Physician HIPAA Education
Objectives of HIPAA Training
• Understand HIPAA
• Rules and Regulations
• How to Safeguard PHI (Protected Health Information)
• Your Responsibilities
• HIPAA Concerns/Violations
• Identify Examples of HIPAA Violations
• Monitoring & Penalties for HIPAA Breaches
• Contacts and Additional Resources

Protected Health Information (PHI)
• Names
• Biometric identifiers
• Full face photos
• Medical record number
• Health plan number
• Account numbers
• Certificate/license numbers
• Vehicle identifiers
• Telephone and fax numbers
• E-mail and URL addresses
• Geographic subdivisions smaller than a state
• All elements of dates related to birth date, admission, discharge, or date of death; ages over 89
• Social Security numbers
• Device identifiers/serial numbers
• IP address numbers
• Any other unique identifying data

Consent and Authorization from Patient
• Consent and a financial agreement are obtained from the patient upon presenting for treatment. The Privacy Rule allows disclosure for Treatment, Payment, and Healthcare Operations (e.g., case management, quality assessment, DOH/JC surveys), or where otherwise permitted or required by the Privacy Rule.
• Authorization from the patient is needed for any disclosure of health information that exceeds what the Privacy Rule permits.
HIPAA Covered Entities
Healthcare providers are HIPAA covered entities. Business Associates are also bound by HIPAA. Access, acquisition, use, or disclosure of PHI must be work related.

Can Providers Share Information with a Patient’s Friends and Family?
Yes, after obtaining the patient’s permission. If you are unable to obtain the patient’s permission and you believe the patient would not object, it is permissible to use professional judgment to determine whether disclosing the minimum amount necessary is in the best interest of the patient.
Personal Representatives who have rights to PHI
• Health Care Agent (Proxy): implemented/rescinded upon written order of the attending physician or medical director when the resident/patient no longer has capacity to make health care decisions
• Guardian of an adult patient, if authorized by a judge
• Executor or administrator of a deceased patient’s estate; must have legal authority
• Parent or guardian for a minor; exceptions: mental health notes, drug & alcohol treatment, HIV & STD, pre-natal care, emancipated minors

HIPAA Security Safeguards
• Dispose of paper PHI correctly in a shred bin
• Secure PHI by locking files and keep PHI visible only to authorized individuals
• Never leave mobile computing devices (e.g., laptops) unsecured, and report thefts immediately
• Be aware of your surroundings when discussing PHI
• Lower your voice
• Confirm the identity of the patient and the related PHI prior to disclosure

Recognize Phishing Scams and Fraudulent E-mails
• Phishing is a type of deception designed to steal valuable personal data, such as credit card numbers, passwords, account data, or other information.
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
Some Current Phishing Techniques
(1) Email: Most of the messages carry an urgent note requiring the user to enter credentials to update account information, change details, or verify accounts.
(2) Malware Phishing: Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the e-mail sent to the user by the phishers. Once you click on the link, the malware starts running. Sometimes the malware may also be attached to downloadable files.
(3) Website Phishing: Mimics visual elements from the target site or uses subtle changes to the site address, for example:
- www.ebay.com.kr
- www.ebay.com@192.168.0.5
- www.gooogle.com
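A check for the three address tricks listed above (a trusted name buried in a longer domain, a trusted name placed before an `@`, and a misspelled domain), as an added example that is not part of the original training deck; the TRUSTED_DOMAINS allow-list and the sample addresses fed to it are constructed for illustration, and Python's standard urllib does the address splitting:

```python
"""Flag the three kinds of deceptive web addresses the slide lists."""
from urllib.parse import urlsplit

# Constructed allow-list: domains the organisation expects its users to visit.
TRUSTED_DOMAINS = ("ebay.com", "google.com", "chsbuffalo.org")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-letter lookalikes such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def belongs_to(host: str, domain: str) -> bool:
    """True when host is domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_url(raw: str) -> str:
    """Return 'trusted', 'unknown', or the reason the address is deceptive."""
    # The slide shows bare hosts; urlsplit needs a scheme to find the authority.
    url = raw if "://" in raw else "http://" + raw
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Trick 1: 'www.ebay.com@192.168.0.5' puts the trusted name in the userinfo
    # field; the browser connects to whatever follows the '@'.
    if parts.username is not None:
        return f"userinfo-trick: connects to {host!r}, not {parts.username!r}"
    # A genuine trusted domain or one of its subdomains passes.
    for domain in TRUSTED_DOMAINS:
        if belongs_to(host, domain):
            return "trusted"
    # Trick 2: 'www.ebay.com.kr' embeds a trusted name inside another domain.
    for domain in TRUSTED_DOMAINS:
        if domain in host:
            return f"lookalike-prefix: {host!r} is not under {domain!r}"
    # Trick 3: 'www.gooogle.com' is one edit away from a trusted domain.
    registrable = ".".join(host.split(".")[-2:])
    for domain in TRUSTED_DOMAINS:
        if levenshtein(registrable, domain) <= 2:
            return f"lookalike-spelling: {registrable!r} resembles {domain!r}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("www.ebay.com.kr", "www.ebay.com@192.168.0.5", "www.gooogle.com"):
        print(f"{sample:28} -> {classify_url(sample)}")
```

The registrable-domain guess (last two labels) is deliberately simple; a production filter would use the Public Suffix List so that country-code domains such as `.com.kr` are split correctly.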
You’ve been Phished! Example
Cues in the sample e-mail:
• Blue box information advising you to proceed with CAUTION
• Not a CH web address (chsbuffalo.org)
• Not a government website; incorrect spelling of HIPAA in the text
• Request to click on a link
REPORT ALL SUSPICIOUS CH E-MAILS TO THE CH HELPDESK

Safeguard Against Phishing
• Don’t reply to e-mail or pop-up messages that ask for personal or financial information
• Don’t click on links in e-mail or instant messages
• Don’t cut and paste a link from a questionable message into your Web browser
• Don’t e-mail personal or financial information
• If you are scammed, visit the Federal Trade Commission’s Identity Theft website (www.consumer.gov/idtheft) and let our help desk know!

Computer Security Safeguards
• Computer accounts and passwords are kept confidential
• Do NOT open or respond to suspicious e-mail
• Do NOT post patient PHI to social media sites
• Do NOT store protected health information (PHI) on an unencrypted computer or device
• Avoid the use of portable devices for PHI. If used, they must be encrypted and secure. Loss or theft involving Catholic Health PHI is to be reported immediately.
• E-mail
  • Do NOT e-mail PHI directly from a business center copier
  • All e-mail with PHI sent outside CHS needs to be encrypted
• Verify any faxes sent with PHI

Log-in/Password
Password creation recommendations:
• construct with care
• follow Catholic Health policies
• have at least eight (8) characters
• contain at least one alphabetic and one numeric character
• be difficult to guess
It is in VIOLATION of Catholic Health Policy to share your password with other individuals. Safeguard your password.
Text Messaging Protected Health Information
Embrace the Tiger

Question
How to… IMPROVE the efficacy of patient communication and PROTECT the patient (do no harm)?
BETTER COMMUNICATION = BETTER CARE

Answer = Secured Text Messaging
Catholic Health App available for:
• Smart cell phones (iPhone or Android)
• Tablets
• Laptops
Contact the Medical Staff Office to obtain this App or for more information.

Catholic Health Policy Alignment
• The TigerConnect App will NOT be used to place orders.
• All orders must be placed using the defined Catholic Health protocol.
• This communication tool is in addition to existing communication methodologies already approved.
• It is not intended to displace or replace the use of other approved processes; instead, the tool is to augment communication processes.
“Authorized” Access, Use or Disclosure of PHI
Individuals must only access, acquire, use, and/or disclose PHI based on job function and the need to know the information for treatment, payment or healthcare operations (see HIPAA policy PRIV-24 for additional information).

Restrictions
Restrict access, use and disclosure to the minimum amount necessary for payment or healthcare operations. There are also disclosure restrictions for:
• HIV information
• Psychotherapy notes (mental health)
• Drug and alcohol treatment
The types of information listed above are protected by federal and/or state statute and may not be faxed or photocopied without specific written patient authorization, unless required by law. Additional signed authorization must be obtained for any disclosure related to the restrictions noted above.

HIPAA Compliance
Individuals granted Catholic Health computer privileges:
• may use their authorized system access privileges only for legitimate treatment purposes
• may access only the patient information they need to do their jobs
• may not permit others to use their authorized access to look up patient information
• must log off or lock their screens when leaving their workstation to prevent unauthorized use by others
• must follow Catholic Health policies and procedures related to patient privacy compliance

Fine Line: Professional vs Personal
Remember the “fine line” between your business role and your personal role as a family member, friend, co-worker, or patient. The “3 C’s” (Care, Curiosity, Concern) are NOT acceptable reasons for inappropriately accessing patient information, including information about:
• Family or relatives
• Friends or neighbors
• Co-workers
• VIPs or high-profile patients
• Personal health information

UNAUTHORIZED ACCESS or DISCLOSURE OF PATIENT INFORMATION
• Curiosity can be a normal human trait… however, unauthorized access or disclosure of health information of family members, friends, co-workers, persons of public interest or any other person is a … VIOLATION and can result in fines, being sued, jail time, and/or termination of your employment
• Individuals are NOT allowed to look up their own health records

Individuals viewing their own Medical Record
Physicians may file a written request with Health Information Management for their own medical record information, OR physicians are encouraged to utilize the Patient Portal for direct secured access to their medical information. It is a violation of CH policy for an individual to look up their own medical record using system access privileges.
Business Sensitive Information
Information related to the business practices of Catholic Health is considered “business sensitive” and therefore must be kept confidential:
• Patient protected health information
• Budget/revenue information
• Strategic planning information
• Survey information
• Personnel-related information
• Performance/Quality Improvement data
• Proprietary information

Unintentional, Incidental Disclosures
Steps have been taken to avoid disclosure, but disclosure may have accidentally occurred. While not considered a HIPAA violation…
• Do the best that you can to maintain confidentiality under the circumstances
• Be mindful of areas at risk:
  • Emergency Room
  • Semi-private room
  • Waiting room

Expected Behaviors: Accountability
Individuals are expected to:
• use their system access privileges for the delivery of quality patient care and legitimate business needs;
• access only the Minimum Necessary (minimal) information needed to do their jobs;
• protect all confidential patient and business sensitive information to which they have access or otherwise receive;
• immediately notify if they believe that there has been improper/unauthorized access to the Catholic Health network;
• immediately notify if they believe that there has been improper use or sharing of confidential information in any format;
• comply with Catholic Health privacy and security policies that apply to use of or access to Catholic Health patient and proprietary information.
Breach of Protected Health Information (PHI)
Definition of a Breach: unauthorized acquisition, access, use, or disclosure of “unsecured” PHI that does not meet an exception.
• Secured: encryption or destruction
• Compromised: a Risk Assessment determines if breach notification is required

Unauthorized Access or Disclosure of PHI
• Violates HIPAA
• Fails to support patient rights
• Is not in alignment with CHS core values
• Violates CHS HIPAA Policies
• Opens the potential for fines and penalties
• Can negatively impact CHS
• Can negatively impact the person committing the breach
• Can negatively impact the patient
Example of HIPAA VIOLATION: Unauthorized Verbal Disclosure of Medical Record
“Joe, I just thought I’d give you a call and let you know that your neighbor, Mrs. Smith, had heart surgery last week – I am looking at her record now. You might want to go over and check on her later.”

Example of HIPAA VIOLATION: Public Discussion of PHI, Failure to Safeguard
“Did you hear what happened with Dr. Careless?”
“It was unfortunate that he left that instrument in Mrs. Blaine. She almost died from an infection.”
(Overheard:) Hmm… that’s my doctor. I think I will need to find another doctor…

Example of HIPAA VIOLATION: Social Media & Facebook Entries Regarding PHI & Events at Work
“…a guy came into the lab today and stole one of the laptops with patient information from the workstation. The guards were unable to find him…”
“…at our nursing home a confused patient got dressed and wandered out of the building… it took the staff 4 hours to find her – she was 10 blocks away…”
5 Social Media No-No’s
• Anything with a photo of a patient.
• The well-meaning breach. “Happy birthday Millie! I love being your nurse!”
• The failed attempt at anonymity. “Treated a pregnant teen tonight for an overdose. So sad…”
• The rant. “Alcoholic hockey players are so grumpy…”
• The HIPAA problem AND the dignity problem. “Tired of cranky patients who argue with me over which shirt to wear!”
By Margaret Scavotto, JD, CHC
Example of HIPAA VIOLATION: Sale of Patient Information
“…It was no problem… anytime you need this information I’ll provide it… of course I’m assuming you’ll still be providing me $15 for every referral”
“…thank you for supplying that list of pregnant patients… we would be happy to send them information on our new child care products”

Example of HIPAA VIOLATION: Unauthorized Access of Medical Record
“…Is that a patient from our group?”
“…No, my newborn niece is under the care of Dr. Trouble and has had some problems. I just want to see if her test results are back yet.”

Example of HIPAA VIOLATION: Unauthorized Disclosure of Protected Health Information
“Let’s review the papers that you were given upon discharge from the hospital.”
“Well this will make you laugh. It says that I am pregnant. Oh look here, I was given someone else’s discharge papers.”

Potential HIPAA Violation, Risk for Identity Theft and Potential Patient Harm
“I thought the information was close enough. I guess being off by only one character does make a difference.”
Failure to properly identify or input information into the computer system
System Access: Case Studies
Dan works in radiology. He overheard his co-worker talking about taking x-rays of a patient who is CEO of a major corporation in town. The patient was in an accident and the local media has been reporting on the story. Dan used his authorized access to review the CEO’s record. That evening he posted details of the case on his Facebook page.
• This action is a privacy and security violation: Dan did not need this information for legitimate business or treatment purposes. He accessed the information without patient authorization. He disclosed the information without patient authorization using a social network site. The fact that the patient’s accident was a story in the local media does not mean that Dan can ignore privacy and security policies and procedures. Posting the information on the social media site compounded Dan’s policy violations.
• Depending on why his co-worker was discussing the x-ray of the CEO (gossip vs. a treatment-related discussion), the co-worker may also have committed a privacy breach.

System Access: Case Studies
Laura is in a custody battle with her ex-husband, Sam. Sam’s fiancée, Stacey, has access to Laura’s EMR. Stacey used her authorized access to review Laura’s chart and report back to Sam what she found out, with the hope that the information will support his custody case.
• This action is a privacy and security violation: Stacey did not need access to this information for legitimate treatment purposes; she accessed and disclosed Laura’s information solely for personal reasons. Stacey’s actions can potentially cause great harm to the patient. There is no justification for Stacey’s actions.

System Access: Case Studies
Marcia and Lily are “long-timers” at the hospital and have known each other for years. They don’t socialize much after work but consider each other good friends. Marcia learns from a co-worker that Lily was admitted through the ED over the weekend and it looks like she will be taking an extended medical leave. Marcia is concerned about Lily, so she uses her authorized access to look up Lily’s ED and admit report to find out what’s wrong with her.
• This action is a privacy and security violation: Marcia did not need to access Lily’s information for legitimate treatment or business purposes. If Marcia was concerned about Lily, she should have tried to contact Lily or someone in Lily’s family. Care, curiosity or concern about a friend or co-worker does not justify unauthorized use of system access privileges.
Auditing and Monitoring of System Access Activity
Top reason for reported privacy and security policy violations:
• Inappropriate access of the Electronic Medical Health Record (EMR) of family, friends, and co-workers by staff.
Risk will increase with the increased use of the EMR.
Catholic Health associates’ system access activity is monitored and audited on an on-going basis to ensure compliance with access privilege standards. Auditing and monitoring of system access activity:
• holds users accountable for their actions;
• serves as a deterrent to unauthorized access;
• helps determine whether access meets the standards for Minimum Necessary.
Security safeguards under Federal patient privacy regulations (HIPAA) require monitoring of user access.

Education Law § 6530 (23), New York State Department of Health
The following is professional misconduct for a physician, physician’s assistant or a specialist’s assistant: “Revealing of personally identifiable facts, data, or information obtained in a professional capacity without the prior consent of the patient, except as authorized or required by law.”
Penalties for HIPAA Violations
• Applicable to Catholic Health and to the individual responsible for the breach
• Penalties (Civil & Criminal):
  - Knowing and wrongful disclosure: up to $50,000 and 1 year in prison
  - Disclosure under false pretenses: not more than $100,000 and 5 years in prison
  - Disclosure with intent to profit or maliciously harm: not more than $250,000 and 10 years in prison
• Mandatory Civil Monetary Penalties for “willful neglect”, tiered based on type of breach ($25,000 to $1.5 Million)
• The State Attorney General, on behalf of the patient, can sue the person responsible for the breach.

HIPAA Policies are found on the Catholic Health Internet and Intranet (M-Files)
Includes both:
• Privacy Policies
• Security Policies

Catholic Health HIPAA Contacts
Duty to report suspected or actual HIPAA violations immediately to one of the following:
• Chief Compliance & HIPAA Privacy Officer: Leonardo Sette-Camara, Esq., 821-4469
• IT Security & Chief Information Security Officer: Jeremy Walczak, 862-1777
• IT Help Desk: 828-3600
• CHS HIPAA Hotline: 862-1790
• Corporate Compliance HotLine (24/7): 1-888-200-5380
All calls are confidential.