HIPAA Privacy & Security Rules

Academic year: 2021


(1)

HIPAA Privacy & Security Rules

HITECH Act

(2)

Applicability

• If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to the Health Insurance Portability and Accountability Act (HIPAA).*

* This applies even if you believe you personally may not have access to individually identifiable health information.

(3)

Applicability

• As a Hybrid Covered Entity under HIPAA, Indiana University has established a HIPAA Privacy and Security Compliance Plan.

• As part of this Plan, the university has also established policies.

• Completion of this HIPAA training acts as your acknowledgement of IU's HIPAA Privacy and Security Compliance Plan.

(4)

Goals

• Our goal is to provide a secure environment for all health information provided to Indiana University, and to promote the personal responsibility and behaviors that ensure the privacy, security and integrity of sensitive information at Indiana University. Everyone has a role in this responsibility. Without your engagement, sensitive information can be breached or exposed.

(5)

Objectives

• The objectives of this module include:

• Increase your awareness of HIPAA Privacy and Security Rules as well as the HITECH Act

• Increase your awareness of the Indiana University HIPAA Compliance Plan & Policies

• Define HIPAA requirements & your responsibilities

• Identify patient sensitive information

• Identify privacy and security vulnerabilities

• Identify privacy and security safeguards

(6)

Health Insurance Portability and Accountability Act (HIPAA) - 1996

• HIPAA Privacy Rule – compliance date April 14, 2003

• Establishes national standards to protect individuals' medical records and other personal health information;

• Established patients' rights;

• Requires appropriate Administrative, Physical and Technical safeguards to protect the privacy of personal health information;

• Sets limits and conditions on the uses and disclosures of patients' personal health information that may be made without an authorization.

(7)

Health Insurance Portability and Accountability Act (HIPAA) - 1996

• HIPAA Security Rule – compliance date April 21, 2005

• Establishes national standards to protect individuals' electronic personal health information;

• Requires appropriate Administrative, Physical and Technical safeguards to protect the security of personal health information;

• Requires a Covered Entity to ensure the confidentiality, integrity, availability and security of electronic protected health information (ePHI). Note that the Security Rule covers PHI in electronic form only; paper and oral PHI are protected by the Privacy Rule.

(8)

Health Insurance Portability and Accountability Act (HIPAA) - 1996

• HITECH Act – signed February 2009

• Improved enforcement of HIPAA;

• Increased civil monetary penalties;

• Requires notification to individuals whose personal health information is involved in a breach;

• Requires Business Associates to comply with the HIPAA Privacy and Security Rules;

• Applies civil monetary penalties directly to Business Associates.

(9)

HIPAA - Terms

Covered Entity (CE)

• Healthcare organizations that conduct financial and administrative transactions electronically. Includes:

• Health Plans (Anthem, Medicare, Medicaid, IU's Health Plan, etc.)

• Healthcare Clearinghouses (claims processing)

• Healthcare Providers (hospitals, physicians, dentists, optometrists, chiropractors, pharmacies, etc.)

• Examples of a qualifying transaction:

1) An electronic claim submitted to Medicare, Medicaid or a commercial insurer

2) Submitting member information from IU to the Health Plans

(10)

HIPAA - Terms

Workforce

• HIPAA defines the workforce to include:

"employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."

• Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.

(11)

HIPAA - Terms

Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (CE).

• Not a member of the CE's workforce;

• Requires a Business Associate Agreement (BAA) before PHI is shared;

• One CE can be a Business Associate to another CE;

• The Business Associate requirements do not apply when a CE discloses PHI to a healthcare provider for treatment purposes.

(12)

HIPAA - Terms

• PII (Personally Identifiable Information)

Any data about a patient that could potentially identify them, such as:

• Name

• Address

• Driver license number

• Payment information

• Date of birth

• Social security number

• Photographic images

• Other private information that one would generally want to protect from public disclosure

(13)

HIPAA - Terms

• PHI (Protected Health Information)

Individually identifiable information about a patient's health, in any form (paper, electronic or oral), that is created or received by a Covered Entity or its Business Associate. It includes:

• PII, when it is collected by a Covered Entity together with health information (the identifiers are what make health information "identifiable")

• Medical history

• Test and laboratory results

• Insurance information

• Data collected by a healthcare professional to identify an individual and determine appropriate care

• Data collected by a health plan

(14)

HIPAA - Terms

Minimum Necessary

• HIPAA requires that you take reasonable steps to limit the

• Use of

• Disclosure of

• Request for

PHI to the "Minimum Necessary" to accomplish the assigned duty, task or intended purpose.

• Minimum Necessary does not apply to uses or disclosures for Treatment (nor to disclosures to the patient or made under the patient's written authorization).

• Only use and disclose PHI when you have a business need to do so.

(15)

HIPAA – Indiana University

IU - Hybrid Covered Entity

These Areas must comply with the IU HIPAA Privacy & Security Plan:

• Healthcare Components (Covered Components)

• This means that if these areas were not part of IU, they would be a Covered Entity in their own right

• Areas that provide Business Associate type services to the IU Healthcare Components or to external Covered Entities

• Other HIPAA Affected Areas that have access to PHI for Education and Research purposes

(16)

HIPAA – Indiana University

• IU's Healthcare Components include, but are not limited to:

• School of Medicine

• School of Dentistry

• School of Optometry

• IU's Health Plan

• Speech & Hearing

• Health Center - Bloomington & Indianapolis

(17)

HIPAA – Indiana University

• Areas at IU which perform Business Associate

type functions include, but are not limited to:

• School of Nursing

• UITS (Research Technologies, Intelligent Infrastructure, etc.)

• Financial Services/Accounting

• Research Compliance

• Internal Audit

• University Counsel

(18)

HIPAA – Indiana University

• Areas at IU which might access PHI for Education or Research purposes, or act as a Business Associate for outside Covered Entities, include but are not limited to:

• School of Social Work

• School of Health, Physical Education & Recreation (HPER)

• School of Health & Rehabilitation Sciences

• Department of Psychology & Brain Sciences

(19)

HIPAA – Notice of Privacy Practices

• The Notice of Privacy Practices is a document that describes how we might use and disclose patient sensitive information and informs patients or members how we might use their health information;

• It should be provided to all patients upon their first visit to an IU treatment facility; or

• Provided to all participants in IU's Health Plan.

(20)

HIPAA – Patients’ Right to Privacy

• Sensitive information may be disclosed without the patient's authorization:

• To Treat a patient

• To receive Payment for services provided to a patient

• To perform daily healthcare Operations (together known as TPO)

• Patients have the right to (including but not limited to):

• Receive a copy of the Notice of Privacy Practices

• Inspect and request a copy of their health information

• Request an amendment to their medical record

• Request restrictions on the use of their health information

• Request confidential or alternative means of communication

(21)

HIPAA – Patients’ Right to Privacy

• Never view sensitive patient, family or employee information without a business need-to-know or a provider relationship which allows for such an action.

• Access to PHI is granted only for a business purpose, not for personal use.

• Unauthorized access to or disclosure of patient information is subject to disciplinary action, up to and including termination of employment.

(22)

HIPAA – Major Concepts

• Safeguard PHI during use & disclosure

• Administrative

• Physical

• Technical

• HIPAA Awareness Training of Workforce

• All Forms of PHI

• Paper

• Electronic

• Oral Communication

(23)

HIPAA – Safeguards

• Always place medical records and forms containing patient information face down or away from view;

• Turn or block your computer monitor screens from public view;

• Dispose of unnecessary patient information in proper receptacles for shredding;

• Discuss patient information privately, not in elevators, lobbies, coffee shops or other public areas.

(24)

HIPAA – Safeguards

• Use lowered voices and limit access to areas where patient/member information is discussed;

• Supervise non-employees while in a work area;

• Request only the minimum necessary information for your specific task or purpose (except for Treatment);

• Determine appropriate procedures when contacting patients in general, such as verifying the identity of the person you are speaking to before disclosing any information.

(25)

HIPAA – Safeguards

• Any mobile device that may store University sensitive data such as PHI must be encrypted;

• IU offers PGP encryption software free of charge;

• Encrypt portable storage devices and keep them out of public view;

• DO NOT share system passphrases with ANYONE;

• Change your passphrase on a regular basis;

• Select a passphrase that cannot be easily guessed;

• DO NOT tape passwords to ID badges, computers, monitors, keyboards, in desk drawers, etc.;

• DO NOT assume any public area is "safe" to leave your device, even for just a moment.

(26)

HIPAA – Safeguards

• Dispose of storage media in a safe and secure manner;

• Make sure timeout precautions are active;

• Always log off applications or lock your computer if you are going away from your workstation;

• Save information on secure network drives, not on local disks;

• Use [secure message], secure message, [confidential] or confidential in the subject line when using IU's Exchange email to share sensitive information (this will encrypt the outgoing message). Because the tag is supplied by the sender, a message sent without it is not encrypted, so check the subject line before you send.

(27)

HIPAA – Safeguards

• User sign-on activity is tied to your unique user sign-on identification and passphrase;

• Your activity may be logged and monitored by Information Services to ensure appropriate uses and disclosures of PHI;

• Log off after you have completed your work, so that someone else cannot access the system under your log-on.

* You are held responsible for any information accessed or work completed under your sign-on.
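The logging and monitoring described above only protects patients if someone actually reviews the access trail. The following is an added example, not part of the IU training module, of two simple checks an audit reviewer might run over PHI access logs: access to a patient the user has no documented treatment or business relationship with, and rapid browsing of many records in a short window. The log format, the user names, the patient IDs and the assignment table are all constructed for illustration and are not IU systems or data.

```python
"""Added example (not part of the IU training deck): a minimal review of
PHI access logs of the kind the deck says Information Services may
monitor. Log format, users, patient IDs and assignments are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str         # the unique sign-on the deck says activity is tied to
    patient_id: str
    action: str       # e.g. "view", "print", "export"


# Constructed sample log: "timestamp|user|patient|action", one event per line.
SAMPLE_LOG = """\
2021-03-01T08:02:11|nurse_a|P1001|view
2021-03-01T08:05:40|nurse_a|P1002|view
2021-03-01T09:10:03|clerk_b|P1001|view
2021-03-01T09:11:15|clerk_b|P1001|print
2021-03-01T12:30:00|nurse_a|P1002|view
2021-03-01T12:31:00|nurse_a|P1003|view
2021-03-01T12:31:05|nurse_a|P1004|view
2021-03-01T12:31:09|nurse_a|P1005|view
"""

# Constructed: which patients each user has a documented relationship with
# (care-team assignment, billing responsibility, etc.).
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1001"},
}


def parse_log(text):
    """Parse the pipe-separated log into AccessEvent records, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def unassigned_accesses(events, assignments):
    """Accesses to patients the user has no documented relationship with.

    These are the events a reviewer would ask the user to justify; a user
    absent from the assignment table has no legitimate access at all."""
    return [e for e in events
            if e.patient_id not in assignments.get(e.user, set())]


def rapid_lookups(events, window=timedelta(seconds=30), threshold=3):
    """Users who touch at least `threshold` distinct patients inside any
    `window`, a pattern that looks like browsing rather than delivering care.
    Returns {user: largest number of distinct patients seen in one window}."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            patients = {x.patient_id for x in evs[i:] if x.ts - start.ts <= window}
            if len(patients) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unassigned_accesses(evs, ASSIGNMENTS):
        print(f"no relationship: {e.user} {e.action} {e.patient_id} at {e.ts}")
    for user, n in rapid_lookups(evs).items():
        print(f"rapid browsing: {user} viewed {n} patients within 30s")
```

On the constructed log, nurse_a's three views at 12:31 are flagged by both checks: none of P1003, P1004 or P1005 is on the assignment list, and three distinct records in nine seconds is browsing, not treatment. clerk_b's two events are not flagged, since both touch an assigned patient. In a real deployment the assignment table would come from scheduling or the EHR, and both checks should generate a review ticket rather than an automatic block, because emergency "break-the-glass" access legitimately looks like the first pattern.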

(28)

HIPAA – Safeguards

• Be conscious of the information you are carrying with you (electronic or on paper).

• Do not leave sensitive information unattended where the information could be viewed or taken by others.

Over 60% of breaches involving 500 or more individuals are a result of stolen, unencrypted devices such as laptops, USB drives, desktops and backup disks.

(29)

BREACH

• When there is a breach or potential breach (e.g. when equipment or data are lost or stolen), prompt action is critical.

• Notify your Manager, Supervisor or Privacy Officer immediately and follow IU's sensitive data incident reporting procedures.

• The faster the breach or vulnerability is investigated and understood, the faster we can respond.

http://protect.iu.edu/cybersecurity/incident/sensitive-data

• IU is legally required to notify regulatory agencies and those impacted by a data breach.

(30)

Social Media

• All IU employees have an obligation to protect the privacy and confidentiality of patients, subjects, their families, and other employees … even when not at work.

• Social Media sites like Facebook, Twitter, MySpace, YouTube, LinkedIn, etc. require extra care to prevent privacy breaches.

• Never post patients' health information on Social Media, even if you believe it to be de-identified.

• Be aware of the threats and associated risks of using these services, which include damage to the patient, user and/or organization, risks of media exposure, civil penalties, or infection by malicious computer software such as viruses or worms.

(31)

Social Media

• Sharing any private or confidential patient information on the Internet is a breach of patient confidentiality and a violation of HIPAA, IU policies and other applicable laws;

• Violators are subject to immediate discipline, up to and including termination;

• Report any known or suspected activity to your Manager, Supervisor, Privacy Officer or the compliance notification line:

• 877-526-6759

• https://iu.alertline.com

(32)

Social Networking Reminders

• Do not take pictures of patients without a healthcare purpose and a written consent from the patient on file in the medical record.

• Do not take pictures of patients with personal cameras or personal cell phones for personal use.

• Do not post patient pictures or information about patients on any Internet forums or social networking sites (e.g. Facebook, Twitter, professional association blogs, newspaper blogs, etc.)

• Do not post any pictures of patients received from the patient or their family.

• Do not discuss patient information on social networking sites.

(33)

Conclusion

• Protecting patient privacy and maintaining a secure information environment is everyone’s job!

• It is your responsibility to report information privacy and security concerns to your Manager, Supervisor or Privacy Officer.

• Employees should feel comfortable knowing that IU may not intimidate, threaten, coerce, discriminate

against or take retaliatory action when employees file complaints.

(34)

Conclusion

• Violation of the HIPAA Privacy and Security Rules will be subject to:

• IU progressive disciplinary procedures, including the possible loss of computer system privileges and/or termination of employment;

• Possible prosecution by state and federal authorities, including fines and jail sentences.

(35)

Contact

• Leslie J. Pfeffer, BS, CHP
Interim University HIPAA Privacy Officer
[email protected] (317) 278-4521

• Eric W. Schmidt, CISSP, CISM
Interim University HIPAA Security Officer
[email protected] (317) 278-8751

(36)

HIPAA Basic Training Attestation Statement

I have reviewed the HIPAA basic training module, which includes information regarding the Privacy and Security regulations, the IU HIPAA Privacy and Security Compliance Plan and my responsibilities under those regulations and the Plan.

Signature ______________________________________

Printed Name ______________________________________

Date _________________________________________

Please provide a copy of this attestation to the HIPAA Liaison for your department.
