HIPAA at UCONN: Protecting Health-Related Information in Educational Settings. University of Connecticut, October 4, 2007.


1 HIPAA at UCONN: Protecting Health-Related Information in Educational Settings
University of Connecticut
October 4, 2007

2 Health Insurance Portability and Accountability Act of 1996 (HIPAA)

3 Public Law
Designed to:
- assure health insurance portability
- reduce health care fraud and abuse
- guarantee integrity and confidentiality of health information
- improve the operations of health care systems and reduce administrative costs
Establishes:
- Standards for privacy
- Standards for security of health data
- Standards for eight electronic transactions and the code sets to be used in those transactions
- Unique health identifiers

4 HIPAA Applicability and Scope
Everyone in healthcare and health-related fields is impacted by this law in some way:
- Payers
- Providers
- Members
- Employers
- Clearinghouses
- Billing agents
- Volunteers
- Vendors
- Service organizations

5 Who must comply? (aka: who does HIPAA apply to?)
- Health Plans
- Clearinghouses
- Providers, if they conduct covered electronic transactions (or have someone conduct them on their behalf)
- Employers who act as providers or health plans or who simply choose to comply
- Other organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)

6 COVERED ENTITIES
- Health Care Providers (physicians, nurses, allied health practitioners, counselors)
- Health Care Facilities (hospitals, clinics)
- Health Plans (HMOs, insurers)
- Health Information Clearinghouses

7 UCONN is a Hybrid Entity
Covered components:
- Student Health Services
- Speech & Hearing Clinic
- EMS/Fire (within Public Safety) as first responders
- Nayden Physical Therapy Clinic

8 Health Insurance Portability and Accountability Act of 1996 (diagram)
- Title I: Insurance Portability
- Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification (Privacy; Security; Electronic Data: Transactions, Code Sets, Identifiers)
- Title III: Tax Related Health Provision
- Title IV: Group Health Plan Requirements
- Title V: Revenue Off-sets

9 Health Insurance Portability and Accountability Act of 1996
The 4 components in HIPAA Title II are:
- Privacy
- Transactions & Code Sets
- Security
- Identifiers

10 HIPAA Privacy Rule (Regulations)

11 Privacy Regulation Application
The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form:
- Electronic
- Oral
- Written
- Faxed
- etc.

12 A Look At Privacy
The Privacy Regulation includes:
- Client/Patient rights
- Regulatory authorizations for treatment, payment and health care operations
- Minimum necessary for intended use
- Business Associate requirements
- Required authorizations
- Review processes, restriction requests, and correction process

13 What information is protected by the HIPAA Privacy Rule?

14 Individually Identifiable Health Information (IIHI)
Any health information that is created or received by a health care provider, health plan, clearinghouse or an employer
- Identifies the individual
- Provides a reasonable basis to believe that the information can be used to identify the individual
- Pertains to the health of an individual
- Pertains to the provision of or payment of healthcare to an individual.

15 Protection of PHI
What is PHI? (Protected Health Information)
- Individually identifiable health information (IIHI), relating to past, present, future health care or payment for health care: ORAL, WRITTEN, ELECTRONIC
- but NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption)
- and NOT employee IIHI in the hands of the Employer (HIPAA exemption)

16 Scope of data covered
HIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information:
- Name
- Address (street, city, county, zip code)
- Social security number
- Birth date
- Account number
- Name of employers
- Telephone/Fax numbers
- Electronic mail addresses
- Names of relatives
- Any other unique identifying number or code that could be used to identify an individual (applies to a small cell)

17 Privacy Applicability and Scope
- Does not preclude stricter state standards that apply to certain types of information (preemption)
- Makes no distinction about the presumed sensitivity of information
- Demographic info should be treated the same as clinical info
- Protects the information itself, not the physical record, regardless of where the information appears

18 Records not covered by HIPAA Privacy Rule
Employment Records
- FMLA certifications
- ADA disability/accommodation records
- Attendance/sick leave records
- Employment physicals
- Workers Compensation records
- Enrollment/disenrollment/COBRA records

19 Records not covered by HIPAA Privacy Rule
Student Records
The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g). FERPA provides privacy protections for student health records held by federally funded educational institutions.

20 HIPAA Excludes FERPA
"We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records."
U.S. Department of Health and Human Services, 65 Federal Register 82,483 (December 28, 2000)

21 FERPA (not HIPAA) protected records
- Student immunization/medical history records
- Student disability/accommodation records
- Student health clinic/counseling records
- Student health insurance enrollment/disenrollment information submitted by student to University

22 Requirements to Protect Privacy
FERPA
- No set, specific requirements
- No clear consensus in higher ed on what is needed
- No court decisions on third party breach
HIPAA
- Administrative Safeguards: (Processes, procedures, training, Risk Analysis)
- Physical Safeguards: (Facility, workstations, etc.)
- Technical Safeguards: (Access, audit control, data integrity, etc.)

