HIPAA Privacy and Security Training For Employees: Compliance is Everyone’s Job. University Medical Center. INTERNAL USE ONLY
Topics to Cover • General HIPAA Privacy and Security Overview • HIPAA Privacy • ARRA of 2009: HIPAA Breach Notification Rules and Procedures • HIPAA Security • Questions/Acknowledgment of Training
What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that matter for our purposes are those that protect the privacy and security of health data, which HIPAA calls Protected Health Information, or PHI.
Question 1 HIPAA addresses • Privacy • Security • Both A and B
Correct Answer c: HIPAA establishes requirements for both the privacy and security of PHI. Privacy (the Privacy Rule) governs who may use and disclose PHI in any form: paper, spoken or electronic. Security (the Security Rule) requires administrative, physical and technical safeguards for PHI that is stored or transmitted electronically; paper records are safeguarded under the Privacy Rule.
Applicability of HIPAA to UA • HIPAA applies to: • University Medical Center • Brewer-Porch Children's Center • The Speech & Hearing Center • Autism Clinic • Departments that have signed Business Associate Agreements • Group Health Insurance/Flexible Spending Plan/EAP • UA administrative departments supporting the above entities (such as the Legal Office, Auditing, Financial Affairs, Risk Management, OIT, and the UA Privacy/Security Officer) • Research involving PHI from a HIPAA covered entity • Does not apply to: Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic Department health records
What is Protected Health Information (PHI)? • Any information, transmitted or maintained in any medium, including demographic information, that is: • Created or received by a covered entity or business associate; • Relates to or describes a past, present or future physical or mental health condition, or past, present or future payment for the provision of healthcare; and • Can be used to identify the patient
Types of Data Protected by HIPAA • Written documentation and all paper records • Spoken and verbal information, including voice mail messages • Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device • Photographic images • Audio and video recordings
Question 2 Jenny, a pediatric nurse, needs to report lab results to the mother of a 3 year old child who is sitting in the waiting room. She sticks her head in the waiting room door and says, “Good news. The lab results are normal.” Is this a privacy breach? • Yes • No
Correct Answer a: Yes, unless no one else was in the waiting room. The nurse should have asked the mother to step out into the hallway or taken other steps to be certain that no one else would overhear the conversation.
To De-Identify Patient Information You Must Remove All 18 Identifiers (the Safe Harbor method): • Names • Geographic subdivisions smaller than a state (address, city, county, ZIP code) • All elements of DATES (except year) directly related to an individual, including DOB, admission, discharge and death dates, all ages over 89, and dates indicative of such an age • Telephone and fax numbers, SSNs, VINs, license plate numbers • Medical record numbers, account numbers, health plan beneficiary numbers • Certificate/license numbers • Email addresses, IP addresses, URLs • Biometric identifiers, including finger and voice prints • Device identifiers and serial numbers • Full face photographic and comparable images • Any other unique identifying number, characteristic, or code
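Part of the Safe Harbor list above can be checked by machine before a data set leaves the covered entity. The following is an added example written for this page, not material from the training deck: a Go program that scans a constructed sample note for the identifier categories that have a recognisable shape (dates, ages over 89, SSNs, phone numbers, e-mail and IP addresses, URLs, record and plan numbers, street addresses, ZIP codes), replaces each one, and returns the list of what it removed. The sample note, the record-number layouts and the regular expressions are assumptions for the example. Names and place names have no fixed shape and are not caught here, so a scanner like this is a check on a scrub, not a substitute for reviewing it.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample note for this demonstration; not a real record.
const sampleNote = `Patient MRN 4471902, DOB 03/14/1931, seen 2012-02-07 at 1200 8th Ave, Tuscaloosa AL 35401.
Contact: (205) 555-0173, jdoe@example.org. SSN 123-45-6789. Age 91 years old, Medicare ID 1EG4-TE5-MK72.
Portal login from 10.0.4.17, see https://portal.example.org/visit/88213`

// Finding records one identifier the scrub removed and which category it hit.
type Finding struct {
	Category string
	Match    string
}

// Safe Harbor categories that can be recognised by shape. Order matters: the
// specific shapes run before the bare five-digit ZIP rule so that rule cannot
// eat part of an SSN, phone number or account number.
var identifierPatterns = []struct {
	category string
	re       *regexp.Regexp
}{
	{"email", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
	{"url", regexp.MustCompile(`https?://[^\s"'<>]+`)},
	{"ip", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"phone", regexp.MustCompile(`\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`)},
	{"mrn", regexp.MustCompile(`\bMRN\s*#?\s*\d+\b`)},
	// Assumed layout for a health plan beneficiary number (Medicare-style).
	{"beneficiary_id", regexp.MustCompile(`\b\d[A-Z0-9]{3}-[A-Z0-9]{3}-[A-Z0-9]{4}\b`)},
	{"street_address", regexp.MustCompile(`\b\d{1,6}\s+(?:[A-Z0-9][A-Za-z0-9]*\s+){0,3}(?:Ave|Avenue|St|Street|Rd|Road|Blvd|Dr|Drive)\b\.?`)},
	{"zip", regexp.MustCompile(`\b\d{5}(?:-\d{4})?\b`)},
}

var (
	usDate  = regexp.MustCompile(`\b\d{1,2}/\d{1,2}/(\d{4})\b`)
	isoDate = regexp.MustCompile(`\b(\d{4})-\d{2}-\d{2}\b`)
	ageRe   = regexp.MustCompile(`\b(\d{1,3})\s*(?:years?\s*old|y/?o)\b`)
)

// Deidentify applies the Safe Harbor rules a program can check mechanically:
// dates keep only the year, ages over 89 collapse into a single bucket, and
// each remaining shaped identifier becomes a labelled placeholder. The list
// of findings is returned so the scrub can be audited rather than trusted.
// Names, city names and free-text descriptions are NOT caught by shape and
// still need human review or a dictionary-based pass.
func Deidentify(text string) (string, []Finding) {
	var findings []Finding
	record := func(cat, m string) { findings = append(findings, Finding{cat, m}) }

	out := usDate.ReplaceAllStringFunc(text, func(m string) string {
		record("date", m)
		return usDate.FindStringSubmatch(m)[1]
	})
	out = isoDate.ReplaceAllStringFunc(out, func(m string) string {
		record("date", m)
		return isoDate.FindStringSubmatch(m)[1]
	})
	out = ageRe.ReplaceAllStringFunc(out, func(m string) string {
		age, _ := strconv.Atoi(ageRe.FindStringSubmatch(m)[1])
		if age <= 89 {
			return m // ages up to 89 are not identifiers under Safe Harbor
		}
		record("age_over_89", m)
		return "90 or older"
	})
	for _, p := range identifierPatterns {
		out = p.re.ReplaceAllStringFunc(out, func(m string) string {
			record(p.category, m)
			return "[REDACTED:" + p.category + "]"
		})
	}
	return out, findings
}

func main() {
	scrubbed, findings := Deidentify(sampleNote)
	fmt.Println(scrubbed)
	for _, f := range findings {
		fmt.Printf("removed %-15s %q\n", f.Category, f.Match)
	}
}
```

The findings list is the audit trail for the scrub: keep it with the de-identified data set so a reviewer can see what was removed and, just as important, look at what the patterns could not have seen. A production pipeline would add dictionary matching for names and cities and would treat the three-digit ZIP prefix rule and small age buckets with the same care, because small populations re-identify easily.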
Question 3 Photographs are considered PHI. • True • False
Correct Answer a: Photographs, as well as video and audio recordings, are protected under the HIPAA regulations.
Department of Justice-Imposed Criminal Penalties for Employees • Wrongfully accessing or disclosing PHI: fines up to $50,000 and up to 1 year in prison • Obtaining PHI under false pretenses: fines up to $100,000 and up to 5 years in prison • Wrongfully using PHI for commercial advantage, personal gain or malicious harm: fines up to $250,000 and up to 10 years in prison • HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS, including employees of Business Associates, as well as against covered entities, for obtaining or disclosing PHI without authorization
Federally Imposed Civil Penalties (tiers set by ARRA) • Tier A: Did not know and, exercising reasonable diligence, would not have known of the violation: • Minimum per violation: $100 (each individual in a data set can be a separate violation); maximum per calendar year for identical violations: $25,000 • Tier B: Violation due to reasonable cause, not willful neglect: • Minimum per violation: $1,000; maximum per calendar year: $100,000 • Tier C: Violation due to willful neglect that the organization corrected within 30 days: • Minimum per violation: $10,000; maximum per calendar year: $250,000 • Tier D: Violation due to willful neglect that the organization did not correct: • Minimum per violation: $50,000; maximum per calendar year: $1.5 million • HHS is now required to investigate and impose civil penalties where violations are due to willful neglect • HHS has 6 years from the occurrence to initiate a civil penalty action • State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations • Civil penalties now apply to Business Associates
Question 4 An individual convicted of a HIPAA violation might be subject to • Fine • Jail term • Both A and B
Correct Answer c: HIPAA is federal legislation. Sanctions for violators can include both fines and incarceration.
Breach and Sanction Information From the Office for Civil Rights’ annual report to Congress: • 9/23/09 – 12/31/09: 45 breach reports involving 2.4 million individuals • 1/1/10 – 12/31/10: 207 breach reports involving 5.4 million individuals • Four general causes (individuals affected): • Theft of electronic or paper records (2,979,121) • Loss of electronic or paper records (1,156,847) • Intentional unauthorized access, use, or disclosure (1,006,393) • Human error (78,663)
Breach and Sanction Information On January 16, 2009, the Department of Health and Human Services reached an agreement with CVS Pharmacy, Inc. (CVS) to settle potential violations of the Privacy Rule. CVS agreed to pay $2.25 million and to implement a detailed Corrective Action Plan to ensure that its workforce members appropriately dispose of PHI, such as labels from prescription bottles and old prescriptions.
Breach and Sanction Information On July 27, 2010, the Department of Health and Human Services (HHS) reached an agreement with Rite Aid Corporation and its 40 affiliated entities (Rite Aid) to settle potential violations of the Privacy Rule. Rite Aid agreed to pay $1 million and to take corrective action to improve its policies and procedures for safeguarding the privacy of its customers when disposing of PHI on pill bottle labels and other health information.
Breach and Sanction Information On July 6, 2011, the Department of Health and Human Services (HHS) entered into its third largest settlement for potential HIPAA Privacy and Security Rule violations, reaching a resolution agreement of $865,500 with the University of California at Los Angeles Health System (UCLAHS) associated with two complaints of intentional unauthorized access to, use of, or disclosure of PHI.
UA HIPAA Sanctions • Employees who do not follow Privacy and Security Policies and related workplace rules and policies are subject to disciplinary action, up to and including dismissal • The type of sanction depends on the severity of the violation, intent, pattern or practice of improper activity, etc.
Question 5 A University of Alabama employee who violates HIPAA Policies can be fired. • True • False
Correct Answer a: True. The University of Alabama is legally obligated to enforce HIPAA Policies. Employees who violate policy will be subject to sanctions, which can include termination of employment. The nature of the sanction is determined by the severity of the policy breach.
HIPAA Permitted Uses and Disclosures of PHI • A covered entity can always use and disclose PHI for any purpose if it obtains the person’s signed, HIPAA-valid authorization • Only designated, HIPAA-trained personnel are permitted to approve a disclosure of PHI under a person’s HIPAA-valid authorization • For a complete list of permitted uses and disclosures of PHI, see your entity’s Notice of Health Information Practices
HIPAA Permitted Uses and Disclosures of PHI • The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO), which means: • PHI may be disclosed to other providers for treatment • PHI may be disclosed to other covered entities for payment • PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance • PHI may be disclosed to individuals involved in a patient’s care or payment for care unless the patient objects
Minimum Necessary Standard • When HIPAA permits a use or disclosure of PHI, a covered entity must use, disclose or request only the minimum PHI necessary to accomplish the purpose of the use or disclosure. • The minimum necessary standard does not apply to: • Disclosures to, or requests by, a health care provider for treatment • Uses or disclosures made under a signed authorization • Disclosures required by law • Disclosures to the patient about himself/herself • Disclosures to HHS for a compliance investigation
What HIPAA Did Not Change: • Family and friends can still pick up prescriptions for sick people • Physicians and nurses do not have to whisper • State laws still govern the disclosure of a minor’s health information to parents (a minor is under the age of 19 in Alabama)
Other Privacy Safeguards • Avoid conversations involving PHI in public or common areas such as hallways or elevators • Keep documents containing PHI in locked cabinets or locked rooms when not in use • During work hours, place written materials in secure areas that are not in view of, or easily accessed by, unauthorized persons • Do not leave materials containing PHI on desks or counters, in conference rooms, or in public areas • Do not remove PHI in any form from the designated work site unless authorized to do so by management • Never take photographs in patient care areas
Required Forms and Documents Used at UA • Notice of Health Information Practices • Acknowledgement of Receipt of Notice • Confidentiality Statement • Authorization for Use or Disclosure of Information • Accounting of Disclosures Documentation • Business Associate Agreements • Fax Coversheet • Data Use Agreement
Question 6 TPO stands for • Therapy, patient, outcome • Treatment, payment, operations • Training, participation, organization
Correct Answer b: Treatment, payment, operations. Under the Privacy Rule, PHI may be used and disclosed as necessary to complete treatment, bill for services, and manage healthcare operations without a separate signed authorization; the patient is given the Notice of Health Information Practices and asked to sign the Acknowledgement of Receipt of Notice.
Question 7 PHI can never be released for any reason except TPO (treatment, payment, operations). • True • False
Correct Answer b: False. PHI can be released for reasons other than TPO if the patient has signed a HIPAA-valid authorization for that release, and in the other situations the Privacy Rule permits or requires (for example, disclosures required by law); see your entity’s Notice of Health Information Practices for the full list.
Question 8 Charlie works at a medical center and is responsible for entering billing data into the computer system. He looks at his mother-in-law’s medical records because he is concerned that she has not been fully honest with her family about some recent health problems. Since he has been HIPAA trained, is this a breach of privacy? • Yes • No
Correct Answer a: Yes. Although Charlie has been HIPAA trained, his access is limited to the minimum necessary to do his job, and entering billing data does not require reading the clinical record. Concern for a family member is not a permitted purpose. Unless his mother-in-law had given written authorization and the access had been approved through the proper channel, this action was a violation of Privacy Policies.
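The minimum necessary standard above, and Charlie’s case, come down to two technical controls: a purpose check on every access and a role-based field filter, with every decision logged. The following is an added example written for this page, not code from the training deck or from UA: a Go access function over a constructed patient record. The roles, field names and purpose labels are assumptions for the example. Treatment by a clinician and disclosures under a signed authorization are exempt from minimum necessary, as the slide says, and see the whole record; payment and operations receive only the role’s field list; a lookup for any other reason is refused. Both outcomes go to the audit log, which is where a privacy officer would see Charlie’s attempt, and the same control would have stopped Rhonda in Question 11 further on.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Constructed sample record; not real patient data.
var patient = map[string]string{
	"mrn":            "4471902",
	"name":           "J. Doe",
	"insurance_id":   "1EG4-TE5-MK72",
	"procedure_code": "99213",
	"charge":         "185.00",
	"diagnosis":      "essential hypertension",
	"clinical_note":  "BP 150/95, medication adjusted",
}

// Fields each role needs to do its own job: the minimum necessary view.
// The roles and field names are assumptions for this example.
var roleFields = map[string][]string{
	"billing_clerk":      {"mrn", "name", "insurance_id", "procedure_code", "charge"},
	"treating_clinician": {"mrn", "name", "diagnosis", "clinical_note", "procedure_code"},
}

// Request is one attempt to read a record. Authorized means the patient's
// signed HIPAA authorization for this use is on file.
type Request struct {
	User, Role, Purpose string
	Authorized          bool
}

// AuditEntry is written for every attempt, granted or denied. The denials are
// what a privacy officer reviews when looking for snooping.
type AuditEntry struct {
	User, Role, Purpose string
	Granted             bool
	Fields              []string
	Reason              string
}

var auditLog []AuditEntry

// Access enforces purpose and minimum necessary. Treatment by a clinician and
// disclosures under a signed authorization are exempt from minimum necessary
// and see the whole record; payment and operations see only the role's view;
// anything else ("curiosity", "family concern") is refused and logged.
func Access(req Request, record map[string]string) (map[string]string, error) {
	entry := AuditEntry{User: req.User, Role: req.Role, Purpose: req.Purpose}
	defer func() { auditLog = append(auditLog, entry) }()
	deny := func(reason string) (map[string]string, error) {
		entry.Reason = reason
		return nil, errors.New(reason)
	}

	allowed, roleKnown := roleFields[req.Role]
	if !roleKnown {
		return deny("unknown role")
	}
	fullRecord := false
	switch req.Purpose {
	case "treatment":
		if req.Role != "treating_clinician" {
			return deny("only a treating clinician may claim the treatment purpose")
		}
		fullRecord = true
	case "authorization":
		if !req.Authorized {
			return deny("no signed patient authorization on file")
		}
		fullRecord = true
	case "payment", "operations":
		// minimum necessary applies: fall through to the role's field list
	default:
		return deny("purpose is not treatment, payment, operations or authorized")
	}

	view := map[string]string{}
	if fullRecord {
		for k, v := range record {
			view[k] = v
		}
	} else {
		for _, k := range allowed {
			if v, ok := record[k]; ok {
				view[k] = v
			}
		}
	}
	for k := range view {
		entry.Fields = append(entry.Fields, k)
	}
	sort.Strings(entry.Fields)
	entry.Granted = true
	return view, nil
}

func main() {
	// Charlie (billing) looks up a relative out of concern: refused and logged.
	_, err := Access(Request{User: "charlie", Role: "billing_clerk", Purpose: "family concern"}, patient)
	fmt.Println("charlie/family concern:", err)
	// The same clerk doing his actual job sees billing fields, not the chart.
	view, _ := Access(Request{User: "charlie", Role: "billing_clerk", Purpose: "payment"}, patient)
	fmt.Println("charlie/payment:", view)
	for _, e := range auditLog {
		fmt.Printf("audit: user=%s purpose=%q granted=%v fields=%v reason=%q\n",
			e.User, e.Purpose, e.Granted, e.Fields, e.Reason)
	}
}
```

In a real system the purpose would be tied to a work item (an open encounter, a claim in the user’s queue) rather than a string the user supplies, because a purpose label on its own is easy to lie about; the audit log is what catches the lie after the fact, which is why denials and successful reads are both recorded.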
Business Associate Agreements • Are required before a covered entity can contract with a third-party individual or vendor (including subcontractors) to perform activities or functions that involve the use or disclosure of the covered entity’s PHI • Bind the third party to the HIPAA regulations when performing the contracted services • Must be approved in accordance with the appropriate UA policies and procedures; individual employees are NOT authorized to sign contracts on behalf of UA.
HIPAA Put New Requirements on Research: • If you work for a health care provider covered by HIPAA, do not release PHI for research unless: • The patient has signed a valid HIPAA authorization; or • The IRB at UA has approved a waiver of authorization; or • The IRB agrees that an exception applies • Information regarding HIPAA and research is available through the Office of Research Compliance (Director: Tanta Myles)
American Recovery and Reinvestment Act of 2009 (ARRA) • Expanded the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • One new requirement is that we must notify affected individuals and federal officials when a breach or potential breach of privacy has occurred • The following slides discuss our obligations under these rules
Question 9 _______ requires that individuals and federal officials be notified when a breach or potential breach of PHI privacy or security has occurred • HIPAA • ARRA • FERPA
Correct Answer b: ARRA, the American Recovery and Reinvestment Act of 2009, expanded HIPAA to establish regulations for notification of a breach or potential breach of PHI.
First Federal Definition of Breach • ARRA provides the first federal definition of a breach: • The unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information • Exceptions: • Unintentional, good-faith acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity, within the scope of that authority, where the PHI is not further used or disclosed • Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access PHI at the same covered entity • Unauthorized disclosures in which the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information
Secured PHI • ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology, specified in guidance issued by HHS, that renders it unusable, unreadable, or indecipherable to unauthorized persons (the HHS guidance points to NIST standards for encryption and for media destruction) • Therefore, for incidents involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are “home free” methods under which the loss is not a reportable breach: • Paper: destroyed by cross-cut shredding, or otherwise destroyed so that it cannot be reconstructed • Electronic data: data files and/or transmissions encrypted in line with the HHS guidance, where the decryption key has not also been compromised
Encryption • The Security Rule requires covered entities and business associates to consider implementing encryption as a method for safeguarding electronic Protected Health Information (ePHI) • If the lost or disclosed data was encrypted in line with the HHS guidance, and the key was not also lost or disclosed, the data is not “unsecured PHI” and breach notification is not required • Encryption only counts if the key stays out of the wrong hands: a key stored on the same device as the data, or a password that gates access without actually encrypting the file, does not earn this safe harbor
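What makes lost data “secured” is that whoever finds it cannot read it, and that depends on the key being somewhere other than the lost medium. The following is an added example written for this page, not code from the training deck: a Go program using only the standard library that seals a data set with AES-256-GCM before it goes onto a removable drive. The drive holds only nonce, ciphertext and authentication tag; the file name is bound as associated data so a renamed or swapped file refuses to open; and opening fails for a wrong key, a tampered byte or a renamed file. The file name and the sample data set are constructed for the example. In practice the key lives in a key store or on a managed workstation, and full-disk encryption of the drive is the usual operational answer, but the same rule applies there: the drive and its key must not travel together.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. It belongs in a key store or on the
// user's managed workstation, never on the removable drive next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file for removable media with AES-256-GCM. The output is
// nonce || ciphertext || tag and contains nothing that helps recover the key.
// The file name is bound as associated data, so a sealed file that is renamed
// or swapped for another sealed file fails to open rather than silently
// yielding the wrong record.
func Seal(key []byte, filename string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Open reverses Seal. Any change to the ciphertext, the tag, the nonce or the
// file name makes the GCM tag check fail, so tampering is detected as well as
// confidentiality being preserved.
func Open(key []byte, filename string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	key, _ := NewKey()
	// Constructed sample data standing in for an exported research data set.
	plaintext := []byte("participant_id,dob,diagnosis\n1,1931-03-14,hypertension\n")
	sealed, _ := Seal(key, "participants.csv", plaintext)
	fmt.Printf("on the drive: %d bytes, first 16: %x\n", len(sealed), sealed[:16])
	if _, err := Open(key, "renamed.csv", sealed); err != nil {
		fmt.Println("renamed file refused:", err)
	}
	recovered, _ := Open(key, "participants.csv", sealed)
	fmt.Printf("with the key: %s", recovered)
}
```

The thumb-drive scenario in Question 12 is the case this is written for: had Rob’s file been sealed this way and the key left on his workstation, the thief would hold bytes that are indecipherable without it, which is the condition the HHS guidance attaches to the safe harbor.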
What Constitutes a Breach? • A breach could result from many activities, for example: • Failing to log off when leaving a workstation • Unauthorized access to PHI • Sharing confidential information, including passwords • Having patient-related conversations in public settings • Improper disposal of confidential materials in any form • Copying or removing PHI from the appropriate area • Why do they happen? • Curiosity…about a co-worker or friend • Laziness…sharing a sign-on to information systems • Compassion…the desire to help someone • Greed or malicious intent…for personal gain
Question 10 Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to him. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. • Was this a breach of PHI? • Yes • No
Correct Answer b: No. Bill unintentionally accessed PHI that he was not authorized to access, but he opened the email in good faith within the scope of his job for the covered entity and did not further use or disclose the PHI. This falls under the first exception to the breach definition, so it is not a breach, as long as Bill does not further use or disclose the information in a manner not permitted by the Privacy Rule.
Question 11 Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. • Does Rhonda’s action constitute a breach? • Yes • No
Correct Answer a: Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, was not done in good faith, and was not within the scope of her job for the covered entity, so none of the exceptions applies.
Question 12 Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive. • Does this event constitute a breach? • Yes • No