Presentation on theme: "University of Connecticut October 4, 2007"— Presentation transcript:
1University of Connecticut October 4, 2007 HIPAA at UCONN: Protecting Health-Related Information in Educational SettingsUniversity of ConnecticutOctober 4, 2007
2Health Insurance Portability and Accountability Act of 1996(HIPAA)
3Public Law 104-191 Designed to: assure health insurance portability reduce health care fraud and abuseguarantee integrity and confidentiality of health informationimprove the operations of health care systems and reduce administrative costsEstablishes:Standards for privacyStandards for security of health dataStandards for eight electronic transactions and the code sets to be used in those transactionsUnique health identifiersHIPAA amends and is part of the Social Security Act of 1986.
4HIPAA Applicability and Scope Everyone in healthcare and health-related fields is impacted by this law in some way:Payers ProvidersMembers EmployersClearinghouses Billing agentsVolunteers VendorsService organizations
5Who must comply? (aka-who does HIPAA apply to?) Health PlansClearinghousesProviders, if they conduct covered electronic transactions (or have someone conduct them on their behalf)Employers who act as providers or health plans or who simply choose to complyOther organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)
6“COVERED ENTITIES”Health Care Providers (physicians, nurses, allied health practitioners, counselors)Health Care Facilities (hospitals, clinics)Health Plans (HMOs, insurers)Health Information Clearinghouses
7UCONN is a “Hybrid Entity” Covered components:Student Health ServicesSpeech & Hearing ClinicEMS/Fire (within Public Safety) as first respondersNayden Physical Therapy Clinic
8Health Insurance Portability and Accountability Act of 1996 Title ITitle IITitle IIITitle IVTitle VInsurancePortabilityFraud and Abuse Medical Liability ReformAdministrativeSimplificationTax Related Health ProvisionGroup HealthPlan RequirementsRevenue Off-setsPrivacySecurityElectronicDataTransactionsCode SetsIdentifiers
9Health Insurance Portability and Accountability Act of 1996 The 4 components in HIPAA Title II are:Health Insurance Portability and Accountability Act of 1996Transactions& Code SetsPrivacySecurityIdentifiers
11Privacy Regulation Application The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form:ElectronicOralWrittenFaxedetc.
12A Look At Privacy The Privacy Regulation includes: Client/Patient rightsRegulatory authorizations for treatment, payment and health care operationsMinimum necessary for intended useBusiness Associate requirementsRequired authorizationsReview processes, restriction requests, and correction process
13What information is protected by the HIPAA Privacy Rule?
14Individually Identifiable Health Information (IIHI) Any health information that is created or received by a health care provider, health plan, clearinghouse or an employerIdentifies the individualProvides a reasonable basis to believe that the information can be used to identify the individualPertains to the health of an individualPertains to the provision of or payment of healthcare to an individual.
15Protection of PHI What is PHI? (Protected Health Information) Individually identifiable health information--IIHI: (relating to past, present, future health care or payment for health care)ORALWRITTENELECTRONICbut NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption)and NOT employee IIHI in the hands of the Employer (HIPAA exemption)
16Scope of data coveredHIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information:NameAddress; street, city, county, zip codeSocial security numberBirth dateAccount numberName of employersTelephone/Fax numbersElectronic mail addressesNames of relativesAny other unique identifying number or code that could be used to identify an individual (applies to a small cell)
17Privacy Applicability and Scope Does not preclude stricter state standards that apply to certain types of information (preemption)Makes no distinction about the presumed sensitivity of information Demographic info should be treated the same as clinical infoProtects the information itself, not the physical record, regardless of where the information appearsAll PHI is treated the same way – no system to weight the value of the PHIPrivacy regulations protect the information itself
18Records not covered by HIPAA Privacy Rule Employment RecordsFMLA certificationsADA disability/accommodation recordsAttendance/sick leave recordsEmployment physicalsWorkers’ Compensation recordsEnrollment/disenrollment/COBRA records
19Records not covered by HIPAA Privacy Rule Student RecordsThe definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).FERPA provides privacy protections for student health records held by federally funded educational institutions.
