1. University of Connecticut October 4, 2007
HIPAA at UCONN: Protecting Health-Related Information in Educational Settings
University of Connecticut
October 4, 2007

2. Health Insurance Portability
and Accountability Act of 1996
(HIPAA)

3. Public Law 104-191 Designed to: assure health insurance portability
reduce health care fraud and abuse
guarantee integrity and confidentiality of health information
improve the operations of health care systems and reduce administrative costs
Establishes:
Standards for privacy
Standards for security of health data
Standards for eight electronic transactions and the code sets to be used in those transactions
Unique health identifiers
HIPAA amends and is part of the Social Security Act of 1986.

4. HIPAA Applicability and Scope
Everyone in healthcare and health-related fields is impacted by this law in some way:
Payers Providers
Members Employers
Clearinghouses Billing agents
Volunteers Vendors
Service organizations

5. Who must comply? (aka-who does HIPAA apply to?)
Health Plans
Clearinghouses
Providers, if they conduct covered electronic transactions (or have someone conduct them on their behalf)
Employers who act as providers or health plans or who simply choose to comply
Other organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)

6. “COVERED ENTITIES”
Health Care Providers (physicians, nurses, allied health practitioners, counselors)
Health Care Facilities (hospitals, clinics)
Health Plans (HMOs, insurers)
Health Information Clearinghouses

7. UCONN is a “Hybrid Entity”
Covered components:
Student Health Services
Speech & Hearing Clinic
EMS/Fire (within Public Safety) as first responders
Nayden Physical Therapy Clinic

8. Health Insurance Portability and Accountability Act of 1996
Title I
Title II
Title III
Title IV
Title V
Insurance
Portability
Fraud and Abuse Medical Liability Reform
Administrative
Simplification
Tax Related Health Provision
Group Health
Plan Requirements
Revenue Off-sets
Privacy
Security
Electronic
Data
Transactions
Code Sets
Identifiers

9. Health Insurance Portability and Accountability Act of 1996
The 4 components in HIPAA Title II are:
Health Insurance Portability and Accountability Act of 1996
Transactions
& Code Sets
Privacy
Security
Identifiers

10. HIPAA Privacy Rule
(Regulations)

11. Privacy Regulation Application
The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form:
Electronic
Oral
Written
Faxed
etc.

12. A Look At Privacy The Privacy Regulation includes:
Client/Patient rights
Regulatory authorizations for treatment, payment and health care operations
Minimum necessary for intended use
Business Associate requirements
Required authorizations
Review processes, restriction requests, and correction process

13. What information is protected by the HIPAA Privacy Rule?

14. Individually Identifiable Health Information (IIHI)
Any health information that is created or received by a health care provider, health plan, clearinghouse or an employer
Identifies the individual
Provides a reasonable basis to believe that the information can be used to identify the individual
Pertains to the health of an individual
Pertains to the provision of or payment of healthcare to an individual.

15. Protection of PHI What is PHI? (Protected Health Information)
Individually identifiable health information--IIHI: (relating to past, present, future health care or payment for health care)
ORAL
WRITTEN
ELECTRONIC
but NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption)
and NOT employee IIHI in the hands of the Employer (HIPAA exemption)

16. Scope of data covered
HIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information:
Name
Address; street, city, county, zip code
Social security number
Birth date
Account number
Name of employers
Telephone/Fax numbers
Electronic mail addresses
Names of relatives
Any other unique identifying number or code that could be used to identify an individual (applies to a small cell)

17. Privacy Applicability and Scope
Does not preclude stricter state standards that apply to certain types of information (preemption)
Makes no distinction about the presumed sensitivity of information  Demographic info should be treated the same as clinical info
Protects the information itself, not the physical record, regardless of where the information appears
All PHI is treated the same way – no system to weight the value of the PHI
Privacy regulations protect the information itself

18. Records not covered by HIPAA Privacy Rule
Employment Records
FMLA certifications
ADA disability/accommodation records
Attendance/sick leave records
Employment physicals
Workers’ Compensation records
Enrollment/disenrollment/COBRA records

19. Records not covered by HIPAA Privacy Rule
Student Records
The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).
FERPA provides privacy protections for student health records held by federally funded educational institutions.

