1. LSU Health Shreveport Shreveport - EA Conway - Huey P Long HIPAA Privacy and Information Security Education Prepared by Compliance Office March 2012 1

2. CONTENTS  What is HIPAA and its relevance to you  How HIPAA affects you and your job  How you can protect patients’ health information  How to understand and reduce the risks when using and storing electronic information  What role you play in protecting our computer network  Where to get assistance with HIPAA questions 2

3. R ELEVANCE TO Y OU  Education about HIPAA and your institution’s policies and procedures related to complying with HIPAA, is required by law.  All employees under the direction of the North Louisiana Chancellor are required to complete this module and be familiar with related policies. This includes all employees of Shreveport, E.A. Conway and Huey P. Long campuses.  All campuses are designated as LSU Health Shreveport for purposes of HIPAA. 3

4. W HAT IS HIPAA?  HIPAA is a federal statute (the Health Insurance Portability and Accountability Act of 1996) which…  Established national medical privacy standards  Established security standards for individual’s health information  Established Electronic Transaction and Code Sets Standards for electronic health information and payment systems 4

5. HIPAA LAW CHANGES The American Recovery and Investment Act of 2009, otherwise known as the Stimulus Package or HITECH Act, dramatically increased HIPAA requirements and penalties. In addition to the increased financial penalties, facilities will be subject to civil and criminal penalties beginning in 2011. 5

6. HIPAA R EQUIREMENTS FOR H EALTHCARE P ROVIDERS  Must protect the privacy and security of an individual’s Protected Health Information (PHI)  Should only use the “ minimum necessary ” patient information required to accomplish the intended purpose of the patient’s treatment, payment or hospital operations  Must allow individuals, by their written authorization, to control the sharing of their protected health information 6

7. H IPAA G IVES P ATIENTS T HE RIGHT T O : review and/or receive a copy of their medical records request an accounting of disclosures request to amend their PHI request confidential communications request restrictions on disclosure of their information 7

8. W HAT INFORMATION MUST LSU H EALTH S HREVEPORT PROTECT ?  HIPAA and Louisiana State Law directs, that as a healthcare provider, LSU Health Shreveport must protect an individual’s personal health information that they create, receive, or maintain. 8

9. T ERMS Y OU S HOULD K NOW  Protected Health Information (PHI) is: Individually Identifiable Information created or received in any form (verbal, written, or electronic) by a HIPAA covered entity Information about an individual’s past, present or future physical/mental condition Information about an individual’s past, present, or future provision for payment of health care 9

10. E XAMPLES OF P ROTECTED H EALTH I NFORMATION (PHI, E PHI)  Personally identifiable information such as name, address, birth date, phone and fax numbers, e-mail address, social security numbers and other unique numbers  Billing records, claim data, referral authorizations  Medical records, diagnosis, treatment, x- rays, photos, prescriptions, laboratory, and other test results  Research records  This includes all formats of the above information --verbal, written, and electronic 10

11. I N ORDER FOR A LSU H EALTH S HREVEPORT H EALTHCARE PROVIDER TO USE OR DISCLOSE PHI:  LSU Health Shreveport must provide each patient with a Notice of Privacy Practices and obtain a patient’s signature acknowledging receipt of the notice that:  Describes how LSU Health Shreveport may use and disclose the patient’s protected health information (PHI) and  Advises the patient of his/her privacy rights 11

12. HIPAA S PECIFICALLY ALLOWS …  LSU Health Shreveport to create, use, and share a person’s protected health information as the Notice of Privacy Practices describes for the following:  Treatment  Payment  Operations including medical staff quality or peer review activities, and government reporting LSU HEALTH SCIENCES CENTER – SHREVEPORT NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. LSU HEALTH SCIENCES CENTER – SHREVEPORT NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. 12

13. W HAT DOES D ISCLOSURE M EAN ?  To release, transfer, provide access to or divulge patient information in any manner outside of LSU Health Shreveport  Only the minimum amount of necessary patient information may be disclosed for any allowed use or disclosure 13

