HIPAA Privacy and Security
Cindy Cummings, RHIT February, 2015
HIPAA Privacy and Security
The regulation is designed to safeguard Protected Health Information, referred to as PHI, and electronic Protected Health Information, referred to as ePHI.
Authorization
Facilities must obtain authorization from patients before using or sharing their PHI or ePHI for reasons other than treatment, payment, or health care operations.
What is Confidential?
• Medical Record #
• Name
• Address
• Telephone Number
• Age
• Social Security #
• E-mail address
• Medical History
• Diagnosis
• Medications
• Observations
• And More
Breach Notification Requirements
• Individual Notices
• Media Notices
• Notice to the Secretary
• Notification by a Business Associate
Individual Notice
Covered entities (that’s HOB, Hospice of the Bluegrass):
• Must notify affected individuals once we discover a breach of unsecured protected health information.
• Must provide this individual notice in writing by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive it that way.
• If HOB has insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice:
– Post the notice on the home page of its web site,
– Or provide the notice in major print/broadcast media where the affected individuals likely reside.
– Must include a toll-free number for individuals to contact HOB to determine if their protected health information was involved in the breach.
– If fewer than 10 individuals, HOB may provide substitute notice by an alternative form of written, telephone, or other means.
• The individual notifications must be provided without unreasonable delay:
– No later than 60 days following the discovery of a breach.
– Must include, to the extent possible:
• a description of the breach,
• a description of the types of information that were involved in the breach,
• the steps affected individuals should take to protect themselves from potential harm,
• a brief description of what HOB is doing to investigate the breach, mitigate the harm, and prevent further breaches,
• contact information for HOB.
Media Notice
If HOB has a breach affecting more than 500 residents of a State, jurisdiction or area:
– Besides notifying the affected individuals, HOB is required to provide notice to prominent media outlets serving the State or jurisdiction.
– HOB would likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.
Like individual notice, this media notification must be provided without unreasonable delay:
– In no case later than 60 days following the discovery of a breach.
– Must include the same information required for the individual notice.
Notice to the Secretary (HHS)
In addition to notifying affected individuals and the media (where appropriate), HOB must notify the Secretary of breaches of unsecured protected health information.
HOB notifies the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify HOB following the discovery of the breach.
A business associate must provide notice to HOB without unreasonable delay and no later than 60 days from the discovery of the breach.
To the extent possible, the business associate should provide HOB with the identification of each individual affected by the breach as well as any information required to be provided by HOB in its notification to affected individuals.
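The four notification rules above (individual, media, Secretary, business associate) encoded as a small incident-response helper. This is an added example, not Hospice of the Bluegrass’s own tooling: the thresholds and the 60-day window come from the slides, while the function and field names, the use of the discovery date to pick the annual-report year, and the assumption that all affected individuals live in one State or jurisdiction are this example’s own.

```python
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "no later than 60 days" in every rule on the slides


def breach_obligations(discovered: str, affected: int, stale_contacts: int = 0,
                       at_business_associate: bool = False) -> dict:
    """Return {'deadlines': {notice: 'YYYY-MM-DD'}, 'notes': [...]} for a breach of
    unsecured PHI discovered on `discovered` (ISO date) that involved `affected`
    individuals, `stale_contacts` of whom have insufficient or out-of-date
    contact information. Names and structure are this example's assumptions."""
    found = date.fromisoformat(discovered)
    due = (found + NOTICE_WINDOW).isoformat()
    deadlines, notes = {}, []

    if at_business_associate:
        # The business associate must notify HOB within the same 60-day window and,
        # to the extent possible, identify each affected individual.
        deadlines["business_associate_to_hob"] = due
        notes.append("business associate to identify each affected individual")

    # Individual notice: in writing by first-class mail (or e-mail if agreed).
    deadlines["individual"] = due
    if stale_contacts >= 10:
        notes.append("substitute notice: home page of web site or major print/broadcast"
                     " media, with a toll-free number")
    elif stale_contacts > 0:
        notes.append("substitute notice by alternative written, telephone or other means")

    # Media notice: more than 500 residents of a State/jurisdiction. Assumption of
    # this example: all affected individuals reside in one jurisdiction.
    if affected > 500:
        deadlines["media"] = due

    # Notice to the Secretary (HHS): 500 or more -> same 60-day window; fewer ->
    # may be reported annually, due 60 days after the end of the calendar year in
    # which the breach occurred (the discovery year stands in for that here).
    if affected >= 500:
        deadlines["secretary"] = due
    else:
        deadlines["secretary"] = (date(found.year, 12, 31) + NOTICE_WINDOW).isoformat()

    return {"deadlines": deadlines, "notes": notes}


if __name__ == "__main__":
    # Constructed scenario: 1,200 individuals, 12 with stale contact details.
    print(breach_obligations("2015-02-10", 1200, stale_contacts=12))
```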
No Big Deal
Right?
Wrong!!!!!
Violations

HIPAA Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to reasonable cause and not due to willful neglect
  Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period
  Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation is due to willful neglect and is not corrected
  Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
They Mean Business:
• Since the compliance date in April 2003, HHS has received over 83,681 HIPAA complaints.
Status of All Complaints
  Complaints Remaining Open: 7,102 (8%)
  Total Complaints Resolved: 76,579 (92%)
  Total Complaints Received: 83,861
They Mean Business:
• Incident: A Massachusetts General Hospital employee took some work home, but accidentally left 192 paper billing records (containing detailed protected health information) on the subway.
• Penalties: Even though it appears to have been an accident, severe penalties have been imposed on the hospital:
– $1 million fine
– Three-year corrective action plan of unprecedented oversight and intervention by the OCR, including the appointment of a designated OCR representative on premises to conduct audits and inspections and additional and frequent reporting to OCR on the hospital’s HIPAA compliance.
– Requirements to develop comprehensive policies and procedures on laptop and USB encryption, even though the breach involved paper records. The hospital must also implement a comprehensive training program on HIPAA policies and provide written certification that all staff have received and understand the policies.
They Mean Business:
• Incident: Thirteen staff members at UCLA accessed Britney Spears’ medical records without authorization.
• Penalty: UCLA fired the 13 individuals and suspended another 6.
How to Protect Patient Privacy
What is Information Security?
All the protections put into place to ensure ePHI is:
– Kept confidential
– Not improperly altered or destroyed
– Readily available to those who are authorized
Protect Patients’ Privacy
• Do not discuss patients in public areas such as elevators and cafeteria lines
• Do not leave information about a patient’s health on an answering machine
• Always close curtains and speak softly when discussing treatments in semi-private rooms
• Always log off the computer when you’re finished
• Always dispose of patient information only in locked containers
Protecting Patient Information
Keep your computer login and passwords a secret.
Rules for Using Computers
• Do not log into the system using someone else’s password
• Only access patient information that you need to do your job
• Keep computer screens pointed away from the public
• Do not copy ePHI onto a removable device such as a thumb drive, disc, etc.
How do I send a secure email?
It is relatively simple: the word Secure followed by a colon (Secure:) must appear somewhere in the subject line!
Examples are:
Subject: Secure: Conversation from yesterday
Subject: RE: conversation from yesterday Secure:
Subject: secure: RE: conversation from yesterday
Subject: Secure RE: conversation from yesterday
Subject: :Secure Conversation from yesterday
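The subject-line rule above as a pre-send check, added here as an example and not part of the hospice’s mail system. It applies the rule exactly as the slide states it, assumes the match is case-insensitive (the slide lists "secure:" in lowercase) and that the keyword is a whole word immediately followed by the colon, and uses the five subjects from the slide as its constructed inputs.

```python
import re

# Assumption of this example: whole word "secure", any case, directly followed by ":".
SECURE_TAG = re.compile(r"\bsecure:", re.IGNORECASE)


def will_be_sent_securely(subject: str) -> bool:
    """True when the subject contains the word Secure followed by a colon,
    anywhere in the line, which is what triggers secure delivery."""
    return SECURE_TAG.search(subject or "") is not None


def fix_subject(subject: str) -> str:
    """Prefix 'Secure: ' when the tag is missing, so a message about PHI is not
    sent in the clear because of a near-miss such as 'Secure RE:' or ':Secure'."""
    subject = subject or ""
    return subject if will_be_sent_securely(subject) else "Secure: " + subject


# Constructed inputs: the five subject lines shown on the slide.
SLIDE_SUBJECTS = [
    "Secure: Conversation from yesterday",
    "RE: conversation from yesterday Secure:",
    "secure: RE: conversation from yesterday",
    "Secure RE: conversation from yesterday",
    ":Secure Conversation from yesterday",
]

if __name__ == "__main__":
    for s in SLIDE_SUBJECTS:
        print(f"{str(will_be_sent_securely(s)):5}  {s}  ->  {fix_subject(s)}")
```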
Practice Common Sense Security
• Keep laptops and other portable devices locked when not in use
• Keep cell phones and pagers on your person at all times.
• Make sure doors and desks are locked as appropriate
Physical Security
The most frequent risk to using PDAs and laptops is theft.
• When transporting laptops (or any patient information) they should be stored in the floorboard area or in the trunk.
• Keep your car locked at all times.
Sanctions
• Hospice of the Bluegrass takes seriously the responsibility of privacy/security of all PHI in its care.
• Failure to adequately ensure the privacy/security of PHI can result in disciplinary action against you, up to and including:
– Dismissal
– Termination of Business Contract
– Reporting the violation to licensing agencies and law enforcement officials.
Scenarios – What Would You Do???
1. You are having lunch at a restaurant when someone notices your Hospice of the Bluegrass nametag. Their neighbor is a hospice patient and they want to know how the neighbor is doing. How do you handle that?
• A. Ignore them; they will go away eventually
• B. Tell them what they want to know
• C. Say you are sorry, but all patient information is confidential and therefore you cannot confirm or deny the person is a hospice patient.
The Answer is C
2. A patient has a Cancer Policy that pays them $100.00 per day that they were at HCC; they want you to complete the claim form. What do you do?
• A. Throw the form away; they will forget about it.
• B. Notify the Medical Record Department; they handle all release of information requests.
• C. Give the family the information and let them complete the form themselves.
The Answer is B
3. You are at the nursing home visiting a Hospice patient. You have a screen open on your laptop that has your schedule for the day. That schedule includes the names of patients you are planning to visit at another nursing home. You stop at the nurses’ station to give a report of your visit without closing your screen. Is this a HIPAA violation?