20. HIPAA Excludes FERPA
“We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records.”
U.S. Department of Health and Human Services,
65 Federal Register 82,483 (December 28, 2000)

21. FERPA (not HIPAA) protected records
Student immunization/medical history records
Student disability/accommodation records
Student health clinic/counseling records
Student health insurance enrollment/disenrollment information submitted by student to University

22. Requirements to Protect Privacy
FERPA
No set, specific requirements
No clear consensus in higher ed on what is needed
No court decisions on third party breach
HIPAA
Administrative Safeguards:
(Processes, procedures, training, Risk Analysis)
Physical Safeguards:
(Facility, workstations, etc.)
Technical Safeguards:
(Access, audit control, data integrity, etc.)

23. A Look At Privacy The Privacy Regulation includes:
Client/Patient rights
Regulatory authorizations for treatment, payment and health care operations
Minimum necessary for intended use
Business Associate requirements
Required authorizations
Review processes, restriction requests, and correction process

24. Some Administrative Requirements
Notice of Privacy Practices
Individual Rights
Business Associate Agreements

25. Notice of Privacy Practices
First Date of Service
Acknowledgment

26. Basic Individual Rights
Right to privacy of PHI
Treatment, Payment, Health Care Operations Uses
Specified disclosures allowed (public health, subpoenas, etc.)
Other disclosures with authorization
Individual right to access, amendment, accounting
Individual right to request restricted communications and uses/disclosures

27. Business Associate Agreements
Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entity
Agreement must ensure business associate’s compliance with HIPAA Privacy Rule

28. Other Administrative Requirements
Designate a Privacy Officer
Create policies and procedures
Provide privacy training
Provide a means for individuals to lodge complaints
Process for responding to complaints

29. Other Administrative Requirements (cont’d)
Administrative, technical, and physical safeguards to protect PHI
Maintain HIPAA documentation for 6 years
Sanctions for HIPAA privacy violations
Mitigate harmful effects from violations
Avoid retaliation or waiver of HIPAA rights

30. Authorization Obtain an authorization when appropriate
Usually a customized document
Used for specified purposes, other than TPO
Covers only the PHI for uses and disclosures specified in the authorization
Required for uses and disclosures of PHI not otherwise allowed by the rule

31. Uses Requiring Authorization
Marketing
Insurance pre-enrollment activities
Employer/uses for employment
Fund raising
Other uses not exempted by these rules

32. Uses & Disclosures Exceptions -- TPO
Treatment
Payment
Health Care Operations

33. “Health Care Operations”
Quality assessment/improvement
Determining clinical privileges
Reviewing plan performance
Insurance rating, underwriting, etc.
Medical review and auditing
Fraud and abuse detection
Compiling PHI for legal proceedings

34. Other Permissible Uses Without Consent
Based on capacity or authority
Public health activities
Health care oversight
Judicial/administrative proceedings
Coroners/medical examiners
Law enforcement, banking, or payment
Research, emergencies, and next of kin

35. “Minimum Necessary”
Only disclose the PHI needed to accomplish a function
Case-by-case determination
Designated decision maker
Exceptions for:
DHHS access
plan audit and “as required by law”

36. Why Should You Care? Civil penalties for improper PHI disclosure:
$100 per day, up to $25,000 per year for identical violations
Penalty may be avoided if disclosure was for reasonable cause, not willful neglect

37. Criminal Sanctions
Criminal penalties for knowing wrongful disclosure of PHI:
Fine of not more than $50,000/imprisonment for one year/both
If committed under false pretenses, fine of not more than $100,000/imprisonment for not more than five years/both
If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both

38. The Bottom Line . . . Know Your Permitted Uses and Disclosures of PHI
Limit Access/Disclosure to Permitted Group
Safeguard PHI
Keep PHI Out of Employment-Related Actions and Decisions
most importantly…

39. Don’t be afraid to ask questions!

40. Rachel Krinsky Rudnick, JD, CIPP
Questions?
Rachel Krinsky Rudnick, JD, CIPP
University Privacy Officer
Office of Audit, Compliance & Ethics
(860)

41. HIPAA Security Awareness Training
Elaine David, Director of IT Security, Policy & Quality Assurance

42. HIPAA SECURITY AWARENESS TRAINING
HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information.
These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.

