HIPAA and Health Information Privacy and Security Revised 7/2014
What Is HIPAA? The Health Insurance Portability and Accountability Act.
The HIPAA Privacy and Security Rules were issued to protect patient privacy and to secure electronic health information.
HIPAA Violations Are Serious!
Penalties for HIPAA violations:
MCMH penalties range from employee suspension to termination.
Federal and state penalties may include criminal and/or civil penalties.
Examples of HIPAA Privacy Violations
Throwing documents containing PHI in the trash
Sending unencrypted email containing PHI
Leaving documents with PHI lying on a copier
Letting your spouse know that you saw his/her friend in the ED today
Discussing a patient's condition with a co-worker in the cafeteria lunch line or other public area
Accessing patient records that you do not have any need to see
Sharing patient information, such as a list, with outsiders
Losing or misplacing mobile devices that contain PHI, such as a voice recorder, PDA, unencrypted USB drive, or CD
HIPAA Privacy and Security
Privacy: the right of each patient to protect the privacy of his or her health information.
Security: MCMH must ensure that each patient's electronic health information is protected from unauthorized disclosure.
HIPAA PRIVACY
What is PHI?
Protected Health Information (PHI) is individually identifiable health information: any health-related information that, alone or in combination with other information, could identify the individual who is the subject of the information. Examples include name, date of birth, social security number, diagnosis, and home town.
PHI: Protected Health Information
PHI includes any identifiable information connected to a patient.
PHI can be written, spoken, or stored on a computer, a thumb drive, or a CD, or sent by fax.
PHI SHOULD NOT BE LEFT unattended on printers or copiers, or face up on desks.
Examples of PHI
Name, address
Telephone number, fax number
Social Security number
All elements of dates (birth, admit, discharge, death dates)
Diagnosis
Medical record number, account number
Health plan beneficiary number
Protecting a Patient's Privacy
Includes, but is not limited to:
Do not discuss patients in public.
Discuss patient information only with authorized individuals.
Always dispose of patient information in locked containers or containers clearly marked for confidential documents, NEVER IN THE TRASH!
Log off your computer when not in use.
Make sure all patient records are secured and safe before you leave your work space.
Never remove patient information from the work area.
Never send email containing PHI or sensitive information unless it is encrypted.
What if I want to access my own PHI?
Before accessing your record for the first time, you MUST go to Medical Records and sign a document that allows you to look at your own electronic medical record.
If you wish to access a family member's record, they must authorize you by signing a document provided by Medical Records.
WARNING: MCMH audits unauthorized access, including unauthorized access to your own record.
What if I want to access my own PHI? (continued)
If you want to access your own records through the electronic records available in Meditech or LSS (EAR), you must:
Have access to Meditech PCI and/or EAR as part of your job.
Sign a form, available from Medical Records, once.
Accessing Records Other Than Your Own
Other than when performing your job, to access the record of another person, such as a family member or friend, that person must:
Sign a consent to release information to you and have it filed in Medical Records.
Individuals must consent yearly and file their consent in the Medical Records Department.
NOTE: YOU MAY NOT ACCESS THE RECORDS OF A SPOUSE, FAMILY MEMBER, OR FRIEND UNLESS THE ABOVE STEPS HAVE BEEN TAKEN.
PHI: Protected Health Information
If patients do not trust us to keep their PHI safe:
They may not give us their complete health information (hiding important health issues for fear someone may find out).
They may not get treatment (they don't want anyone to know they are having a procedure).
They may pay hospital bills out of pocket to prevent insurance claims (they don't want their employer to know their diagnosis).
Minimum Necessary Privacy Rule
HIPAA requires healthcare workers to use, access, and disclose only the minimum necessary PHI to do their jobs efficiently and effectively and to provide quality care.
Your Responsibilities Regarding HIPAA Privacy
Share and access only pertinent information when needed (Minimum Necessary).
Understand departmental and organizational policies.
Protect the patient's right to privacy.
Privacy at MCMH
At MCMH, we standardize the process for release of Protected Health Information (PHI) to reduce the risk of wrongful disclosures and to increase consumer confidence in the integrity of the organization as it relates to patient privacy. See your supervisor for details.
Information Security Information security is everyone s responsibility!
Information Security at MCMH includes compliance with the HIPAA Security Rule and other applicable federal and state laws.
Federal and State Laws
Federal and state laws require that we protect a variety of personal information:
Health-related patient information (HIPAA)
Personal credit card and financial information
Other information covered by applicable information security laws
What Does the HIPAA Security Rule Require?
Ensure the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI).
Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
Protect against reasonably anticipated unauthorized uses or disclosures.
Ensure workforce compliance with the Rule.
ePHI and Encryption
Electronic PHI (ePHI) is any PHI that is stored, transmitted, or received electronically, on any device or medium.
Where is our Electronic PHI?
MEDITECH, LSS, OR+ systems
Nurse call system
Patient monitoring
Dictation
Radiology systems
Any PC, laptop, or tablet on which PHI is maintained
Encrypted USB devices
CDs
Smart phones
Electronic transmission, including email and file transfer (FTP)
Additional Electronic Information
Patient accounts
Credit cards
Applications for payment plans
Copies of income tax returns
Rule of thumb: If you wouldn't want the information known to others or published publicly, neither would our patients and families.
Understanding the Threats: The Insider
75% of information systems security incidents are attributed to internal employees or contractors. Examples:
Emailing PHI without encryption
Accessing inappropriate websites
Misusing or recording information improperly
Opening email and attachments from addresses you may not recognize or expect
Understand the Threats of the Internet to MCMH
Network worms and viruses
Spyware, sometimes contained in attachments or clickable web addresses
Professional cyber crime
Exposures due to unsafe transmission of data
Social networking such as Facebook
Instant messaging (IM)
Phishing
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity.
If you receive an e-mail from an unknown origin, or from family, a friend, or an employee, that looks suspicious, DO NOT open it. Notify the I.S. Department.
If you receive a phone call requesting that you take a survey or give out information about MCMH, DO NOT answer. MCMH does not participate in surveys.
Protecting Against Threats at MCMH
No access to social networking, such as Facebook, is allowed. It is against hospital policy to circumvent IS security in order to access these sites.
Screen saver downloads and downloading of personal software and freeware are prohibited.
Certain sites are blocked in order to protect the security of the MCMH network.
Do not open an email or attachment from a source unknown to you.
Beginning July 2010, always use secure email when sending confidential information.
Using Secure Email
Secure email at MCMH allows employees to exchange confidential information securely over the Internet.
If you need to send confidential information from your MCMH email, type the word SECURE in the subject line, AND DO NOT INCLUDE PHI IN THE SUBJECT LINE: the subject line is what triggers the encryption, and it travels unencrypted itself.
Your email will be automatically encrypted.
Call the I.S. Help Desk at ext 5369 if you need help or have questions about using secure email.
Impact of Security Breaches
Patient impact:
Potential damage to an individual patient's reputation
Inappropriate disclosure of patient information to the public
MCMH impact:
MCMH community reputation
Resources spent fixing infected workstations
Cost of recovery from identity theft
Legal repercussions
HIPAA and Information Security Policies
Understand Your Responsibilities!
IS Security Responsibilities
IS Security User Passwords
IS Security Internet
IS Security E-Mail
IS Security Workstation Use
MCMH User Confidentiality and Security Agreement
YOU ARE RESPONSIBLE FOR UNDERSTANDING YOUR RESPONSIBILITIES AND WILL BE HELD ACCOUNTABLE!
All I.S. Security Policies are located on the Intranet.
Security Basics Reminder
You are on the front line when it comes to the security of MCMH information systems.
Do not share passwords or leave them where others can find them.
Do not leave any computer session open when not in use. Lock your computer.
Do not browse the Internet for non-work purposes.
Patient information is on a need-to-know basis.
Do not put ANY patient information in an unencrypted email, on a social networking site, or on your smart phone (iPhone, BlackBerry, etc.).
DO use encrypted email for confidential information.
All system access with your ID is YOUR responsibility.
Password Guidance
Do not re-use any of your last 12 passwords.
Change your password at least every 90 days.
Your user account locks after 3 failed login attempts.
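The three rules above are the kind of thing an authentication system enforces on every login and password change. The following is an added example, not MCMH code and not taken from any of the systems named in this deck: it models an account with a 12-entry password history, a 90-day expiry and a lockout on the third consecutive failure. The account model, function names and the PBKDF2 work factor are assumptions made for illustration.

```python
"""Password policy enforcement for the three rules on the slide:
12-password history, 90-day expiry, lockout after 3 failed attempts.
Added example with an assumed account model; not MCMH's own code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

HISTORY_DEPTH = 12              # current password plus the 11 before it
MAX_AGE = timedelta(days=90)    # must change at least every 90 days
MAX_FAILURES = 3                # third consecutive failure locks the account
PBKDF2_ROUNDS = 100_000         # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    # One salt per account keeps old hashes comparable for the history check
    # without storing plaintext; per-password salts would need a re-hash per old entry.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # newest first; history[0] is current
    changed_at: Optional[datetime] = None
    failures: int = 0
    locked: bool = False


def set_password(acct: Account, new_password: str, now: datetime) -> None:
    """Reject any password equal to one of the last 12, then rotate the history."""
    digest = _hash(new_password, acct.salt)
    if any(hmac.compare_digest(old, digest) for old in acct.history):
        raise ValueError("password matches one of the last 12 passwords")
    acct.history = ([digest] + acct.history)[:HISTORY_DEPTH]
    acct.changed_at = now
    acct.failures = 0


def password_expired(acct: Account, now: datetime) -> bool:
    return acct.changed_at is None or now - acct.changed_at >= MAX_AGE


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired', 'denied' or 'locked'."""
    if acct.locked:
        return "locked"                      # no comparison at all once locked
    if not acct.history or not hmac.compare_digest(acct.history[0], _hash(password, acct.salt)):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True               # stays locked until the help desk resets it
            return "locked"
        return "denied"
    acct.failures = 0                        # a success clears the failure counter
    if password_expired(acct, now):
        return "expired"                     # right password, but it must be changed before use
    return "ok"


def demo() -> dict:
    """Walk through each rule; returns the outcomes so they can be checked."""
    t0 = datetime(2014, 7, 1)
    acct = Account("jdoe")                   # constructed account, not a real user
    set_password(acct, "Summer-2014!", t0)
    out = {"login": authenticate(acct, "Summer-2014!", t0 + timedelta(days=30)),
           "day_91": authenticate(acct, "Summer-2014!", t0 + timedelta(days=91))}
    try:
        set_password(acct, "Summer-2014!", t0 + timedelta(days=91))
        out["immediate_reuse"] = "allowed"
    except ValueError:
        out["immediate_reuse"] = "rejected"
    for i in range(HISTORY_DEPTH):          # 12 fresh passwords push the first one out of history
        set_password(acct, f"Rotated-{i}!", t0 + timedelta(days=92 + i))
    try:
        set_password(acct, "Summer-2014!", t0 + timedelta(days=120))
        out["reuse_after_12"] = "allowed"
    except ValueError:
        out["reuse_after_12"] = "rejected"
    for _ in range(MAX_FAILURES):
        out["third_failure"] = authenticate(acct, "wrong-guess", t0 + timedelta(days=121))
    out["correct_but_locked"] = authenticate(acct, "Summer-2014!", t0 + timedelta(days=121))
    return out


if __name__ == "__main__":
    for rule, result in demo().items():
        print(f"{rule}: {result}")
```

Two details matter in practice: the lockout check runs before any hash comparison, so a locked account cannot be used as a password oracle, and a correct password on an expired account is reported as "expired" rather than "denied", so the user is sent to change it rather than being counted as a failure.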
Internet
Examples of acceptable use: job-related research, education, business activity, and limited personal use are permitted.
Examples of unacceptable use:
Posting PHI or a patient's personal information on a website
Sending unsecured email containing PHI or personal information
Visiting sites considered offensive, counterproductive, or that may degrade network performance
Accepting and forwarding jokes or cartoons
E-mail
MEDITECH e-mail: inclusion of PHI is strongly discouraged because it can be copied and sent outside of MEDITECH. If you must, use the minimum PHI necessary, sent to a limited number of authorized recipients.
Internet e-mail: CAUTION! NEVER transmit unencrypted PHI or financial information over the Internet.
Workstation Use
Workstation use is governed by the Workstation Use policy.
Users are responsible for securing and backing up information that resides on the desktop.
Passwords are changed every 90 days in order to protect information.
All workstation applications must be approved for use by Information Systems PRIOR to purchase.
Remote Access
Remote access requires user authentication.
Always physically secure your laptop, PDA, or other mobile device when traveling!
July 07, 2010: Conn. AG, Health Net Reach Settlement Over Medical Data Breach
"On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state." (Solsman, Dow Jones/Wall Street Journal, 7/6)
Auditing Requirements
The HIPAA Privacy and Security Rules require MCMH to perform regular audits of access to PHI.
Other information audits may occur as needed.
Patients may request and review a record of who has accessed their PHI.
If MCMH is audited regarding a suspected HIPAA or other security violation, we must share audit records with federal, state, and other officials.
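An access audit of the kind this slide describes is a review of chart-access logs against the access rules set out earlier in the deck (self-access only after the Medical Records form is signed, family or friend access only with a consent filed within the last year, and otherwise only where there is a job reason to see the record). The following is an added example, not MCMH code and not tied to MEDITECH, LSS or any real audit product: it runs those three rules over a constructed sample log and also produces the per-patient accounting of access that a patient may request. The log format, the field names and the lookup tables (employee-to-MRN mapping, signed forms, assignments, consents) are all assumptions.

```python
"""Review of an ePHI access log against the deck's access rules: no
self-access without the signed Medical Records form, no access to a family
member's or friend's record without a consent filed within the last year,
and no access outside a treatment relationship (minimum necessary).
Added example; the log format, field names and lookup tables are assumed."""
import csv
from collections import namedtuple
from datetime import date, datetime
from io import StringIO

# Constructed sample log, one line per chart access (the format is an assumption)
SAMPLE_LOG = """timestamp,user_id,patient_mrn,action
2014-07-01T08:02:11,rn_adams,100231,view
2014-07-01T08:05:40,rn_adams,100232,view
2014-07-01T12:31:05,rn_adams,100777,view
2014-07-01T13:10:22,clerk_baker,100231,view
2014-07-01T13:12:09,clerk_baker,100500,view
2014-07-01T13:15:00,clerk_baker,100900,view
2014-07-01T17:45:00,dr_chen,100999,view
2014-07-10T09:00:00,dr_chen,100999,view
"""

# Assumed lookup tables; a real review would pull these from HR, Medical Records and scheduling
EMPLOYEE_MRN = {"rn_adams": "100777", "clerk_baker": "100500"}  # employees who are also patients
SELF_ACCESS_FORM_SIGNED = {"clerk_baker"}                         # signed the one-time self-access form
ASSIGNED_PATIENTS = {"rn_adams": {"100231", "100232"},            # current treatment relationships
                     "clerk_baker": {"100231", "100233"},
                     "dr_chen": set()}
FAMILY_CONSENT_FILED = {("dr_chen", "100999"): "2013-07-02"}      # (user, mrn) -> date consent was filed
CONSENT_VALID_DAYS = 365                                          # consent must be renewed yearly

Event = namedtuple("Event", "timestamp user_id patient_mrn action")
Finding = namedtuple("Finding", "timestamp user_id patient_mrn rule")


def parse_log(text: str) -> list:
    """CSV with a header row; each row becomes an Event."""
    return [Event(**row) for row in csv.DictReader(StringIO(text))]


def review(events: list) -> list:
    """One finding per event that breaks a rule; the first matching rule wins."""
    findings = []
    for e in events:
        accessed_on = datetime.fromisoformat(e.timestamp).date()
        consent_on = FAMILY_CONSENT_FILED.get((e.user_id, e.patient_mrn))
        if EMPLOYEE_MRN.get(e.user_id) == e.patient_mrn:
            # Rule 1: looking at your own chart requires the signed form
            if e.user_id not in SELF_ACCESS_FORM_SIGNED:
                findings.append(Finding(e.timestamp, e.user_id, e.patient_mrn, "self_access_without_signed_form"))
        elif consent_on is not None:
            # Rule 2: a filed consent covers the access only for a year
            if (accessed_on - date.fromisoformat(consent_on)).days > CONSENT_VALID_DAYS:
                findings.append(Finding(e.timestamp, e.user_id, e.patient_mrn, "family_consent_expired"))
        elif e.patient_mrn not in ASSIGNED_PATIENTS.get(e.user_id, set()):
            # Rule 3: minimum necessary; no job reason to see this record
            findings.append(Finding(e.timestamp, e.user_id, e.patient_mrn, "no_treatment_relationship"))
    return findings


def accounting_of_access(events: list, patient_mrn: str) -> list:
    """What a patient may ask for: who looked at their record, and when."""
    return [(e.timestamp, e.user_id, e.action) for e in events if e.patient_mrn == patient_mrn]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for f in review(log):
        print(f"{f.timestamp} {f.user_id} -> MRN {f.patient_mrn}: {f.rule}")
    print("accesses to MRN 100231:", accounting_of_access(log, "100231"))
```

On the sample log the review flags three events: a nurse opening her own chart without the form on file, a clerk opening a record for a patient not on their assignment list, and a physician whose consent for a family member's record lapsed between two accesses nine days apart. The same pass, run regularly over real access logs with the real lookup tables, is what turns the slide's "MCMH audits unauthorized access" into something that actually fires.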
Your Responsibilities
Read and adhere to the IS Security Policies (in the HIPAA Policy Packet and on the Intranet).
Sign the User Confidentiality and Security Agreement.
Report any potential HIPAA security violation to the MCMH IS Security Officer, the Compliance Hotline, management, or the IS Help Desk.
And Finally: The Privacy/Security Golden Rule
Put yourself in the shoes of the patient. Who would you want to know about your protected health information?
Keep what you know to yourself and protect patient privacy.
Questions? Please contact:
Scott Burtchell, Director, Information Systems, 664-5608
Jeff Carr, IS Security Officer, 664-5605