HIPAA Privacy Training 1

HIPAA Privacy: HOW IT AFFECTS YOU !!!

Upload: gyles-douglas

Post on 29-Dec-2015

HIPAA Privacy Training 2

Can You Believe This?

A woman brought her teenage daughter to work at the hospital, and left her unattended at a logged in computer. The girl looked up patient phone numbers, and phoned to tell them that they'd tested positive for HIV. One patient attempted suicide.

HIPAA Privacy Training 3

Can You Believe This?

A medical student took home copies of patients' psychiatric records to work on a research project. When finished, he disposed of the material in the dumpster of a fast food restaurant (where they were found and given to a newspaper reporter).

HIPAA Privacy Training 4

Can You Believe This?

Several hundred hospital workers browsed through the records of a famous patient that had recently come to the facility, even though few of them were actually involved in the case.

HIPAA Privacy Training 5

Indicted For Privacy Violations!

• A Los Angeles woman was indicted for allegedly accessing the private medical records of celebrity patients at the UCLA Medical Center and selling information obtained from those files to a national media outlet.


HIPAA Privacy Training 6

HIPAA Indictment

• She allegedly received at least $4,600 from the media outlet in exchange for providing the private medical information. The media outlet paid her by writing checks to her husband, the indictment alleges.

• She faces a potential sentence of 10 years in prison if she is convicted of the felony charge.

HIPAA Privacy Training 7

What is the Purpose of HIPAA?

Health Insurance Portability & Accountability Act of 1996 [Public Law 104-191]

• To improve portability and continuity of health insurance coverage in the group and individual markets (portability);

• To combat waste, fraud, and abuse in health insurance and health care delivery;

• To promote the use of medical savings accounts;

• To create guidelines for computer/internet technology and electronic health information;

• And to set up rules to protect the privacy of Health Information and security measures for new technology.


HIPAA Privacy Training 8

What is HIPAA?

• Portability: Protects and guarantees health insurance coverage when an employee changes jobs

• Accountability: Protects health data integrity, confidentiality and availability

• Makes fraud prosecution easier (Medicare/Medicaid)

• Gives patients the right to ask for an accounting of unauthorized information releases

• Gives patients the right to review and amend their records if they are inaccurate

HIPAA Privacy Training 9

What is HIPAA?

• Data Standardization

• Establishes National Standards for Electronic Data Transmission Portability
– Transactions (Enrollment, Eligibility, Claims, Payment and others), Codesets and Identifiers.

• Establishes Standards for Protection of Health Information
– Privacy (Operational, Consumer Control, Administration)
– Security (Administrative, Physical, Technical, Network)

HIPAA Privacy Training 10

DEFINITION: PRIVACY

• Privacy is the right of an individual to keep his/her individual health information from being disclosed.

HIPAA Privacy Training 11

HIPAA KEY TERMS as they relate to privacy of Protected Health Information (PHI)

• Privacy
• Use
• Disclose
• Authorization
• PHI
• Minimum Necessary

HIPAA Privacy Training 12

HIPAA KEY TERMS Defined

• Use - means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. (Also see Part II, 45 CFR 164.50)

• Disclose - Release or divulgence of information by an entity to persons or organizations outside of that entity. (Also see Part II, 45 CFR 164.501)

• Authorization - The mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment or health care operations. For example, Protected Health Information (PHI) released for a Special Olympics activity.

• PHI (Protected Health Information) - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

• Minimum Necessary - When using any PHI, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request".

HIPAA Privacy Training 13

Privacy

Why the concern?

HIPAA Privacy Training 14

HIPAA Enforcement

• CIVIL PENALTIES for failure to comply
– $100 fine per person per violation
– $25,000 fine per year for multiple violations
– $25,000 fine cap per year per requirement.
– You can be personally liable!

HIPAA Privacy Training 15

HIPAA Enforcement

• CRIMINAL PENALTIES for failure to comply
– Knowingly or wrongfully disclosing or receiving PHI: $50,000 fine and/or one year prison time
– Commit offense under false pretenses: $100,000 fine and/or five years prison time
– Intent to sell PHI or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time.
– Again, you can be personally liable!


HIPAA Privacy Training 16

HIPAA Enforcement Continued

• These penalties apply to oral, paper and electronic Protected Health Information (PHI).

HIPAA Privacy Training 17

HIPAA Requires Entities to…..

• Create:
– Policies and procedures to safeguard PHI
– Privacy Officer/Security Officer
– Privacy Officer and the Security Officer work with each facility’s HIPAA core team
– A Notice of Privacy Practices that is given to all patients and displayed in the office and on any associated websites.

• Provide HIPAA training to the workforce
– As necessary and appropriate on Privacy Policies and Procedures, even for janitorial staff or anybody who may be near health information.


HIPAA Privacy Training 18

What is PHI ?

• Protected Health Information - All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

HIPAA Privacy Training 19

Where do we find PHI?

• Medical records and billing records
• Insurance/Benefit Enrollment and Payment
• Claims adjudication
• Case or medical management records

(Note---it exists both on paper and electronically)

HIPAA Privacy Training 20

Examples of PHI

• Names

• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code……….

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death……..

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social Security Numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images…..

• Any other unique identifying number, characteristic…..
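The identifier list above is the set of data elements that must be stripped before information counts as de-identified (a later slide defines de-identified information as PHI with all HIPAA identifiers removed). The following Python script is an added example, not part of the training deck: it scans a constructed patient record for the identifier categories that have a recognisable format (SSN, phone, e-mail, URL, IP address, full dates, ZIP code, medical record number) plus a small constructed name list, reports what it finds, and produces a de-identified copy that keeps only the year of each date. The regular expressions, the `MRN` number format, the `KNOWN_NAMES` list and the sample record are all assumptions made for illustration.

```python
"""De-identification check against the HIPAA identifier categories on the slide.

Added example, not code from the training deck. The regexes, the record
format, the MRN format and the name list are assumptions for illustration;
a real de-identification pipeline is tuned to the institution's own layout.
"""
import re

# One pattern per identifier category that can be recognised by its format.
# Order matters in deidentify(): specific formats (SSN, IP) run before generic ones.
PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("url",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    # The slide lists "all elements of dates (except year)", so a full
    # month/day/year date is flagged and reduced to its year.
    ("date",  re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    # Constructed medical-record-number format for this example: "MRN" + digits.
    ("mrn",   re.compile(r"\bMRN\d{6,}\b")),
]

# Constructed stand-in for the facility's master patient index. Names and
# places that are not in such a list are NOT caught by pattern matching.
KNOWN_NAMES = ["Jane Roe", "John Doe"]

# Constructed sample record (fictional patient, fictional values).
SAMPLE_RECORD = (
    "Patient: Jane Roe, MRN0012345, DOB 02/14/1965, admitted 03/01/2015. "
    "Phone (919) 555-0100, email jane.roe@example.com, SSN 123-45-6789. "
    "Lives in Raleigh 27601. Portal login from 10.0.0.25 via https://portal.example.org/jr "
    "Diagnosis: type 2 diabetes, HbA1c 7.9"
)


def find_identifiers(text):
    """Return a list of (category, matched_text) for every identifier found."""
    found = []
    for name in KNOWN_NAMES:
        if name in text:
            found.append(("name", name))
    for category, pattern in PATTERNS:
        for m in pattern.finditer(text):
            found.append((category, m.group(0)))
    return found


def deidentify(text):
    """Replace each identifier with a category tag; full dates keep only the year."""
    for name in KNOWN_NAMES:
        text = text.replace(name, "[NAME]")
    for category, pattern in PATTERNS:
        if category == "date":
            text = pattern.sub(lambda m: m.group(3), text)  # keep the year only
        else:
            text = pattern.sub("[%s]" % category.upper(), text)
    return text


def is_deidentified(text):
    """True when none of the recognisable identifier categories remain."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_RECORD):
        print("%-6s %s" % (category, value))
    print(deidentify(SAMPLE_RECORD))
```

Note what the sample shows about the limits of this approach: the city name in the record ("Raleigh") is a geographic subdivision smaller than a state and therefore on the slide's list, but no pattern catches it, and a patient name that is not in `KNOWN_NAMES` would pass through as well. A script like this is a useful pre-check before records leave the facility for research, marketing or fund-raising use; it is not a substitute for the review the Privacy Officer is responsible for.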

HIPAA Privacy Training 21

HIPAA Requires Entities to…..

• Identify PHI Uses and Disclosures
– WHO: People who routinely use or disclose (or receive requests to) PHI in our Institutions/Facilities
– WHAT: Individually identifiable health information
– HOW: Written, oral, electronic communication
– HOW MUCH: Minimum necessary to accomplish purpose

HIPAA Privacy Training 22

PHI Does Not Include…..
– Education records
– Workman’s comp Records
– Health information in your personnel record
– Psychotherapy notes: (Treatment/Counseling by mental health professionals)
  • Kept separate from the medical record, usually in a clinician’s own file and not made part of the individual’s medical record.

HIPAA Privacy Training 23

Psychotherapy Notes ARE NOT

• The following are not considered psychotherapy notes and therefore are PHI:
– Medication prescription and monitoring
– Counseling session start and stop times, the modalities and frequencies of treatment furnished
– Clinical test results
– Any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date


HIPAA Privacy Training 24

WHO IS AFFECTED?

• Employees who handle/use/know individuals’ Protected Health Information (PHI)

• Health Care Providers (Health departments, hospitals, doctors’ offices, any agency that transmits PHI electronically)

• Health Plans that provide or pay the cost of medical care (e.g., Medicaid, Medicare, Champus, BC/BS, HMOs)

• Trading Partners - Electronically Exchange Protected Health Information

• Business Associates - Perform services “on your behalf”

• HIPAA also applies to you as a consumer of healthcare!


HIPAA Privacy Training 25

Case Scenario Presentations

• How would we handle the following situations?

HIPAA Privacy Training 26

Think first!

• If you do NOT know what or where PHI is,
• and who uses or asks for it,
• You will be unable to protect it.

HIPAA Privacy Training 27

How Individual Staff Protect PHI

• Close doors or draw privacy curtains/screens
• Conduct discussions so that others may not overhear them
• Don’t leave medical records where others can see them or access them
• Keep medical test results private
• PHI info should NOT be shared or viewable in public areas
• Don’t leave copies of PHI at copy machines, printers, or fax machines.
• Don’t leave PHI exposed in mail boxes or conference rooms.
• Don’t share computer passwords or leave them visible
• Don’t leave computer files open when leaving an unlocked or shared work area
• Secure PHI when no one is in the area, lock file cabinets and office doors
• Safeguard PHI when records are in your possession
• Return medical records to appropriate location
• Dispose of paper containing PHI properly
• Fax only if according to Center policy

HIPAA Privacy Training 28

How Individual Staff Protect PHI

• ……….Email with individuals’ identifiable information (1st name, last initial ok)
• ……….Leave PHI in any public wall file trays unless enclosed in an interoffice envelope
• ……….Discuss an individual in front of other individuals or visitors
• ……….Leave diskette boxes containing PHI in unlocked areas
• ……….Leave PHI for shredding in unlocked/undesignated area
• ……….Place individuals’ full names on desk blotters
• ……….Leave Rolodex files containing PHI accessible
• ……….Leave individual/employee PHI lists publicly posted
• ……….Leave records opened and unattended
• ……….Bring personal computers for use at a Health Center
• ……….Leave Center keys unattended

WHETHER A HEALTH or FINANCIAL INTERVIEW, OBSERVE THESE GUIDELINES !!!

HIPAA Privacy Training 29

“Need to Know” Principles

• Necessary for your job
• How much do you need to know?
• How much do other people need to know?

HIPAA Privacy Training 30

How Does “Need to Know” Translate into HIPAA?

• HIPAA’s Minimum Necessary rules:
– Must provide only PHI
  • in the minimum necessary amount
  • to accomplish the purpose for which use or disclosure is sought
– Minimum necessary does not apply when patient provides a valid, signed authorization for release of PHI
– De-identified Information: De-identified information is PHI with all HIPAA identifiers removed.

• Exceptions:
– Disclosure to a health care provider for treatment
– Permissible uses or disclosures made by the patient.
– Uses or disclosures made based on patient’s signed authorization.
– Uses or disclosures required for HIPAA compliance
– Use for legal proceedings, law enforcement, etc.

HIPAA Privacy Training 31

HIPAA Requires…

• Notice of Privacy Practices
– Purpose: to provide consumer with adequate notice of uses or disclosures of PHI
– Must be written in plain language
– Must be provided at the time of first service or assessment for eligibility
– Has to provide Privacy Officer contact information

HIPAA Privacy Training 32

HIPAA Consumer Protections

• Amendment
– Consumers may request to amend PHI in medical records
– That request may be referred to the facility Privacy Official
  • Providers may either grant OR deny the request

HIPAA Privacy Training 33

HIPAA Consumer Protections

• Restrictions
– Consumers may request that the facility restrict how it uses/discloses their PHI
– Facility is NOT required to accept the request
– If restriction is accepted, then follow it
  • Don’t deviate or depart from that restriction!

HIPAA Privacy Training 34

HIPAA Consumer Protections

• Access
– Consumers can access PHI
  • Inspect
  • Copy
– Request for access MUST be in writing
– Facility Must - Respond to request within 60 days;
  • May recover cost-based fee for copy, explanation, or summary of records
– If access is denied, reason for that denial will determine if the consumer can appeal
– Consumer must appeal to facility Privacy Official

HIPAA Privacy Training 35

HIPAA Consumer Protections

• Accounting of Disclosures
– Consumers have a right for an accounting of disclosures
  • Time frame: 6-year period
  • Clock starts: April 14, 2003
– Applies to both written and oral disclosure
– Specific to times, places, beneficiaries and content disclosures

HIPAA Privacy Training 36

HIPAA Consumer Protections

• Verification
– Facility must verify that the person or agency requesting the PHI is who they say they are
– Facility must document the verification.

HIPAA Privacy Training 37

HIPAA Consumer Protections

• Complaint Procedure
– HIPAA requirement
– Allows a consumer to file a complaint if they believe we have improperly used or disclosed their PHI


HIPAA Privacy Training 38

HIPAA PHI Protections

• Staff Access to PHI

– Purpose: to guide staff in keeping PHI confidential

– Inappropriate access/use/disclosure of consumer PHI results in disciplinary action, possible other penalties.

HIPAA Privacy Training 39

HIPAA Disclosure Protections

• Authorization
– Required to disclose PHI to person or agency outside the facility
– Must be specific:
  • What PHI is to be shared
  • With whom
  • For what purpose
– May be revoked

HIPAA Privacy Training 40

When No Authorization Is Needed…

• Key examples:
– Child abuse/neglect reports
– Judicial/administrative proceeding
– Law enforcement
– To avert serious threat to health or safety
– Audits
  • Management and Financial
– When required by US DHHS
– Program monitoring and evaluation
– Certification of facilities and individuals

HIPAA Privacy Training 41

PRIVACY REGULATIONS RELATING TO RESEARCH, MARKETING, FUND RAISING

• For Research, Marketing and Fund Raising purposes, all PHI must be De-identified Information. (De-identified information is PHI with all HIPAA identifiers removed.)

• HIPAA still allows research to be conducted

• Proper authorizations must be in place

WHAT ELSE DOES HIPAA REQUIRE?

HIPAA Privacy Training 42

What Else Does HIPAA Require?

• Preemption of state law
– Privacy Rule overrides any other state law unless that state law provides more protection for the consumer

HIPAA Privacy Training 43

WAIVER OF RIGHTS

• Waiver: Covered entities may not require individuals to waive their rights as a condition of:
– Treatment
– Payment
– Enrollment
– Eligibility

HIPAA Privacy Training 44

REFRAIN FROM INTIMIDATING OR RETALIATORY ACTS

• Protection for individuals exercising their rights or whistleblowers:

• Covered entities may not
– Intimidate
– Threaten
– Coerce
– Discriminate against
– Take any other retaliatory action

HIPAA Privacy Training 45

QUESTIONS?

• If you are ever in doubt, always ask your Privacy Officer or their designee!

• Remember, that person is your first line of response to privacy questions.

Privacy


HIPAA Privacy Training 46

Key Things to Remember about Privacy

• We must safeguard consumer records

• Share only information necessary to do the work

• Consumers have the right to ask about use and disclosure of PHI

• You need to know HIPAA rules, and you also need to know state laws if they are stricter than HIPAA rules.

HIPAA Privacy Training 47

PRIVACY Vs. SECURITY

• Privacy is the right of an individual to keep his/her individual health information from being disclosed.

• Security is how we protect PHI from accidental or intentional disclosure, alteration, destruction or loss.

HIPAA Privacy Training 48

SAFEGUARDS

• NCSCC must have appropriate safeguards in place:
– Administrative
– Technical
– Physical

• Exceptions for preemption of state laws as agreed to by the US DHHS Secretary
– More stringent
– Public health investigation/intervention
– Audits; management & financial
– Program monitoring and evaluation
– Certification of facilities and individuals

HIPAA Privacy Training 49

Required Training Topics

• Security Issues that Impact Privacy
– General Security Awareness
– System Access
– Password Management


HIPAA Privacy Training 50

Purpose of Security

• To protect the system and information from unauthorized access

• To protect the system and information from unauthorized use

HIPAA Privacy Training 51

General Security Awareness

• Security (protecting the system and the information it contains) includes protecting against unauthorized access from outside and misuse from within
– hardware and software (Physical Computer Systems)
– personnel policies
– information practice policies
– develop disaster/intrusion/response and recovery plans
– designate security responsibilities
– develop protocols regarding activities and security at personnel and work station level
– Safeguards from fire, natural and environmental hazards and intrusions

HIPAA Privacy Training 52

General Security Awareness

• Two Types of Security in HIPAA
– Building\Physical Security
– Computer\Electronic Security

HIPAA Privacy Training 53

General Security Awareness

• Building\Physical Security
– Building\Work Area Access
– Locks and Keys
– Badges\ID
– Security Officer
– Printers\Copy\Fax Machines

HIPAA Privacy Training 54

General Security Awareness

• Building\Work Area Access
– Sign into building
– Show ID\Visitors Badge
– Patient\Client Area Entry

HIPAA Privacy Training 55

General Security Awareness

• Computer\Electronic Security
– Computers
– Location of PCs
– Passwords\Log On
– E-mail
– Faxes

HIPAA Privacy Training 56

Things to Know about System Access

• Don’t share the session
• Report Discrepancies
• Be aware that disciplinary action may result
• Termination of Access

HIPAA Privacy Training 57

PC and System Protection

• Be aware of potential harm
• Follow the e-mail policy
• Don’t download programs
• Report unknown or suspicious e-mail, attachments

HIPAA Privacy Training 58

Password Management

• What is Password Security?
– Don’t tell anyone your password.
– Don’t write your password down anywhere
– Change password if others know it
– Enter your password in private

HIPAA Privacy Training 59

Password Management

• Guidelines for good passwords
– Don’t
  • Choose password with more than 8 characters
  • Choose password that can be found in a dictionary
  • Choose password that uses public information such as SSN, Credit Card or ATM #, Birthday, date, etc.
  • Reuse old passwords or any variation
  • Use user id or any variation

HIPAA Privacy Training 60

Password Management

• Guidelines for good passwords
– Do
  • No clear link to you personally
  • Six to 8 characters
  • Minimum of 2 alpha and 1 numeric
  • Use upper and lower case characters
  • Change to a completely new password
  • Memorize your password

HIPAA Privacy Training 61

Application Role in Security

• Role will dictate access
– Only access to what you need in order to do the job
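The "role will dictate access" rule on this slide and the Minimum Necessary rules on the earlier "How Does “Need to Know” Translate into HIPAA?" slide (HIPAA Privacy Training 30) describe the same control from two sides: the role bounds which PHI fields a user may see, and a treatment or payment relationship bounds which patients. The Python below is an added example, not code from the training deck, showing one way an application can enforce both checks on every lookup and keep the record that an accounting of disclosures and a privacy-officer review rely on. The role table, the field groups, the assignment table, the user names and the access attempts are all constructed for illustration.

```python
"""Role-based "minimum necessary" access check with an access log.

Added example, not code from the training deck. Roles, field groups,
patient assignments and the sample attempts are constructed for illustration.
"""
from collections import Counter

# Which PHI field groups each role needs to do its job (constructed).
ROLE_FIELDS = {
    "physician":  {"demographics", "clinical", "medications"},
    "billing":    {"demographics", "billing"},
    "janitorial": set(),   # near health information, but no need to read any of it
}

# Treatment/payment relationships: the patients each user is assigned to (constructed).
ASSIGNMENTS = {
    "dr_smith":  {"P001", "P002"},
    "clerk_lee": {"P001", "P002", "P003"},
}

ACCESS_LOG = []   # every decision is recorded, granted or denied


def check_access(user, role, patient_id, fields):
    """Return (allowed, reason). The request must stay within the role's field
    set AND the user must be assigned to the patient; every attempt is logged."""
    permitted = ROLE_FIELDS.get(role, set())
    requested = set(fields)
    if not requested <= permitted:
        allowed = False
        reason = "fields beyond role's minimum necessary: %s" % sorted(requested - permitted)
    elif patient_id not in ASSIGNMENTS.get(user, set()):
        allowed = False
        reason = "no treatment or payment relationship with patient"
    else:
        allowed, reason = True, "ok"
    ACCESS_LOG.append({"user": user, "role": role, "patient": patient_id,
                       "fields": sorted(requested), "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_attempts_by_user(log):
    """Denied attempts per user. A cluster of denials on one patient is the
    pattern behind the "several hundred workers browsed a famous patient's
    record" case, and what a Privacy Officer would want reported."""
    return Counter(entry["user"] for entry in log if not entry["allowed"])


def accounting_of_access(log, patient_id):
    """All logged attempts on one patient: the raw material for answering a
    consumer's request for an accounting of disclosures."""
    return [entry for entry in log if entry["patient"] == patient_id]


def demo():
    """Constructed sequence of access attempts; returns the resulting log."""
    ACCESS_LOG.clear()
    check_access("dr_smith", "physician", "P001", ["clinical", "medications"])
    check_access("dr_smith", "physician", "P003", ["clinical"])          # not on caseload
    check_access("clerk_lee", "billing", "P002", ["billing"])
    check_access("clerk_lee", "billing", "P002", ["clinical"])           # beyond billing role
    check_access("temp_worker", "janitorial", "P001", ["demographics"])  # no PHI need at all
    return list(ACCESS_LOG)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    print("denied per user:", dict(denied_attempts_by_user(ACCESS_LOG)))
```

The field check runs before the relationship check on purpose: a role with no PHI need is refused before the application even consults the assignment table, and the reason string tells the reviewer which of the two limits was exceeded. Logging denied attempts, not only granted ones, is what makes the browsing pattern visible.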

HIPAA Privacy Training 62

Key Things to Remember about Security

• Security impacts privacy
• Both building and computer security are important
• Fundamentals of good password management

HIPAA Privacy Training 63

TOP 10 PRIVACY & SECURITY PRACTICES

1. When in doubt, don’t give information out
2. Log off before you walk off from your computer
3. Double check fax numbers before sending
4. Do not send e-mails or use the internet unless the connection is secure and approved.
5. Verify the identity of the caller before releasing confidential information.
6. Never share your password with anyone.
7. Maintain the security of all patient information in all its media, like paper, electronic and oral.
8. Discuss patient information in private locations
9. Access information on a need to know basis, only to do your job.
10. Dispose of confidential information according to proper procedures (i.e. Locked Shred Bins)

HIPAA Privacy Training 64

SUMMARY -1

HIPAA - A Health Care Paradigm
• Affects clearinghouses, payers, providers, employers, medical manufacturers, Pharmaceutical companies, employees, patients.
• Requires changes to business processes and applications, staffing plans, facilities and Information systems applications
• Provides patients with rights
• Shifts power in provider/consumer relationships
• Introduces new legal liabilities
• Conveys severe civil and criminal penalties

HIPAA Privacy Training 65

SUMMARY -2

HIPAA - is not going away
• Healthcare industry wants standardization
• Consumers want health information to be protected
• HIPAA is not an option
• HIPAA is doing business in the “New Millennium”
• Implementation cost is short term
• Operational benefit is long term

HIPAA Privacy Training 66

Where To Go For More Information

US Department of Health and Human Services - www.aspe.os.shhs.gov

Center for Medicare and Medical Aid Services - www.cms/gov

Workgroup for Electronic Data Interchange (WEDI) - www.wedi.org

Washington Publishing Company - www.wpc-edi.com

North Carolina Division of Medical Assistance - www.dhhs.state.nc.us/dms/

NC DHHS HIPAA Web Site - http://dirm.state.nc.us/hipaa/

HIPAA Privacy Training 67

New HIPAA-Related Law

HITECH (Health Information Technology for Economic and Clinical Health Act – part of ARRA 2009). Extends Privacy and Security Provisions of HIPAA to business associates of covered entities and includes new “breach notification” requirements. If PHI is released in any way, including a website hacking or computer theft, the patients must be notified of the breach. Notice must include:
• How the breach occurred.
• Who obtained the information (if known).
• What is being done to resolve the issue.
• Appropriate steps the patient may take to protect themselves from damage such as identity theft caused by the information breach.

**If the breach was 500 or more patients, major news media must also be contacted with a press release (!).**