Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Connecticut October 4, 2007

Similar presentations

Presentation on theme: "University of Connecticut October 4, 2007"— Presentation transcript:

1 University of Connecticut October 4, 2007
HIPAA at UCONN: Protecting Health-Related Information in Educational Settings University of Connecticut October 4, 2007

2 Health Insurance Portability
and Accountability Act of 1996 (HIPAA)

3 Public Law 104-191 Designed to: assure health insurance portability
reduce health care fraud and abuse guarantee integrity and confidentiality of health information improve the operations of health care systems and reduce administrative costs Establishes: Standards for privacy Standards for security of health data Standards for eight electronic transactions and the code sets to be used in those transactions Unique health identifiers HIPAA amends and is part of the Social Security Act of 1986.

4 HIPAA Applicability and Scope
Everyone in healthcare and health-related fields is impacted by this law in some way: Payers Providers Members Employers Clearinghouses Billing agents Volunteers Vendors Service organizations

5 Who must comply? (aka-who does HIPAA apply to?)
Health Plans Clearinghouses Providers, if they conduct covered electronic transactions (or have someone conduct them on their behalf) Employers who act as providers or health plans or who simply choose to comply Other organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)

6 “COVERED ENTITIES” Health Care Providers (physicians, nurses, allied health practitioners, counselors) Health Care Facilities (hospitals, clinics) Health Plans (HMOs, insurers) Health Information Clearinghouses

7 UCONN is a “Hybrid Entity”
Covered components: Student Health Services Speech & Hearing Clinic EMS/Fire (within Public Safety) as first responders Nayden Physical Therapy Clinic

8 Health Insurance Portability and Accountability Act of 1996
Title I Title II Title III Title IV Title V Insurance Portability Fraud and Abuse Medical Liability Reform Administrative Simplification Tax Related Health Provision Group Health Plan Requirements Revenue Off-sets Privacy Security Electronic Data Transactions Code Sets Identifiers

9 Health Insurance Portability and Accountability Act of 1996
The 4 components in HIPAA Title II are: Health Insurance Portability and Accountability Act of 1996 Transactions & Code Sets Privacy Security Identifiers

10 HIPAA Privacy Rule (Regulations)

11 Privacy Regulation Application
The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form: Electronic Oral Written Faxed etc.

12 A Look At Privacy The Privacy Regulation includes:
Client/Patient rights Regulatory authorizations for treatment, payment and health care operations Minimum necessary for intended use Business Associate requirements Required authorizations Review processes, restriction requests, and correction process

13 What information is protected by the HIPAA Privacy Rule?

14 Individually Identifiable Health Information (IIHI)
Any health information that is created or received by a health care provider, health plan, clearinghouse or an employer Identifies the individual Provides a reasonable basis to believe that the information can be used to identify the individual Pertains to the health of an individual Pertains to the provision of or payment of healthcare to an individual.

15 Protection of PHI What is PHI? (Protected Health Information)
Individually identifiable health information--IIHI: (relating to past, present, future health care or payment for health care) ORAL WRITTEN ELECTRONIC but NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption) and NOT employee IIHI in the hands of the Employer (HIPAA exemption)

16 Scope of data covered HIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information: Name Address; street, city, county, zip code Social security number Birth date Account number Name of employers Telephone/Fax numbers Electronic mail addresses Names of relatives Any other unique identifying number or code that could be used to identify an individual (applies to a small cell)

17 Privacy Applicability and Scope
Does not preclude stricter state standards that apply to certain types of information (preemption) Makes no distinction about the presumed sensitivity of information  Demographic info should be treated the same as clinical info Protects the information itself, not the physical record, regardless of where the information appears All PHI is treated the same way – no system to weight the value of the PHI Privacy regulations protect the information itself

18 Records not covered by HIPAA Privacy Rule
Employment Records FMLA certifications ADA disability/accommodation records Attendance/sick leave records Employment physicals Workers’ Compensation records Enrollment/disenrollment/COBRA records

19 Records not covered by HIPAA Privacy Rule
Student Records The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g). FERPA provides privacy protections for student health records held by federally funded educational institutions.

