Privacy and Security of Health Information Information in New York State

Transcription

1 Privacy and Security of Health Information Information in New York State 2015

2 Privacy and Security of Health Information in New York State Welcome Hello, my name is Roger, and I'm here to talk with you about privacy laws that protect health information. You have probably already heard of HIPAA or other privacy laws, but you may not know how they affect your day to day work activities

3 Privacy and Security Laws in NYS HIPAA/HITECH, 42 CFR Part 2, Public Health Law, Mental Hygiene Law, Information Security Breach and Notification Act, Personal Privacy Protection Law These are the names of different privacy and security laws that protect patient health information in New York. Some are federal and some are New York State laws. Some protect all types of health and behavioral health information, and some are specific to mental health, HIV, developmental disabilities, or alcohol/substance abuse information. The important thing for you to know, though, is how they affect the way you do your job. These laws exist to ensure that when people seek treatment for either mental or physical health conditions, they can expect that, with limited exceptions, only the people involved in helping them will know details related to their care. Detailed descriptions of these laws can be found in the RESOURCES section at the end of this document NOTE - some of the laws listed may apply to certain agencies or facilities only. Your agency will provide training on the specific laws and regulations you need to know in order to do your job

4 Health Insurance Portability and Accountability Act The most far-reaching of the privacy laws is the Health Insurance Portability and Accountability Act, or HIPAA. This training focuses on the privacy and security rules in the federal HIPAA regulations. HIPAA in effect since 2003 amended in 2009 by the HITECH Act found in 45 CFR Parts 160 & 164 Health Information Terms Before we begin our discussion of HIPAA and other privacy laws, let's review a few general health terms. Privacy The right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others Security The safeguarding of information from loss or misuse Health Physical health Behavioral Health Mental health, alcoholism/substance abuse, or developmental disabilities Health Information Any information, whether verbal or recorded in any form, about a person s past, present, or future physical or behavioral health care, including payment for that care. To be covered by HIPAA, information has to be kept by a Covered Entity or a covered entity's business associate

5 Individually Identifiable Health Information A combination of health information with something that identifies, or could reasonably identify, the person who is the subject of the information (such as the person's name, address, telephone number, or Social Security number) Covered Entities A Covered Entity is a term used in HIPAA to define who is responsible for complying with its provisions. It includes: Health Plans Insurance companies, HMOs, company health plans, dental or vision plans, or government programs that pay for health care, such as New York State's Medicaid program. Health Care Providers Physicians, hospitals, or any other provider of health or behavioral health care who transmits health information in electronic form in connection with a HIPAA standard transaction. Health Care Clearinghouses Billing companies that help health care providers engage in electronic transactions under HIPAA. A number of New York State Agencies are Covered Entities or have covered functions because they either provide health care or pay for health care. Business Associates As a Covered Entity, your agency may have contracts with outside vendors that provide services involving the use and disclosure of Protected Health Information on behalf of the agency. These contractors are called Business Associates and are required to protect health care information in the same manner that your agency protects it. HIPAA requires that Covered Entities and Business Associates enter into contracts to ensure that the Business Associates will properly safeguard PHI

6 Protected Health Information Any health information that could identify a particular individual is Protected Health Information, or PHI. Protected Health Information can be spoken, written or entered into a computer. For example, the fact that a patient has a particular diagnosis, received a particular treatment or is enrolled in a particular health insurance program is PHI. Even if the information does not contain an individual's name, if it contains other identifying information, such as a date of birth, or a date of admission to a specific hospital, it is still PHI under HIPAA. You are taking this training because you may need to use or disclose Protected Health Information to do your job. The HIPAA rules allow you to use and disclose PHI for the purpose of treatment, payment or health care operations, which is just another way of saying you are allowed to use and disclose PHI as needed to do your job. Notice of Privacy Practices When you visit a doctor for the first time, you will most likely receive a HIPAA Notice of Privacy Practices. Health plans and covered health care providers are required to give you a notice that describes how the doctor may use and disclose your Protected Health Information and how you can get access to this information. Notices of Privacy Practices are made available to the patients and health insurance enrollees served by your agency. HIPAA-covered entities must post Notices of Privacy Practices on their websites. Inspect and Copy HIPAA gives individuals a number of specific rights which are spelled out in the Notice of Privacy Practices. For example, patients and health plan enrollees have a right to see or get an electronic or paper copy of their medical records and other health information

