By the end of this course you will demonstrate:
1. that HIPAA privacy rules protect privacy and security of confidential information.
2. your responsibility for use and protection of protected health information (PHI), including the electronic health record.
3. an awareness of fines and penalties for privacy violations.
4. that you must not put a client* name or any PHI in an email subject line.
5. that you must not post PHI to social media.
6. how to report an actual or suspected Privacy Breach.
* The term client includes patients & long-term care residents.
Recent Privacy Violations:
- Backpacks & laptops with PHI stolen from locked cars
- Briefcase/packets with PHI stolen while out in public
- Client information and memorials posted on internet blogs
- PHI sent insecurely on electronic devices such as unencrypted cell phones, PDAs, flash drives, or personal emails
- Misdirected emails, faxes, and mail
- Emails, faxes, and mail sent without the required DPH coversheet
- Lost charts
- Unauthorized access to electronic client records
Result: Expensive fines to DPH
HIPAA is the Health Insurance Portability and Accountability Act
HIPAA, the federal privacy law:
- protects client privacy and only allows sharing of protected information for the purposes of:
  - Treatment
  - Payment
  - Operational purposes (such as quality management and risk management)
- requires that information sharing be kept to the minimum amount of information necessary to do our jobs; this is known as the minimum necessary rule
- identifies fines and other consequences for violations
California has additional laws: we are held to the most strict standard
These laws apply to institutions and individuals
Unauthorized access includes:
- the inappropriate viewing of client medical information without the direct need for diagnosis, treatment, or other lawful use, OR
- the loss of client medical information, whether in paper or electronic format
Licensed facilities are required to report known or suspected Privacy Breaches within 5 days to the California Department of Public Health (CDPH)
Licensed facilities must also notify the affected client(s) within 5 days after breach detection
YOU are responsible to follow SFDPH policies and procedures to protect the privacy and security of information
- Random audits of inappropriate access are regularly conducted
- Contractors and Business Associates of DPH must comply with all Privacy laws, and there is direct liability for noncompliance
YOU MUST report known or suspected Privacy Breaches to your Privacy Office immediately.
Privacy violations may carry penalties under Federal HIPAA, State Privacy Laws, and DPH Policies:
- HIPAA criminal penalties: $50,000 - $1,500,000 fines and imprisonment up to 10 years
- HIPAA civil penalties: $100 - $25,000/year fines, and more fines if multiple-year violations
- The 2009/2013 federal HITECH (Health Information Technology for Economic and Clinical Health) laws added even stricter penalties
- State laws: fines and penalties apply to individuals and institutions, up to $250,000
- Violations may jeopardize an individual's professional license
- Various DPH disciplinary actions, up to termination
PHI is information that can be individually identified as belonging to a particular person, either living or dead:
- Personal identifiers (name, medical record number, etc.)
- Health status
- Care received
- Payment for services
- Demographics (age, gender, zip code, etc.)
Protections apply to all types of communication:
- Verbal
- Paper documents
- Electronic data
An individual's privacy rights continue after the person's death
Client Rights: Notice of HIPAA Privacy Practices
Every client is provided with the DPH Notice of HIPAA Privacy Practices upon admission
What the HIPAA Notice does:
- Informs the client that DPH may use and disclose PHI without the client's authorization ONLY for treatment, payment and health care operations
- Advises the client of their right to ask to see, read and obtain a copy of information used to make decisions about their care
- Provides information about how to file a complaint if they feel their privacy rights have not been maintained
- Gives the client the opportunity to sign the Notice
Clients of Mental Health services must be given the Notice annually
Client Rights: Access to the Health Record
- The Health Record is the property of the facility
- Clients can request a copy of their Health Record through Medical Records
- DO NOT give out any part of the health record on your own
- Even if you are subpoenaed, ONLY the Medical Records staff can release the requested records
We can share the minimum necessary information with those that have a need to know for purposes of Treatment, Payment, or Operations, including:
- Diagnosis and treatment
- Referrals
- Coordination of health care with any health provider in any discipline who has medical or psychological responsibility for the client
Follow the DPH Privacy Matrix when deciding to share PHI
DPH Privacy Policy Matrix

| Description of PHI | Who may disclose it? | Who may receive it? |
| --- | --- | --- |
| General Health* | General Health Provider | Patient's providers and providers' staff, for the purpose of treatment, diagnosis, or referral |
| Mental Health* | Mental Health Provider | Any healthcare provider (any discipline) "who has medical or psychological responsibility for the patient" |
| Drug/Alcohol Treatment Program* | Drug/Alcohol Treatment Program Provider | Only another member of the client's treatment team WITHIN the specific drug/alcohol treatment program. Exception: a medical emergency |
| HIV/AIDS CCSF Health Service Provider Network* | HIV/AIDS CCSF Health Service Provider | Only another HIV Health Service provider who registers the client in the ARIES database |

* including knowledge of Mental Health, Substance Use/Abuse, HIV/AIDS, STD
All other circumstances require signed authorization
A signed Authorization for Release and Disclosure of PHI is required before sharing:
- For any purpose other than Treatment, Payment or Operations
- Before a Substance Abuse Treatment program may share PHI outside their own program
- Before City and County of S.F. HIV Health Services providers may share PHI with providers outside of the ARIES system (used by HIV Health Service providers)
Disclosures to family, relatives, friends
- No information may be disclosed to a family member, relative, or close personal friend regarding treatment or health status
- Get written authorization from the client prior to sharing any information about mental health, substance abuse, sexually transmitted disease, HIV/AIDS, or developmental disabilities.
If the client is a minor:
- Authorizations to release PHI must come from the parent/legal guardian
- If the services fall under the DPH Minor Consent Policy, the Minor may authorize disclosures
- Authorizations are NOT required for minors who are dependents or wards of the court when the information is used for purposes of coordinating care with:
  - county social workers
  - probation officers
  - another person legally authorized to have care and custody of a dependent or ward of the court
Special Case for Public Health Activities
In conducting certain limited Public Health Activities, authorized DPH staff may access PHI without individual authorization, including for the purposes of:
- reporting of disease, injury, and vital events (e.g., birth or death);
- conducting public health surveillance, investigations, and interventions (e.g., outbreaks, partner elicitation and notifications); and
- providing the SF Medical Examiner information needed to carry out duties authorized by law.
Contact the Privacy Office if you have questions
- All DPH staff must refer media requests to the Public Information Officer
- DPH programs should not release or publish identifiable photos, videos or any other information about clients with diagnoses or services for mental health, substance abuse, or HIV/AIDS, even if the client authorizes or requests you to do so
- This policy applies to media in any publication, brochure, and training materials
- PHI may NOT be used for marketing or fundraising
- Do not access records of employees, even if they ask you or give you permission, unless authorized to do so as part of your job
- If authorized to access employee PHI as part of your job, the minimum necessary and confidentiality rules still apply
- Employees are prohibited from accessing their own records and records of family members
Data Security Policies
Guiding Principle: You are responsible for protecting data, information, workstations, and portable electronic devices used in your job from:
- LOSS
- DAMAGE
- MISUSE
All staff are required to follow DPH Data Security Policies
- Log off anytime you leave your computer unattended
- Do not allow others to use a computer under your log on
- Place your monitor so it cannot be read by unauthorized persons
- Be present at the fax and printer when documents print out
- Discard documents with PHI only in the confidential bin / shredder
- Never recycle documents with PHI or re-use them to save paper
- Use complex passwords and change passwords regularly when using DPH computer systems
- Do not share passwords, even with IT or your supervisor
- Do not store passwords where anyone else might discover them
- If you feel you must write down your password to remember it:
  - Keep it under lock and key
  - Do not label it "password"
  - Write only a hint that will remind you of the password
- Never put personal identifiers of a living or dead client in the subject line of an email
- Always confirm the recipient's email address before sending PHI
- Email only the minimum necessary, and only between DPH or UCSF providers with a need to know (i.e. emails ending in sfdph.org or ucsf.edu)
- Never send PHI to personal or home emails such as gmail
- Always put the official confidentiality statement as a permanent signature statement for all of your emails
- Emails to clients are limited to appointment reminders: put the client email address in the BCC: line to avoid inadvertent disclosure
- For SFGH and LHH only: type the word "Secure:" in the subject line for any email containing PHI
If you receive an email that does not follow DPH policies:
- Call or email the sender to respectfully let them know
- Never choose "reply to all"
- Never forward to others unless it is to refer to the Privacy Office for follow-up; in this case, make sure you remove any PHI from the subject line
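As an added example (not part of the training deck), the outbound-email rules from the two slides above written as a pre-send policy check a mail gateway or client plug-in could run; the `contains_phi`, `client_reminder` and `campus` fields and the client-identifier list are assumptions for illustration, and the sample messages in the test are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Domains the deck allows PHI to travel between (emails ending in sfdph.org or ucsf.edu)
ALLOWED_PHI_DOMAINS = ("sfdph.org", "ucsf.edu")
# Opening phrase of the official SFDPH confidentiality statement for signatures
CONFIDENTIALITY_PHRASE = "solely for the intended recipient"
# Campuses that must tag PHI emails with "Secure:" in the subject line
SECURE_TAG_CAMPUSES = ("SFGH", "LHH")


@dataclass
class OutboundEmail:
    subject: str
    body: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    contains_phi: bool = False      # sender's own classification (assumed field)
    client_reminder: bool = False   # appointment reminder to clients (assumed field)
    campus: str = ""                # e.g. "SFGH" or "LHH" (assumed field)


def is_internal(addr: str) -> bool:
    """True if the address is on a DPH or UCSF domain (or a subdomain of one)."""
    dom = addr.rsplit("@", 1)[-1].strip().lower()
    return any(dom == a or dom.endswith("." + a) for a in ALLOWED_PHI_DOMAINS)


def check_outbound(msg: OutboundEmail, client_identifiers: List[str]) -> List[str]:
    """Return policy findings for one message; an empty list means it passes."""
    findings = []
    subject_lc = msg.subject.lower()
    # Rule: no client name or other identifier in the subject line, ever
    hits = [i for i in client_identifiers if i.lower() in subject_lc]
    if hits:
        findings.append(f"identifier in subject line: {hits}")
    if msg.client_reminder:
        # Rule: client addresses go in BCC only, so clients cannot see each other
        exposed = [a for a in msg.to + msg.cc if not is_internal(a)]
        if exposed:
            findings.append(f"client address visible in To/Cc: {exposed}")
    elif msg.contains_phi:
        # Rule: PHI only between DPH/UCSF providers, never to gmail etc.
        external = [a for a in msg.to + msg.cc + msg.bcc if not is_internal(a)]
        if external:
            findings.append(f"PHI addressed outside DPH/UCSF: {external}")
    if msg.contains_phi and msg.campus in SECURE_TAG_CAMPUSES \
            and not msg.subject.startswith("Secure:"):
        findings.append("SFGH/LHH PHI email missing 'Secure:' subject tag")
    # Rule: the official confidentiality statement is part of every signature
    if CONFIDENTIALITY_PHRASE not in msg.body:
        findings.append("confidentiality statement missing from signature")
    return findings
```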
Electronic devices present new challenges to privacy & confidentiality
- DPH prohibits the storing or use of client data on privately owned portable devices, such as cell phones, flash drives, memory sticks, and laptops
- All portable devices issued by DPH or UCSF must be encrypted or have a security token
- When traveling, keep portable devices with you at all times and guard against theft or loss
- Loss of a device with PHI that is not encrypted is a reportable privacy breach, even if the loss occurs in another city or state
- Have I.T. staff render PHI on devices unreadable before discarding or recycling the device
When you participate in personal blogs/social media remember:
- Never share any client information or share details of a client situation that you have experienced from your work
- Never post pictures of clients
- Posting of client information or sharing details of a client situation can result in a privacy violation, which may subject you to disciplinary action, individual fines and penalties, and professional sanctions which could impact your professional license
- Social media includes Twitter, Facebook, blogs, etc.
Research Data
- HIPAA regulates how PHI may be obtained and used for research. This is true whether the PHI is completely identifiable or partially de-identified in a limited data set
- A researcher or health care provider cannot use PHI in research without the appropriate HIPAA documentation, including authorization or an IRB-approved waiver
- Research that proposes to use SFDPH sites or recruit clients from SFDPH programs must be approved in advance by the appropriate SFDPH Administrator and by an IRB
- Researchers must abide by the SFDPH Conduct of Research Policy: http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/hIPAAPrivacyConductResearchPol051311.pdf
- Any actual or suspected breach must be reported to your Privacy Office immediately
- You may also report anonymously to the DPH Privacy Hotline at 415 206-2354
- DPH has a non-retaliation policy for employees that register complaints
| NAME | REPRESENTING | PHONE |
| --- | --- | --- |
| Alice Gleghorn | Community Programs/Population Health Division | 415 255-3722 |
| Lorraine Killpack | Community Programs/Population Health Division | 415 255-3732 |
| Jill LeCount | Laguna Honda Hospital | 415 759-4500 |
| Maggie Rykowski | San Francisco General Hospital Campus | 415 206-4294 |
| Joe Goldenson | Jail Medical Services | 415 995-1701 |
DPH Privacy and Data Security Policies: http://www.sfdph.org/dph/comupg/oservices/medsvs/hipaa/default.asp
Link to official DPH cover sheet for ALL faxes and mail: http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/formphicvrSht4FaxInterofficeyMailAdopted05132010.pdf
SFDPH Email confidentiality statement to copy and paste to permanent signature line:
This message and any attachments are solely for the intended recipient and may contain confidential information. If you are not the intended recipient, any disclosure, copying, use or distribution of this message and any attachments is prohibited. If you have received this communication in error, please notify sender by reply e-mail and immediately and permanently delete this message and any attachments.
Before completing and receiving credit for the Annual Privacy and Security training, you MUST:
1. Read and sign the User Confidentiality, Security, and Electronic Signature Agreement (this form can be downloaded from the DPH website): http://www.sfdph.org/dph/files/hipaadocs/privacypolicies/form-ConfidSecElecSigAgrmnt06252010.pdf
2. Take and pass the Annual Privacy Quiz
3. Give your Privacy Certificate to your supervisor
SFDPH values patient privacy as an important part of our mission to provide quality healthcare and trauma services with compassion and respect. Thank you for helping us protect the privacy and security of our patients and staff.