20 HIPAA Excludes FERPA “We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records.” U.S. Department of Health and Human Services, 65 Federal Register 82,483 (December 28, 2000)

21 FERPA (not HIPAA) protected records
Student immunization/medical history records Student disability/accommodation records Student health clinic/counseling records Student health insurance enrollment/disenrollment information submitted by student to University

22 Requirements to Protect Privacy
FERPA No set, specific requirements No clear consensus in higher ed on what is needed No court decisions on third party breach HIPAA Administrative Safeguards: (Processes, procedures, training, Risk Analysis) Physical Safeguards: (Facility, workstations, etc.) Technical Safeguards: (Access, audit control, data integrity, etc.)

23 A Look At Privacy The Privacy Regulation includes:
Client/Patient rights Regulatory authorizations for treatment, payment and health care operations Minimum necessary for intended use Business Associate requirements Required authorizations Review processes, restriction requests, and correction process

24 Some Administrative Requirements
Notice of Privacy Practices Individual Rights Business Associate Agreements

25 Notice of Privacy Practices
First Date of Service Acknowledgment

26 Basic Individual Rights
Right to privacy of PHI Treatment, Payment, Health Care Operations Uses Specified disclosures allowed (public health, subpoenas, etc.) Other disclosures with authorization Individual right to access, amendment, accounting Individual right to request restricted communications and uses/disclosures

27 Business Associate Agreements
Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entity Agreement must ensure business associate’s compliance with HIPAA Privacy Rule

28 Other Administrative Requirements
Designate a Privacy Officer Create policies and procedures Provide privacy training Provide a means for individuals to lodge complaints Process for responding to complaints

29 Other Administrative Requirements (cont’d)
Administrative, technical, and physical safeguards to protect PHI Maintain HIPAA documentation for 6 years Sanctions for HIPAA privacy violations Mitigate harmful effects from violations Avoid retaliation or waiver of HIPAA rights

30 Authorization Obtain an authorization when appropriate
Usually a customized document Used for specified purposes, other than TPO Covers only the PHI for uses and disclosures specified in the authorization Required for uses and disclosures of PHI not otherwise allowed by the rule

31 Uses Requiring Authorization
Marketing Insurance pre-enrollment activities Employer/uses for employment Fund raising Other uses not exempted by these rules

32 Uses & Disclosures Exceptions -- TPO
Treatment Payment Health Care Operations

33 “Health Care Operations”
Quality assessment/improvement Determining clinical privileges Reviewing plan performance Insurance rating, underwriting, etc. Medical review and auditing Fraud and abuse detection Compiling PHI for legal proceedings

34 Other Permissible Uses Without Consent
Based on capacity or authority Public health activities Health care oversight Judicial/administrative proceedings Coroners/medical examiners Law enforcement, banking, or payment Research, emergencies, and next of kin

35 “Minimum Necessary” Only disclose the PHI needed to accomplish a function Case-by-case determination Designated decision maker Exceptions for: DHHS access plan audit and “as required by law”

36 Why Should You Care? Civil penalties for improper PHI disclosure:
$100 per day, up to $25,000 per year for identical violations Penalty may be avoided if disclosure was for reasonable cause, not willful neglect

37 Criminal Sanctions Criminal penalties for knowing wrongful disclosure of PHI: Fine of not more than $50,000/imprisonment for one year/both If committed under false pretenses, fine of not more than $100,000/imprisonment for not more than five years/both If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both

38 The Bottom Line . . . Know Your Permitted Uses and Disclosures of PHI
Limit Access/Disclosure to Permitted Group Safeguard PHI Keep PHI Out of Employment-Related Actions and Decisions most importantly…

39 Don’t be afraid to ask questions!

40 Rachel Krinsky Rudnick, JD, CIPP
Questions? Rachel Krinsky Rudnick, JD, CIPP University Privacy Officer Office of Audit, Compliance & Ethics (860)

41 HIPAA Security Awareness Training
Elaine David, Director of IT Security, Policy & Quality Assurance

HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information. These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.

