HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT, System HIM Audit & Privacy Coordinator




HIPAA

Health Insurance Portability and Accountability Act of 1996
- Title I: Insurance Portability
- Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification (Privacy, Security, Transactions, Code Sets, Electronic Data Identifiers)
- Title III: Tax Related Health Provision
- Title IV: Group Health Plan Requirements
- Title V: Revenue Off-sets

HIPAA Privacy Rule (our focus today)
- Title 45, CFR Parts 164 & 160
- Protects individuals' rights to privacy and confidentiality

Who Does HIPAA Apply To?
The law applies directly to four groups, referred to as Covered Entities:
- Health Care Providers
- Health Plans
- Health Care Clearinghouses
- Business Associates

HIPAA: What Should You Know
- Why privacy is important
- Awareness of how to protect patients' health information
- Potential consequences and penalties for violating HIPAA laws

Privacy Rule
- A set of national standards for the protection of certain health information, established by the Standards for Privacy of Individually Identifiable Health Information
- Privacy Rule standards address the use and disclosure of individuals' health information, that is, Protected Health Information (PHI): for example, name and birth date, picture ID, driver's license number and email
- Developing and establishing Privacy Rule standards is the responsibility of the Department of Health and Human Services (DHHS)
- Implemented and enforced by the Office for Civil Rights (OCR)

HITECH Act Overview
The American Recovery and Reinvestment Act of 2009 (ARRA) became federal law in February 2009. The HITECH Act, a subset of the ARRA, expands and enhances the HIPAA Privacy and Security Rules, putting more pressure on federal and state authorities to enforce privacy and security protections for patient data.

HIPAA Patient Rights
- Right to request restrictions on release of PHI
- Right to confidential communications
- Right to access and amend on request
- Right to provide specific authorization for uses of their PHI other than TPO (treatment, payment and health care operations)
- Right to opt out of the patient directory
- Right to make a complaint
- Right to a copy of the Notice of Privacy Practices on request

What Role Do You Play?
Protect PHI at all times: written, electronic and spoken.

True or False? HIPAA's goal is to catch staff sharing patients' health information with those who do not need the information.

False. The goal of HIPAA is to protect confidential patient information from improper use or disclosure. If you see an apparent violation, you should report it immediately to your Privacy Officer.

Beware of Discussing PHI
Some of the most common threats to patient privacy are unintentional disclosures of PHI, such as discussing PHI where other patients or visitors may overhear.

Unintentional Disclosure
Leaving sensitive information out where others can see it.

Unauthorized Disclosures
Another threat is workforce members intentionally using or disclosing information:
- Copying information and taking it home
- Removing PHI from the facility and giving it to others who have no legal right to it
- Deliberately sharing it with family, friends or coworkers

Unauthorized Disclosures
- Leaving a computer unattended after logging in
- Sharing passwords with others or leaving them lying around computers
- Providing the status of a patient's condition

Ways You Can Protect PHI
- Shred or properly dispose of all PHI
- Protect portable or mobile devices
- Take care when faxing PHI
- Take care when leaving messages
- Beware of taking PHI home

Do You Have the Right Patient? Use two identifiers when:
- Registering a patient
- Treating a patient
- Discharging a patient

Okay to Use and Disclose PHI Without the Patient's Authorization
- Treatment, Payment and Health Care Operations (TPO)
- Facility Directory (the patient may agree or object)
- Incidental Disclosures
- Public Interest

True or False? One of the privileges of working in health care is that we have access to family and friends' PHI so we can see how they are doing.

False. We do not have the right to access anyone's health information unless it is directly needed for the completion of our job. If you accidentally see patient information, you cannot share that information with anyone else.

What Role Do You Play?
No access if it is NOT part of your job duty. Ask yourself: do I need to know this to do my job?

NOT Okay to Disclose
Must have patient authorization for:
- Disclosure to the patient's attorney for a malpractice lawsuit
- Disclosure to a life insurance company from which the person is seeking to obtain coverage

PHI is Protected Against
- Those not involved in the care of the patient
- Insurance companies using PHI to deny life or disability insurance
- Employers using PHI in hiring/firing decisions
- News media
- Nosy family members, neighbors and coworkers

Is This a Violation?
If an ambulance that is not affiliated with our organization transports a patient to our facility, can we give them PHI to use for their billing? Do we need the patient's written authorization?

Answer
One covered entity (CE), such as the hospital, is permitted to share PHI with another CE, the ambulance service, without authorization from the patient (TPO).

What are the High Risks?
Confidentiality, integrity and availability of ePHI.

Office for Civil Rights (OCR): Phase 2 Focus
- Privacy Rule: patient notice and access
- Breach Notification Rule: content and timeliness of notifications
- Security Rule: risk analysis and risk management
- Business Associates: risk analysis and risk management; breach reporting to the CE

Office for Civil Rights (OCR)
Projected 2015 focus:
- ePHI transmission security
- Device/media controls
- Privacy safeguards and training efforts
Projected 2016 focus (higher-risk topics):
- Encryption and decryption
- Facility physical access controls
- Breach reports and complaints

Fines
Under the HIPAA Omnibus Rule, covered entities and business associates failing to safeguard PHI face up to $1.5M in annual fines.

What Can Be Done to Minimize Violations?
- Regular risk analysis
- Updating policies regularly
- Combining device scanning with an understanding of workflow, policies and procedures
- Implementing a remediation plan

Use My Mobile Device, Right?!
Using cell phones at work.

Social Media
Is this acceptable practice?

Is this a HIPAA Violation/Breach?
Credentialed physicians and allied health professionals have a right to access the records of their adult child or spouse to follow up on results while not the treating provider?

Answer
Yes, and a breach may also be a federal crime.
- Intentional or not?
- Accidental access?
- When would it be appropriate to access the medical record?
(From HCPro)
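As an added example (not part of the original presentation), this is the kind of access review a privacy coordinator can run over an EHR audit log to surface the scenario above and the earlier "is it part of my job?" rule: accesses with no documented treatment relationship, plus a shared-surname heuristic that flags possible family-member lookups for human review. The log entries, care-team roster, surnames and field names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    """One EHR audit-log entry (constructed field names)."""
    user: str      # staff login
    patient: str   # medical record number
    action: str    # e.g. "view", "print"

# Constructed care-team roster: MRN -> staff documented as treating that patient.
CARE_TEAM = {
    "MRN-1001": {"dr.lopez", "rn.chen"},
    "MRN-1002": {"dr.patel"},
}
# Constructed directories used only for the family-member heuristic.
STAFF_SURNAME = {"dr.lopez": "Lopez", "rn.chen": "Chen", "dr.patel": "Patel"}
PATIENT_SURNAME = {"MRN-1001": "Nguyen", "MRN-1002": "Patel", "MRN-1003": "Chen"}

# Constructed audit log for one day.
SAMPLE_LOG = [
    Access("rn.chen", "MRN-1001", "view"),    # on the care team: no finding
    Access("dr.lopez", "MRN-1002", "view"),   # not the treating provider
    Access("dr.patel", "MRN-1002", "print"),  # treating, but shares the surname
    Access("rn.chen", "MRN-1003", "view"),    # no relationship and shares the surname
]

def flag_accesses(log):
    """Return (user, patient, reasons) for every access that needs privacy review.

    no-treatment-relationship: user is not on the patient's documented care team
    possible-family-member:    user and patient share a surname (a lead, not proof)
    """
    findings = []
    for a in log:
        reasons = []
        if a.user not in CARE_TEAM.get(a.patient, set()):
            reasons.append("no-treatment-relationship")
        surname = STAFF_SURNAME.get(a.user)
        if surname and surname == PATIENT_SURNAME.get(a.patient):
            reasons.append("possible-family-member")
        if reasons:
            findings.append((a.user, a.patient, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for user, mrn, reasons in flag_accesses(SAMPLE_LOG):
        print(f"{user} -> {mrn}: {', '.join(reasons)}")
```

Every finding is a review item for the Privacy Officer, not a verdict: the treating-provider check depends on the roster being complete, and the surname match only narrows where to look.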

Civil and Criminal Penalties
- Not only levied against the facility: an employee can be fined and/or imprisoned
- $100 per person per violation, up to $25,000 per year
- Ignorance is not a defense
- The U.S. Department of Health and Human Services Office for Civil Rights enforces civil penalties

Civil and Criminal Penalties
Criminal penalties:
- Up to $50,000 and 1 year in prison for knowingly releasing patient information
- Up to $100,000 and 5 years in prison for gaining access to health information under false pretenses
- Up to $250,000 and 10 years in prison for releasing patient information with harmful intent or selling patient information
- The U.S. Department of Justice enforces criminal penalties

Reporting Violations/Breaches

Is this a Violation?
If you are presenting or demonstrating a workflow or application, is it okay to bring it up showing a real patient to all in the room?

Answer
No, the people in the meeting do not have a business need to view that particular patient's chart.

Consider this
- What if it were about my medical or personal information?
- What can I do to protect someone else's privacy?
- If I violate HIPAA, would I lose my job and license? Be fined or imprisoned?

Protecting Privacy is EVERYONE'S JOB!
Donna J Brock, RHIT
Donna.Brock@leememorial.org
Lee Memorial Health System, Florida
239-343-8141