HIPAA Privacy & Security Rules



HIPAA Privacy & Security Rules / HITECH Act

Applicability
If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to the Health Insurance Portability and Accountability Act (HIPAA).*
* Even if you believe you personally may not have access to individually identifiable health information.

Applicability
As a Hybrid Covered Entity under HIPAA, Indiana University has established a HIPAA Privacy and Security Compliance Plan. As part of this Plan, the university has also established policies. Completion of this HIPAA training acts as your acknowledgement of IU's HIPAA Privacy and Security Compliance Plan.

Goals
Our goal is to provide a secure environment for all health information provided to Indiana University, and to promote the personal responsibility and behaviors that ensure the privacy, security and integrity of sensitive information at Indiana University. Everyone has a role in this responsibility. Without your engagement, sensitive information can be breached or exposed.

Objectives
The objectives of this module include:
- Increase your awareness of the HIPAA Privacy and Security Rules as well as the HITECH Act
- Increase your awareness of the Indiana University HIPAA Compliance Plan & Policies
- Define HIPAA requirements & your responsibilities
- Identify patient sensitive information
- Identify privacy and security vulnerabilities
- Identify privacy and security safeguards

Health Insurance Portability and Accountability Act (HIPAA) - 1996
HIPAA Privacy Rule (April 14, 2003)
- Establishes national standards to protect individuals' medical records and other personal health information;
- Established patients' rights;
- Requires appropriate Administrative, Physical and Technical safeguards to protect the privacy of personal health information;
- Sets limits and conditions on the uses and disclosures of patients' personal health information without an authorization.

Health Insurance Portability and Accountability Act (HIPAA) - 1996
HIPAA Security Rule (April 21, 2005)
- Establishes national standards to protect individuals' electronic personal health information;
- Requires appropriate Administrative, Physical and Technical safeguards to protect the security of personal health information;
- Requires a Covered Entity to ensure the confidentiality, integrity, availability and security of electronic protected health information.

Health Insurance Portability and Accountability Act (HIPAA) - 1996
HITECH Act (signed February 2009)
- Improved enforcement of HIPAA;
- Increased civil monetary penalties;
- Requires notification of individuals whose personal health information is involved in a breach;
- Requires Business Associates to comply with the HIPAA Privacy and Security Rules;
- Applies civil monetary penalties to Business Associates.

HIPAA - Terms: Covered Entity (CE)
Healthcare organizations that conduct financial and administrative transactions electronically. Includes:
- Health Plans (Anthem, Medicare, Medicaid, IU's Health Plan, etc.)
- Healthcare Clearinghouses (claims processing)
- Healthcare Providers (hospitals, physicians, dentists, optometrists, chiropractors, pharmacies, etc.)
Examples of a qualified transaction:
1) Electronic claim submitted to Medicare, Medicaid or commercial insurance
2) Submitting member information from IU to the Health Plans

HIPAA - Terms: Workforce
HIPAA defines the workforce to include: "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.

HIPAA - Terms: Business Associate
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (CE).
- Not a member of the CE's workforce;
- Needs a Business Associate Agreement;
- One CE can be a Business Associate to another CE;
- Business Associate requirements do not apply to CEs who disclose PHI to providers for treatment purposes.

HIPAA - Terms: PII (Personally Identifiable Information)
Any data about a patient that could potentially identify them, such as:
- Name
- Address
- Driver license number
- Payment information
- Date of birth
- Social security number
- Photographic images
- Other private information that one would generally want to protect from public disclosure

HIPAA - Terms: PHI (Protected Health Information)
Any information about a patient's health, such as:
- PII, if collected by a Covered Entity
- Medical history
- Test and laboratory results
- Insurance information
- Data collected by a healthcare professional to identify an individual and determine appropriate care
- Data collected by a health plan

HIPAA - Terms: Minimum Necessary
HIPAA requires you to take reasonable steps to limit the use of, disclosure of, and request for PHI to the minimum necessary to accomplish the assigned duty or task or intended purpose.
- Minimum Necessary does not apply to Treatment.
- Only use and disclose PHI when you have a business need to do so.

HIPAA Indiana University: IU - Hybrid Covered Entity
These areas must comply with the IU HIPAA Privacy & Security Plan:
- Healthcare Components (Covered Components): this means that if these areas were not part of IU, they would be a Covered Entity
- Areas that provide Business Associate type services to the IU Healthcare Components or external Covered Entities
- Other HIPAA Affected Areas that have access to PHI for Education and Research Purposes

HIPAA Indiana University
IU's Healthcare Components include but are not limited to:
- School of Medicine
- School of Dentistry
- School of Optometry
- IU's Health Plan
- Speech & Hearing Health Center - Bloomington & Indianapolis

HIPAA Indiana University
Areas at IU which perform Business Associate type functions include, but are not limited to:
- School of Nursing
- UITS (Research Technologies, Intelligent Infrastructure, etc.)
- Financial Services/Accounting
- Research Compliance
- Internal Audit
- University Counsel

HIPAA Indiana University
Areas at IU which might access PHI for Education or Research Purposes, or act as a Business Associate for outside Covered Entities, include but are not limited to:
- School of Social Work
- School of Health, Physical Education & Recreation (HPER)
- School of Health & Rehabilitation Sciences
- Department of Psychology & Brain Sciences

HIPAA Notice of Privacy Practices
The Notice of Privacy Practices is a document that describes how we might use and disclose patient sensitive information and informs patients or members how we might use their health information. It should be provided:
- to all patients upon their first visit to an IU treatment facility; or
- to all participants in IU's Health Plan.