HIPAA Security Rule Requirements: Administrative Safeguards Physical Safeguards Technical Safeguards

Administrative Safeguards: Security Management (Risk Analysis, Sanctions, Activity Review) Workforce Security Access Management Awareness & Training Incident Response & Reporting Business Associate Contracts Evaluation of Compliance

Physical Safeguards: Facility Access controls Workstation Acceptable Use & Responsibility Workstation/Server and Mobile Systems security Device and Media Control Security

Technical Safeguards: Access controls (e.g. unique id, password structure, firewall use, wireless access, remote access, etc.) Security Audit controls Authentication Transmission security

Compliance with HIPAA Security Rule: Development and dissemination of many security and data policies. See or

What is information security? The steps taken to protect the confidentiality, integrity and availability of our information resources. Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information. Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc. Availability: assurance that computer resources are available when we expect them to be.

What is security awareness? Recognizing the various types of security issues; Knowing how to prevent a breach; Knowing how to react to a breach.

50 Good Computing Practices - Safeguards for Users
#1: Passwords: - Choose your password carefully Use at least 8 characters Do not use repetitive characters Combine alpha, numeric and non-alpha numeric characters, upper and lower-case Do not base password on familiar words or words/names that can be associated with you Choose one that is easy to remember and easy to type

51 Good Computing Practices - Safeguards for Users
#1: Passwords cont.: Keep your password safe Securely file or destroy paperwork that includes user-id and password information. Do not post, write or share passwords with anyone

52 Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information Use a Password protected screensaver for your workstation (on-site, laptop, home, etc.) Lock your screen For a PC: <crtl> <alt> <delete> <enter> For a MAC: Configure a screensaver with your password; Create a shortcut to activate screensaver Use a password to start up or wake-up your computer Always log off shared workstations If you don’t log off, someone else could use your ID to illegally access confidential information

53 Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information cont Just say “No” when a program ask: “Do you want me to remember your password?” When your password is saved on your hard drive, it makes you and your data vulnerable to hackers who can steal you Password.

54 Good Computing Practices - Safeguards for Users
#3: Physical Access Protect your computer, laptop, PDA, electronic media from being stolen or accessed by others Secure computers with a lockdown cable Store backup media safely and separately from the equipment Don’t leave portable devices unattended, even for a moment

55 Good Computing Practices - Safeguards for Users
#4: Anti Virus Make sure your computer has antivirus and all necessary security patches See Schedule and run regular virus scans of all your files Always close “pop-ups” when they solicit a response to advertisements or other messages Click the “x” box to close the pop-up ad Clicking “no” is the same as “yes” and allows the virus or hacker access to your computer

56 Good Computing Practices - Safeguards for Users
#5: Data Backup and Restoration Make backups a regular task Back up data to your department’s secure server or store on removable media Store backup media safely and separately from the equipment Test that backup data can be restored if necessary

57 Good Computing Practices - Safeguards for Users
#6: Operating System and Network Applications Update operating systems and network applications of your computers with current patches See

58 Good Computing Practices - Safeguards for Users
#7: Information Security Use good judgment about the amount of confidential data that you store on university-owned or personally-owned devices delete files containing confidential data from devices as soon as they are no longer needed Use encryption for transmitting and storing confidential data

59 Good Computing Practices - Safeguards for Users
#7: Information Security – cont Ensure that your computer and other devices are wiped clean of all confidential data using the University’s procedures before being surplused or redeployed to another individual. See

60 Good Computing Practices - Safeguards for Users
#8: Practice safe ing Do not open, forward or reply to suspicious s Keep your inbox “preview pane” closed to prevent certain types of malicious code from executing Turn off the “Automatic download HTML graphics” and “Display graphics in messages” options Delete spam Don’t open attachments or click on website addresses without being certain of their safety.

61 Good Computing Practices - Safeguards for Users
#8: cont Be Aware: is NEVER 100% secure Do not use to send, receive or store confidential information unless required by your job Always limit the amount of confidential information sent by to the minimum necessary Never send, reply or forward UConn confidential information from a non UConn account

62 Good Computing Practices - Safeguards for Users
#9: Computer Security Don’t install unknown or unsolicited programs on your compute Do not install any programs on your University computer that are not authorized by your department and licensed to use on a University computer Be cautious about installing any unknown or unsolicited program on any computer that is used with confidential data.