20HIPAA Excludes FERPA“We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records.”U.S. Department of Health and Human Services,65 Federal Register 82,483 (December 28, 2000)
21FERPA (not HIPAA) protected records Student immunization/medical history recordsStudent disability/accommodation recordsStudent health clinic/counseling recordsStudent health insurance enrollment/disenrollment information submitted by student to University
22Requirements to Protect Privacy FERPANo set, specific requirementsNo clear consensus in higher ed on what is neededNo court decisions on third party breachHIPAAAdministrative Safeguards:(Processes, procedures, training, Risk Analysis)Physical Safeguards:(Facility, workstations, etc.)Technical Safeguards:(Access, audit control, data integrity, etc.)
23A Look At Privacy The Privacy Regulation includes: Client/Patient rightsRegulatory authorizations for treatment, payment and health care operationsMinimum necessary for intended useBusiness Associate requirementsRequired authorizationsReview processes, restriction requests, and correction process
24Some Administrative Requirements Notice of Privacy PracticesIndividual RightsBusiness Associate Agreements
25Notice of Privacy Practices First Date of ServiceAcknowledgment
26Basic Individual Rights Right to privacy of PHITreatment, Payment, Health Care Operations UsesSpecified disclosures allowed (public health, subpoenas, etc.)Other disclosures with authorizationIndividual right to access, amendment, accountingIndividual right to request restricted communications and uses/disclosures
27Business Associate Agreements Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entityAgreement must ensure business associate’s compliance with HIPAA Privacy Rule
28Other Administrative Requirements Designate a Privacy OfficerCreate policies and proceduresProvide privacy trainingProvide a means for individuals to lodge complaintsProcess for responding to complaints
29Other Administrative Requirements (cont’d) Administrative, technical, and physical safeguards to protect PHIMaintain HIPAA documentation for 6 yearsSanctions for HIPAA privacy violationsMitigate harmful effects from violationsAvoid retaliation or waiver of HIPAA rights
30Authorization Obtain an authorization when appropriate Usually a customized documentUsed for specified purposes, other than TPOCovers only the PHI for uses and disclosures specified in the authorizationRequired for uses and disclosures of PHI not otherwise allowed by the rule
31Uses Requiring Authorization MarketingInsurance pre-enrollment activitiesEmployer/uses for employmentFund raisingOther uses not exempted by these rules
32Uses & Disclosures Exceptions -- TPO TreatmentPaymentHealth Care Operations
33“Health Care Operations” Quality assessment/improvementDetermining clinical privilegesReviewing plan performanceInsurance rating, underwriting, etc.Medical review and auditingFraud and abuse detectionCompiling PHI for legal proceedings
34Other Permissible Uses Without Consent Based on capacity or authorityPublic health activitiesHealth care oversightJudicial/administrative proceedingsCoroners/medical examinersLaw enforcement, banking, or paymentResearch, emergencies, and next of kin
35“Minimum Necessary”Only disclose the PHI needed to accomplish a functionCase-by-case determinationDesignated decision makerExceptions for:DHHS accessplan audit and “as required by law”
36Why Should You Care? Civil penalties for improper PHI disclosure: $100 per day, up to $25,000 per year for identical violationsPenalty may be avoided if disclosure was for reasonable cause, not willful neglect
37Criminal SanctionsCriminal penalties for knowing wrongful disclosure of PHI:Fine of not more than $50,000/imprisonment for one year/bothIf committed under false pretenses, fine of not more than $100,000/imprisonment for not more than five years/bothIf committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both
38The Bottom Line . . . Know Your Permitted Uses and Disclosures of PHI Limit Access/Disclosure to Permitted GroupSafeguard PHIKeep PHI Out of Employment-Related Actions and Decisionsmost importantly…
41HIPAA Security Awareness Training Elaine David, Director of IT Security, Policy & Quality Assurance
42HIPAA SECURITY AWARENESS TRAINING HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information.These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.
45HIPAA SECURITY AWARENESS TRAINING Physical Safeguards:Facility Access controlsWorkstation Acceptable Use & ResponsibilityWorkstation/Server and Mobile Systems securityDevice and Media Control Security
47HIPAA SECURITY AWARENESS TRAINING Compliance with HIPAA Security Rule:Development and dissemination of many security and data policies.See or
48HIPAA SECURITY AWARENESS TRAINING What is information security?The steps taken to protect the confidentiality, integrity and availability of our information resources.Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information.Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc.Availability: assurance that computer resources are available when we expect them to be.
