Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy

Published byKeshawn Plasters Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy"— Presentation transcript:

1 HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy
Krista Barnes, Senior Compliance Attorney Institutional Compliance Office at MD Anderson Cancer Center GSBS New Student Orientation August 14, 2013

2

3 HI…what? Health Insurance Portability & Accountability Act (HIPAA)
Define “protected health information” (PHI) and how we need to protect it Gives patients certain rights with respect to PHI (see our Notice of Privacy Practices) Only applies to “covered entities” (health care providers, insurers, and healthcare clearinghouses) Health Information Technology for Economic and Clinical Health (HITECH) Act Imposes breach reporting obligations on covered entities Gave HIPAA “teeth”

4 What is PHI? Protected Health Information
Health information + Identifying Information Health Information: diagnosis, treatment, lab results, imaging studies, arguably even the fact that someone is a patient here because our name suggests a cancer diagnosis Identifying Information: 18 types of identifying information (see next slide).

5 What are the 18 HIPAA Identifiers?
Identifying information includes the following EIGHTEEN items for an individual and the individual’s relatives, employers, or household members: Names (including initials); All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits; All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a “90 and over” category); Phone numbers; Fax numbers; addresses; Social security numbers; Medical record numbers Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; Full face photographic images and any comparable images; and Any other unique identifying number, characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by person who holds the key)

6 POP QUIZ You’re working on a research study. The protocol calls for blood samples to be sent to the study’s sponsor for banking. The samples are labeled with date and medical record number (no names). The informed consent promises that all samples will be “de-identified.” Can you send the samples out like this? NO. Dates and MRNs are “identifiers” You aren’t authorized to send any identifiers

7 What does HIPAA say? HIPAA General Rule: You may not use or disclose PHI without the patient’s Authorization, unless it falls under a regulatory exception, which include: Treatment (e.g., nurse talking to a doctor, talking to another physician about a common patient) Payment (e.g., billing insurance) Healthcare Operations (e.g., for formal internal training programs, quality improvement) Certain research purposes (IRB waiver, preparatory to research) De-identified data Research uses and disclosures of PHI are governed by the protocol, informed consent and authorization document, and/or an IRB waiver

8 Who can look at PHI? Can only access PHI if you have a legitimate work-related reason for doing so. Six Fired for Keeping up with the Kardashian Harris Hospital District Fires 16 Over Privacy

9 POP QUIZ Have you violated HIPAA?
You are entering data for a study into a spreadsheet. You notice that the mom of your best friend from Junior High is one of the subjects. You didn’t even know she had cancer! You feel awful and want to help your friend’s family, maybe by sending flowers or taking dinner over. You log into ClinicStation to see when her last appointment was and how she is doing. You’re very sad to learn that she passed away last month. You post on your friend’s Facebook page, “I just heard about your mom passing away, I’m so sorry.” Have you violated HIPAA? A. No. There’s no way anyone would know that you learned about her death from looking in her medical record. B. No. HIPAA doesn’t apply after death. Yes. People who work at covered entities can’t use social media. Yes. You accessed the mom’s record without authorization, and then disclosed her PHI on Facebook. Answer: D.

10 What’s the big deal? Use or disclosure of protected health information (“PHI”) in a manner that doesn’t comply with HIPAA is a violation of federal (and probably state) law An unauthorized use or disclosure that compromises the patient’s privacy may be a “breach” of PHI Breaches are reported to the patient, the government, and if big enough, the media Breaches compromise patient privacy; patients’ trust in the hospital/institution; the hospital’s reputation; can cost big $$, and may cost you your career Fines for HIPAA violations: $100 to $50,000 per day, up to a maximum of $1.5 million for the same violation in any one year

11 What is at stake? Alaska Medicaid Massachusetts hospital UCLA
Unencrypted USB hard drive stolen from employee’s car $1.7 million settlement Massachusetts hospital Theft of unencrypted laptop containing prescription & clinical information $1.5 million settlement UCLA Researcher accessed coworkers’ and celebrities’ medical records without authorization Prosecuted and sentenced to 4 months in prison MD Anderson examples

12 What happened here 2012: laptop stolen from researcher’s home contained 30,000 patients’ data 2012: lost jump drive contained 2200 research subjects’ data 2013: lost jump drive contained 3600 research subjects’ data Pop Quiz: What would have prevented all 3 of these breaches? Answer: ENCRYPTION

13 What you can do to protect PHI
Accessing PHI Access PHI on encrypted devices only (laptops, jump drives, BlackBerry). Never access the medical record of a celebrity, friend, family member, or coworker (unless it is your job to do so). Storing PHI Do not store PHI in the cloud unless sanctioned by the institution (e.g., MDACC box.com account) Limit physical access to PHI (lock cabinets, use folders). Shred (do not recycle!) paper and wipe devices when finished. Transporting PHI Do not leave devices or paper files in your car. ENCRYPTED DEVICES ONLY! Encrypt s in transit. Don’t PHI to your personal account. Social Media Never post about a patient/subject on social media

14 ONE LAST POP QUIZ You’re helping an MD Anderson PI and a collaborator from UT Health Science Center on a research study. The data relates to live human subjects, and is stored in a spreadsheet that you saved to the MD Anderson server. It contains medical record numbers, study ID numbers, treatment dates, diagnoses, and drugs administered. The collaborator wants you to send him the data on a CD. Should you? First, is it PHI? Yes (treatment dates, maybe study ID numbers, maybe genomic sequencing data = identifiers) Second, is the data allowed to leave MD Anderson? Check the protocol and informed consent document to see if PHI can leave MD Anderson and be shared with an outside collaborator. Is the CD a permissible way to send PHI? Send on an encrypted CD and send the password separately, or ask InfoSec for more options. The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you? No. Dropbox is not necessarily secure, your consent probably doesn’t say that you’ll be storing data on that site, and we do not have a Business Associate Agreement with Dropbox. Box.com is the only option right now (through MD Anderson’s institutional box.com account).

15 Reporting Privacy Incidents
What to do if a privacy incident occurs: Report incidents quickly to: Institutional Compliance Office at or Privacy Hotline at Document everything Report to IRB as unanticipated problem (if research) Report lost or stolen computers, BlackBerrys, jump drives to: UTPD: 4-INFO: Departmental asset manager

16 State Auditor’s Office Hotline (1-800-892-8348).
Compliance Concerns It is every Workforce Member’s responsibility to report a violation or a potential violation Failure to report a violation or potential violation may subject you to disciplinary action To report compliance concerns: - Call the Institutional Compliance Office ( ) - Page the Chief Compliance Officer ( ) - Call the Fraud and Abuse Hotline ( ) - Call the Privacy Hotline ( ) IMPORTANT: All discussions and reports are treated confidentially and may be made anonymously Suspected fraud, waste, and abuse involving state resources State Auditor’s Office Hotline ( ).

17 Non-Retaliation Workforce Members should not hesitate to report any suspected violations out of fear of retaliation Non-Retaliation Policy (UTMDACC Institutional Policy #ADM0254)

18 Questions? Krista Barnes Senior Compliance Attorney, Privacy Compliance

Download ppt "HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy"

Similar presentations

And the finer details of patient privacy TCH Confidential Understanding HIPAA.

And the finer details of patient privacy TCH Confidential Understanding HIPAA.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.

HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.
Informed Consent.

Informed Consent.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.
Protecting Client Data HIPAA, HITECH and PIPA Part 1A

Protecting Client Data HIPAA, HITECH and PIPA Part 1A
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

Similar presentations

Ads by Google