63 Good Computing Practices - Safeguards for Users
#10: Mobile Devices Maintain the tracking number for the mobile device in a safe location. This will assist police in locating the device in case of loss or theft Only use devices that can restrict access by way of a password or other authentication method Enable all security features the device may have Remove all Personal Identifiers when possible If you use a mobile, wireless device for backup then encrypt all sensitive data and store separately. When available, always save and store to a secure server.

64 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach What to Report: Lost or stolen devices especially if they contain confidential data Erratic computer behavior or unusual messages to your department manager, department IT resource, or UITS Help Center Suspected issues or incidents to a manager or Security Office

65 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont Loss of Equipment Report lost or stolen laptops, Blackberries, PDAs, cell phones, flash drives, etc. to the UCONN Police Department

66 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont Other Security Incidents/Breaches Your Supervisor/Manager Your Department’s IT person Privacy Office (Rachel Krinsky Rudnick): (860) Security Office (Elaine David): (860) UITS Help Center (860)

What about paper records? Important to consider not only electronic records, but paper records as well. See: Best Practice Office Procedures for Dealing with Confidential and Registered Confidential Data

Paper Records: Limit sign-in sheets to first name only. Do not post lists containing confidential information. Remove confidential data from reports where it is not required. Shred or store securely for shredding all reports no longer required that contain confidential. Account for any lists, records and reports containing confidential information.

69 What Does HIPAA Mean for UConn?
The UConn Speech & Hearing Clinic is “HIPAA-tized”

70 HIPAA’s Impact Clinic Operations Clinical Education

71 Brief History University of Connecticut Speech & Hearing Clinic – began in the late 1940’s to support clinical training of students becoming speech-language pathologists and audiologists 1976 – began to charge fees for services provided; billed through a clearinghouse 2001 – determined to be a HIPAA covered entity because billing was managed electronically

72 Getting ready for the Privacy Rule
Confidentiality practices in the clinic were always governed by the standards set forth by the American Speech-Language-Hearing Association Released information only when given permission by the clients except in specific situations Discussions about clients and their communication disorder were limited to conferences with other professionals related to client care AND to clinical teaching Forbidden to remove files from the Speech & Hearing Clinic (ACLU influence)

73 Safeguards pre-HIPAA Depended on students, clinical service providers, and staff to uphold the ASHA Code of Ethics Sanctions built in when violations to the Code occurred, but only applied to persons who were affected by the Code ASHA issued sanctions and the process is lengthy and cumbersome Dependent on students and clinical service providers to use good judgment to determine whether they were maintaining confidentiality

74 From August 2001 until April 14, 2003
Conduct gap analysis – where were the gaps between what we were doing and what we needed to do to comply with the Privacy Rule of HIPAA? Examples of gaps: PHI visible on the secretary’s computer and computer was easily viewed; PHI released to school systems as the payer of services Prepare a budget of what it would cost to become compliant Develop a plan of how to proceed State of Connecticut DoIT’s role

75 Highlights of the process toward compliance with the Privacy Rule
Upgrade the clinic lobby to insure that personal health information (PHI) was protected Create a comprehensive Policy and Procedures Manual that detailed the Clinic’s implementation of HIPAA Create a Notice of Privacy Practices and a procedure for disseminating this information (translated into Spanish) Create a new set of forms and procedures for documentation all relevant aspects of HIPAA to the care of clients with communication disorders

76 More highlights… Devise a training tool for all students and anyone having contact with clients and client records. Issue a “certificate” following training that students take with them. Issue Business Associate Agreements with all vendors and unions with whom we have contracts Gain an office that is self-contained

77 New Speech & Hearing Clinic Office

78 Security Rule Compliance date: April 17, 2005
Risk analysis revealed numerous compliance issues: transmission and storage of electronic data, building’s wireless capability and students’ access to that, encryption (and lack of), computer accessibility Plan put into place; work closely with UITS and CLAS computer support teams. Budget and ways to cover the costs of becoming compliant. Procedures for closing out computer access for students and others when they leave the program

79 HIPAA’s impact on clinical education
Students are provided with a model of the implementation of HIPAA Rules HIPAA training and certificates are often recognized by the host facility when students go to off-campus practicum sites Increased awareness of the procedural nature of maintaining privacy; documentation