HIPAA Patients' Right to Privacy
Sensitive information may be disclosed:
- To Treat a patient
- To receive Payment for services provided to a patient
- To perform daily healthcare Operations
(aka TPO)
Patients have the right to (including but not limited to):
- Receive a copy of the Notice of Privacy Practices
- Inspect and request a copy of their health information
- Request an amendment to their medical record
- Request restrictions to their health information
- Request confidential or alternative means of communication

HIPAA Patients' Right to Privacy
Never view sensitive patient, family or employee information without a business need-to-know or a provider relationship which allows for such an action. Access to PHI is only granted for a business purpose, not for personal use. Unauthorized access or disclosure of patient information is subject to disciplinary action, up to and including termination of employment.

HIPAA Major Concepts
- Safeguard PHI during use & disclosure: Administrative, Physical, Technical
- HIPAA Awareness Training of Workforce
- All forms of PHI: Paper, Electronic, Oral Communication

HIPAA Safeguards
- Always place medical records and forms containing patient information face down or away from view;
- Turn or block your computer monitor screens from public view;
- Dispose of unnecessary patient information in proper receptacles for shredding;
- Discuss patient information privately, not in elevators, lobbies, Starbucks or other public areas.

HIPAA Safeguards
- Use lowered voices and limit access to areas where patient/member information is discussed;
- Supervise non-employees while in a work area;
- Request only the minimally necessary information for your specific task or purpose (except Treatment);
- Determine appropriate procedures when contacting patients in general, such as verifying identification.

HIPAA Safeguards
- Any mobile device that may store University sensitive data such as PHI must be encrypted; IU offers PGP encryption software free;
- Encrypt and keep portable storage devices out of public view;
- DO NOT share system passphrases with ANYONE;
- Change your passphrase on a regular basis;
- Select a passphrase that cannot be easily guessed;
- DO NOT tape passwords to ID badges, computers, monitors, keyboards, in desk drawers, etc.;
- DO NOT assume any public area is safe to leave your device, even for just a moment.

HIPAA Safeguards
- Dispose of storage media in a safe and secure manner;
- Make sure timeout precautions are active;
- Always log off applications or lock your computer if you are going away from your workstation or computer;
- Save information on secure network drives;
- Use [secure message], secure message, [confidential] or confidential in the subject line when using IU's Exchange email to share sensitive information (this will encrypt outgoing emails).

HIPAA Safeguards
- User sign-on activity is tied to your unique user sign-on identification and passphrase;
- Your activity may be logged and monitored by Information Services to ensure appropriate uses and disclosures of PHI;
- Log off after you have completed your work, so someone cannot access the system with your log-on.
* You are held responsible for any information access or work completed under your sign-on.

HIPAA Safeguards
Be conscious of the information you are carrying with you (electronic or on paper). Do not leave sensitive information unattended where the information could be viewed or taken by others. Over 60% of breaches involving 500 or more individuals are a result of stolen, unencrypted devices such as laptops, USB drives, desktops and backup disks.

BREACH
When there is a breach or potential breach (i.e. when equipment or data are lost or stolen), prompt action is critical. Notify your Manager, Supervisor or Privacy Officer immediately and follow IU's sensitive data incident reporting procedures. The faster the breach or vulnerability is investigated and understood, the faster we can respond. http://protect.iu.edu/cybersecurity/incident/sensitive-data
IU is legally required to notify regulatory agencies and those impacted by a data breach.

Social Media
All IU employees have an obligation to protect the privacy and confidentiality of patients, subjects, their families, & other employees even when not at work. Social Media sites like Facebook, Twitter, MySpace, YouTube, LinkedIn, etc. require extra care to prevent privacy breaches.
- Never post patients' health information on Social Media, even if you believe it to be de-identified.
- Be aware of the threats and associated risks of using these services, which include damage to the patient, user and/or organization, risks of media exposure, civil penalties, or infection by malicious computer software such as viruses or worms.

Social Media
- Sharing any private or confidential patient information on the Internet is a breach of patient confidentiality and a violation of HIPAA, IU policies and other applicable laws;
- Violators are subject to immediate discipline, up to and including termination;
- Report any known or suspected activity to your Manager, Supervisor, Privacy Officer or the compliance notification line: 877-526-6759; https://iu.alertline.com

Social Networking Reminders
- Do not take pictures of patients without a healthcare purpose and a written consent from the patient on file in the medical record.
- Do not take pictures of patients with personal cameras or personal cell phones for personal use.
- Do not post patient pictures or information about patients on any Internet forums or social networking sites (i.e. Facebook, Twitter, professional association blogs, newspaper blogs, etc.).
- Do not post any pictures of patients received from the patient or their family.
- Do not discuss patient information on social networking sites.

Conclusion
Protecting patient privacy and maintaining a secure information environment is everyone's job! It is your responsibility to report information privacy and security concerns to your Manager, Supervisor or Privacy Officer. Employees should feel comfortable knowing that IU may not intimidate, threaten, coerce, discriminate against or take retaliatory action against employees who file complaints.

Conclusion
Violation of the HIPAA Privacy and Security Rules will be subject to:
- IU progressive disciplinary procedures, including the possible loss of computer system privileges and/or termination of employment;
- Possible prosecution by state and federal authorities, fines and jail sentences.

Contact
Leslie J. Pfeffer, BS, CHP, Interim University HIPAA Privacy Officer, lpfeffer@iu.edu, (317) 278-4521
Eric W. Schmidt, CISSP, CISM, Interim University HIPAA Security Officer, erschmid@iu.edu, (317) 278-8751

HIPAA Basic Training Attestation Statement
I have reviewed the HIPAA basic training module which includes information regarding the Privacy and Security regulations, the IU HIPAA Privacy and Security Compliance Plan and my responsibilities under those regulations and the Plan.
Signature
Printed Name
Date
Please provide a copy of this attestation to the HIPAA Liaison for your department.