HIPAA Compliance and Best Practices for Managing Information Protection & Storage
Wednesday, March 31, 2010
Sponsored by:

Moderator: Bernie Monegain, Editor, Healthcare IT News

Guest Speakers:
- Shawna Ridley, MBA, RHIA, Director of Health Information Management, UT Southwestern Medical Center
- Greg Pemberton, Esq., CIPP/G/C, Corporate Counsel & Manager of Privacy and Compliance, Iron Mountain
HIPAA Compliance and Best Practices for Managing Information Protection & Storage
Greg Pemberton, Esq., CIPP/G/C, Corporate Counsel & Manager of Privacy & Compliance, Iron Mountain
March 31, 2010
© 2010 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Agenda
- What's New With HIPAA
- Five Things to Ask Your Vendor
- Best Practices Beyond Compliance
ARRA Introduces HIPAA Changes
- Stimulus bill signed February 2009
- Health Information Technology for Economic and Clinical Health (HITECH) Act expands HIPAA:
  - Stricter regulations
  - Larger penalties
  - Stronger enforcement
  - Inclusion of Business Associates
  - Greater public visibility
What it Means to be HIPAA Compliant
- Policies & procedures that:
  - Address the 60+ Security Rule requirements for ePHI (electronic protected health information)
  - Meet the Privacy Rule requirements controlling the use and disclosure of all PHI
- Procedures should be documented, employees trained, the process audited and compliance tracked
Five Things to Ask Your Vendor
1. Have you audited your solutions to ensure they are HIPAA-compliant?
2. Can you deliver against the provisions incorporated into our contract?
3. What policies and procedures have you put in place to monitor the use or disclosure of PHI?
4. Have your employees been properly trained?
5. Do your agents and subcontractors to whom you provide PHI agree to the same restrictions and conditions that you do?
Best Practices Beyond Compliance
- Best practices go beyond compliance
- Look at risk beyond the rules
- Leverage best practices to reduce risk
Information Protection & Storage Best Practices
- Information at Rest: Storage Best Practices
- Information in Motion: Transportation/Transmission Best Practices
- When Information is Used: Access Controls
- When Information is Handled: Employee Best Practices
- When Information is Lost or Destroyed: Contingency Planning
- When Business Associates are Involved: Third-Party Vendors
UT SOUTHWESTERN MEDICAL CENTER
Shawna Ridley, MBA, RHIA, Director, Health Information Management
shawna.ridley@utsouthwestern.edu, 214.645.3035
UT Southwestern Medical Center at a Glance
- Texas-based
- Ranked among top academic medical centers
- 97k inpatients & 1.8M outpatients cared for annually
- 10k employees and $1.5B operating budget
- 2k licensed beds
- 20k requests per yr. for PHI
- Facilities include:
  - UT Southwestern University Hospitals
  - Parkland Health & Hospital System
  - Children's Medical Center Dallas
  - VA North TX Health Care System
  - Other affiliated hospitals & clinics
Changing the Way We Do Business
- Privacy Rule:
  - Policy & Procedures/Forms Management
  - Staff Education and Training
  - Patient Education
  - Business Relationships
  - Marketing & Fundraising
  - Human Resources
- Security Rule:
  - Policy & Procedures
  - Protecting ePHI
  - E-Communications
  - Social Security Usage
  - Electronic Medical Record Issues
Privacy Rule: Policies & Procedures/Forms Management
- Attorney hired to review and overhaul existing policies and procedures
- Reviewed over 1,100 forms
- Made multiple revisions to designated record set (medical records, billing records and various claims records used to make patient decisions)
- Continuously reviewing situations in which PHI is handled
- Daily struggles with minimum necessary standard to limit the amount of PHI used, disclosed and requested
Privacy Rule: Staff Education and Training
- Training workforce members is a challenge: employees, volunteers, student interns, and even employees of outsourced vendors who routinely work onsite
- Online Privacy and Information Security Training is required for all new hires
- Annually, employees have to take the refresher course (this year included ARRA and HITECH components)
- Release of Information staff requires the most training due to the hybrid environment
- While de-identified information falls outside the scope of the Privacy Rule, we constantly train on the importance of this type of information
- Created policy identifying 19 data elements to be removed for de-identification of information
Patient Education
- Extensive resources instituted to educate patients
- The Privacy Rule provides patients with significant rights and greater control over their health information:
  - Right of access
  - Right to request amendment of PHI
  - Right to accounting of disclosures
  - Right to request restrictions of PHI
  - Right to request confidential communication
- Established patient hotline and staff hotline for reporting Privacy Rule violations
- Privacy practices posted throughout 42+ clinics and confidential communication placards placed in community settings
Business Relationships
We reviewed over 300 business associate agreements and this review continues annually:
1. Prohibit your business associate from using or disclosing the PHI for any purpose other than that stated in the contract
2. Prohibit your business associate from using or disclosing the PHI in a manner that would violate the requirements of the HIPAA Privacy Rule
3. Require your business associate to ensure that any of its subcontractors that use PHI received from the covered entity agree to the same restrictions and conditions
Marketing & Fundraising
- Southwestern Medical Foundation was established to endow the future of medicine
- Generous gifts from donors have aided in breakthrough medical research, education and patient care
- UT reviews all marketing and fundraising materials in published and oral form
- High profile patients are not used in marketing
Human Resources
- Greater shift to employee accountability while decreasing fraud and abuse in the workplace
- More extensive background checks
- Hired Chief Information Security Officer
- On termination employees must surrender all property and information managed by UT Southwestern and must not subsequently disclose any confidential or sensitive information
- Access to all systems ceased upon termination
Security Rule: Policy & Procedures
- Creation and on-going review of security policies to address intentional and accidental mishandling of information
- All privacy and security policies and procedures posted on the intranet
- Information Security Agreements signed by all workforce members
- UT's intrusion detection systems filter about 10 million hits or possible threats monthly
- Millions invested in firewalls, intrusion detection systems, and software against worms, viruses, spyware and adware
Protecting ePHI
We safeguard ePHI through:
- Secure system logins and monitoring
- Strong passwords and passphrases
- Laptop and desktop security
- Physical security
- Secure remote access and wireless connectivity
- Contingency planning and disaster recovery
- Saving sensitive confidential information on secure network drives
- Using encryption on portable computing and mobile devices
E-Communications
- E-communications are subject to the same compliance provisions as other elements of the patient medical record
- UT uses secure email systems. The recipient's identity must be authenticated PRIOR to sending the email
- UT has developed a convenient messaging tool specifically for easy, confidential patient-provider communications
Protecting Social Security Numbers
- Social Security Numbers in the past were commonly used as personal identifiers for UT employees and patients
- The use of SSNs has been replaced with Person Number or Person ID, which is an internally created identifier for employees
- The last four digits of the SSN are captured for patients
The Electronic Medical Record
- The growth of electronic records has created new issues for UT Southwestern, since electronic data may be more difficult to secure than paper records
- UT's information security practices and protective measures have been established for our computer networks
- UT has invested in a multi-million dollar electronic medical record system that creates an audit trail for all entries and screen views
- The Privacy and Security Officers are capable of reviewing the audit trails and determining the names, dates and sites of UT employees who access the electronic medical record, and of finding individuals who have gained inappropriate access
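The audit-trail review described on this slide is a detection task: each entry and screen view is logged, and a reviewer has to turn that log into names, dates and sites, then isolate the accesses that had no legitimate reason. The script below is an added illustration of that workflow, not UT Southwestern's or any EMR vendor's code. It assumes a hypothetical pipe-delimited audit record (`timestamp|user|site|patient_id|action`) and a hypothetical care-team roster mapping each patient to the users with a treatment relationship; both the format and the sample data are constructed for the example.

```python
"""Review an EMR access audit trail for inappropriate access.

Added example (not UT Southwestern's or any vendor's code). Assumes a
hypothetical audit-trail format with one record per line:
    timestamp|user|site|patient_id|action
and a hypothetical care-team roster mapping patient_id -> set of users who
have a treatment relationship. Both are constructed here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    site: str
    patient_id: str
    action: str  # "view" (screen view) or "entry" (chart entry)


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one pipe-delimited audit record (constructed format)."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, user, site, patient_id, action = fields
    if action not in ("view", "entry"):
        raise ValueError(f"unknown action {action!r}")
    return AccessEvent(datetime.fromisoformat(ts), user, site, patient_id, action)


def find_inappropriate_access(lines, care_team):
    """Return events whose user has no treatment relationship with the patient.

    care_team maps patient_id -> set of usernames authorised for that chart.
    A patient absent from the roster has no authorised users, so every access
    to that chart is flagged for the reviewer.
    """
    flagged = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines in the export
        event = parse_audit_line(line)
        if event.user not in care_team.get(event.patient_id, set()):
            flagged.append(event)
    return flagged


def summarise(flagged):
    """Group flagged events by user: the dates, sites and charts for the reviewer."""
    summary = defaultdict(lambda: {"dates": set(), "sites": set(), "patients": set()})
    for e in flagged:
        s = summary[e.user]
        s["dates"].add(e.timestamp.date().isoformat())
        s["sites"].add(e.site)
        s["patients"].add(e.patient_id)
    return {u: {k: sorted(v) for k, v in d.items()} for u, d in summary.items()}


# Constructed sample audit trail: timestamps, users, sites and patient ids are
# all made up for this example.
SAMPLE_AUDIT_LINES = [
    "2010-03-29T08:15:00|nurse.alpha|clinic-A|P1001|view",
    "2010-03-29T08:20:00|nurse.alpha|clinic-A|P1001|entry",
    "2010-03-29T12:05:00|clerk.beta|clinic-B|P1001|view",
    "2010-03-30T22:40:00|clerk.beta|clinic-B|P1002|view",
    "2010-03-30T09:00:00|dr.gamma|hospital-1|P1002|entry",
]

# Constructed care-team roster (assumption: the EMR can export such a mapping).
SAMPLE_CARE_TEAM = {
    "P1001": {"nurse.alpha", "dr.gamma"},
    "P1002": {"dr.gamma"},
}

if __name__ == "__main__":
    report = summarise(find_inappropriate_access(SAMPLE_AUDIT_LINES, SAMPLE_CARE_TEAM))
    for user, details in report.items():
        print(user, details)
```

On the constructed sample only `clerk.beta` is reported, with two charts viewed from `clinic-B` on two dates, which is the kind of name/date/site triple the slide says reviewers extract. The roster lookup is the whole control: logging every view is only useful if something compares each view against who was entitled to make it.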
Wrap Up
- Protecting health information is an important part of healthcare
- The regulatory landscape is complex, evolving and more comprehensive
- It's a balancing act: protecting patient privacy and security while delivering outstanding patient care
- This is only the beginning
QUESTIONS?
Submit your question to today's speakers by typing your question into the box on the left side of your screen and then hitting submit.
If you have news or comments on this topic for the editors of Healthcare IT News, please email editor@healthcareitnews.com