43. HIPAA SECURITY AWARENESS TRAINING
HIPAA Security Rule Requirements:
Administrative Safeguards
Physical Safeguards
Technical Safeguards

44. HIPAA SECURITY AWARENESS TRAINING
Administrative Safeguards:
Security Management (Risk Analysis, Sanctions, Activity Review)
Workforce Security
Access Management
Awareness & Training
Incident Response & Reporting
Business Associate Contracts
Evaluation of Compliance

45. HIPAA SECURITY AWARENESS TRAINING
Physical Safeguards:
Facility Access controls
Workstation Acceptable Use & Responsibility
Workstation/Server and Mobile Systems security
Device and Media Control Security

46. HIPAA SECURITY AWARENESS TRAINING
Technical Safeguards:
Access controls (e.g. unique id, password structure, firewall use, wireless access, remote access, etc.)
Security Audit controls
Authentication
Transmission security

47. HIPAA SECURITY AWARENESS TRAINING
Compliance with HIPAA Security Rule:
Development and dissemination of many security and data policies.
See or

48. HIPAA SECURITY AWARENESS TRAINING
What is information security?
The steps taken to protect the confidentiality, integrity and availability of our information resources.
Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information.
Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc.
Availability: assurance that computer resources are available when we expect them to be.

49. HIPAA SECURITY AWARENESS TRAINING
What is security awareness?
Recognizing the various types of security issues;
Knowing how to prevent a breach;
Knowing how to react to a breach.

50. Good Computing Practices - Safeguards for Users
#1: Passwords:
- Choose your password carefully
Use at least 8 characters
Do not use repetitive characters
Combine alpha, numeric and non-alpha numeric characters, upper and lower-case
Do not base password on familiar words or words/names that can be associated with you
Choose one that is easy to remember and easy to type

51. Good Computing Practices - Safeguards for Users
#1: Passwords cont.:
Keep your password safe
Securely file or destroy paperwork that includes user-id and password information.
Do not post, write or share passwords with anyone

52. Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information
Use a Password protected screensaver for your workstation (on-site, laptop, home, etc.)
Lock your screen
For a PC: <crtl> <alt> <delete> <enter>
For a MAC:
Configure a screensaver with your password; Create a shortcut to activate screensaver
Use a password to start up or wake-up your computer
Always log off shared workstations
If you don’t log off, someone else could use your ID to illegally access confidential information

53. Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information cont
Just say “No” when a program ask: “Do you want me to remember your password?”
When your password is saved on your hard drive, it makes you and your data vulnerable to hackers who can steal you Password.

54. Good Computing Practices - Safeguards for Users
#3: Physical Access
Protect your computer, laptop, PDA, electronic media from being stolen or accessed by others
Secure computers with a lockdown cable
Store backup media safely and separately from the equipment
Don’t leave portable devices unattended, even for a moment

55. Good Computing Practices - Safeguards for Users
#4: Anti Virus
Make sure your computer has antivirus and all necessary security patches
See
Schedule and run regular virus scans of all your files
Always close “pop-ups” when they solicit a response to advertisements or other messages
Click the “x” box to close the pop-up ad
Clicking “no” is the same as “yes” and allows the virus or hacker access to your computer

56. Good Computing Practices - Safeguards for Users
#5: Data Backup and Restoration
Make backups a regular task
Back up data to your department’s secure server or store on removable media
Store backup media safely and separately from the equipment
Test that backup data can be restored if necessary

57. Good Computing Practices - Safeguards for Users
#6: Operating System and Network Applications
Update operating systems and network applications of your computers with current patches
See

58. Good Computing Practices - Safeguards for Users
#7: Information Security
Use good judgment about the amount of confidential data that you store on university-owned or personally-owned devices
delete files containing confidential data from devices as soon as they are no longer needed
Use encryption for transmitting and storing confidential data

59. Good Computing Practices - Safeguards for Users
#7: Information Security – cont
Ensure that your computer and other devices are wiped clean of all confidential data using the University’s procedures before being surplused or redeployed to another individual.
See

60. Good Computing Practices - Safeguards for Users
#8:
Practice safe ing
Do not open, forward or reply to suspicious s
Keep your inbox “preview pane” closed to prevent certain types of malicious code from executing
Turn off the “Automatic download HTML graphics” and “Display graphics in messages” options
Delete spam
Don’t open attachments or click on website addresses without being certain of their safety.

61. Good Computing Practices - Safeguards for Users
#8: cont
Be Aware: is NEVER 100% secure
Do not use to send, receive or store confidential information unless required by your job
Always limit the amount of confidential information sent by to the minimum necessary
Never send, reply or forward UConn confidential information from a non UConn account

62. Good Computing Practices - Safeguards for Users
#9: Computer Security
Don’t install unknown or unsolicited programs on your compute
Do not install any programs on your University computer that are not authorized by your department and licensed to use on a University computer
Be cautious about installing any unknown or unsolicited program on any computer that is used with confidential data.

