Presented by: Scott Addison, CPC, AHEC Compliance/Privacy Officer


Post on 10-May-2018



• Definition
• The Law
• UAMS Policies
• Examples of non-compliance
• Consequences of non-compliance
• Auditing for compliance: Access Audits
• Why would the HIPAA Office call me?
• The important question to ask yourself

Snooping:
1. To pry into the private affairs of others, especially by prowling about.
2. A person who pries into the business of others.
3. To make secretive investigations into things that do not concern oneself (She’s always snooping into other people’s business).

Access to a patient’s medical record outside the performance of one’s job duties is a breach that, by law, must be reported to the OCR and to the patient.

Penalties include:
• Disciplinary action, up to and including termination from employment with UAMS (AHEC).
• Civil/Criminal penalties imposed by the federal government up to $1.5 million and 10 years in prison.

UAMS Confidentiality Policy is found in the Administrative Guide # 3.1.15

“UAMS prohibits the unlawful or unauthorized access, use or disclosure of Confidential Information obtained during the course of employment or other relationship with UAMS.”

UAMS Confidentiality Agreement. It is a condition of employment that you sign it.

CONFIDENTIALITY AGREEMENT

As a condition of my employment, continued employment or relationship with UAMS, I agree to abide by the requirements of the UAMS Confidentiality Policy and with federal and state laws governing confidentiality of a patient’s Protected Health Information, and I agree to the terms of this Confidentiality Agreement. I understand and agree that the confidentiality laws require me to maintain the confidentiality of this information even when I am not at work or acting within the scope of my relationship with UAMS and also after my employment or relationship with UAMS ends.

I understand and agree that if I access, use or disclose Confidential Information in any form – verbal, written, or electronic – in a manner that is inconsistent with or in violation of the Confidentiality Policy, UAMS may impose disciplinary action, including but not limited to, immediate termination of employment, dismissal from an academic program, loss of privileges, or termination of relationship with UAMS.

I understand that when I receive a sign-on code to access the UAMS Network and Systems, I have agreed to the following terms and conditions:

• The sign-on and password codes assigned to me are equivalent to my signature, and I will not share the passwords with anyone.
• I will not attempt to use or share the passwords of another.
• I will be responsible for any use or misuse of my network or application system sign-on codes.
• I will not attempt to access information on the UAMS Network and Systems except to meet needs specific to my job or position at UAMS.

I acknowledge that I have read the terms of this Confidentiality Agreement, and that I have received a copy of the Confidentiality Policy.

The OCR announced on July 7, 2011 that UCLA Health System has agreed to pay $865,500 to settle alleged HIPAA violations over employees who peeked at two celebrities’ electronic medical records. The OCR also alleged that UCLAHS failed to discipline workforce members who looked at patient records inappropriately or to train employees generally.

“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”

Two St. Vincent employees and one community physician pleaded guilty to Federal charges that they snooped in a VIP’s record. They were fired from their jobs and face high fines and possible prison time.

Other similar cases have occurred around the country (e.g., Britney Spears, George Clooney and the “Octo” Mom).

• Written warning. This is placed in your personnel file and is permanent.
• Employment terminated. Snooping into medical records is considered gross misconduct and is grounds for immediate dismissal. No warnings or write-ups are necessary. You can and most likely would be fired.
• Possible civil fines
• Possible criminal prosecution

A new process for auditing access to patient records will take effect immediately.

Electronic medical records of patients will be audited to see which employees accessed them.

Our EMR system has the capability to run a report that shows who accessed any given patient record and which portion of the record was accessed.

If your name shows up on an audited record and the reason you accessed it is not readily known, it will be investigated.

Access of patient records outside the performance of your job is prohibited. This includes your own records and the records of:
• Family
• Friends and acquaintances
• Co-workers

Violations of UAMS HIPAA Policies are taken so seriously that your supervisor will be notified and must impose disciplinary action.

Access to patient records is monitored.
• If your name is on an audit report, and the appropriateness is not readily apparent to the auditors, you and/or your supervisor will be contacted.
• This is routine follow-up and is done for physicians, students and staff.

Before accessing any patient record, ask yourself this question: Is accessing this record required for me to do my job?
• If the answer is yes, go ahead and access the record (but only the portion needed to do your job).
• If the answer is no, DO NOT ACCESS THE RECORD!!!

Definition: Snooping is defined as inappropriately accessing a medical record outside the performance of one’s job duties. This includes family, friends and acquaintances, and co-workers.

The law is clear. There are fines up to $1.5 million for snooping as well as possible criminal prosecution for the individual responsible.

UAMS Policy dealing with snooping:

The UAMS Confidentiality Agreement, which is signed as a condition of your employment with UAMS, states you will abide by the Confidentiality policy.

The UAMS Confidentiality policy prohibits the unauthorized access to patient PHI.

Recent case examples:
• UCLAHS $865,500 settlement for two celebrity patients and for not having disciplinary procedures and training in place.
• Other case examples found on the OCR website.

Consequences of non-compliance:
• Written warning placed in your personnel file
• Employment terminated
• Possible civil fines
• Possible criminal prosecution

Access Audits:
• New process for auditing access to medical records to take effect immediately
• Patient records will be audited to see who accessed them and which portions of those records were accessed
• Investigations will be conducted for questionable access and violators will face sanctions based on the Confidentiality Policy.

Remember to ask yourself the question:

Do I need to access this patient’s record (or this portion of the patient’s record) in order to do my job??????

Contact information:

Scott Addison, CPC
AHEC Compliance/Privacy Officer
4301 W. Markham St. Slot # 829
Little Rock, AR. 72205

Email: [email protected]
501-526-0350