing checks to her husband, the indictment alleges.
• She faces a potential sentence of 10 years in prison if she is convicted of the felony charge.

What is the Purpose of HIPAA?
Health Insurance Portability & Accountability Act of 1996 [Public Law 104-191]
• Improve portability and continuity of health insurance coverage in the group and individual markets (portability);
• To combat waste, fraud, and abuse in health insurance and health care delivery;
• To promote the use of medical savings accounts;
• To create guidelines for computer/internet technology and electronic health information;
• And to set up rules to protect the privacy of health information and security measures for new technology.

What is HIPAA?
• Portability: Protects and guarantees health insurance coverage when an employee changes jobs
• Accountability: Protects health data integrity, confidentiality and availability
• Makes fraud prosecution easier (Medicare/Medicaid)
• Gives patients the right to ask for an accounting of unauthorized information releases
• Gives patients the right to review and amend their records if they are inaccurate

What is HIPAA?
• Data Standardization
• Establishes National Standards for Electronic Data Transmission Portability
– Transactions (Enrollment, Eligibility, Claims, Payment and others), Code Sets and Identifiers.
• Establishes Standards for Protection of Health Information
– Privacy (Operational, Consumer Control, Administration)
– Security (Administrative, Physical, Technical, Network)

DEFINITION: PRIVACY
• Privacy is the right of an individual to keep his/her individual health information from being disclosed.

HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI)
• Privacy
• Use
• Disclose
• Authorization
• PHI
• Minimum Necessary

HIPAA KEY TERMS Defined
• Use - means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. (Also see Part II, 45 CFR 164.50)
• Disclose - Release or divulgence of information by an entity to persons or organizations outside of that entity. (Also see Part II, 45 CFR 164.501)
• Authorization - The mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment or health care operations. For example, Protected Health Information (PHI) released for a Special Olympics activity.
• PHI (Protected Health Information) - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.)
• Minimum Necessary - When using any PHI, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request".

Privacy: Why the concern?

HIPAA Enforcement
• CIVIL PENALTIES for failure to comply
– $100 fine per person per violation
– $25,000 fine per year for multiple violations
– $25,000 fine cap per year per requirement.
– You can be personally liable!

HIPAA Enforcement
• CRIMINAL PENALTIES for failure to comply
– Knowingly or wrongfully disclosing or receiving PHI: $50,000 fine and/or one year prison time
– Commit offense under false pretenses: $100,000 fine and/or five years prison time
– Intent to sell PHI or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time.
– Again, you can be personally liable!

HIPAA Enforcement Continued
• These penalties apply to oral, paper and electronic Protected Health Information (PHI).

HIPAA Requires Entities to…
• Create:
– Policies and procedures to safeguard PHI
– Privacy Officer/Security Officer
– Privacy Officer and the Security Officer work with each facility's HIPAA core team
– A Notice of Privacy Practices that is given to all patients and displayed in the office and on any associated websites.
• Provide HIPAA training to the workforce
– As necessary and appropriate on Privacy Policies and Procedures, even for janitorial staff or anybody who may be near health information.

What is PHI?
• Protected Health Information - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.)

Where do we find PHI?
• Medical records and billing records
• Insurance/Benefit Enrollment and Payment
• Claims adjudication
• Case or medical management records
(Note: it exists both on paper and electronically)

Examples of PHI
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code…
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death…
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security Numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images…
• Any other unique identifying number, characteristic…
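The identifier categories listed above are exactly what "de-identified information" (PHI with all HIPAA identifiers removed, as the deck puts it later) has to be stripped of. As an added illustration that is not part of this training deck, the following Python script redacts several of those categories from a constructed free-text note and keeps only the year of each date, since the list exempts the year. The sample note, the bracketed labels, the regular expressions and the quality-check helper are this example's own assumptions; a production de-identification pipeline needs reviewed, validated tooling rather than a handful of patterns.

```python
import re

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient: John Q. Public, MRN 123456789, DOB 03/14/1965, SSN 123-45-6789. "
    "Admitted 2023-11-02, discharged 11/05/2023. Phone (919) 555-0123, "
    "email jqpublic@example.org, portal https://portal.example.org/p/4412, "
    "last login from 192.0.2.44."
)

# (category, pattern) pairs, applied in this order. The order matters: URLs go
# before the e-mail and IP patterns that would otherwise match inside them, and
# SSNs go before the looser phone pattern.
IDENTIFIER_PATTERNS = [
    ("url", re.compile(r"https?://[^\s,]+")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("mrn", re.compile(r"\bMRN\s*\d+\b")),
    # Dates: the list above exempts only the year, so keep it and drop month/day.
    ("date_mdy", re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),
    ("date_iso", re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")),
    # Name after a "Patient:" label; a real system would take names from the
    # registration record rather than guess from capitalization.
    ("name", re.compile(r"(?<=Patient: )[A-Z][\w.]*(?: [A-Z][\w.]*)+")),
]


def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Return (redacted_text, number_of_hits_per_category)."""
    counts: dict[str, int] = {}
    for category, pattern in IDENTIFIER_PATTERNS:
        if category == "date_mdy":
            repl = lambda m: f"[DATE {m.group(3)}]"   # keep year only
        elif category == "date_iso":
            repl = lambda m: f"[DATE {m.group(1)}]"   # keep year only
        else:
            repl = f"[{category.upper()}]"
        text, n = pattern.subn(repl, text)
        if n:
            counts[category] = n
    return text, counts


def leftover_digit_runs(text: str, min_len: int = 5) -> list[str]:
    """Quality check after redaction: any run of >= min_len digits that is
    still present is a likely missed identifier (account number, beneficiary
    number, license number, ...) and should be reviewed by a person."""
    return re.findall(rf"\d{{{min_len},}}", text)


if __name__ == "__main__":
    redacted, hits = deidentify(SAMPLE_NOTE)
    print(redacted)
    print(hits)
    print("unreviewed digit runs:", leftover_digit_runs(redacted))
```

Running the script on the constructed note leaves "DOB [DATE 1965]" and "Admitted [DATE 2023]" in place of the full dates while the name, MRN, SSN, phone number, e-mail address, URL and IP address are replaced by their category labels; the digit-run check then reports nothing left to review.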

HIPAA Requires Entities to…
• Identify PHI Uses and Disclosures
– WHO: People who routinely use or disclose (or receive requests to) PHI in our Institutions/Facilities
– WHAT: Individually identifiable health information
– HOW: Written, oral, electronic communication
– HOW MUCH: Minimum necessary to accomplish purpose

PHI Does Not Include…
– Education records
– Workman's comp records
– Health information in your personnel record
– Psychotherapy notes (treatment/counseling by mental health professionals)
• Kept separate from the medical record, usually in a clinician's own file and not made part of the individual's medical record.

Psychotherapy Notes ARE NOT
• The following are not considered psychotherapy notes and therefore are PHI:
– Medication prescription and monitoring
– Counseling session start and stop times, the modalities and frequencies of treatment furnished
– Clinical test results
– Any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date

WHO IS AFFECTED?
• Employees who handle/use/know individuals' Protected Health Information (PHI)
• Health Care Providers (Health departments, hospitals, doctors' offices, any agency that transmits PHI electronically)
• Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs)
• Trading Partners - Electronically Exchange Protected Health Information
• Business Associates - Perform services "on your behalf"
• HIPAA also applies to you as a consumer of healthcare!

Case Scenario Presentations
• How would we handle the following situations?

Think first!
• If you do NOT know what or where PHI is,
• and who uses or asks for it,
• You will be unable to protect it.

How Individual Staff Protect PHI
• Close doors or draw privacy curtains/screens
• Conduct discussions so that others may not overhear them
• Don't leave medical records where others can see them or access them
• Keep medical test results private
• PHI info should NOT be shared or viewable in public areas
• Don't leave copies of PHI at copy machines, printers, or fax machines.
• Don't leave PHI exposed in mail boxes or conference rooms.
• Don't share computer passwords or leave them visible
• Don't leave computer files open when leaving an unlocked or shared work area
• Secure PHI when no one is in the area; lock file cabinets and office doors
• Safeguard PHI when records are in your possession
• Return medical records to appropriate location
• Dispose of paper containing PHI properly
• Fax only if according to Center policy

How Individual Staff Protect PHI
• ………. Email with individuals' identifiable information (1st name, last initial ok)
• ………. Leave PHI in any public wall file trays unless enclosed in an interoffice envelope
• ………. Discuss an individual in front of other individuals or visitors
• ………. Leave diskette boxes containing PHI in unlocked areas
• ………. Leave PHI for shredding in unlocked/undesignated area
• ………. Place individuals' full names on desk blotters
• ………. Leave Rolodex files containing PHI accessible
• ………. Leave individual/employee PHI lists publicly posted
• ………. Leave records opened and unattended
• ………. Bring personal computers for use at a Health Center
• ………. Leave Center keys unattended
WHETHER A HEALTH or FINANCIAL INTERVIEW, OBSERVE THESE GUIDELINES!!!

"Need to Know" Principles
• Necessary for your job
• How much do you need to know?
• How much do other people need to know?

How Does "Need to Know" Translate into HIPAA?
• HIPAA's Minimum Necessary rules:
– Must provide only PHI
• in the minimum necessary amount
• to accomplish the purpose for which use or disclosure is sought
– Minimum necessary does not apply when patient provides a valid, signed authorization for release of PHI
– De-identified Information: De-identified information is PHI with all HIPAA identifiers removed.
• Exceptions:
– Disclosure to a health care provider for treatment
– Permissible uses or disclosures made by the patient
– Uses or disclosures made based on patient's signed authorization
– Uses or disclosures required for HIPAA compliance
– Use for legal proceedings, law enforcement, etc.
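The minimum-necessary rule, its authorization and treatment exceptions, and the accounting-of-disclosures right that the deck covers later all fall out of one decision: which fields of a record may leave the entity, for whom, and was it written down. As an added example, not part of this training deck, the Python below implements that decision as a single disclosure gate. The patient record, the per-purpose field sets, the authorization shape and the role names are this example's own assumptions, not HIPAA text; psychotherapy notes are excluded unconditionally because the deck treats them as kept apart from the medical record.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed patient record; all values are fictitious.
RECORD = {
    "mrn": "000123",
    "name": "Jane Doe",
    "dob": "1970-01-01",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "insurance_id": "PLAN-998877",
    "balance_due": 240.00,
    "psychotherapy_notes": "stored separately; never released through this path",
}

# Minimum-necessary field sets per purpose. These sets are this example's own
# policy choices, not text from HIPAA or from the deck.
MINIMUM_NECESSARY = {
    "payment": {"mrn", "name", "insurance_id", "balance_due"},
    "operations": {"mrn", "diagnosis"},
}


@dataclass
class Disclosure:
    when: str
    recipient: str
    purpose: str
    fields: tuple


@dataclass
class DisclosureLog:
    """Accounting of disclosures: one entry per release outside the entity."""
    entries: list = field(default_factory=list)


def disclose(record, recipient, purpose, log, *, authorization=None, internal=False):
    """Return the subset of `record` that may be released to `recipient`.

    Decision order follows the slide above:
    1. a valid, signed authorization lifts the minimum-necessary limit, but
       only for the fields and the recipient it names;
    2. disclosure to a provider for treatment is exempt from the limit;
    3. otherwise the purpose must map to a minimum-necessary field set.
    Psychotherapy notes are never released here, and every external release
    (a "disclosure", as opposed to an internal "use") is logged.
    """
    if authorization is not None:
        if authorization["recipient"] != recipient:
            raise PermissionError("authorization does not name this recipient")
        allowed = set(authorization["fields"])
        purpose = authorization["purpose"]
    elif purpose == "treatment":
        allowed = set(record)
    elif purpose in MINIMUM_NECESSARY:
        allowed = MINIMUM_NECESSARY[purpose]
    else:
        raise PermissionError(f"no basis to disclose PHI for purpose {purpose!r}")
    allowed = allowed - {"psychotherapy_notes"}
    released = {k: v for k, v in record.items() if k in allowed}
    if not internal:
        log.entries.append(Disclosure(
            when=datetime.now(timezone.utc).isoformat(),
            recipient=recipient,
            purpose=purpose,
            fields=tuple(sorted(released)),
        ))
    return released


def is_denied(record, recipient, purpose, log, **kw) -> bool:
    """True when disclose() refuses the request (useful for audits and tests)."""
    try:
        disclose(record, recipient, purpose, log, **kw)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    log = DisclosureLog()
    print(disclose(RECORD, "Example Health Plan", "payment", log))
    print(is_denied(RECORD, "Local Newspaper", "marketing", log))
    print(log.entries)
```

The gate returns only the four payment fields to a health plan, refuses a marketing request outright because no authorization backs it, and writes an accounting entry for each external release but not for an internal use by, say, a billing clerk.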

HIPAA Requires…
• Notice of Privacy Practices
– Purpose: to provide consumer with adequate notice of uses or disclosures of PHI
– Must be written in plain language
– Must be provided at the time of first service or assessment for eligibility
– Has to provide Privacy Officer contact information

HIPAA Consumer Protections
• Amendment
– Consumers may request to amend PHI in medical records
– That request may be referred to the facility Privacy Official
• Providers may either grant OR deny the request

HIPAA Consumer Protections
• Restrictions
– Consumers may request that the facility restrict how it uses/discloses their PHI
– Facility is NOT required to accept the request
– If restriction is accepted, then follow it
• Don't deviate or depart from that restriction!

HIPAA Consumer Protections
• Access
– Consumers can access PHI
• Inspect
• Copy
– Request for access MUST be in writing
– Facility must respond to request within 60 days;
• May recover cost-based fee for copy, explanation, or summary of records
– If access is denied, reason for that denial will determine if the consumer can appeal
– Consumer must appeal to facility Privacy Official

HIPAA Consumer Protections
• Accounting of Disclosures
– Consumers have a right to an accounting of disclosures
• Time frame: 6-year period
• Clock starts: April 14, 2003
– Applies to both written and oral disclosure
– Specific to times, places, beneficiaries and content of disclosures

HIPAA Consumer Protections
• Verification
– Facility must verify that the person or agency requesting the PHI is who they say they are
– Facility must document the verification.

HIPAA Consumer Protections
• Complaint Procedure
– HIPAA requirement
– Allows a consumer to file a complaint if they believe we have improperly used or disclosed their PHI

HIPAA PHI Protections
• Staff Access to PHI
– Purpose: to guide staff in keeping PHI confidential
– Inappropriate access/use/disclosure of consumer PHI results in disciplinary action and possibly other penalties.
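Disciplinary action only follows if inappropriate access is noticed, and the "famous patient" story at the start of the deck (hundreds of workers browsing one record, few of them involved in the case) is the classic pattern an access audit has to catch. As an added example that is not part of this training deck, the Python below runs two simple checks over a constructed EHR access log: it flags every access by a user with no treatment relationship to the patient, and it flags any patient viewed by an unusually large number of distinct users. The log format, user names, patient numbers and care-team assignments are all constructed for illustration.

```python
from collections import defaultdict

# Constructed audit lines in the form timestamp,user,patient_mrn,action.
AUDIT_LOG = """\
2024-03-01T08:02:11Z,nurse_amy,MRN1001,view
2024-03-01T08:05:40Z,dr_lee,MRN1001,view
2024-03-01T09:12:03Z,clerk_bob,MRN2002,view
2024-03-01T09:14:55Z,clerk_bob,MRN2002,print
2024-03-01T10:30:00Z,tech_cal,MRN1001,view
2024-03-01T10:31:00Z,tech_dee,MRN1001,view
2024-03-01T10:32:00Z,tech_eve,MRN1001,view
2024-03-01T10:33:00Z,tech_fay,MRN1001,view
"""

# Constructed treatment relationships: who is on each patient's care team.
CARE_TEAM = {
    "MRN1001": {"nurse_amy", "dr_lee"},
    "MRN2002": {"clerk_bob", "dr_lee"},
}


def parse_log(text):
    """Parse the comma-separated audit lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split(",")
        events.append({"ts": ts, "user": user, "mrn": mrn, "action": action})
    return events


def accesses_without_relationship(events, care_team):
    """Flag each access by a user who is not on that patient's care team.
    A patient with no recorded team is treated as having none, so every
    access to such a record is surfaced for review."""
    return [e for e in events if e["user"] not in care_team.get(e["mrn"], set())]


def patients_with_unusual_fanout(events, threshold):
    """Return {mrn: distinct_user_count} for patients viewed by at least
    `threshold` distinct users: the 'famous patient' browsing pattern."""
    users_by_patient = defaultdict(set)
    for e in events:
        users_by_patient[e["mrn"]].add(e["user"])
    return {mrn: len(u) for mrn, u in users_by_patient.items() if len(u) >= threshold}


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for e in accesses_without_relationship(events, CARE_TEAM):
        print("no treatment relationship:", e["ts"], e["user"], e["mrn"], e["action"])
    print("high fan-out patients:", patients_with_unusual_fanout(events, threshold=5))
```

On the constructed log the relationship check names the four "tech_" users who opened MRN1001 without being on its team, and the fan-out check reports MRN1001 as viewed by six distinct users, which is what a privacy officer would want escalated.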

HIPAA Disclosure Protections
• Authorization
– Required to disclose PHI to person or agency outside the facility
– Must be specific:
• What PHI is to be shared
• With whom
• For what purpose
– May be revoked

When No Authorization Is Needed…
• Key examples:
– Child abuse/neglect reports
– Judicial/administrative proceeding
– Law enforcement
– To avert serious threat to health or safety
– Audits
• Management and Financial
– When required by US DHHS
– Program monitoring and evaluation
– Certification of facilities and individuals

PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING
• For Research, Marketing and Fund Raising purposes, all PHI must be De-identified Information. (De-identified information is PHI with all HIPAA identifiers removed.)
• HIPAA still allows research to be conducted
• Proper authorizations must be in place

What Else Does HIPAA Require?
• Preemption of state law
– Privacy Rule overrides any other state law unless that state law provides more protection for the consumer

WAIVER OF RIGHTS
• Waiver: Covered entities may not require individuals to waive their rights as a condition of:
– Treatment
– Payment
– Enrollment
– Eligibility

REFRAIN FROM INTIMIDATING OR RETALIATORY ACTS
• Protection for individuals exercising their rights or whistleblowers:
• Covered entities may not
– Intimidate
– Threaten
– Coerce
– Discriminate against
– Take any other retaliatory action

QUESTIONS?
• If you are ever in doubt, always ask your Privacy Officer or their designee!
• Remember, that person is your first line of response to privacy questions.

Privacy

Key Things to Remember about Privacy
• We must safeguard consumer records
• Share only information necessary to do the work
• Consumers have the right to ask about use and disclosure of PHI
• You need to know HIPAA rules, and you also need to know state laws if they are stricter than HIPAA rules.

PRIVACY Vs. SECURITY
• Privacy is the right of an individual to keep his/her individual health information from being disclosed.
• Security is how we protect PHI from accidental or intentional disclosure, alteration, destruction or loss.

SAFEGUARDS
• NCSCC must have appropriate safeguards in place:
– Administrative
– Technical
– Physical
• Exceptions for preemption of state laws as agreed to by the US DHHS Secretary
– More stringent
– Public health investigation/intervention
– Audits; management & financial
– Program monitoring and evaluation
– Certification of facilities and individuals

Required Training Topics
• Security Issues that Impact Privacy
– General Security Awareness
– System Access
– Password Management

Purpose of Security
• To protect the system and information from unauthorized access
• To protect the system and information from unauthorized use

General Security Awareness
• Security (protecting the system and the information it contains) includes protecting against unauthorized access from outside and misuse from within
– hardware and software (Physical Computer Systems)
– personnel policies
– information practice policies
– develop disaster/intrusion/response and recovery plans
– designate security responsibilities
– develop protocols regarding activities and security at personnel and work station level
– safeguards from fire, natural and environmental hazards and intrusions

General Security Awareness
• Two Types of Security in HIPAA
– Building\Physical Security
– Computer\Electronic Security

General Security Awareness
• Building\Physical Security
– Building\Work Area Access
– Locks and Keys
– Badges\ID
– Security Officer
– Printers\Copy\Fax Machines

General Security Awareness
• Building\Work Area Access
– Sign into building
– Show ID\Visitors Badge
– Patient\Client Area Entry

General Security Awareness
• Computer\Electronic Security
– Computers
– Location of PCs
– Passwords\Log On
– E-mail
– Faxes

Things to Know about System Access
• Don't share the session
• Report Discrepancies
• Be aware that disciplinary action may result
• Termination of Access

PC and System Protection
• Be aware of potential harm
• Follow the e-mail policy
• Don't download programs
• Report unknown or suspicious e-mail, attachments

Password Management
• What is Password Security?
– Don't tell anyone your password.
– Don't write your password down anywhere
– Change password if others know it
– Enter your password in private

Password Management
• Guidelines for good passwords
– Don't
• Choose password with more than 8 characters
• Choose password that can be found in a dictionary
• Choose password that uses public information such as SSN, Credit Card or ATM #, Birthday, date, etc.
• Reuse old passwords or any variation
• Use user id or any variation

Password Management
• Guidelines for good passwords
– Do
• No clear link to you personally
• Six to 8 characters
• Minimum of 2 alpha and 1 numeric
• Use upper and lower case characters
• Change to a completely new password
• Memorize your password

Application Role in Security
• Role will dictate access
– Only access to what you need in order to do the job

Key Things to Remember about Security
• Security impacts privacy
• Both building and computer security are important
• Fundamentals of good password management

TOP 10 PRIVACY & SECURITY PRACTICES
1. When in doubt, don't give information out
2. Log off before you walk off from your computer
3. Double check fax numbers before sending
4. Do not send e-mails or use the internet unless the connection is secure and approved.
5. Verify the identity of the caller before releasing confidential information.
6. Never share your password with anyone.
7. Maintain the security of all patient information in all its media, like paper, electronic and oral.
8. Discuss patient information in private locations
9. Access information on a need to know basis, only to do your job.
10. Dispose of confidential information according to proper procedures (i.e. locked shred bins)

SUMMARY -1
HIPAA - A Health Care Paradigm
• Affects clearinghouses, patients, payers, providers, employers, medical manufacturers, pharmaceutical companies, employees
• Requires changes to business processes and applications, staffing plans, facilities and information systems applications
• Provides patients with rights
• Shifts power in provider/consumer relationships
• Introduces new legal liabilities
• Conveys severe civil and criminal penalties

SUMMARY -2
HIPAA - is not going away
• Healthcare industry wants standardization
• Consumers want health information to be protected
• HIPAA is not an option
• HIPAA is doing business in the "New Millennium"
• Implementation cost is short term
• Operational benefit is long term

Where To Go For More Information
US Department of Health and Human Services - www.aspe.os.shhs.gov
Centers for Medicare and Medicaid Services - www.cms/gov
Workgroup for Electronic Data Interchange (WEDI) - www.wedi.org
Washington Publishing Company - www.wpc-edi.com
North Carolina Division of Medical Assistance - www.dhhs.state.nc.us/dms/
NC DHHS HIPAA Web Site - http://dirm.state.nc.us/hipaa/

New HIPAA-Related Law
HITECH (Health Information Technology for Economic and Clinical Health Act – part of ARRA 2009).
Extends Privacy and Security Provisions of HIPAA to business associates of covered entities and includes new "breach notification" requirements. If PHI is released in any way, including a website hacking or computer theft, the patients must be notified of the breach. Notice must include:
• How the breach occurred.
• Who obtained the information (if known).
• What is being done to resolve the issue.
• Appropriate steps the patient may take to protect themselves from damage such as identity theft caused by the information breach.
**If the breach was 500 or more patients, major news media must also be contacted with a press release (!).**