49HIPAA SECURITY AWARENESS TRAINING What is security awareness?Recognizing the various types of security issues;Knowing how to prevent a breach;Knowing how to react to a breach.
50Good Computing Practices - Safeguards for Users #1: Passwords:- Choose your password carefullyUse at least 8 charactersDo not use repetitive charactersCombine alpha, numeric and non-alpha numeric characters, upper and lower-caseDo not base password on familiar words or words/names that can be associated with youChoose one that is easy to remember and easy to type
51Good Computing Practices - Safeguards for Users #1: Passwords cont.:Keep your password safeSecurely file or destroy paperwork that includes user-id and password information.Do not post, write or share passwords with anyone
52Good Computing Practices - Safeguards for Users #2: Control Access to Confidential InformationUse a Password protected screensaver for your workstation (on-site, laptop, home, etc.)Lock your screenFor a PC: <crtl> <alt> <delete> <enter>For a MAC:Configure a screensaver with your password; Create a shortcut to activate screensaverUse a password to start up or wake-up your computerAlways log off shared workstationsIf you don’t log off, someone else could use your ID to illegally access confidential information
53Good Computing Practices - Safeguards for Users #2: Control Access to Confidential Information contJust say “No” when a program ask: “Do you want me to remember your password?”When your password is saved on your hard drive, it makes you and your data vulnerable to hackers who can steal you Password.
54Good Computing Practices - Safeguards for Users #3: Physical AccessProtect your computer, laptop, PDA, electronic media from being stolen or accessed by othersSecure computers with a lockdown cableStore backup media safely and separately from the equipmentDon’t leave portable devices unattended, even for a moment
55Good Computing Practices - Safeguards for Users #4: Anti VirusMake sure your computer has antivirus and all necessary security patchesSeeSchedule and run regular virus scans of all your filesAlways close “pop-ups” when they solicit a response to advertisements or other messagesClick the “x” box to close the pop-up adClicking “no” is the same as “yes” and allows the virus or hacker access to your computer
56Good Computing Practices - Safeguards for Users #5: Data Backup and RestorationMake backups a regular taskBack up data to your department’s secure server or store on removable mediaStore backup media safely and separately from the equipmentTest that backup data can be restored if necessary
57Good Computing Practices - Safeguards for Users #6: Operating System and Network ApplicationsUpdate operating systems and network applications of your computers with current patchesSee
58Good Computing Practices - Safeguards for Users #7: Information SecurityUse good judgment about the amount of confidential data that you store on university-owned or personally-owned devicesdelete files containing confidential data from devices as soon as they are no longer neededUse encryption for transmitting and storing confidential data
59Good Computing Practices - Safeguards for Users #7: Information Security – contEnsure that your computer and other devices are wiped clean of all confidential data using the University’s procedures before being surplused or redeployed to another individual.See
60Good Computing Practices - Safeguards for Users #8:Practice safe ingDo not open, forward or reply to suspicious sKeep your inbox “preview pane” closed to prevent certain types of malicious code from executingTurn off the “Automatic download HTML graphics” and “Display graphics in messages” optionsDelete spamDon’t open attachments or click on website addresses without being certain of their safety.
61Good Computing Practices - Safeguards for Users #8: contBe Aware: is NEVER 100% secureDo not use to send, receive or store confidential information unless required by your jobAlways limit the amount of confidential information sent by to the minimum necessaryNever send, reply or forward UConn confidential information from a non UConn account
62Good Computing Practices - Safeguards for Users #9: Computer SecurityDon’t install unknown or unsolicited programs on your computeDo not install any programs on your University computer that are not authorized by your department and licensed to use on a University computerBe cautious about installing any unknown or unsolicited program on any computer that is used with confidential data.
63Good Computing Practices - Safeguards for Users #10: Mobile DevicesMaintain the tracking number for the mobile device in a safe location.This will assist police in locating the device in case of loss or theftOnly use devices that can restrict access by way of a password or other authentication methodEnable all security features the device may haveRemove all Personal Identifiers when possibleIf you use a mobile, wireless device for backup then encrypt all sensitive data and store separately.When available, always save and store to a secure server.