23 A Look At Privacy
The Privacy Regulation includes:
- Client/Patient rights
- Regulatory authorizations for treatment, payment and health care operations
- Minimum necessary for intended use
- Business Associate requirements
- Required authorizations
- Review processes, restriction requests, and correction process

24 Some Administrative Requirements
- Notice of Privacy Practices
- Individual Rights
- Business Associate Agreements

25 First Date of Service Acknowledgment Notice of Privacy Practices

26 Basic Individual Rights
- Right to privacy of PHI
  - Treatment, Payment, Health Care Operations Uses
  - Specified disclosures allowed (public health, subpoenas, etc.)
  - Other disclosures with authorization
- Individual right to access, amendment, accounting
- Individual right to request restricted communications and uses/disclosures

27 Business Associate Agreements
- Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entity
- Agreement must ensure business associates' compliance with HIPAA Privacy Rule

28 Other Administrative Requirements
- Designate a Privacy Officer
- Create policies and procedures
- Provide privacy training
- Provide a means for individuals to lodge complaints
- Process for responding to complaints

29 Other Administrative Requirements (cont'd)
- Administrative, technical, and physical safeguards to protect PHI
- Maintain HIPAA documentation for 6 years
- Sanctions for HIPAA privacy violations
- Mitigate harmful effects from violations
- Avoid retaliation or waiver of HIPAA rights

30 Authorization
- Obtain an authorization when appropriate
- Usually a customized document
- Used for specified purposes, other than TPO
- Covers only the PHI for uses and disclosures specified in the authorization
- Required for uses and disclosures of PHI not otherwise allowed by the rule

31 Uses Requiring Authorization
- Marketing
- Insurance pre-enrollment activities
- Employer/uses for employment
- Fund raising
- Other uses not exempted by these rules

32 TPO Uses & Disclosures
Exceptions: TPO
- T: Treatment
- P: Payment
- O: Health Care Operations

33 Health Care Operations
- Quality assessment/improvement
- Determining clinical privileges
- Reviewing plan performance
- Insurance rating, underwriting, etc.
- Medical review and auditing
- Fraud and abuse detection
- Compiling PHI for legal proceedings

34 Other Permissible Uses Without Consent
Based on capacity or authority
- Public health activities
- Health care oversight
- Judicial/administrative proceedings
- Coroners/medical examiners
- Law enforcement, banking, or payment
- Research, emergencies, and next of kin

35 Minimum Necessary
- Only disclose the PHI needed to accomplish a function
- Case-by-case determination
- Designated decision maker
- Exceptions for:
  - DHHS access
  - plan audit and as required by law

36 Why Should You Care?
Civil penalties for improper PHI disclosure:
- $100 per day, up to $25,000 per year for identical violations
- Penalty may be avoided if disclosure was for reasonable cause, not willful neglect

37 Criminal Sanctions
Criminal penalties for knowing wrongful disclosure of PHI:
- Fine of not more than $50,000/imprisonment for one year/both
- If committed under false pretenses, fine of not more than $100,000/imprisonment for not more than five years/both
- If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both

38 The Bottom Line...
- Know Your Permitted Uses and Disclosures of PHI
- Limit Access/Disclosure to Permitted Group
- Safeguard PHI
- Keep PHI Out of Employment-Related Actions and Decisions
most importantly…

39 Don't be afraid to ask questions!

40 Questions?
Rachel Krinsky Rudnick, JD, CIPP
University Privacy Officer
Office of Audit, Compliance & Ethics
(860)

41 HIPAA Security Awareness Training
Elaine David, Director of IT Security, Policy & Quality Assurance

42 HIPAA SECURITY AWARENESS TRAINING
HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information. These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.

43 HIPAA SECURITY AWARENESS TRAINING
HIPAA Security Rule Requirements:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

44 HIPAA SECURITY AWARENESS TRAINING
Administrative Safeguards:
- Security Management (Risk Analysis, Sanctions, Activity Review)
- Workforce Security
- Access Management
- Awareness & Training
- Incident Response & Reporting
- Business Associate Contracts
- Evaluation of Compliance

45 HIPAA SECURITY AWARENESS TRAINING
Physical Safeguards:
- Facility Access controls
- Workstation Acceptable Use & Responsibility
- Workstation/Server and Mobile Systems security
- Device and Media Control Security

46 HIPAA SECURITY AWARENESS TRAINING
Technical Safeguards:
- Access controls (e.g. unique id, password structure, firewall use, wireless access, remote access, etc.)
- Security Audit controls
- Authentication
- Transmission security

47 HIPAA SECURITY AWARENESS TRAINING
Compliance with HIPAA Security Rule: Development and dissemination of many security and data policies. See or

48 HIPAA SECURITY AWARENESS TRAINING
What is information security? The steps taken to protect the confidentiality, integrity and availability of our information resources.
- Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information.
- Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc.
- Availability: assurance that computer resources are available when we expect them to be.