7 Restricted Use and Disclosure of PHI Patients can ask that health information not be shared with certain people, groups, or companies. When visiting a clinic, for example, a patient may ask the doctor not to share medical records with other doctors or nurses at the clinic. A covered entity may not agree to do so if it could affect the patient s care. Patients have the right to restrict disclosures of health information to a health plan when they pay out of pocket in full for the health care. Amendment HIPAA also gives people the right to request an amendment to their health information. For example, a patient may see a specialist for a second opinion and request that information be included in his health information. A Covered Entity is not required to make the amendment if the existing information is believed to be accurate. In this case, the individual requesting an amendment is entitled to add to the record a statement indicating why he or she believes the record should be amended. Confidential Communications Individuals can request to be contacted in a specific way. For example, patients can request to be called on an office, home, or cell phone or have mail sent to a mailing address different from their home address. This makes it possible to get treatment without others finding out about it

8 Disclosure Accounting/Complaints Disclosure Accounting Individuals have a right to an accounting of disclosures that are not for treatment, payment, or health care operations. Complaints Individuals can file a complaint with an agency if they feel the agency is not following HIPAA rules. Report any such complaints to your supervisor so the complaints can be investigated and handled properly. Complaints about an organization other than a state agency or its Business Associates should be filed with the U.S. Department of Health and Human Services. Contact information for this federal agency can be found at the end of this document. Handling Patient Requests Your agency may have specific procedures for handling patient requests. Be sure to ask your supervisor for the guidelines you are required to follow. Following the Rules We talked about Protected Health Information (PHI), what it is, and the rights individuals have with respect to their own PHI. Next we'll discuss the specific rules Covered Entities must follow when using and disclosing PHI. Authorizations As we mentioned earlier, HIPAA rules allow you to use and disclose Protected Health Information for the purpose of treatment, payment or health care operations. But HIPAA prohibits you from using or disclosing PHI for any other purpose unless you have a written, signed authorization from the individual whose information you are using or disclosing. For example, you are not allowed to access information about your neighbor or a local celebrity if it's not something you are doing as part of your normal job responsibilities. Minimum Necessary Your agency s policies and procedures allow access to Protected Health Information only to those members of the workforce who need it. Once you are given access (unless you are a health care provider accessing the information for the purpose of treating a patient) you are only allowed to use and share the minimum necessary amount of PHI required to do your job

9 This is just another way of saying that you should use and disclose PHI on a "need to know" basis. Remember PHI can be verbal. Do not disclose PHI in places where people who do not need the information can overhear you, such as in an elevator. Verification When you are disclosing Protected Health Information to do your job you must make sure that the person you are disclosing information to is authorized to receive the PHI. Before disclosing information to a person you have not dealt with before you will need to verify the individual's identity. Your agency has policies and procedures in place to identify the people or groups of people who need access to PHI to do their jobs. Check with your supervisor for the proper way to verify the person is authorized to receive PHI. Incidental Disclosures In a health care setting such as a hospital providing treatment to a patient, other patients and visitors will inevitably see and hear certain things that provide some information about the patient s diagnosis and treatment, such as the very fact that the person is a patient at that hospital. HIPAA recognizes this reality and allows disclosures that are incidental to normal health care operations, so long as the Covered Entity takes reasonable measures to keep such disclosures to the minimum necessary

10 Breaches If you learn that someone in your agency has disclosed Protected Health Information to a person not authorized to receive it, tell your supervisor immediately so that appropriate steps can be taken to protect information and systems. This is important whether the disclosure was intentional or not. Your agency will investigate the possible breach and determine what steps to take next. If the breach may have compromised the security or privacy of the information, the agency may have to notify the individuals and the U.S. Department of Health and Human Services of the breach or unauthorized disclosure. In addition, the agency and members of the workforce may face fines and criminal charges. But even more than that, keeping people's health information private and secure is just the right thing to do. Security of PHI Most breaches are not intentional but are often due to carelessness. Following these best practices will help you maintain the security of Protected Health Information and avoid breaches. Work Stations Do not write your password down or give it to other people. Lock your computer when you leave your work station. Do not leave Protected Health Information out in an unlocked office. Do not put PHI in the trash or recycle bin. Instead, make sure it is shredded. Position your computer so your screen is not visible to others