63. Good Computing Practices - Safeguards for Users
#10: Mobile Devices
Maintain the tracking number for the mobile device in a safe location.
This will assist police in locating the device in case of loss or theft
Only use devices that can restrict access by way of a password or other authentication method
Enable all security features the device may have
Remove all Personal Identifiers when possible
If you use a mobile, wireless device for backup then encrypt all sensitive data and store separately.
When available, always save and store to a secure server.

64. Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach
What to Report:
Lost or stolen devices especially if they contain confidential data
Erratic computer behavior or unusual messages to your department manager, department IT resource, or UITS Help Center
Suspected issues or incidents to a manager or Security Office

65. Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont
Loss of Equipment
Report lost or stolen laptops, Blackberries, PDAs, cell phones, flash drives, etc. to the UCONN Police Department

66. Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont
Other Security Incidents/Breaches
Your Supervisor/Manager
Your Department’s IT person
Privacy Office (Rachel Krinsky Rudnick):
(860)
Security Office (Elaine David):
(860)
UITS Help Center
(860)

67. HIPAA SECURITY AWARENESS TRAINING
What about paper records?
Important to consider not only electronic records, but paper records as well.
See: Best Practice Office Procedures for Dealing with Confidential and Registered Confidential Data

68. HIPAA SECURITY AWARENESS TRAINING
Paper Records:
Limit sign-in sheets to first name only.
Do not post lists containing confidential information.
Remove confidential data from reports where it is not required.
Shred or store securely for shredding all reports no longer required that contain confidential.
Account for any lists, records and reports containing confidential information.

69. What Does HIPAA Mean for UConn?
The UConn Speech & Hearing Clinic is “HIPAA-tized”

70. HIPAA’s Impact
Clinic Operations
Clinical Education

71. Brief History
University of Connecticut Speech & Hearing Clinic – began in the late 1940’s to support clinical training of students becoming speech-language pathologists and audiologists
1976 – began to charge fees for services provided; billed through a clearinghouse
2001 – determined to be a HIPAA covered entity because billing was managed electronically

72. Getting ready for the Privacy Rule
Confidentiality practices in the clinic were always governed by the standards set forth by the American Speech-Language-Hearing Association
Released information only when given permission by the clients except in specific situations
Discussions about clients and their communication disorder were limited to conferences with other professionals related to client care AND to clinical teaching
Forbidden to remove files from the Speech & Hearing Clinic (ACLU influence)

73. Safeguards pre-HIPAA
Depended on students, clinical service providers, and staff to uphold the ASHA Code of Ethics
Sanctions built in when violations to the Code occurred, but only applied to persons who were affected by the Code
ASHA issued sanctions and the process is lengthy and cumbersome
Dependent on students and clinical service providers to use good judgment to determine whether they were maintaining confidentiality

74. From August 2001 until April 14, 2003
Conduct gap analysis – where were the gaps between what we were doing and what we needed to do to comply with the Privacy Rule of HIPAA?
Examples of gaps: PHI visible on the secretary’s computer and computer was easily viewed; PHI released to school systems as the payer of services
Prepare a budget of what it would cost to become compliant
Develop a plan of how to proceed
State of Connecticut DoIT’s role

75. Highlights of the process toward compliance with the Privacy Rule
Upgrade the clinic lobby to insure that personal health information (PHI) was protected
Create a comprehensive Policy and Procedures Manual that detailed the Clinic’s implementation of HIPAA
Create a Notice of Privacy Practices and a procedure for disseminating this information (translated into Spanish)
Create a new set of forms and procedures for documentation all relevant aspects of HIPAA to the care of clients with communication disorders

76. More highlights…
Devise a training tool for all students and anyone having contact with clients and client records. Issue a “certificate” following training that students take with them.
Issue Business Associate Agreements with all vendors and unions with whom we have contracts
Gain an office that is self-contained

77. New Speech & Hearing Clinic Office

78. Security Rule Compliance date: April 17, 2005
Risk analysis revealed numerous compliance issues: transmission and storage of electronic data, building’s wireless capability and students’ access to that, encryption (and lack of), computer accessibility
Plan put into place; work closely with UITS and CLAS computer support teams. Budget and ways to cover the costs of becoming compliant.
Procedures for closing out computer access for students and others when they leave the program

79. HIPAA’s impact on clinical education
Students are provided with a model of the implementation of HIPAA Rules
HIPAA training and certificates are often recognized by the host facility when students go to off-campus practicum sites
Increased awareness of the procedural nature of maintaining privacy; documentation