49 HIPAA SECURITY AWARENESS TRAINING
What is security awareness?
- Recognizing the various types of security issues;
- Knowing how to prevent a breach;
- Knowing how to react to a breach.

50 Good Computing Practices - Safeguards for Users
#1: Passwords: Choose your password carefully
- Use at least 8 characters
- Do not use repetitive characters
- Combine alpha, numeric and non-alphanumeric characters, upper and lower-case
- Do not base password on familiar words or words/names that can be associated with you
- Choose one that is easy to remember and easy to type

51 Good Computing Practices - Safeguards for Users
#1: Passwords cont.: Keep your password safe
- Securely file or destroy paperwork that includes user-id and password information.
- Do not post, write or share passwords with anyone

52 Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information
- Use a password-protected screensaver for your workstation (on-site, laptop, home, etc.)
- Lock your screen
  - For a PC:
  - For a MAC:
- Configure a screensaver with your password; create a shortcut to activate screensaver
- Use a password to start up or wake up your computer
- Always log off shared workstations
  - If you don't log off, someone else could use your ID to illegally access confidential information

53 Good Computing Practices - Safeguards for Users
#2: Control Access to Confidential Information cont.
- Just say "No" when a program asks: "Do you want me to remember your password?"
- When your password is saved on your hard drive, it makes you and your data vulnerable to hackers who can steal your password.

54 Good Computing Practices - Safeguards for Users
#3: Physical Access
- Protect your computer, laptop, PDA, electronic media from being stolen or accessed by others
- Secure computers with a lockdown cable
- Store backup media safely and separately from the equipment
- Don't leave portable devices unattended, even for a moment

55 Good Computing Practices - Safeguards for Users
#4: Anti Virus
- Make sure your computer has antivirus and all necessary security patches
- See
- Schedule and run regular virus scans of all your files
- Always close pop-ups when they solicit a response to advertisements or other messages
  - Click the "x" box to close the pop-up ad
  - Clicking "no" is the same as "yes" and allows the virus or hacker access to your computer

56 Good Computing Practices - Safeguards for Users
#5: Data Backup and Restoration
- Make backups a regular task
- Back up data to your department's secure server or store on removable media
- Store backup media safely and separately from the equipment
- Test that backup data can be restored if necessary

57 Good Computing Practices - Safeguards for Users
#6: Operating System and Network Applications
- Update operating systems and network applications of your computers with current patches
- See

58 Good Computing Practices - Safeguards for Users
#7: Information Security
- Use good judgment about the amount of confidential data that you store on university-owned or personally-owned devices
- Delete files containing confidential data from devices as soon as they are no longer needed
- Use encryption for transmitting and storing confidential data

59 Good Computing Practices - Safeguards for Users
#7: Information Security cont.
- Ensure that your computer and other devices are wiped clean of all confidential data using the University's procedures before being surplused or redeployed to another individual.
- See

60 Good Computing Practices - Safeguards for Users
#8: Practice safe e-mailing
- Do not open, forward or reply to suspicious e-mails
- Keep your inbox preview pane closed to prevent certain types of malicious code from executing
- Turn off the "Automatic download HTML graphics" and "Display graphics in messages" options
- Delete spam
- Don't open attachments or click on website addresses without being certain of their safety.

61 Good Computing Practices - Safeguards for Users
#8: cont.
Be Aware: e-mail is NEVER 100% secure
- Do not use e-mail to send, receive or store confidential information unless required by your job
- Always limit the amount of confidential information sent by e-mail to the minimum necessary
- Never send, reply or forward UConn confidential information from a non-UConn account

62 Good Computing Practices - Safeguards for Users
#9: Computer Security
- Don't install unknown or unsolicited programs on your computer
- Do not install any programs on your University computer that are not authorized by your department and licensed to use on a University computer
- Be cautious about installing any unknown or unsolicited program on any computer that is used with confidential data.