14. F OR D ISCLOSURES OTHER THAN TPO  For disclosures other than for treatment, payment, and operations (TPO)… LSU Health Shreveport must obtain a written patient authorization or receive a subpoena to disclose information  Non routine disclosure requests should be sent to the Compliance Office for review before processing 14

15. T EACHING H OSPITALS In an academic institution teaching is a key part of operations. Bedside rounds, teaching rounds, conferences, etc are all permissible. On the wards or in the clinics, staff should take measures to minimize incidental disclosures, such as speaking softly. 15

16. T EACHING H OSPITALS At teaching conferences minimize disclosure of patient identifiers as much as possible. LSU Health Shreveport attempts to “de ‑ identify” patient information used in lectures and other teaching activities. 16

17. D ISCLOSURE L OGS  Any disclosure that is not authorized by the patient or not made as a part of treatment or payment must be entered into the online disclosure logs which can be accessed by anyone with their LSU Health Shreveport system user id and password at the following URL:  http://www.compliance.lsuhscshreveport.edu/secure/disclosures/ http://www.compliance.lsuhscshreveport.edu/secure/disclosures/ 17

18. I NCIDENTAL DISCLOSURES AND HIPAA  Incidental uses and disclosures are permitted if reasonable safeguards are used to protect PHI such as talking in a low voice. Example: discussions during teaching rounds; calling out a patient’s name in the waiting room; sign in sheets in hospital and clinics.  Patients may see normal clinical operations as violating their privacy ( incidental disclosure )  Ask yourself - ”What if it were my information being discussed in this place or in this manner?” 18

19. HIPAA V IOLATIONS C AN C ARRY P ENALTIES  Criminal Penalties  $50,000 - $250,000 fines  Jail Terms up to10 years  Civil Monetary Penalties  $100 - $25,000/yr fines  Up to 1.5 million dollars per calendar year for multiples of the same violation  LSU Health Shreveport corrective & disciplinary action  Up to & including job loss 19

20. B E AWARE THAT PHI AND E -PHI ARE EVERYWHERE 20

21. D ISPOSAL OF PAPER RECORDS All papers that have any patient information on them should be shredded before they are discarded.  If your department is using a shredding bin from a company that the hospital has a contract with, put the papers inside the bins. Do not put papers beside the bins. 21

22. P HYSICAL AND E LECTRONIC I NFORMATION CAN BE LOST OR STOLEN  Lost or stolen physical items such as paper copies, films, tapes, PDAs, CDs, cell phones, laptops, flash drives, etc…  Lost anywhere - streets, restrooms, coffee houses etc..  Stolen because items not properly secured  User not logged off and an unwanted person uses their computer  Unprotected systems hacked  Misdirected to outside world…  Mislabeled mail, wrong fax number, wrong phone number, wrong email address, misplaced on intranet  Not using secured email  Verbal release of information without patient signed approval 22

23. P ASSWORDS  The use of a strong password is critical to secure protected information  Your password is like the lock on your house (you want it to be as strong as possible) 23

24. I F S OMEONE K NOWS Y OUR P ASSWORD T HEY C AN :  Read your emails  Respond to your emails as if they were you  Inspect your files  Have access to all the your information  Have you blamed for their offenses  In other words; they have stolen your identity! 24

25. T IPS FOR C REATING A S TRONG P ASSWORD  Make it lengthy  Each character added increases protection many times over. Ideally 8 – 14 characters  Combine letters, numbers and symbols  The greater the variety of characters the harder it is to guess  Use the entire keyboard not just the most common characters  Use phrases that are easy for you to remember but difficult for others to guess 25

26. W HAT DO I DO IF I THINK MY PASSWORD HAS BEEN COMPROMISED ?  Notify the Help Desk ( 5-5470 option 2 ) or your computer support personnel  Change your password immediately (If you need assistance changing your password, ask your computer supporter)  Remember: you are responsible for all activities occurring under your LSU Health Shreveport login ID 26