11 Portable Electronic Media Devices Don't save Protected Health Information onto a laptop, flash drive or other portable electronic media device unless you have to. If you do have to, make sure the device is encrypted. Just because your laptop s operating system prompts you to enter a password, that does not mean that your laptop is encrypted. Speak with your supervisor and IT support to make sure your laptop or other device is encrypted and not merely password protected. Do not leave a laptop or other media device unattended. Personal Electronic Devices DO NOT store Protected Health Information on personal electronic devices, such as your mobile phone or tablet. Course Title Voic /Faxes Do not include Protected Health Information when you leave a voic message. Do not include PHI in faxes unless you have to. Be sure to check your agency s policies regarding sending PHI in faxes. When PHI is in a fax, make sure the intended recipient knows the fax is being sent and takes it out of the machine on the other end. This will prevent other people from viewing the PHI

12 Check your agency s policies regarding sending Protected Health Information in messages. If you do send an with PHI, limit the amount of PHI to the minimum necessary and don't include PHI in the subject line. The preferred method for sending PHI in is to put the PHI in an attachment that is encrypted. Then send the password to unencrypt the attachment in a second, separate communication. Always verify the address before hitting "Send." Many systems auto fill the address based on the first few letters typed. Sanctions HIPAA is a federal law. Even if you accidentally break the rules, you can be subject to discipline or other administrative action, the same as if you were to break other rules of the workplace. If you purposely break the HIPAA rules, you could face criminal prosecution. The most important thing to remember is that you should only use or disclose health information as needed to do your job. If you have questions about the privacy and security laws that apply to your work environment, be sure to talk to your supervisor. Training HIPAA requires all members of the workforce who handle Protected Health Information receive HIPAA training. In addition to this training, your agency may provide training on the privacy laws and policies and procedures you are required to follow as well as the specific security measures used by your agency. Your supervisor will also give you information about ways that HIPAA applies to your particular job

13 Real-Life Examples Now that you have the basics down, we re going to look at some real-life examples of how health information privacy laws relate to your work. Not all of them will be situations you will encounter every day, but all of them will help you learn how to apply privacy laws at work. Scenario 1 You receive an from Sue, a coworker, asking you to send her all the records you have on Mr. Kattan, a patient. You know that Sue is authorized to receive Mr. Kattan's Protected Health Information. What should you do? A. Forward all records you have for Mr. Kattan. B. Forward all records for Mr. Kattan since the diagnosis was made. C. Call your coworker and make sure that she really needs all the records; depending on the purpose behind her request, you may be able to limit the amount of information that needs to be shared (by date, diagnosis, etc.). D. Refuse the request. Feedback: The correct option is C. Sharing of PHI with a coworker is acceptable use and is permissible. However, by taking the extra step of clarifying her request, you will ensure that only the minimum necessary amount of information needed will be given to Sue

14 Scenario 2 You receive an that is intended for a coworker that has the same first name as you. The contains Protected Health Information. What should you do? A. Delete the and go back to work. B. Forward the to your supervisor, with a copy to the person who sent it to you, explaining that you should not have received the original . C. Reply to the person that sent it to you, removing the Protected Health Information from the body of the and letting the sender know that you received the message in error. Finally, delete the original . D. Forward the to the person you think it was intended for. Feedback: The correct option is C. By deleting the PHI and then advising the sender that you received the in error, you ensure that there is no further privacy violation. Deleting the original further ensures privacy. When handled appropriately in this manner, this type of unintended disclosure would not be considered a breach that compromises the privacy or security of the PHI

15 Scenario 3 NYS Freedom of Information Law (FOIL) grants citizens the right to know how government operates. It provides rights of access to records reflective of governmental decisions and policies that affect the lives of every New Yorker. An attorney submits a request under FOIL to Rita Timonen, the agency's Records Access Officer, requesting the clinical record of a patient who his client is suing. What should Rita do? A. She should release all of the information the attorney is seeking. B. She should not release any information, on the grounds that clinical records are confidential and are not subject to disclosure under the Freedom of Information Law. C. She should release only the part of the clinical record that seems to pertain to the lawsuit. D. She should release the entire clinical record, but should scratch out or remove the patient's name wherever it appears in the record. Feedback: The correct option is B. She should not release any information because the Personal Privacy Protection Law prohibits disclosure when it would be an unwarranted invasion of personal privacy. The agency should give no information about whether they have the individual s records at all

16 Scenario 4 Dr. Shen from your facility, who you work with and know well, needs to enter clinical information about a patient into your facility's computer system, but has forgotten her password. You are not personally involved with this patient in any way. After several attempts to access the system, Dr. Shen gets locked out. The Information Technology department staff members have left for the day, so Dr. Shen cannot contact them for assistance. While the information is not critical to patient care, she would like to enter the information as soon as possible. She asks for your password. You have been authorized with the same access into the system as Dr. Shen, so she can enter what she needs to by being logged in as you. What should you do? A. Since you know and trust Dr. Shen, give her your password to access the site. B. Tell her you cannot give her your password, but you will access the system using your password and then allow the physician to directly enter the information into the system. C. Tell Dr. Shen you cannot give her your password, but offer to enter the information into the system for her. D. Tell Dr. Shen you cannot give her your password and advise her to use the facility s emergency contact procedures to have her password reset. Feedback: The correct option is D. Never let anyone use your password to obtain access to the network

17 Scenario 5 You are in a hospital common area with two of your hospital coworkers, who both work together on a different ward than you do. They begin to casually discuss an incident that happened that day with one of their patients. Because you work in a different ward, you do not know the patient and you are not involved in that patient's care. During the course of their conversation, they mention the patient's name and that he was diagnosed as being schizophrenic. What should you do? A. Advise your two coworkers to please stop discussing the patient and the incident while you are with them. Remind them that they should not be discussing Protected Health Information and other confidential information with you or with others who are not authorized to have this. B. Since you all work at the same hospital, tell your coworkers that they can continue their discussion, but should be quieter since others in the area may not be employees and may overhear what they are saying about the patient. C. Continue what you re doing and don t say anything. D. Since a similar type of incident could happen with patients on your ward, ask for more details from the two coworkers because it would be a good learning experience for you. Feedback: The correct option is A. When discussing PHI or other confidential information with others (in person or on the phone), this information should be shared with only those people who are authorized to receive the information and have a need to know status

18 Scenario 6 While you are providing services to a patient in a hospital, a doctor is talking quietly to another patient in another hospital bed in the same room. You, your patient, and your patient's visitors overhear parts of the conversation. What should you do? A. Nothing. B. Speak to the doctor after you both leave the room, reminding him of his patient s right to privacy. C. Speak loudly while you are in the room so that your patient and his visitors cannot overhear the other conversation. D. Interrupt the doctor to remind him of his patient s protection under privacy laws. Feedback: The correct option is A. Incidental disclosures are allowed, so long as the Covered Entity takes reasonable measures to keep the disclosures to the minimum necessary

19 Scenario 7 You have a number of patient case files to update, and you will not be able to complete them by the end of the week. If the files are not updated, information about the changes in the patients' medications will not be available to direct care staff when they report to work on Monday. You would like to bring your laptop home to work over the weekend. You've recently changed your password and still have trouble remembering it from time to time. What should you do? A. Write the password on a sticky note and paste it on the laptop so you don t have to remember it, take the laptop home, and work on the files over the weekend. B. Before you take Protected Health Information home, contact your IT department to make the data in the laptop is encrypted. If you take the laptop home, make sure that you take all reasonable safeguards to prevent it from being lost or stolen. C. Tell your supervisor that you are unable to update your case files in a timely manner, and then go home and enjoy your weekend. Feedback: The correct option is B. Before you take PHI home, contact your IT department to make sure the data in the laptop is encrypted. Encrypting the data will make it less likely that anyone will be able to access it if it is lost or stolen. (Agencies should encrypt all laptops that contain confidential information.) Do not write down your password, especially not where somebody else who gained access to your device could see it