80 Outcomes for students…
Awareness of consequences of non-compliance both at federal and local levels When files are removed from the building, the infraction is now treated and reported as “theft” Increased understanding about PHI and need for complying with procedures intended to protect information and confidentiality Exposure to the model of HIPAA implementation that is similar to other settings where they will be

81 What it has meant… Increasing vigilance to maintaining PHI
- ensuring that PHI does not exist on hard drives, on reports that students might use for models to write their own reports - clinicians’ compliance with maintaining confidentiality Increasing amounts of paper Increasing amounts of time spent in training, monitoring, and updating Increasing operating expenses as a result

82 Also has meant… Development of a Business Continuity Plan as part of complying with the Security Rule Increased vigilance in making sure that the release of any information has been authorized by the client and/or the designee An entirely new vocabulary! UConn Speech & Hearing Clinic is regarded as a model of implementation among similar training programs

83 Procedural safeguards have been prescribed and are clearly defined
Client records provide a rich database; OK to use the data as long as the client has been “de-identified” (meant, too, that researchers and teaching faculty had to go through HIPAA training) Installation of a scheduling system that was HIPAA compatible for storing client information Installation of a server that was dedicated to clinic operations; increased efficiency in backing up data regularly

84 Service providers became more HIPAA-savvy consumers!


86 STUDENT HEALTH SERVICES Who are we? What do we do?
We are the “Hospital” for our students and also for employees who have been injured on the job. Our 2006 – 2007 service numbers Advice Nurse 13,471 visits to 7076 patients Primary Care 13,169 visits to 7085 patients Women’s Clinic 3,508 visits to 1892 patients CMHS ,487 visits to 1289 patients Other Areas visits to 1005 patients More than 25,000 individual patient records

Prior to 2003 Physical renovations, new wiring, installing card accessible lock systems for file rooms, doors for patient check-in windows. Creation of Notice of Privacy Practices & Policies Staff training, both permanent and student staff “HIPAA – tizing” forms and procedures Determining Business Associates & Agreements Communicating to UCONN Departments Paper, Paper, Paper!

April 2003 & Beyond Distributing NPP to all of our patients! Continuing with education updates to new and seasoned staff Enforcement of HIPAA policies for release of information, who gets what and how Providing HIPAA course to all students in Allied Health, Nursing, Pharmacy, Physical Therapy prior to their Clinical site study. IRB (Independent Review Board) approves all Drug Study trials. Paper, Paper, Paper!

Prior to 2005 Risk assessment performed to identify security vulnerabilities Security awareness training Workforce clearance procedures for access to electronic PHI Servers moved from SHS building to UITS server farm Physical Security (theft) Data Security (firewall) Data backup and backup storage

Prior to 2005 Created isolated environment to test applications before using in production Data disposal policies & procedures Automatic log-off/password protected screensaver procedures

2005 & Beyond Vigilance to continue with recommendations of the risk assessment.

And now…… Any violations? Over 2200 complaints have been logged with DHHS Where are the HIPAA police? 7 staff members of DHHS were appointed to “police” the HIPAA regulation

93 How HIPAA Changed My Life
Jeffrey M. Anderson, MD Director of Sports Medicine Services University of Connecticut Student Health Services/Division of Athletics

94 How Does HIPAA Affect Me in the Patient Room?
Truth is, it really doesn’t Privacy has always been a hallmark of the physician-patient interaction My relationship with my patient depends on my discretion, whether the law dictates it, or not. Its real impact…


96 How Does HIPAA Affect the UConn Student-Athlete?
Information to athletic trainers Information to strength and conditioning coaches Information to sport coaches Information to parents Information to the media

97 Consent for Disclosure of Protected Information
Signed each year by every student-athlete Information related to the student-athlete’s ability to train, practice, and compete Nature and type of injury/illness, duration of expected recovery, treatment methods, and related rehab progress Essential to the protection of the student-athlete’s health while participating here.

98 HIPAA and Media Interaction
HIPAA can actually be helpful in this area Does affect sideline discussion Interaction is entirely mediated by Athletic Communications Official releases written by them and approved by both the student-athlete and the head coach

Download ppt "University of Connecticut October 4, 2007"

Similar presentations

Ads by Google