63 Good Computing Practices - Safeguards for Users
#10: Mobile Devices
- Maintain the tracking number for the mobile device in a safe location.
  - This will assist police in locating the device in case of loss or theft
- Only use devices that can restrict access by way of a password or other authentication method
- Enable all security features the device may have
- Remove all Personal Identifiers when possible
- If you use a mobile, wireless device for backup then encrypt all sensitive data and store separately.
- When available, always save and store to a secure server.

64 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach
What to Report:
- Lost or stolen devices especially if they contain confidential data
- Erratic computer behavior or unusual messages to your department manager, department IT resource, or UITS Help Center
- Suspected issues or incidents to a manager or Security Office

65 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont.
Loss of Equipment
- Report lost or stolen laptops, Blackberries, PDAs, cell phones, flash drives, etc. to the UCONN Police Department

66 Good Computing Practices - Safeguards for Users
#11: Reporting Security Incidents/Breach cont.
Other Security Incidents/Breaches
- Your Supervisor/Manager
- Your Department's IT person
- Privacy Office (Rachel Krinsky Rudnick): (860)
- Security Office (Elaine David): (860)
- UITS Help Center: (860)

67 HIPAA SECURITY AWARENESS TRAINING
What about paper records? Important to consider not only electronic records, but paper records as well. See: Best Practice Office Procedures for Dealing with Confidential and Registered Confidential Data

68 HIPAA SECURITY AWARENESS TRAINING
Paper Records:
- Limit sign-in sheets to first name only.
- Do not post lists containing confidential information.
- Remove confidential data from reports where it is not required.
- Shred or store securely for shredding all reports no longer required that contain confidential data.
- Account for any lists, records and reports containing confidential information.

69 What Does HIPAA Mean for UConn?
The UConn Speech & Hearing Clinic is HIPAA-tized

70 Clinic Operations; Clinical Education; HIPAA's Impact

71 Brief History
- University of Connecticut Speech & Hearing Clinic – began in the late 1940s to support clinical training of students becoming speech-language pathologists and audiologists
- 1976 – began to charge fees for services provided; billed through a clearinghouse
- 2001 – determined to be a HIPAA covered entity because billing was managed electronically

72 Getting ready for the Privacy Rule
- Confidentiality practices in the clinic were always governed by the standards set forth by the American Speech-Language-Hearing Association
- Released information only when given permission by the clients except in specific situations
- Discussions about clients and their communication disorder were limited to conferences with other professionals related to client care AND to clinical teaching
- Forbidden to remove files from the Speech & Hearing Clinic (ACLU influence)

73 Safeguards pre-HIPAA
- Depended on students, clinical service providers, and staff to uphold the ASHA Code of Ethics
- Sanctions built in when violations to the Code occurred, but only applied to persons who were affected by the Code
- ASHA issued sanctions and the process is lengthy and cumbersome
- Dependent on students and clinical service providers to use good judgment to determine whether they were maintaining confidentiality

74 From August 2001 until April 14, 2003
- Conduct gap analysis – where were the gaps between what we were doing and what we needed to do to comply with the Privacy Rule of HIPAA?
- Examples of gaps: PHI visible on the secretary's computer and computer was easily viewed; PHI released to school systems as the payer of services
- Prepare a budget of what it would cost to become compliant
- Develop a plan of how to proceed
- State of Connecticut DoIT's role

75 Highlights of the process toward compliance with the Privacy Rule
- Upgrade the clinic lobby to ensure that personal health information (PHI) was protected
- Create a comprehensive Policy and Procedures Manual that detailed the Clinic's implementation of HIPAA
- Create a Notice of Privacy Practices and a procedure for disseminating this information (translated into Spanish)
- Create a new set of forms and procedures for documenting all relevant aspects of HIPAA to the care of clients with communication disorders

76 More highlights…
- Devise a training tool for all students and anyone having contact with clients and client records. Issue a certificate following training that students take with them.
- Issue Business Associate Agreements with all vendors and unions with whom we have contracts
- Gain an office that is self-contained

77 New Speech & Hearing Clinic Office

78 Security Rule
- Compliance date: April 17, 2005
- Risk analysis revealed numerous compliance issues: transmission and storage of electronic data, building's wireless capability and students' access to that, encryption (and lack of), computer accessibility
- Plan put into place; work closely with UITS and CLAS computer support teams. Budget and ways to cover the costs of becoming compliant.
- Procedures for closing out computer access for students and others when they leave the program

79 HIPAA's impact on clinical education
- Students are provided with a model of the implementation of HIPAA Rules
- HIPAA training and certificates are often recognized by the host facility when students go to off-campus practicum sites
- Increased awareness of the procedural nature of maintaining privacy; documentation