27. M ALWARE V IRUSES /W ORMS /S PYWARE  Malware is any software that causes unintended results  Viruses/Worms are programs that attempt to spread throughout your system and the entire network Prevention : antivirus software should be installed and updated on your computer  Spyware are programs that are installed with little or no notification during the installation of another program or while browsing the Internet Prevention: install and run an updated spyware scanner 27

28. S USPICIOUS E MAIL  Steps to prevent malware sent by email:  Don’t open e-mail attachments or click on website addresses contained in an e-mail  Save all attachments to your computer and scan them with your antivirus product before opening them  Don’t open, forward, or reply to suspicious e-mails  Delete spam  If you suspect malware has been installed, contact your computer supporter or the Helpdesk as soon as possible. 28

29. I NAPPROPRIATE USE OF THE I.T. INFRASTRUCTURE  Computer users (employees, students, etc.) shall NOT :  Engage in any activity that jeopardizes the availability, performance, integrity or security of the I.T. infrastructure  Use computing resources in a wasteful manner  Use I.T. resources for personal gain or commercial purposes not directly related to your job  Install, copy, or use any software in violation of licensing agreements, copyrights, or contracts 29

30. I NAPPROPRIATE U SE CONT …  Computer users (employees, students, etc.) shall NOT:  Obtain or attempt to access the files or electronic mail of others unless authorized by the owner  Send, forward, or reply to E-mails chain letters  Create or transmit any offensive, obscene, or indecent images, data, or other material  Play “Internet radio or “web radio” 30

31. C ONFIDENTIALITY / S AFEGUARDS  Extra precautions must be taken when protected information (health or financial information) is stored on a local computer:  Data must be stored using encryption in case your laptop is lost or stolen  Lock your computer if you leave your machine unattended  Written backup and disaster plans must be in place 31

32. C ONFIDENTIALITY / S AFEGUARDS PHI must NOT be emailed or “texted” outside the LSU Health Shreveport intranet system unless it is encrypted. 32

33. G OOD C OMPUTING P RACTICES P ORTABLE D EVICE S ECURITY  Don’t keep restricted data on portable devices (this includes any patient information)  Back-Up your data  Make backups a regular task, ideally at least once a day.  Backup data to your department’s secure server.  Store backup media safely and separately from the equipment. 33

34. G OOD C OMPUTING P RACTICES D ATA M ANAGEMENT  Managing Restricted Data  Know where this data is stored.  Destroy restricted data which is no longer needed  Shred or otherwise destroy restricted data before throwing it away  Erase/degauss information before disposing of or re-using drives 34

35. G OOD C OMPUTING P RACTICES S AFE INTERNET U SE  Practice safe internet use  Accessing any site on the internet could be tracked back to your name and location.  Accessing sites with questionable content often results in spam or release of viruses. And it bears repeating …  Don’t download unknown or unsolicited programs! 35

36. I NCIDENT R EPORTING  Notify your local computer supporter or Helpdesk if:  You suspect your password has been compromised  You suspect your files have been tampered with  Your computer behaves abnormally  You suspect someone has obtained or is trying to obtain unauthorized access 36

37. R EPORTING D EVICE L OSS OR T HEFT  Report lost or stolen laptops, blackberries, PDAs, cell phones, flash drives, etc… Loss or theft of any computing device MUST be reported immediately to the University Police Department. 5-6165 37

38. R EPORTING P RIVACY AND S ECURITY I NCIDENTS /B REACH  Immediately report anything unusual, suspected privacy breaches or security incidents, to IT Security and the Compliance Office.  This includes loss/theft of PHI in hardcopy format (paper, films etc).  If no one is available to receive your report please call the Computer Helpdesk 24/7  You can also e-mail or go to the LSU Health Shreveport website: email: SHV IT Security SHV Compliance 38

39. P ATIENT B REACH N OTIFICATION As of September 23, 2009 patients must be notified if there is a breach involving their information. Annually all breaches must be reported, to the CMS Office of Civil Rights, by the Compliance Office. Remember to call the Compliance Office at 675-8503 if you identify a breach. 39

