HIPAA Privacy and Security
Cindy Cummings, RHIT
February 2015
HIPAA Privacy and Security
The regulation is designed to safeguard Protected Health Information, referred to as PHI, and electronic Protected Health Information, referred to as ePHI.
Authorization
Facilities must obtain authorization from patients before using or sharing their PHI or ePHI for reasons other than treatment, payment, or health care operations.
What is Confidential?
- Medical record number
- Name
- Address
- Telephone number
- Age
- Social Security number
- E-mail address
- Medical history
- Diagnosis
- Medications
- Observations
- And more
Breach Notification Requirements
- Individual notices
- Media notices
- Notice to the Secretary
- Notification by a business associate
Individual Notice
- Covered entities (that's HOB) must notify affected individuals once we discover a breach of unsecured protected health information.
- We must provide this individual notice in writing by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive notice that way.
- If HOB has insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice: post the notice on the home page of our web site, or provide the notice in major print or broadcast media where the affected individuals likely reside.
- The substitute notice must include a toll-free number for individuals to contact HOB to determine if their protected health information was involved in the breach.
- If fewer than 10 individuals are affected, HOB may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
Individual Notice
- The individual notifications must be provided without unreasonable delay, and no later than 60 days following the discovery of a breach.
- They must include, to the extent possible: a description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what HOB is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for HOB.
Media Notice
- If HOB has a breach affecting more than 500 residents of a State, jurisdiction, or area, then besides notifying the affected individuals, HOB is required to provide notice to prominent media outlets serving the State or jurisdiction.
- HOB would likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.
- Like individual notice, this media notification must be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach.
- It must include the same information required for the individual notice.
- HOB must also notify the Secretary.
Notice to the Secretary (HHS)
- In addition to notifying affected individuals and the media (where appropriate), HOB must notify the Secretary of breaches of unsecured protected health information.
- HOB notifies the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
- If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
- If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
Notification by a Business Associate
- If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify HOB following the discovery of the breach.
- A business associate must provide notice to HOB without unreasonable delay and no later than 60 days from the discovery of the breach.
- To the extent possible, the business associate should provide HOB with the identification of each individual affected by the breach, as well as any information HOB is required to provide in its notification to affected individuals.
No Big Deal, Right? Wrong!!!!!
Violations
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect that is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
They Mean Business
Since the compliance date in April 2003, HHS has received over 83,681 HIPAA complaints.
Status of All Complaints
Complaints remaining open | 7,102 | 8%
Total complaints resolved | 76,579 | 92%
Total complaints received | 83,861
They Mean Business
Incident: A Massachusetts General Hospital employee took some work home, but accidentally left 192 paper billing records containing detailed protected health information on the subway.
Penalties: Even though it appears to have been an accident, severe penalties have been imposed on the hospital:
- $1 million fine
- Three-year corrective action plan with unprecedented oversight and intervention by the OCR, including the appointment of a designated OCR representative on premises to conduct audits and inspections, and additional and frequent reporting to OCR on the hospital's HIPAA compliance.
- Requirements to develop comprehensive policies and procedures on laptop and USB encryption, even though the breach involved paper records.
- The hospital must also implement a comprehensive training program on HIPAA policies and provide written certification that all staff have received and understand the policies.
They Mean Business
Incident: Thirteen staff members at UCLA accessed Britney Spears' medical records without authorization.
Penalty: UCLA fired the 13 individuals and suspended another 6.
How to Protect Patient Privacy
What is Information Security?
All the protections put into place to ensure ePHI is:
- Kept confidential
- Not improperly altered or destroyed
- Readily available to those who are authorized
Protect Patients' Privacy
- Do not discuss patients in public areas such as elevators and cafeteria lines.
- Do not leave information about a patient's health on an answering machine.
Protect Patients' Privacy
- Always close curtains and speak softly when discussing treatments in semi-private rooms.
- Always log off the computer when you're finished.
- Always dispose of patient information only in locked containers.
Protecting Patient Information
Keep your computer login and passwords a secret.
Protecting Patient Information
Rules for Using Computers
- Do not log into the system using someone else's password.
- Only access patient information that you need to do your job.
- Keep computer screens pointed away from the public.
- Do not copy ePHI onto a removable device such as a thumb drive, disc, etc.
E-mail
How do I send a secure e-mail? It is relatively simple: the word Secure followed by a colon (:) must appear somewhere in the subject line! Examples are:
- Subject: Secure: Conversation from yesterday
- Subject: RE: conversation from yesterday Secure:
- Subject: secure: RE: conversation from yesterday
- Subject: Secure RE: conversation from yesterday
- Subject: :Secure Conversation from yesterday
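The following is an added example (not part of the training deck) that applies the stated subject-line rule in Python, so you can see which of the patterns above actually contain the trigger. It assumes, since the slide does not say, that matching is case-insensitive and that "Secure" must be a whole word immediately followed by a colon; the sample subject lines are constructed from the patterns above.

```python
import re

# Rule from the slide: the word "Secure" immediately followed by a colon must
# appear somewhere in the subject line. Assumed (not stated on the slide):
# matching is case-insensitive and "Secure" must be a whole word, so
# "Insecure:" does not count.
SECURE_TOKEN = re.compile(r"\bsecure:", re.IGNORECASE)


def requires_secure_delivery(subject: str) -> bool:
    """True when the subject line carries the Secure: keyword."""
    return SECURE_TOKEN.search(subject) is not None


def ensure_secure_subject(subject: str) -> str:
    """Return the subject unchanged if it already triggers secure delivery,
    otherwise prefix it with 'Secure: ' so the message goes out encrypted."""
    if requires_secure_delivery(subject):
        return subject
    return f"Secure: {subject.strip()}"


def classify(subjects):
    """Map each subject line to 'secure' or 'plain' according to the rule."""
    return {s: ("secure" if requires_secure_delivery(s) else "plain")
            for s in subjects}


# Constructed sample subjects: the patterns shown on the slide plus one
# near-miss ("Insecure:") that the whole-word assumption rejects.
SAMPLE_SUBJECTS = [
    "Secure: Conversation from yesterday",
    "RE: conversation from yesterday Secure:",
    "secure: RE: conversation from yesterday",
    "Secure RE: conversation from yesterday",   # no colon right after the word
    ":Secure Conversation from yesterday",      # colon before the word, not after
    "Insecure: lab results",                    # not the whole word "Secure"
]

if __name__ == "__main__":
    for subject, verdict in classify(SAMPLE_SUBJECTS).items():
        print(f"{verdict:6}  {subject}")
```

Only three of the six constructed subjects trigger secure delivery; the two patterns where the colon is not directly after the word are sent in the clear, which is why a sender should check (or use ensure_secure_subject) before hitting send.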
Physical Security
Practice common sense security:
- Keep laptops and other portable devices locked when not in use.
- Keep cell phones and pagers on your person at all times.
- Make sure doors and desks are locked as appropriate.
Physical Security
- The most frequent risk to using PDAs and laptops is theft.
- When transporting laptops (or any patient information), store them in the floorboard area or in the trunk.
- Keep your car locked at all times.
Sanctions
Hospice of the Bluegrass takes seriously the responsibility of privacy/security of all PHI in its care. Failure to adequately ensure the privacy/security of PHI can result in disciplinary action against you, up to and including:
- Dismissal
- Termination of business contract
- Reporting the violation to licensing agencies and law enforcement officials
Scenarios: What Would You Do???
1. You are having lunch at a restaurant when someone notices your Hospice of the Bluegrass nametag. Their neighbor is a hospice patient and they want to know how the neighbor is doing. How do you handle that?
Scenarios: What Would You Do???
A. Ignore them; they will go away eventually.
B. Tell them what they want to know.
C. Say you are sorry, but all patient information is confidential and therefore you cannot confirm or deny that the person is a hospice patient.
The answer is C.
Scenarios: What Would You Do???
2. A patient has a Cancer Policy that pays them $100.00 per day that they were at HCC; they want you to complete the claim form. What do you do?
Scenarios: What Would You Do???
A. Throw the form away; they will forget about it.
B. Notify the Medical Record Department; they handle all release of information requests.
C. Give the family the information and let them complete the form themselves.
The answer is B.
Scenarios: What Would You Do???
3. You are at the nursing home visiting a Hospice patient. You have a screen open on your laptop that shows your schedule for the day. That schedule includes the names of patients you are planning to visit at another nursing home. You stop at the nurses' station to give a report of your visit without closing your screen. Is this a HIPAA violation?
Scenarios: What Would You Do???
Yes, that could be a HIPAA violation. Patient names are considered confidential and should be protected from disclosure.