20 Scenario 8 After working for many years at a mental health clinic, you start a new job at a substance abuse clinic. You receive a call from an insurance company asking for information about one of your patients in order to pay for care. You used to answer questions like this all the time at the mental health clinic and know that it is okay to disclose Protected Health Information for payment purposes. What should you do? A. Disclose the information, because you know it was okay to disclose this information at the mental health clinic. B. Check with your supervisor to make sure the laws that protect the information at the substance abuse clinic are the same as the laws that protect the information at the mental health clinic. C. Refuse to disclose the information and do nothing further. Feedback: The correct option is B. In this case, disclosures for payment purposes without patient authorization are permitted under HIPAA and New York s Mental Hygiene Law, so it was appropriate to disclose the information in the mental health clinic. However, disclosures for payment purposes without patient authorization are NOT permitted for alcohol and substance abuse treatment records under federal regulations in 42 CFR Part 2. Following the same practice under these circumstances would violate this privacy regulation

21 Scenario 9 You receive a voice message from Patricia, who says she is researching her genealogy and thinks that her great-aunt, Shirley, was a patient in a State hospital just before she died 25 years ago. She gives you Shirley's full name and asks you to send her the entire medical record. You run a search on the name and find that there is a person of that name in your files. What should you do? A. Contact Patricia and explain that because HIPAA protects the records of deceased individuals, you are unable to simply release any records you may have to her. B. Because the records are over 25 years old, they are no longer protected by HIPAA. Contact the person requesting the information, verify her identity, and send her the entire record. C. Put together five questions from the record, such as, 'What was your greataunt's maiden name? When was her birthday? Did she have any children?' Contact the person requesting the records and ask her the five questions. If she gets three out of five correct, send her the entire medical record. D. Release only a limited amount of information from the record, including the patient's name, date of birth, diagnosis, and date of death, but withhold the rest of the medical record. Feedback: The correct option is A. Under HIPAA, a person s right to confidentiality of his/her clinical information continues for a period of 50 years following the death of the individual

22 Scenario 10 You find a portion of a patient's record left on the glass of a copy machine in a public area of your office. No one else is around. What should you do? A. Call the patient and notify them that their Protected Health Information was left out in the open. B. Shred the document. C. Leave it by the copier. The person who left it will most likely come back. D. Secure the document by putting it in a folder or envelope and report it to your supervisor. Feedback: The correct option is D. Securing the document prevents further unintentional disclosure, and a supervisor can make sure the incident is properly documented. Be sure to cover the information appropriately at all times while delivering it

23 Information Sources - Privacy and Security of Health Information Complaints If you believe that your health information privacy rights have been violated, you may file a complaint with: US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Model Notices of Privacy Practices Several formats, in both English and Spanish, are available on the HHS website

24 Privacy and Security Law Descriptions HIPAA The Health Insurance Portability and Accountability Act of 1996 (this is a federal law) HITECH The Health Information Technology for Economic and Clinical Health Act, which made some amendments to HIPAA (this is a federal law) Public Health Law New York State laws that protect the privacy of health information, including special protections for information about HIV or AIDS Mental Hygiene Law New York State laws that protect the privacy of clinical records created by mental health providers under the jurisdiction of the Office of Mental Health, and of clinical records created by providers of services for persons with developmental disabilities under the jurisdiction of the Office for People With Developmental Disabilities 42 CFR Part 2 Federal regulations that protect the confidentiality of records created by federally funded alcoholism/substance abuse providers (providers under the jurisdiction of the Office of Alcoholism and Substance Abuse Services) Information Security Breach and Notification Act New York State laws found in the State Technology Law and General Business Law which require state agencies or businesses conducting business in NY who own or license computerized data which includes private information to disclose any breach of the data to NY residents Personal Privacy Protection Law Public Officer s Law Article 6-A prohibits disclosing information when it would be an unwarranted invasion of personal privacy