Presentation on theme: "HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy"— Presentation transcript:
1 HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy Krista Barnes, Senior Compliance AttorneyInstitutional Compliance Office at MD Anderson Cancer CenterGSBS New Student OrientationAugust 14, 2013
3 HI…what? Health Insurance Portability & Accountability Act (HIPAA) Define “protected health information” (PHI) and how we need to protect itGives patients certain rights with respect to PHI (see our Notice of Privacy Practices)Only applies to “covered entities” (health care providers, insurers, and healthcare clearinghouses)Health Information Technology for Economic and Clinical Health (HITECH) ActImposes breach reporting obligations on covered entitiesGave HIPAA “teeth”
4 What is PHI? Protected Health Information Health information + Identifying InformationHealth Information: diagnosis, treatment, lab results, imaging studies, arguably even the fact that someone is a patient here because our name suggests a cancer diagnosisIdentifying Information: 18 types of identifying information (see next slide).
5 What are the 18 HIPAA Identifiers? Identifying information includes the following EIGHTEEN items for an individual and the individual’s relatives, employers, or household members:Names (including initials);All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits;All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a “90 and over” category);Phone numbers;Fax numbers;addresses;Social security numbers;Medical record numbersHealth plan beneficiary numbers;Account numbers;Certificate/license numbers;Vehicle identifiers and serial numbers, including license plate numbers;Device identifiers and serial numbers;Web Universal Resource Locators (URLs);Internet Protocol (IP) address numbers;Biometric identifiers, including finger and voice prints;Full face photographic images and any comparable images; andAny other unique identifying number, characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by person who holds the key)
6 POP QUIZYou’re working on a research study. The protocol calls for blood samples to be sent to the study’s sponsor for banking. The samples are labeled with date and medical record number (no names). The informed consent promises that all samples will be “de-identified.” Can you send the samples out like this?NO.Dates and MRNs are “identifiers”You aren’t authorized to send any identifiers
7 What does HIPAA say?HIPAA General Rule: You may not use or disclose PHI without the patient’s Authorization, unless it falls under a regulatory exception, which include:Treatment (e.g., nurse talking to a doctor, talking to another physician about a common patient)Payment (e.g., billing insurance)Healthcare Operations (e.g., for formal internal training programs, quality improvement)Certain research purposes (IRB waiver, preparatory to research)De-identified dataResearch uses and disclosures of PHI are governed by the protocol, informed consent and authorization document, and/or an IRB waiver
8 Who can look at PHI?Can only access PHI if you have a legitimate work-related reason for doing so.Six Fired for Keeping up with the KardashianHarris Hospital District Fires 16 Over Privacy
9 POP QUIZ Have you violated HIPAA? You are entering data for a study into a spreadsheet. You notice that the mom of your best friend from Junior High is one of the subjects. You didn’t even know she had cancer! You feel awful and want to help your friend’s family, maybe by sending flowers or taking dinner over. You log into ClinicStation to see when her last appointment was and how she is doing. You’re very sad to learn that she passed away last month. You post on your friend’s Facebook page, “I just heard about your mom passing away, I’m so sorry.”Have you violated HIPAA?A. No. There’s no way anyone would know that you learned about her death from looking in her medical record.B. No. HIPAA doesn’t apply after death.Yes. People who work at covered entities can’t use social media.Yes. You accessed the mom’s record without authorization, and then disclosed her PHI on Facebook.Answer: D.
10 What’s the big deal?Use or disclosure of protected health information (“PHI”) in a manner that doesn’t comply with HIPAA is a violation of federal (and probably state) lawAn unauthorized use or disclosure that compromises the patient’s privacy may be a “breach” of PHIBreaches are reported to the patient, the government, and if big enough, the mediaBreaches compromise patient privacy; patients’ trust in the hospital/institution; the hospital’s reputation; can cost big $$, and may cost you your careerFines for HIPAA violations: $100 to $50,000 per day, up to a maximum of $1.5 million for the same violation in any one year
11 What is at stake? Alaska Medicaid Massachusetts hospital UCLA Unencrypted USB hard drive stolen from employee’s car$1.7 million settlementMassachusetts hospitalTheft of unencrypted laptop containing prescription & clinical information$1.5 million settlementUCLAResearcher accessed coworkers’ and celebrities’ medical records without authorizationProsecuted and sentenced to 4 months in prisonMD Anderson examples
12 What happened here2012: laptop stolen from researcher’s home contained 30,000 patients’ data2012: lost jump drive contained 2200 research subjects’ data2013: lost jump drive contained 3600 research subjects’ dataPop Quiz: What would have prevented all 3 of these breaches?Answer: ENCRYPTION
13 What you can do to protect PHI Accessing PHIAccess PHI on encrypted devices only (laptops, jump drives, BlackBerry).Never access the medical record of a celebrity, friend, family member, or coworker (unless it is your job to do so).Storing PHIDo not store PHI in the cloud unless sanctioned by the institution (e.g., MDACC box.com account)Limit physical access to PHI (lock cabinets, use folders).Shred (do not recycle!) paper and wipe devices when finished.Transporting PHIDo not leave devices or paper files in your car.ENCRYPTED DEVICES ONLY!Encrypt s in transit.Don’t PHI to your personal account.Social MediaNever post about a patient/subject on social media
14 ONE LAST POP QUIZYou’re helping an MD Anderson PI and a collaborator from UT Health Science Center on a research study. The data relates to live human subjects, and is stored in a spreadsheet that you saved to the MD Anderson server. It contains medical record numbers, study ID numbers, treatment dates, diagnoses, and drugs administered.The collaborator wants you to send him the data on a CD. Should you?First, is it PHI?Yes (treatment dates, maybe study ID numbers, maybe genomic sequencing data = identifiers)Second, is the data allowed to leave MD Anderson?Check the protocol and informed consent document to see if PHI can leave MD Anderson and be shared with an outside collaborator.Is the CD a permissible way to send PHI?Send on an encrypted CD and send the password separately, or ask InfoSec for more options.The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you?No. Dropbox is not necessarily secure, your consent probably doesn’t say that you’ll be storing data on that site, and we do not have a Business Associate Agreement with Dropbox. Box.com is the only option right now (through MD Anderson’s institutional box.com account).
15 Reporting Privacy Incidents What to do if a privacy incident occurs:Report incidents quickly to:Institutional Compliance Office at or Privacy Hotline atDocument everythingReport to IRB as unanticipated problem (if research)Report lost or stolen computers, BlackBerrys, jump drives to:UTPD:4-INFO:Departmental asset manager
16 State Auditor’s Office Hotline (1-800-892-8348). Compliance ConcernsIt is every Workforce Member’s responsibility to report a violation or a potential violationFailure to report a violation or potential violation may subject you to disciplinary actionTo report compliance concerns:- Call the Institutional Compliance Office ( )- Page the Chief Compliance Officer ( )- Call the Fraud and Abuse Hotline ( )- Call the Privacy Hotline ( )IMPORTANT: All discussions and reports are treated confidentially and may be made anonymouslySuspected fraud, waste, and abuse involving state resourcesState Auditor’s Office Hotline ( ).
17 Non-RetaliationWorkforce Members should not hesitate to report any suspected violations out of fear of retaliationNon-Retaliation Policy(UTMDACC Institutional Policy #ADM0254)