64Good Computing Practices - Safeguards for Users #11: Reporting Security Incidents/BreachWhat to Report:Lost or stolen devices especially if they contain confidential dataErratic computer behavior or unusual messages to your department manager, department IT resource, or UITS Help CenterSuspected issues or incidents to a manager or Security Office
65Good Computing Practices - Safeguards for Users #11: Reporting Security Incidents/Breach contLoss of EquipmentReport lost or stolen laptops, Blackberries, PDAs, cell phones, flash drives, etc. to the UCONN Police Department
66Good Computing Practices - Safeguards for Users #11: Reporting Security Incidents/Breach contOther Security Incidents/BreachesYour Supervisor/ManagerYour Department’s IT personPrivacy Office (Rachel Krinsky Rudnick):(860)Security Office (Elaine David):(860)UITS Help Center(860)
67HIPAA SECURITY AWARENESS TRAINING What about paper records?Important to consider not only electronic records, but paper records as well.See: Best Practice Office Procedures for Dealing with Confidential and Registered Confidential Data
68HIPAA SECURITY AWARENESS TRAINING Paper Records:Limit sign-in sheets to first name only.Do not post lists containing confidential information.Remove confidential data from reports where it is not required.Shred or store securely for shredding all reports no longer required that contain confidential.Account for any lists, records and reports containing confidential information.
69What Does HIPAA Mean for UConn? The UConn Speech & Hearing Clinic is “HIPAA-tized”
71Brief HistoryUniversity of Connecticut Speech & Hearing Clinic – began in the late 1940’s to support clinical training of students becoming speech-language pathologists and audiologists1976 – began to charge fees for services provided; billed through a clearinghouse2001 – determined to be a HIPAA covered entity because billing was managed electronically
72Getting ready for the Privacy Rule Confidentiality practices in the clinic were always governed by the standards set forth by the American Speech-Language-Hearing AssociationReleased information only when given permission by the clients except in specific situationsDiscussions about clients and their communication disorder were limited to conferences with other professionals related to client care AND to clinical teachingForbidden to remove files from the Speech & Hearing Clinic (ACLU influence)
73Safeguards pre-HIPAADepended on students, clinical service providers, and staff to uphold the ASHA Code of EthicsSanctions built in when violations to the Code occurred, but only applied to persons who were affected by the CodeASHA issued sanctions and the process is lengthy and cumbersomeDependent on students and clinical service providers to use good judgment to determine whether they were maintaining confidentiality
74From August 2001 until April 14, 2003 Conduct gap analysis – where were the gaps between what we were doing and what we needed to do to comply with the Privacy Rule of HIPAA?Examples of gaps: PHI visible on the secretary’s computer and computer was easily viewed; PHI released to school systems as the payer of servicesPrepare a budget of what it would cost to become compliantDevelop a plan of how to proceedState of Connecticut DoIT’s role
75Highlights of the process toward compliance with the Privacy Rule Upgrade the clinic lobby to insure that personal health information (PHI) was protectedCreate a comprehensive Policy and Procedures Manual that detailed the Clinic’s implementation of HIPAACreate a Notice of Privacy Practices and a procedure for disseminating this information (translated into Spanish)Create a new set of forms and procedures for documentation all relevant aspects of HIPAA to the care of clients with communication disorders
76More highlights…Devise a training tool for all students and anyone having contact with clients and client records. Issue a “certificate” following training that students take with them.Issue Business Associate Agreements with all vendors and unions with whom we have contractsGain an office that is self-contained
78Security Rule Compliance date: April 17, 2005 Risk analysis revealed numerous compliance issues: transmission and storage of electronic data, building’s wireless capability and students’ access to that, encryption (and lack of), computer accessibilityPlan put into place; work closely with UITS and CLAS computer support teams. Budget and ways to cover the costs of becoming compliant.Procedures for closing out computer access for students and others when they leave the program
79HIPAA’s impact on clinical education Students are provided with a model of the implementation of HIPAA RulesHIPAA training and certificates are often recognized by the host facility when students go to off-campus practicum sitesIncreased awareness of the procedural nature of maintaining privacy; documentation
80Outcomes for students… Awareness of consequences of non-compliance both at federal and local levelsWhen files are removed from the building, the infraction is now treated and reported as “theft”Increased understanding about PHI and need for complying with procedures intended to protect information and confidentialityExposure to the model of HIPAA implementation that is similar to other settings where they will be
81What it has meant… Increasing vigilance to maintaining PHI - ensuring that PHI does not exist on hard drives, on reports that students might use for models to write their own reports- clinicians’ compliance with maintaining confidentialityIncreasing amounts of paperIncreasing amounts of time spent in training, monitoring, and updatingIncreasing operating expenses as a result
82Also has meant…Development of a Business Continuity Plan as part of complying with the Security RuleIncreased vigilance in making sure that the release of any information has been authorized by the client and/or the designeeAn entirely new vocabulary!UConn Speech & Hearing Clinic is regarded as a model of implementation among similar training programs
83Procedural safeguards have been prescribed and are clearly defined Client records provide a rich database; OK to use the data as long as the client has been “de-identified” (meant, too, that researchers and teaching faculty had to go through HIPAA training)Installation of a scheduling system that was HIPAA compatible for storing client informationInstallation of a server that was dedicated to clinic operations; increased efficiency in backing up data regularly
84Service providers became more HIPAA-savvy consumers!
85HIPAA AT STUDENT HEALTH SERVICES JANE DESROSIERS, RHITINFORMATION COORDINATORPRIVACY OFFICEROctober 2007
86STUDENT HEALTH SERVICES Who are we? What do we do? We are the “Hospital” for our students and also for employees who have been injured on the job.Our 2006 – 2007 service numbersAdvice Nurse 13,471 visits to 7076 patientsPrimary Care 13,169 visits to 7085 patientsWomen’s Clinic 3,508 visits to 1892 patientsCMHS ,487 visits to 1289 patientsOther Areas visits to 1005 patientsMore than 25,000 individual patient records
87PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES Prior to 2003Physical renovations, new wiring, installing card accessible lock systems for file rooms, doors for patient check-in windows.Creation of Notice of Privacy Practices & PoliciesStaff training, both permanent and student staff“HIPAA – tizing” forms and proceduresDetermining Business Associates & AgreementsCommunicating to UCONN DepartmentsPaper, Paper, Paper!
88PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES April 2003 & BeyondDistributing NPP to all of our patients!Continuing with education updates to new and seasoned staffEnforcement of HIPAA policies for release of information, who gets what and howProviding HIPAA course to all students in Allied Health, Nursing, Pharmacy, Physical Therapy prior to their Clinical site study.IRB (Independent Review Board) approves all Drug Study trials.Paper, Paper, Paper!
89SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES Prior to 2005Risk assessment performed to identify security vulnerabilitiesSecurity awareness trainingWorkforce clearance procedures for access to electronic PHIServers moved from SHS building to UITS server farmPhysical Security (theft)Data Security (firewall)Data backup and backup storage
90SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES Prior to 2005Created isolated environment to test applications before using in productionData disposal policies & proceduresAutomatic log-off/password protected screensaver procedures
91SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES 2005 & BeyondVigilance to continue with recommendations of the risk assessment.
92HIPAA IMPACT ON STUDENT HEALTH SERVICES And now……Any violations?Over 2200 complaints have been logged with DHHSWhere are the HIPAA police?7 staff members of DHHS were appointed to “police” the HIPAA regulation
93How HIPAA Changed My Life Jeffrey M. Anderson, MDDirector of Sports Medicine ServicesUniversity of ConnecticutStudent Health Services/Division of Athletics
94How Does HIPAA Affect Me in the Patient Room? Truth is, it really doesn’tPrivacy has always been a hallmark of the physician-patient interactionMy relationship with my patient depends on my discretion, whether the law dictates it, or not.Its real impact…
96How Does HIPAA Affect the UConn Student-Athlete? Information to athletic trainersInformation to strength and conditioning coachesInformation to sport coachesInformation to parentsInformation to the media
97Consent for Disclosure of Protected Information Signed each year by every student-athleteInformation related to the student-athlete’s ability to train, practice, and competeNature and type of injury/illness, duration of expected recovery, treatment methods, and related rehab progressEssential to the protection of the student-athlete’s health while participating here.
98HIPAA and Media Interaction HIPAA can actually be helpful in this areaDoes affect sideline discussionInteraction is entirely mediated by Athletic CommunicationsOfficial releases written by them and approved by both the student-athlete and the head coach