Privacy and Confidentiality
Residents and Fellows Orientation 2010
Adrienne Green, MD, Associate Chief Medical Officer
Deborah Yano-Fong, RN, MS, PAAPC, CHP, Chief Privacy Officer
June 18, 2010 & June 30, 2010
Overview
• What Do You Need to Know?
• What’s New?
  • New Privacy State Laws
  • New Federal Regulations: HITECH
• Important Privacy Concepts
• Privacy in the Clinical Environment
• Scenarios
• Best Privacy Practice Reminders
• What to Do in the Event of a Privacy Breach?
• Resources
What do you need to know about Privacy and HIPAA?
• Complete the required training
  • Privacy Handbook
  • Provider Training Module
  • Confidentiality Statement
• Know the patient’s privacy rights
• New State Privacy Laws and your personal liability
• American Recovery and Reinvestment Act (ARRA) impact on healthcare and privacy: HITECH
Advanced Provider HIPAA Training
• Review the Advanced Provider Module: http://www.ucsf.edu/hipaa/
• Read the HIPAA Handbook (in your packet)
• Sign the Confidentiality Statement and turn it in to your Department Manager
• Read the Notice of Privacy Practices (NOPP) booklet: http://www.ucsfhealth.org/common/3-03ucsfhipaa.pdf
Patient HIPAA Rights can be Hot Spots for Providers
HIPAA Patient Rights:
• To restrict use and disclosure of their PHI
  • New restriction for self-pay patients
• To request amendments to their PHI
• To file complaints with UCSF, UCOP and OCR that may result in civil and criminal penalties for individuals as well as the healthcare organization
• To request an Accounting of Disclosures
• To inspect and receive a copy of their medical record
  • New right to receive an electronic copy of records
• To request confidential communication
Survival Tips For HIPAA Patient Rights
Don’t:
• Agree to a patient’s request for restriction of access to their medical record
• Agree to a patient’s request for an amendment to their medical record
• Harvest research data yourself from any of the Medical Record sources. HIMS is the control point for providing research data. For questions go to http://hims.ucsfmedicalcenter.org or go to the IDR
Do:
• Refer a patient’s request for restriction or amendment of the medical record to Patient Relations or HIMS
• Patient Relations and HIMS must evaluate and coordinate all requests for restriction or amendment of medical records
What’s New? Privacy is more than HIPAA these days
• New state laws and Federal Regulations are more stringent and impose increased fines/penalties
• The Privacy environment is constantly changing
• National mandate for an Electronic Health Record
• Statewide initiatives for a Health Information Exchange
Major Impacts of The New Privacy State Laws: Key Requirements
Major Impacts of The New Privacy State Laws: Fines & Penalties
How Does This Impact You?
• Increased Fines and Civil Penalties
• 5 Day Notification Requirement to DPH and individuals
• Surveillance and Monitoring
  • Audit Logs of Appropriate Access
• Personal Liability
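The "Audit Logs of Appropriate Access" item above is the monitoring side of personal liability: every record access is logged, and the log is reviewed against whether the person had a reason to be in that chart. The script below is an added example of that review, not a UCSF tool. The log format, the care-team table (which patients each user is assigned to) and every sample line are constructed for illustration; the function names `parse_log`, `find_unrelated_access` and `review` are this example's own.

```python
"""Appropriate-access review over EHR audit-log lines.

Added example, not a UCSF tool: each record access in an audit log is
compared with a documented care relationship, and any access without one
is flagged for follow-up by the privacy office. The log format, the
care-team table and every sample line below are constructed for
illustration; real audit logs and relationship sources differ.
"""
from collections import defaultdict

# Constructed audit lines: timestamp, user, action, patient id (no real data).
SAMPLE_LOG = """\
2010-06-18T08:02:11 dr_a VIEW  P1001
2010-06-18T08:05:40 dr_a VIEW  P1002
2010-06-18T09:17:03 dr_b VIEW  P1001
2010-06-18T12:44:55 dr_b VIEW  P2077
2010-06-18T12:45:30 dr_b VIEW  P2078
2010-06-18T13:01:12 dr_c PRINT P1002
malformed line that should be skipped
"""

# Constructed care relationships: the patients each user is assigned to.
CARE_TEAM = {
    "dr_a": {"P1001", "P1002"},
    "dr_b": {"P1001"},
    "dr_c": {"P1002"},
}


def parse_log(text: str) -> tuple:
    """Parse whitespace-separated audit lines. Malformed lines are skipped
    and counted separately so they are not silently lost from the review."""
    events, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            if line.strip():
                skipped += 1
            continue
        ts, user, action, patient = parts
        events.append({"ts": ts, "user": user, "action": action, "patient": patient})
    return events, skipped


def find_unrelated_access(events, care_team) -> list:
    """Every access whose patient is not on the user's care list.
    A user with no care list at all has every access flagged."""
    return [e for e in events if e["patient"] not in care_team.get(e["user"], set())]


def summarize(flagged) -> dict:
    """Flagged accesses per user: a run of accesses to unassigned patients
    is the pattern a privacy office follows up on."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["user"]] += 1
    return dict(counts)


def review(text: str, care_team: dict) -> dict:
    """Run the whole review and return the figures a reviewer would want."""
    events, skipped = parse_log(text)
    flagged = find_unrelated_access(events, care_team)
    return {
        "events": len(events),
        "skipped": skipped,
        "flagged": [(e["user"], e["patient"], e["action"]) for e in flagged],
        "per_user": summarize(flagged),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, CARE_TEAM).items():
        print(key, value)
```

On the constructed log, dr_b's two accesses to patients outside the assigned list are the only flagged events. In a real review the care relationship would come from the scheduling or admission system rather than a hand-written table, and a flagged access is a prompt for a question, not a finding on its own.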
The answer to all legal/risk questions is…
• IT DEPENDS…
Federal Regulations/Laws & Some Major Impacts
American Recovery & Reinvestment Act of 2009 (ARRA): the HITECH Act amends HIPAA
• The “Stimulus Package” included health information technology, e.g., Electronic Health Records
• Multiple impacts related to Privacy
  • Defines unsecured PHI
  • Requires notification to the consumer within 60 days
  • Individuals may be fined for wrongful disclosure
  • Increases criminal fines and penalties for wrongful disclosure
  • Individuals have a right of civil action for wrongful disclosure
  • Requires honoring restriction requests when related to self-pay situations
  • Major impact on Business Associates (BAs)
• More guidance from HHS expected
Newspaper Headlines
• Kaiser hospital fined $250,000 for privacy breach in octuplet case
• Hacker Holding Virginia Health Records for $10 million Ransom
• Former UCLA Researcher sentenced for snooping (4 months in jail)
• $20M to Settle Lawsuit for Loss of Laptop
Important Privacy Concepts:
• Utilize these concepts when making decisions regarding Privacy Protection in the clinical environment:
Treatment, Payment or Operations (TPO)
• You may access, use or disclose PHI or ePHI for the purposes of TPO
• See the Notice of Privacy Practices (NOPP) for details
• If your access, use or disclosure is not covered by the NOPP, then you will need to obtain an authorization from the patient prior to proceeding.
PHI/ePHI
• Protected Health Information / Electronic Protected Health Information
• See the HIPAA handbook for the definition
Important Privacy Concepts cont’d…
• The Minimum Necessary Standard applies to all uses and disclosures except for treatment
  • Access only what you need to know.
  • Share only what you need to disclose.
• Incidental Use and Disclosure is permitted as long as:
  • The disclosure is incidental to other permitted uses and disclosures.
  • You never access, use or disclose PHI which you are not allowed to access in the first place.
  • Reasonable safeguards are in place to protect PHI that may be disclosed incidentally.
Privacy in the Clinical Environment
Privacy answers are not black and white. You need to assess the appropriate access, use, storage, and disclosure of PHI each and every time by asking yourself all of the following questions.
• Do I need to access this information to do my job?
• Am I using the minimum information needed to do my job?
• Am I providing others with the minimum necessary information to do their job?
• Do I need to store this information to do my job?
  • If yes, how will I secure this information?
• OK, I can do this, but should I really do it?
• What if this was my information? How would I feel about how it is being handled?
• How would this process/practice look on the front page of the Chronicle?
Scenario 1 – Email Communication
• A patient emails you about new symptoms that have presented since taking a new medication.
• Since the patient has sent the email unencrypted, can you respond without sending your message in a secure manner?
Scenario #1 – Answers
• A.) Yes
• B.) No
Correct Answer to Scenario #1
• B.) NO
It is your responsibility, when communicating, to send any PHI securely. DO NOT use personal email accounts or personal devices.
Secure E-Mail is easy to use at UCSF!
• How to use
  • Use the secure email system when sending emails with ePHI
  • Type in the email Subject Line one of the words: Secure:, ePHI: or PHI:
  • Make sure you are sending your message to the correct recipient.
• Key points to remember
  • This protects the information when it leaves our UCSF network environment. It does not encrypt the message within the UCSF network. However, best practice is to use the secure email system when sending ePHI anywhere. This will protect you if someone forwards your ePHI outside of the UCSF network.
Scenario #2 – Lost/Stolen Laptop
• Your personal laptop contained information about your current patients. The laptop was locked in your trunk and it had a complex password on the device.
• Since you locked the laptop up and you had a complex password on the device, is this enough to keep you from being personally responsible for the loss of the patient information?
Scenario #2 – Answers
• A.) Yes, I cannot be responsible if someone steals my laptop.
• B.) No, I am still responsible.
Correct Answer to Scenario #2
• B.) “No, I am still responsible.”
The only safe harbor is to have the device encrypted.
Key to Your Survival Is How You Control Access, Use, and Disclosure of PHI
PHI is Everywhere
• Desktop computers
• Laptops
• Memory sticks
• Text pagers
• PDAs
• Cell phones
• Conversations
• Paper records/notes
Best Privacy Practice Reminders
• Make sure you maintain access only to the systems for which you have a business need
• Review privacy newsletters and make sure you understand them
• PHI/ePHI should never leave the department
  • If unavoidable, then the materials should stay with the person without exception
• Limit discussion in public areas
• Place PHI/ePHI in the InstaShred
• Do not block software updates
• Encrypt ePHI on mobile devices: laptops, memory sticks, etc.
Best Privacy Practice Reminders cont’d…
Ensure additional layers of protection for PHI and ePHI
• Use locked doors/storage areas
• Lock up patient information such as paper, floppies, memory sticks, CDs, tapes or other portable media
• Secure devices with locks when possible, even when laptops are docked in docking stations
• You are responsible for securing home and mobile devices with confidential information. If you take your laptop home, you need to keep it with you at all times while in transport.
• Secure the building at the end of the business day
• Store information on a secure/encrypted server
Protect your computers and mobile eDevices:
• Back up all confidential information on a UCSF protected server
• Complex password protection
• Encryption
• Delete old files
• Create an encrypted back-up file and store it separately from the computer/mobile e-device
• Access the UCSF network using an approved, secure means
  • VPN
What is my responsibility if I suspect a breach or have questions?
• Report any known or suspected privacy breaches to the Privacy Office ASAP.
• Report erratic computer behavior or unusual e-mails to IT.
• Report lost/stolen e-devices to UCSF Police immediately. If it is hard copy PHI, report it to the Privacy Office.
• Be prepared to outline the exact data elements disclosed, how many patients, over what time period, to whom, and for what purpose.
• When you are planning any project that involves releasing PHI outside of UCSF for any purpose outside of TPO and without patient authorization, contact the Privacy Office for consultation.
What is Phishing?
• Wikipedia Definition
  • Phishing is the criminally fraudulent process of attempting to acquire sensitive information, such as user names, passwords, and credit card details, by masquerading as a trustworthy entity in an electronic communication.
  • Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Examples of Phishing
• What does a phishing scam look like?
  • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
  • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Current Facts*
• The Internet has never been more dangerous: rogue Anti-Virus, infected computers and malicious code break new barriers as electronic crime’s sophistication and ambition grow unchecked.
• Rogue anti-malware programs are proliferating at an unprecedented rate. In the first 6 months of 2009, the number of such programs grew 585%.
• The number of unique phishing websites detected in June 2009 rose to 49,084, the second-highest number recorded since APWG began reporting this measurement.
• (*www.antiphishing.org/phishing_archive)
What Is the Real Risk When This Happens?
• Virgin mail accounts are hot commodities and can be sold for $2/account. This is double what a stolen credit card account is worth.
• With your User ID and PW, the cyber thief can carry out many lucrative online activities. They can access your address book, collect clues to your social networks and online banks, then crack into those accounts and change the PW so only they can access them.
• Remember, many online services require an email address in order to set up the web account, and replacement passwords are sent to that email address.
How Does UCSF Reduce This Risk?
• Never provide your User ID and PW in response to email queries, even if the request looks legitimate.
• Use different PWs for each online account.
• Adhere to UCSF’s PW policy for complex PWs and change the PW regularly.
• Never store spreadsheets with PHI or sensitive data in your email folders.
• Adhere to the Minimum Necessary standard when communicating about a patient.
Scenario 3
• A patient arrives in the ED and states that he has been seen at another ED two times in the last 24 hours for abdominal pain. He now presents with increased abdominal pain. You diagnose him with a bowel obstruction, and he goes to the OR for surgery. You know the MD at the other hospital and want to inform him about what happened to this patient.
• Should you contact the MD at the other ED?
Scenario #3 – Answers
• A.) Yes
• B.) No
Correct Answer to Scenario #3
• B.) No
• To do so would cause a Privacy violation
• If you feel strongly that the other ED should know, you should:
  • Obtain authorization from the patient to disclose this information
  • Document the authorization in the medical record
Remember: Privacy is bigger than HIPAA
• California Confidentiality of Medical Information Act (COMIA) (CA Civil Code 56-56.07)
• California Confidentiality of Social Security Numbers (CA Civil Code 1798.85)
• California Information Practices Act (IPA) (CA Civil Code 1798.24)
• California Lanterman-Petris-Short Act (CA Welfare and Institutions Code 5000-5120)
• Federal Education Rights and Privacy Act (FERPA) (34 CFR Part 99)
• Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, 164)
• AB-211
• SB-541
• Red Flag Rule
• HITECH
UCSF Resources: Where to go for help
• Your Department Manager or IT support person
• UCSF Privacy Officer: Deborah Yano-Fong
• UCSF Information Security Officer (Medical Center): Jose Claudio
• UCSF Information Security Officer (Campus): David Rusting
• School of Medicine Information Security Unit Director: Opinder Bawa
• IT Customer Support: 514-4100
• UCSF Police: 476-1414