HIPAA Privacy Rules: What's Important to Know to Protect Your Patients, Yourself, and Your Institution
Office of Compliance, Brody School of Medicine, ECU HIPAA Privacy Office
(Presentation transcript)
Overview
- Background and General Information
- Use and Disclosure of Protected Health Information
- Patients' Rights under HIPAA
- Security Breach Notification Requirements
- Penalties and Enforcement under HIPAA
- ECU HIPAA Privacy Violation Levels and Sanctions
- ECU Privacy Basics
Background and General Information
- HIPAA is a federal law that established a minimum level of privacy protections for "protected health information" (PHI).
- Congress felt that additional privacy and security protections were necessary once transmission of health claims and other health information became uniform and electronic.
- Required compliance with HIPAA became effective on April 14, 2003.
Background and General Information: What is Protected Health Information (PHI)?
PHI is information that:
- Is created or received by a covered entity;
  - Covered entity: health plans, health care clearinghouses, and health care providers.
  - Hybrid entity: a single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be affected, because the health care component is limited in how it can share PHI with the non-health care components.
  - ECU is a hybrid entity with designated health care components.
- Relates to the past, present or future physical or mental health or condition of the individual, or to payment for health care; and
- Identifies the individual or provides a reasonable basis to identify the individual.
  - This includes all personal demographic and health information.
- PHI can be in any form: verbal, written or electronic.
Background and General Information: Identifiers
- Name
- Geographic location: street address, city, county, precinct, zip code
- Dates: DOB, date of death, admission/discharge/treatment dates
- Phone/fax numbers
- E-mail address
- SSN
- Medical record number
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
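The identifier list above is what a de-identification pass has to remove before free text can stop being treated as PHI. The Python script below is an added example and is not part of the ECU training deck: it applies regular expressions for the identifier classes that have a machine-recognizable shape (SSN, phone, e-mail, URL, IP address, dates, medical record number, zip code) to a constructed clinical note, and then reports any residual digit runs for human review. The MRN format and the sample note are assumptions; names, free-text geography and similar identifiers have no fixed shape and are deliberately out of scope for a pattern-based pass, which is why the residual check exists.

```python
"""Pattern-based scrub of HIPAA identifiers from free text.

Added example for illustration only; not code from the ECU training deck.
The MRN format and the sample note below are constructed assumptions.
Regular expressions catch identifiers with a fixed shape; they do not
catch names, street addresses or other free-text identifiers, so the
residual check at the end exists to hand leftovers to a human reviewer.
"""
from __future__ import annotations

import re

# Applied in this order. Order matters: URLs are removed before bare IP
# addresses, and the five-digit ZIP pattern runs last so that it only
# sees digits no earlier, more specific pattern has already claimed.
PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d+\b")),  # assumed local chart-number format
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Constructed sample note; every value in it is fictitious.
SAMPLE_NOTE = (
    "Pt MRN 00418233, DOB 03/14/1961, seen 2014-02-28 for follow-up. "
    "Home: 27834. Call (252) 744-1234 or jdoe@example.com. "
    "Portal: https://portal.example.org/visit/99 from 10.12.0.7. "
    "SSN on file 123-45-6789. Account 5550012 pending."
)


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Replace each recognised identifier with a [LABEL] token.

    Returns the scrubbed text and a count of replacements per label, so a
    caller can log what kinds of identifiers were present without logging
    the identifiers themselves.
    """
    counts: dict[str, int] = {}
    for label, pattern in PATTERNS:
        text, hits = pattern.subn(f"[{label}]", text)
        if hits:
            counts[label] = hits
    return text, counts


def residual_numbers(text: str, min_digits: int = 5) -> list[str]:
    """Digit runs that survived scrubbing and need a human decision.

    Account numbers, beneficiary IDs and similar identifiers have no
    universal shape, so anything long and numeric that no pattern claimed
    is treated as suspect rather than assumed safe.
    """
    return re.findall(rf"\b\d{{{min_digits},}}\b", text)


if __name__ == "__main__":
    cleaned, summary = scrub(SAMPLE_NOTE)
    print(cleaned)
    print("replaced:", summary)
    print("review:", residual_numbers(cleaned))
```

Run stand-alone, the script prints the scrubbed note, a per-label count of what was replaced, and the one leftover number ("5550012", the constructed account number) that no pattern recognised. That leftover is the point: a pattern list is a floor, not a guarantee, and anything it does not claim has to be reviewed or the list extended with the local format before the output is treated as de-identified.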
Background and General Information: The American Recovery and Reinvestment Act of 2009 (ARRA)
ARRA drastically modified certain provisions of HIPAA, including:
- Heightened enforcement
  - Increased penalties
  - Periodic audits for compliance
- Security breach notification requirements
- Increased restrictions on use and disclosure of PHI
- Additional rights for patients
  - Copies of PHI in electronic format
  - PHI may not be disclosed to a health plan if the patient paid for the service in full "out of pocket" and requests the restriction
Test Your Privacy Knowledge #1
Which of the following pieces of information is permissible to discuss with a friend or family member?
a) The mutual friend who came to your facility
b) The patient you cared for with a highly unusual set of symptoms, without stating the patient's name
c) The prominent politician who is a patient at your facility
d) The high number of heart disease patients you have seen this week
e) The patient you cared for who lives on your block
Test Your Privacy Knowledge #1: Answer
d) It is acceptable to talk about general trends, but not about specific patients; an unusual case can identify a patient even when the name is withheld.
Use and Disclosure of PHI: HIPAA Authorization
- In general, required for any use or disclosure of PHI that does not fall under one of the exceptions covered in the following slides.
- A special type of authorization, separate from the general consent for treatment.
- Must be in writing and include specific elements.
- The patient must receive a copy and is permitted to revoke the authorization at any time, in writing.
- Typical uses include:
  - Research at a covered entity
  - A patient's request to release PHI to an outside entity or individual
  - Release of employment-related examination information
  - Psychotherapy notes and other sensitive conditions
  - Certain fundraising or marketing activities (those not exempt from the authorization requirement)
Use and Disclosure of PHI: Broad Exception for "Treatment, Payment or Health Care Operations"
- "Treatment": providing information to other providers involved in the care of the patient (e.g., other nurses, doctors, lab personnel). This does NOT allow disclosure of psychotherapy notes and other sensitive conditions (e.g., HIV status); separate consent is required to release that type of information.
- "Payment": submission of claims for services to third-party payors; collection activities.
- "Health care operations": using and disclosing PHI for quality assurance reviews, internal auditing, peer review, outside lawyers, accountants, etc. Research is not considered health care operations.
Use and Disclosure of PHI: Examples of Exceptions to the Authorization Requirement
- Law enforcement purposes
- Judicial and administrative proceedings (per court order or subpoena)
- Health oversight agencies (e.g., HHS)
- Certain public health activities (e.g., CDC, public health departments, tracking of FDA recalls, reporting of adverse events during research)
Use and Disclosure of PHI: Disclosure to the Patient's Family and Others Involved in Care
- May disclose PHI directly relevant to that person's involvement in the care.
- May disclose PHI to notify a family member, a personal representative or others involved in the patient's care of the patient's location, general condition, or death.
- If the patient is present: obtain the patient's agreement to involve family members or others.
- If the patient is not present or is incapacitated: exercise professional judgment to determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's care.
The Minimum Necessary Requirement, 45 C.F.R. 164.502(b) and 164.514(d): Disclosures to Family, Friends and Other Persons

Family member or friend
- Patient is present and has the capacity to make health care decisions: the provider may disclose relevant information if the provider does one of the following:
  - obtains the patient's agreement;
  - gives the patient an opportunity to object and the patient does not object; or
  - decides from the circumstances, based on professional judgment, that the patient does not object.
  Disclosure may be made in person, over the phone, or in writing.
- Patient is not present or is incapacitated: the provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. The provider may also use professional judgment and experience to decide whether it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

Other persons
- The provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, believes the disclosure to be in the patient's best interest. Disclosure may be made in person, over the phone, or in writing.
Test Your Privacy Knowledge #2
PHI may be disclosed without authorization or waiver to government agencies as required by law.
a) True
b) False

Test Your Privacy Knowledge #2: Answer
a) True. For example, child abuse and neglect reporting to health authorities.
Use and Disclosure of PHI: "Minimum Necessary" Rule
- In general, the amount and types of PHI used or disclosed are restricted to the minimum necessary to satisfy the request.
- "Reasonable efforts" must be made not to disclose more than the minimum amount of PHI necessary to accomplish the intended purpose.
- The rule does not apply to disclosures to other providers for treatment purposes, or to release of PHI to the patient pursuant to the patient's own authorization.
Test Your Privacy Knowledge #3
You are a billing clerk and routinely look at medical records to know whether laboratory tests were performed. Are you permitted to view the results of the lab tests?
a) Yes
b) No

Test Your Privacy Knowledge #3: Answer
b) No. Viewing the results would exceed the scope of the billing clerk's job duties; knowing that a test was performed is the minimum necessary to bill for it.
Use and Disclosure of PHI: Contacting Patients
- Make every effort to speak to the patient directly.
- Never leave voice messages containing information regarding condition, test results, etc.
- If you must leave a message, leave only your name, "ECU Physicians", and your phone number. Do not state the reason for the call.
Use and Disclosure of PHI: Verification of the Identity of an Individual Requesting PHI by Phone
- Reasonable efforts must be made to verify the identity of the caller or individual requesting PHI.
- Reasonable verification questions ask for personal information about the patient that is not easily found, such as DOB or maiden name. Easily found information such as telephone number or address does not verify identity.
Use and Disclosure of PHI: Incidental Disclosures
- Incidental disclosures are not violations of HIPAA: they are disclosures that can occur even after proper safeguards have been taken.
- Examples: waiting room sign-in sheets, calling out a patient's last name in the waiting room (e.g., "Mr. Smith", "Mrs. Jones"), shared hospital rooms, teaching rounds.
Use and Disclosure of PHI: Commonsense Safeguards
- Do not discuss patient information in hallways, elevators, restaurants, or other public places where others may overhear your conversation.
- Never post or share information about a patient on social media sites.
- Do not access any medical record or other PHI unless you have a legitimate business or patient care purpose. For example, never access a medical record or other PHI to learn of a friend's condition, birth date, status of a newly delivered baby, etc.
Use and Disclosure of PHI: Commonsense Safeguards (continued)
- Never share your EMR password with anyone for any purpose.
- Faxes: verify fax numbers prior to sending PHI, use an approved fax cover sheet, and ask whether someone will be waiting for the information (especially if you do not know the location of the receiving fax machine).
- Computer screens: to the extent possible, turn screens away from visitors, use a privacy screen, etc.; always lock the computer when leaving a workstation on which you have been viewing PHI.
Patient Rights under HIPAA: Right to Access PHI
- Patients may request to receive a copy of their medical record.
- The request must be in writing using the approved form.
- Requests may be denied in certain circumstances.
- ECU employees are not permitted to access their own PHI without first going through Health Information Systems Services.
Patient Rights under HIPAA: Right to an Accounting of Disclosures
- Patients may request an accounting of disclosures of their ECU-maintained PHI made during the past six years: a listing showing to whom their PHI has been disclosed.
- The accounting does not include disclosures made for treatment, payment, or health care operations; disclosures made pursuant to the patient's own authorization; or disclosures made prior to April 14, 2003 (the effective date of the rule).
- It also does not include disclosures made for national security or intelligence purposes, or for law enforcement purposes.
Patient Rights under HIPAA: Right to Confidential and Alternative Communications
- Patients have the right to request the method by which they will be contacted (e.g., which telephone number, location, etc.).
- Any request to communicate PHI by alternate means must be submitted in writing using the ECU Request for Alternate Communication Form.
Patient Rights under HIPAA: Right to Further Restrict Disclosure of PHI
- Patients may request that their PHI not be disclosed in a certain manner, even if the disclosure is permitted under HIPAA.
- Common requests include no disclosure for fundraising purposes (institutions are otherwise permitted to use minimal PHI for fundraising), no disclosure to certain government agencies, or no disclosure to certain family members.
- Requests must be made in writing using ECU's Request for Restriction on the Use and Disclosure of PHI Form.
- ECU may accept or decline the request.
Patient Rights under HIPAA: Right to Request Amendment of the Medical Record
- Patients may request a correction to their medical record.
- The provider is not required to amend the record, but must notify the patient of the decision.
- Requests typically concern sensitive types of conditions, such as obesity or mental illness.
Patient Rights under HIPAA: Complaints about Privacy and Security Practices
- Any individual may file a complaint regarding a suspected privacy violation.
- Individuals may file privacy complaints with:
  - the ECU Privacy Officer
  - the BSOM Compliance Hotline, (866)
  - the United States Office for Civil Rights
- No intimidation or retaliatory action may be taken against any individual making a complaint.
Security Breach Notification Requirements
- The first federal breach notification law, established under ARRA.
- For a breach of any "unsecured PHI", the covered entity is required to notify each individual whose PHI has been accessed, acquired or disclosed as a result of the breach, without unreasonable delay and no later than 60 days after discovery of the breach.
- All breach notifications must be reported to HHS annually.
- If the breach involves 500 or more individuals, notice to HHS must be immediate, and "prominent" local media must also be notified.
- Certain inadvertent or unintentional disclosures are excluded from the notification requirement.
Penalties under HIPAA: Privacy Rule Enforcement Highlights from Health and Human Services (HHS) and the Office for Civil Rights (OCR)
- 92,975 HIPAA complaints received from April 2003 through February 2014.
- 94% have been resolved through:
  - Investigation and enforcement (22,222)
  - Investigation and a finding of no violation (10,005)
  - Closure of cases not eligible for enforcement (54,944), because:
    - OCR lacks jurisdiction under HIPAA;
    - the complaint is untimely, withdrawn, or not pursued by the filer; or
    - the activity described does not violate the rules.
Source: OCR enforcement highlights as of February 28, 2014 (accessed March 25, 2014)
Penalties under HIPAA: OCR's Most Frequent Compliance Issues (in order of frequency)
1. Impermissible use and disclosure of PHI
2. Lack of safeguards for PHI
3. Lack of patient access to PHI
4. Violation of the "minimum necessary" rule
5. Lack of administrative safeguards for electronic PHI
OCR has referred 522 cases to the Department of Justice for criminal investigation.
Source: OCR enforcement highlights as of February 28, 2014 (accessed March 25, 2014)
Penalties under HIPAA: Civil Penalties
- Violations occurring on or after 2/18/2009: $100 to $50,000 or more per violation; calendar-year cap of $1,500,000.
- Violations occurring prior to 2/18/2009: up to $100 per violation; calendar-year cap of $25,000.
Source: Summary of the HIPAA Privacy Rule (accessed June 22, 2012)
Penalties under HIPAA: Criminal Penalties
- Knowingly obtaining or disclosing PHI in violation of the Privacy Rule: fine of up to $50,000 and up to 1 year in prison.
- Wrongful conduct involving false pretenses: fine of up to $100,000 and up to 5 years in prison.
- Wrongful conduct involving intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm: fine of up to $250,000 and up to 10 years in prison.
Source: Summary of the HIPAA Privacy Rule (accessed June 22, 2012)
ECU HIPAA Privacy Violation Levels & Sanctions
- Under HIPAA, ECU is required to have and apply internal sanctions against workforce members who fail to comply with its policies and procedures.
- Specific internal sanctions are outlined in the East Carolina University Privacy Regulation: HIPAA Sanctions.
ECU HIPAA Privacy Violation Levels & Sanctions: Level 1
Failure to demonstrate appropriate care. Examples:
- Failing to log off a computer
- Leaving PHI in a non-secure location
- Inappropriate hallway conversation
ECU HIPAA Privacy Violation Levels & Sanctions: Level 2
Intentional or unintentional exposure of PHI internally; unauthorized access to PHI; repeated Level 1 violations. Examples:
- Providing passwords to unauthorized users
- Accessing PHI for which you have no job duty
ECU HIPAA Privacy Violation Levels & Sanctions: Level 3
Intentional or unintentional exposure of PHI internally or externally; repeated Level 2 violations. Examples:
- Sharing PHI with unauthorized individuals
- Failing to perform the actions necessary to prevent disclosure
- Disclosing PHI outside ECU's designated health care components
ECU HIPAA Privacy Violation Levels & Sanctions: Level 4
Intentional abuse of PHI. Examples:
- Large-scale disclosure
- Use for personal gain
- Destroying PHI
ECU HIPAA Privacy Violation Levels & Sanctions: Consequences
- Violations can result in local sanctions ranging from documented counseling, in accordance with ECU's disciplinary policies, up to and including dismissal.
- Federal sanctions, including fines and/or imprisonment, may also result.
Training
- All workforce members must receive annual HIPAA training to protect the privacy and security of individually identifiable health information.
- Annual HIPAA training is located in Cornerstone.
HIPAA Privacy and E-mail: E-mail and PHI
- Within the University faculty/staff system: you do not need to encrypt e-mail containing PHI if it is sent from your account on ECU's e-mail system to another faculty/staff account on that system, but you must limit the PHI to the minimum necessary to perform the intended function.
- Outside the University system: e-mail sent to an address outside ECU's system must be encrypted, and the PHI must still be limited to the minimum necessary to perform the intended function. Vidant is not part of ECU's system.
- ECU student accounts: e-mail sent to a student account is not encrypted, and student accounts do not support the University's encryption software. If you have a student in your department who needs to e-mail PHI, contact your department EPAF administrator.

Wireless Networking and PHI
- Do not access or send PHI over a wireless network unless the data is encrypted prior to transmission. Data sent over a wireless network can be captured by unauthorized persons in nearby buildings, parking lots, and streets.
- This includes personal smartphones and other portable devices.
- Contact the ITCS Security Department prior to purchasing any system that will store or transmit PHI, to ensure that the appropriate measures are in place.
Test Your Privacy Knowledge #5
You need to send an e-mail containing PHI to someone in the billing department, but you don't know which specific person to send it to. You should:
a) Send the e-mail to the department's group in the hope that it will reach the correct person.
b) E-mail the PHI to one person in the department and ask them to forward the e-mail to the appropriate person if they cannot assist you.
c) Contact the department before sending the e-mail containing PHI, to ensure that you send the PHI to the correct person.

Test Your Privacy Knowledge #5: Answer
c) Sending PHI to an employee who is not authorized to view the information is a HIPAA violation.
Test Your Privacy Knowledge #6
You may use your personal smartphone or other device to read and send e-mails containing PHI:
a) True
b) False

Test Your Privacy Knowledge #6: Answer
b) False. You should not use a personal device to store or transmit PHI. Please review the HIPAA Security Portable Device Security Standard: standards.cfm
ECU HIPAA Privacy Officer and Policies
- Interim ECU HIPAA Privacy Officer: Kenneth De Ville, PhD, JD, (252)
- Complete HIPAA Privacy and Security Policies are available at the following website: