HIPAA PRIVACY 101 Orientation for the University of Maryland Dental School and U.M. FDSP
What's HIPAA? Health Insurance Portability and Accountability Act of 1996 • An act that sets standards for national electronic health data systems. • Simplifies submission of electronic insurance claims. • Section 264: Contains privacy provisions covering the transmission, uses, storage and disclosure of health information. Electronic databases increase the risk of invasion of privacy.
HIPAA – How do we prepare? • Health and Human Services expects us to do what is REASONABLE, but "reasonable" has not been defined by the courts. We must be compliant with the privacy regulations by April 14, 2003.
HIPAA Glossary of Terms • HIPAA: Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191) • IIHI: Individually identifiable health information • OCR: Office for Civil Rights • PHI: Protected Health Information • HCFA: Health Care Financing Administration • TPO: Treatment, payment, operations
“PHI” • Protected health information includes any information that: • Relates to the health of the individual and … • Can be used to identify the individual but … • Does not include education records covered by the Family Educational Rights and Privacy Act (FERPA)
PHI includes:
• Name
• Address (all geographic detail smaller than a state, except the first 3 digits of the ZIP code)
• Birthdate and other dates, with limits on age (ages over 89 are aggregated)
• Telephone & FAX numbers
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Vehicle ID and serial numbers
• Device ID and serial numbers
• Web addresses (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• FULL FACE PHOTOGRAPHS
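The identifier list above is the one HIPAA's Safe Harbor de-identification method requires to be removed before a record stops being PHI. The following is an added example, not part of the original orientation deck, of how a script can strip a record down to what Safe Harbor lets us keep: direct identifiers dropped, the ZIP code truncated to its first three digits, dates reduced to the year, ages over 89 aggregated, and identifiers that hide inside free-text notes replaced by tags. The record, field names, regular expressions and the "low-population ZIP prefix" set are constructed for illustration and are assumptions, not a complete or certified de-identification tool.

```python
"""Safe Harbor-style scrubber for the identifier list above (added example)."""
import re
from datetime import date

# Regexes for identifiers that appear inside free text. Constructed for this
# example; illustrative, not exhaustive.
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://[\w./?=&#%-]+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN", re.compile(r"\bMRN[ :#]*\d+", re.IGNORECASE)),
]

# Fields that are removed outright (names assumed for this example).
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account", "license", "vehicle_id", "device_id", "photo", "biometric",
}

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "dob": "1912-03-02",
    "ssn": "123-45-6789",
    "zip": "21201",
    "email": "jane@example.org",
    "diagnosis": "periodontitis",
    "notes": "Call 410-555-0123; SSN 123-45-6789; MRN 4471; chart at https://example.org/c/4471",
}


def scrub_text(text):
    """Replace each recognisable identifier in free text with a bracketed tag."""
    for tag, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{tag}]", text)
    return text


def truncate_zip(zip_code, low_population_prefixes=frozenset()):
    """Keep only the first 3 ZIP digits. Safe Harbor also requires prefixes whose
    area holds 20,000 or fewer people to become '000'; the caller supplies that
    set (assumed here, not computed from census data)."""
    prefix = zip_code[:3]
    return "000" if prefix in low_population_prefixes else prefix


def generalize_birthdate(dob_iso, as_of_iso):
    """Reduce a date of birth to its year; ages over 89 lose the year entirely
    and collapse into the single category '90 or older'."""
    dob = date.fromisoformat(dob_iso)
    as_of = date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90 or older" if age > 89 else str(dob.year)


def deidentify(record, as_of_iso, low_population_prefixes=frozenset()):
    """Return a new dict holding only what Safe Harbor lets us keep."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = truncate_zip(value, low_population_prefixes)
        elif key == "dob":
            out["birth_year"] = generalize_birthdate(value, as_of_iso)
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value  # clinical content (e.g. diagnosis) is kept
    return out


def deidentify_sample():
    """Run the scrubber over the constructed record as of the compliance date."""
    return deidentify(SAMPLE_RECORD, "2003-04-14")


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Free-text scrubbing is the weak point of any such tool: the regexes catch structured identifiers (numbers, addresses, URLs) but not a name typed into a note, so a scrubbed chart still needs a human review before it leaves the covered part of the school.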
Examples of PHI used at the Dental School: • Patient dental records • Dental bills • Routing control forms • Receipts • Doctor appointment schedules • X-rays with name/medical record number/social security number, etc. • Laboratory prescriptions, including prescriptions for dental prostheses (crowns, partials, dentures, etc.) • Insurance forms
PENALTIES FOR NON-COMPLIANCE WITH HIPAA • Civil: $100 fine per violation of each standard (up to $25,000 per year for violations of the same standard). • Criminal: $50,000 fine + one year in prison for knowingly disclosing health information improperly. • $100,000 fine + five years in prison for obtaining health information under false pretenses. • $250,000 fine + ten years in prison for using health information for personal gain or malicious harm.
Sanctions policy • We are required by law to sanction students, staff and faculty who violate HIPAA regulations. • Disciplinary action (up to and including termination or student dismissal) may result from a violation of our HIPAA policies and procedures.
“Real Life” Examples of Privacy Breaches • Documents referring to over 125 psychiatric patients of a hospital were found in a convenience store trashcan. A medical student had taken papers outside of the hospital and dumped them in the trash. The documents included lists of patients in the psychiatric unit and their diagnoses. • Doctor’s staff looked up employee’s medical record to learn about her birthday so they could throw her a surprise birthday party. Employee’s medical record contained many sensitive details previously unknown to the staff.
Other examples of violations • Giving a former student the name, phone number, and chart information of a possible board patient. • Telling a friend that someone is a patient at the Dental School. • Talking about patients in the hallway or elevator. • Disclosing that someone is your patient in a situation that is not related to the patient’s treatment (e.g., telling others about famous people you treat in your practice).
HIPAA grants all patients these rights. We must have processes in place to facilitate these rights by April 14, 2003: • Receive a Notice of Privacy Practices • See and obtain a copy of their own health and billing records • Request corrections to health information • Obtain an accounting of disclosures • Request restrictions and confidential communications • Name a personal representative • File complaints
Right to Receive Notice of Privacy Practices Each patient will be given a Notice of Privacy Practices (NPP) at the first treatment encounter after April 14, 2003. • The NPP will tell our patients: • Types of uses and disclosures we make • Their patient rights • How they may register a complaint • The NPP must also be posted in each clinic. • The patient will sign to indicate that they have received the notice.
Patient Acknowledgment of Receipt of NPP A “good faith” effort must be made to get the patient’s written acknowledgment that they received the NPP at the first treatment encounter. • If we cannot get the acknowledgment, we must document our “good faith” efforts to obtain the acknowledgment. Simply place a note in the chart that the patient refused or forgot to sign the acknowledgement, but the patient was given the NPP. • We must keep a record of the acknowledgment (or our effort to obtain one) for at least six years. This is accomplished by placing the acknowledgment or note about our efforts to get an acknowledgment in the written chart. Written charts of the Dental School are kept for seven years before they are destroyed.
Right to Request Access and Copying of PHI • Right to access and copy generally applies only to PHI in the medical record or billing record. • Timely action: Access must be provided no later than 30 days after receipt of request; copies must be provided no later than 21 working days after receipt of request. • We can deny access with reason. • We may charge for copying PHI unless prohibited by federal or state law, or a commercial contract. We charge $15.00 to copy a dental record, with additional charges for radiographs. • All requests must go through Office of Clinical Affairs. Do not duplicate records in individual clinics.
Right to Request Amendment of PHI • Applies only to PHI in a dental, medical or billing record • Requests may be denied if: • PHI was not created by us (unless the originator is no longer available to receive the request to amend) • PHI is not part of medical record or billing record • Records at issue are no longer available, or • PHI is already accurate and complete. • Denials must be in writing, and must give basis for denial.
Right to Request an Accounting of Disclosures • Individuals have a right to receive an accounting of some disclosures made after April 14, 2003 by Dental School. • No accounting is required for disclosures made: • For treatment, payment or health care operations purposes • To the individual • Incidentally to treatment, payment or health care operations disclosures • Based on a valid written authorization • For certain other law enforcement, national security and disaster relief effort purposes, or • Prior to April 14, 2003.
Right to Request Restrictions on Uses and Disclosures • We must permit requests to be made, but need not grant all requests. • Even if a request is granted, an “emergency exception” will allow disclosures as needed to provide emergency treatment.
Right to Request Alternative Channels of Communications • Alternative channels include for example, calling a patient at an alternate phone number or mailing information to an alternate location. • Reasonable requests for alternative channels of communications will be granted, and the patient must not be asked the reason for the request. • The computer system and written record will indicate that we have honored this request.
Right to Name a personal representative • This is not the same as power of attorney, which takes a court order. These individuals cannot consent for treatment. • Please note in the written record the name of the personal representative or have the patient fill out a form naming a personal representative. The patient can name a personal representative verbally or with written notice.
Right to Submit a Complaint • Individuals have a right to complain about the privacy policies and procedures directly to the Dental School, or to the federal Department of Health and Human Services. • We must: • Investigate the complaint in a timely manner and inform the patient of the findings and actions, if any. • Take appropriate actions against members of our workforce who do not follow our privacy policies and procedures. • Minimize, to the extent possible, any harmful effects of unauthorized or accidental uses or disclosures. • Not intimidate, threaten, coerce or otherwise retaliate against anyone who files a complaint or exercises any of their other rights under the HIPAA Privacy rules.
New procedures • “Minimum necessary” is the buzz phrase for PHI – only request what is needed, and only disclose what is needed. “Minimum necessary” varies according to a person’s job. A receptionist does not need to know all the details of a patient’s medical history to do his or her job. • We cannot disclose PHI to the portions of the Dental School not involved with patient care. We must ensure this does not happen, as part of our hybrid entity status.
New procedures • Patient requests for amendments will go through the PCCs. They will also receive complaints about privacy practices. The Office of Clinical Affairs will investigate. • Restrictions on disclosures will go through the business managers, as will requests for a list of disclosures. • Dr. Atkinson is the chief privacy officer; Mr. Wong is in charge of electronic and computer security. • We must keep all of the written requests and our responses for six years.
Covered entities may use & disclose health information only: • For treatment, payment, and health care operations (TPO). This includes education, as it is a function of our operations. This is a use, not a disclosure. • To a business associate with whom we have an agreement. • After an opportunity to agree or object through the notice of privacy practices. • Without consent for specific public purposes: public health, law enforcement, oversight, etc. • As AUTHORIZED by the individual for everything else.
Business Associates
Who is a Business Associate? Business associates may include:
• Answering and transcription services
• Accountants, lawyers, auditors, consultants
• Third party administrators
• Billing companies
• Collection agencies
• Collaborating researchers at other institutions (for these business associates other confidentiality agreements may be required)
Who is NOT a Business Associate?
• Health care providers when receiving PHI for treatment-related purposes (e.g., dental laboratories)
• HMOs, health insurers, and group health plans
• Vendors who have only incidental contact with PHI (postal workers, cleaning and repair services, and plant maintenance services)
Authorizations A valid written authorization must contain the following: • Who may use or disclose the information • Who may receive the information • Purpose of the use or disclosure • Expiration date or event • Individual’s signature and date • A statement about the right to revoke • A statement about the right to refuse to sign • Redisclosure statement
Authorizations • Maryland law states PHI can only be authorized for disclosure for one year. This would apply to the use of a full-face photograph in a study club presentation. • A consent form for research (a clinical trial) is different from an authorization. • Patients enrolled in clinical trials after April 14, 2003 will sign both an authorization and an informed consent. In the case of research, the authorization can be longer than one year. The IRB will post an authorization form template on the Web. • A waiver for authorization for research can be granted by the IRB for retrospective studies.
Full-face photography • It is acceptable to show full-face photographs for education within your own institution. Education is one of our defined operations. • When publishing a photograph, the patient can authorize its use for multiple years to a non-HIPAA entity (such as a publisher). • The best solution is to only show the lower half of the face and limit full-face photography to when absolutely needed.
The Dental School must have appropriate physical, administrative and technical safeguards to reasonably protect PHI from any intentional or unintentional use or disclosure. • Safeguard information resources entrusted to you • Any record checked out to you is your responsibility. • Any paper containing PHI must be shredded, and not thrown away in the regular trash. • Lock up any chart or any information when you leave your desk at night. Lock office and control access to office keys. Lock up appointment books. • Unauthorized individuals should not be in areas where they can view PHI. • Limit PHI storage in offices – the chart is more secure. Get rid of un-needed old PHI (shred it!).
Other issues • Conversations with patients involving sensitive PHI should occur in private areas. • Discussion of PHI will occur only between certified individuals and the patient or designee, provided permission is obtained. • Use lowered voices in clinical treatment areas.
Incidental Uses and Disclosures • Some uses and disclosures of PHI happen as a result of an otherwise permitted use or disclosure and cannot reasonably be prevented: • Conversations that can be overheard in a waiting room, exam room or other patient accessible area • Patient charts kept outside of exam rooms • Appointment reminder messages left on a patient’s home answering machine • Front Desk sign in sheets and calling out a patient’s name • Each member of the workforce must take reasonable efforts to limit uses and disclosures to the minimum necessary, but HIPAA does not require that all risk of incidental disclosure of PHI be eliminated. Gossip is Not an Acceptable Incidental Use!
Verification Requirements for Disclosures • Verify the identity of the individual before making a disclosure. • Call to verify the FAX number before sending it. • Limit the use of FAX in 3E-32 to official use. • Use a cover sheet with a statement about confidentiality with any FAX containing PHI. • All Faxes will be put in envelopes when received if they contain PHI.
Research • Any researcher who has or is conducting IRB-approved research must do additional training (HIPAA 201). Please contact the IRB for more information.
Marketing and Fundraising are permitted…….but • ONLY WITH THE AUTHORIZATION OF THE INDIVIDUAL. Either activity must be cleared by the Office of Clinical Affairs.
Electronic Data - General Guidelines • It is the responsibility of every authorized data user to maintain confidentiality of University of Maryland Dental School health information assets even if technical security mechanisms fail or are absent. • A lack of security measures to protect the confidentiality of information does not imply that such information is public. • An authorized data user who finds that he or she has retained or been inadvertently granted additional access beyond that appropriate to his or her current role should report this to his or her current department director.
Password • Passwords are the individual’s responsibility and users must not share them. All computers holding PHI need password protection. • Passwords should be changed at least every ninety days. • Passwords should be at least six characters long (this is a floor; longer is better) and not easily guessed or found in a dictionary. Adding numeric digits and non-alphanumeric characters is encouraged for protection of confidential information. • Users should not write down passwords, store them on hard copy, or store them locally on workstations and laptop computers.
email • Email usage guidelines • Do not use an off-campus or non-secure email account (e.g. AOL, Hotmail) to send, receive, forward or relay email that contains PHI. • Sharing email accounts or mail boxes on an email system is not permitted. • No employee may automatically forward mail outside of the UMB. Do not send email with PHI outside of the school / campus network if possible. • Do not originate communication with a patient or research subject via email. • “Instant Messaging” programs are not secure. They should not be used to transmit patient health information
email • Do not put the patient’s name, number or other PHI in the subject field. • Print out a copy of PHI-containing emails and place it in the written record.
email disclaimer This email may contain confidential information and may be protected by law as a legally privileged document and copyright work. Its content should not be disclosed and it should not be given or copied to anyone other than the person(s) named or referenced above. Any review, retransmission, dissemination, or other use of this information by other than the intended recipient is prohibited. If you have received this email in error, please contact the sender.
Anti-Virus • Computer viruses • OIT-managed workstations will have Norton Anti-Virus software set up. • Norton Anti-Virus software may be purchased for home computer use at the front desk of the Health Science Library. • Verify with the sender if you receive an unexpected attachment before opening it. • Never open any attachment in email from an unknown sender. • Hoax/chain letters • If you receive a virus warning email, do not forward it to others; verify it with the Office of Information Technology (OIT). Never forward any chain letter to others. • “SPAM” junk email • Delete the email. • Report it to UCE@ftc.gov
Portable Devices • Storing patient health information in portable devices (laptop, PDA, tablet PC, etc) is not recommended. • If you choose to store patient health information in portable devices, you are responsible for the security of this information (e.g. strong password protection for accessing the device, file encryption, proper disposal of unwanted storage media)
Wireless network • It is the current school policy to disallow any wireless network or installation of any wireless access point (hub). • If you use a laptop with a wireless network card, you must disable the wireless card when connecting to a LAN jack in the school. • A campus wide standard will be implemented to provide wireless access to information systems.