80. Outcomes for students…
Awareness of consequences of non-compliance both at federal and local levels
When files are removed from the building, the infraction is now treated and reported as “theft”
Increased understanding about PHI and need for complying with procedures intended to protect information and confidentiality
Exposure to the model of HIPAA implementation that is similar to other settings where they will be

81. What it has meant… Increasing vigilance to maintaining PHI
- ensuring that PHI does not exist on hard drives, on reports that students might use for models to write their own reports
- clinicians’ compliance with maintaining confidentiality
Increasing amounts of paper
Increasing amounts of time spent in training, monitoring, and updating
Increasing operating expenses as a result

82. Also has meant…
Development of a Business Continuity Plan as part of complying with the Security Rule
Increased vigilance in making sure that the release of any information has been authorized by the client and/or the designee
An entirely new vocabulary!
UConn Speech & Hearing Clinic is regarded as a model of implementation among similar training programs

83. Procedural safeguards have been prescribed and are clearly defined
Client records provide a rich database; OK to use the data as long as the client has been “de-identified” (meant, too, that researchers and teaching faculty had to go through HIPAA training)
Installation of a scheduling system that was HIPAA compatible for storing client information
Installation of a server that was dedicated to clinic operations; increased efficiency in backing up data regularly

84. Service providers became more HIPAA-savvy consumers!

85. HIPAA AT STUDENT HEALTH SERVICES
JANE DESROSIERS, RHIT
INFORMATION COORDINATOR
PRIVACY OFFICER
October 2007

86. STUDENT HEALTH SERVICES Who are we? What do we do?
We are the “Hospital” for our students and also for employees who have been injured on the job.
Our 2006 – 2007 service numbers
Advice Nurse 13,471 visits to 7076 patients
Primary Care 13,169 visits to 7085 patients
Women’s Clinic 3,508 visits to 1892 patients
CMHS ,487 visits to 1289 patients
Other Areas visits to 1005 patients
More than 25,000 individual patient records

87. PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2003
Physical renovations, new wiring, installing card accessible lock systems for file rooms, doors for patient check-in windows.
Creation of Notice of Privacy Practices & Policies
Staff training, both permanent and student staff
“HIPAA – tizing” forms and procedures
Determining Business Associates & Agreements
Communicating to UCONN Departments
Paper, Paper, Paper!

88. PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
April 2003 & Beyond
Distributing NPP to all of our patients!
Continuing with education updates to new and seasoned staff
Enforcement of HIPAA policies for release of information, who gets what and how
Providing HIPAA course to all students in Allied Health, Nursing, Pharmacy, Physical Therapy prior to their Clinical site study.
IRB (Independent Review Board) approves all Drug Study trials.
Paper, Paper, Paper!

89. SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2005
Risk assessment performed to identify security vulnerabilities
Security awareness training
Workforce clearance procedures for access to electronic PHI
Servers moved from SHS building to UITS server farm
Physical Security (theft)
Data Security (firewall)
Data backup and backup storage

90. SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2005
Created isolated environment to test applications before using in production
Data disposal policies & procedures
Automatic log-off/password protected screensaver procedures

91. SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
2005 & Beyond
Vigilance to continue with recommendations of the risk assessment.

92. HIPAA IMPACT ON STUDENT HEALTH SERVICES
And now……
Any violations?
Over 2200 complaints have been logged with DHHS
Where are the HIPAA police?
7 staff members of DHHS were appointed to “police” the HIPAA regulation

93. How HIPAA Changed My Life
Jeffrey M. Anderson, MD
Director of Sports Medicine Services
University of Connecticut
Student Health Services/Division of Athletics

94. How Does HIPAA Affect Me in the Patient Room?
Truth is, it really doesn’t
Privacy has always been a hallmark of the physician-patient interaction
My relationship with my patient depends on my discretion, whether the law dictates it, or not.
Its real impact…

96. How Does HIPAA Affect the UConn Student-Athlete?
Information to athletic trainers
Information to strength and conditioning coaches
Information to sport coaches
Information to parents
Information to the media

97. Consent for Disclosure of Protected Information
Signed each year by every student-athlete
Information related to the student-athlete’s ability to train, practice, and compete
Nature and type of injury/illness, duration of expected recovery, treatment methods, and related rehab progress
Essential to the protection of the student-athlete’s health while participating here.

98. HIPAA and Media Interaction
HIPAA can actually be helpful in this area
Does affect sideline discussion
Interaction is entirely mediated by Athletic Communications
Official releases written by them and approved by both the student-athlete and the head coach