80 Outcomes for students…
- Awareness of consequences of non-compliance both at federal and local levels
- When files are removed from the building, the infraction is now treated and reported as theft
- Increased understanding about PHI and need for complying with procedures intended to protect information and confidentiality
- Exposure to the model of HIPAA implementation that is similar to other settings where they will be

81 What it has meant…
- Increasing vigilance to maintaining PHI
  - ensuring that PHI does not exist on hard drives, on reports that students might use for models to write their own reports
  - clinicians' compliance with maintaining confidentiality
- Increasing amounts of paper
- Increasing amounts of time spent in training, monitoring, and updating
- Increasing operating expenses as a result

82 Also has meant…
- Development of a Business Continuity Plan as part of complying with the Security Rule
- Increased vigilance in making sure that the release of any information has been authorized by the client and/or the designee
- An entirely new vocabulary!
- UConn Speech & Hearing Clinic is regarded as a model of implementation among similar training programs

83
- Procedural safeguards have been prescribed and are clearly defined
- Client records provide a rich database; OK to use the data as long as the client has been de-identified (meant, too, that researchers and teaching faculty had to go through HIPAA training)
- Installation of a scheduling system that was HIPAA compatible for storing client information
- Installation of a server that was dedicated to clinic operations; increased efficiency in backing up data regularly

84 Service providers became more HIPAA-savvy consumers!

85 HIPAA AT STUDENT HEALTH SERVICES
JANE DESROSIERS, RHIT
INFORMATION COORDINATOR, PRIVACY OFFICER
October 2007

86 STUDENT HEALTH SERVICES
Who are we? What do we do?
We are the Hospital for our students and also for employees who have been injured on the job.
Our 2006 – 2007 service numbers:
- Advice Nurse: 13,471 visits to 7076 patients
- Primary Care: 13,169 visits to 7085 patients
- Women's Clinic: 3,508 visits to 1892 patients
- CMHS: 7,487 visits to 1289 patients
- Other Areas: 2290 visits to 1005 patients
More than 25,000 individual patient records

87 PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2003
- Physical renovations, new wiring, installing card accessible lock systems for file rooms, doors for patient check-in windows.
- Creation of Notice of Privacy Practices & Policies
- Staff training, both permanent and student staff
- HIPAA-tizing forms and procedures
- Determining Business Associates & Agreements
- Communicating to UCONN Departments
- Paper, Paper, Paper!

88 PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
April 2003 & Beyond
- Distributing NPP to all of our patients!
- Continuing with education updates to new and seasoned staff
- Enforcement of HIPAA policies for release of information, who gets what and how
- Providing HIPAA course to all students in Allied Health, Nursing, Pharmacy, Physical Therapy prior to their Clinical site study.
- IRB (Independent Review Board) approves all Drug Study trials.
- Paper, Paper, Paper!

89 SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2005
- Risk assessment performed to identify security vulnerabilities
- Security awareness training
- Workforce clearance procedures for access to electronic PHI
- Servers moved from SHS building to UITS server farm
- Physical Security (theft)
- Data Security (firewall)
- Data backup and backup storage

90 SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
Prior to 2005
- Created isolated environment to test applications before using in production
- Data disposal policies & procedures
- Automatic log-off/password protected screensaver procedures

91 SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES
2005 & Beyond
- Vigilance to continue with recommendations of the risk assessment.

92 HIPAA IMPACT ON STUDENT HEALTH SERVICES
And now……
- Any violations? Over 2200 complaints have been logged with DHHS
- Where are the HIPAA police? 7 staff members of DHHS were appointed to police the HIPAA regulation

93 How HIPAA Changed My Life
Jeffrey M. Anderson, MD
Director of Sports Medicine Services
University of Connecticut Student Health Services/Division of Athletics

94 How Does HIPAA Affect Me in the Patient Room?
- Truth is, it really doesn't
- Privacy has always been a hallmark of the physician-patient interaction
- My relationship with my patient depends on my discretion, whether the law dictates it, or not.
- Its real impact…

95

96 How Does HIPAA Affect the UConn Student-Athlete?
- Information to athletic trainers
- Information to strength and conditioning coaches
- Information to sport coaches
- Information to parents
- Information to the media

97 Consent for Disclosure of Protected Information
- Signed each year by every student-athlete
- Information related to the student-athlete's ability to train, practice, and compete
- Nature and type of injury/illness, duration of expected recovery, treatment methods, and related rehab progress
- Essential to the protection of the student-athlete's health while participating here.

98 HIPAA and Media Interaction
- HIPAA can actually be helpful in this area
- Does affect sideline discussion
- Interaction is entirely mediated by Athletic Communications
- Official releases written by them and approved by both the student-athlete and the head coach