40. Y OU ARE RESPONSIBLE FOR :  Complying with LSU Health Shreveport security and privacy policies  Accessing or using PHI only if necessary to perform your job duties  Accessing only the minimum necessary information you need to perform your job  Using computer resources responsibly and for authorized purposes only 40

41. R ESOURCES : WITH P RIVACY AND C ONFIDENTIALITY  HIPAA website: http://myhsc.lsuhscshreveport.edu/Compliance/ComplianceHipaa. aspx http://myhsc.lsuhscshreveport.edu/Compliance/ComplianceHipaa. aspx  LSU Health Shreveport Privacy Officer: Debbie Hall Miller 318-675-8503 dmille@lsuhsc.edu  EA Conway Privacy Official: Ken Roark 318-330-7418 kroark@lsuhsc.edu  Huey P Long Privacy Official: Debbie Hall Miller 318-675-8503 dmille@lsuhsc.edu 41

42. R ESOURCES : I NFORMATION S ECURITY Information Security Officer for Shreveport: Jeff Laughlin 318-675-4609 jlaugh@lsuhsc.edujlaugh@lsuhsc.edu Information Security Officer for E A Conway: Todd Walters 318-330-7544 twalte@lsuhsc.edutwalte@lsuhsc.edu Information Security Officer for H P Long: Mickey Roberts 318-473-6228 mrober@lsuhsc.edumrober@lsuhsc.edu 42

43. C ONFIDENTIAL H OTLINE Confidential Hotline 1-800-465-1923 43

44. LSU H EALTH S HREVEPORT C ONFIDENTIALITY A GREEMENT  LSU Health Shreveport has a legal and ethical responsibility to safeguard the privacy of all patients and protect information that is defined as confidential. Confidential information includes information contained in manual documentation as well as information stored in the facilities computer systems. Patient, personnel, financial and other business records contain confidential information. 44

45. C ONFIDENTIALITY A GREEMENT C ONTINUED  I, understand that information regarded as confidential must be maintained in the strictest of confidence. As a condition of my affiliation with LSU Health Shreveport, I hereby agree that I will not at any time during or after my affiliation with LSU Health Shreveport, disclose any confidential information to any person, other than as necessary in the course of my affiliation with LSU Health Shreveport. Release of any information must be provided by the appropriate, authorized personnel.  Institutional computer systems and the data in those systems may be accessed only by authorization from Administration. 45

46. C ONFIDENTIALITY A GREEMENT C ONTINUED  Computer system access is granted only to persons who have been issued user identification codes. All user identification codes and passwords are confidential. I understand that I am directly responsible for the accuracy and completeness of data entries which are entered into the LSU Health Shreveport computer systems.  Revealing user identification codes or passwords is a crime, punishable by fine and/or imprisonment (La.R.S. 14.73.1 et seq.). Using another employee ’ s user identification code/password or giving my user identification code/password to another person may result in disciplinary action, fine or imprisonment. 46

47. C ONFIDENTIALITY A GREEMENT C ONTINUED  Security violations may include but are not limited to failing to sign off when leaving the computer unattended; modifying my own medical or employment record; requesting another employee access my employment or medical record; allowing another employee to use my password; accessing medical or employment records without having a legitimate reason; allowing anyone else to view confidential information while I am signed-on to a computer system; using another employee ’ s access code; revealing confidential information or business/financial details of patients or employees. 47

48. C ONFIDENTIALITY A GREEMENT C ONTINUED  All privacy and security violations will be reported to and investigated by the appropriate authorities.  The failure to abide by this agreement may result in disciplinary action, including dismissal from employment, fine and/or imprisonment, according to the Civil Service Rules and Regulations, LSU System Guidelines, applicable Medical Staff By Laws, Federal Law and Louisiana State Law. 48

49. A TTESTATION C ONFIDENTIALITY A GREEMENT I certify that I have read the HIPAA Privacy and Security education and agree to the terms of the LSU Health Shreveport Confidentiality Agreement. 49