
HIPAA Privacy and Security, October 20, 2009. Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center, (212) 305-7315.


1 HIPAA Privacy and Security, October 20, 2009
Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center
kpagliaro@columbia.edu, (212) 305-7315
Nursing Students

2 HIPAA: Privacy vs. Security. What's the Difference?
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access that information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.

3 Consequences of Privacy or Security Failure
- Disruption of patient care
- Increased cost to the institution
- Legal liability and lawsuits
- Negative publicity
- Negative patient perception
- Identity theft (monetary loss, credit fraud)
- Disciplinary action

4 HIPAA Privacy & Security Concerns
- Theft of patient data: identity theft; stolen laptop
- Loss of patient data: incorrect disposal of documents; portable devices increase the possibility of data loss
- Misuse of patient data: privacy breach

5 Theft of Patient Data: NewYork-Presbyterian Hospital
- A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.
- The stolen files probably contained little or no medical information, but did include patient names, phone numbers and Social Security numbers: fertile ground for identity theft.
- The employee reported that he sold 1,000 files to a man for $750.
- NYP sent letters and offered free 2-year credit monitoring to all patients: 50,000 * $15 = $750,000, and more.

6 Theft of Electronic Devices at CUMC
- A large fire in a NYP/CUMC building led to immediate evacuation of the entire building
- An outside firm was hired to assist with the clean-up and repair of the building
- When staff returned, it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen
- Lesson learned: all equipment must be password protected. Portable equipment that holds patient information must also be encrypted.
- Consider installing software like PC PhoneHome that may assist in locating stolen portable devices

7 Loss of Patient Data: CVS Pharmacy
CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case, a case that involves the privacy of millions of health care consumers.
On January 16, 2009 the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule. CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions, related medical information and credit card information.

8 Privacy Breach
The Kaiser hospital in Bellflower at which Nadya Suleman gave birth to her octuplets has been hit with a $250,000 fine by California health officials. Kaiser Permanente spokesman Jim Anderson said that the hospital had warned employees to stay away from the Octo-Mom's files and reported the privacy violations itself, firing 15 employees. According to the state, however, the hospital did not do enough to protect Octo-Mom's privacy.
UCLA Medical Center disciplined 53 staff members for accessing the medical information of Britney Spears in 2007.

9 What You Need to Know About HIPAA & Patient Privacy
- Notice of Privacy Practices
- Authorization to Release Medical Information
- Patient Rights
- Privacy Breaches
- Business Associates
- HIPAA and Research


12 Authorization to Release Medical Information
- Written authorization is required to release medical information
- A physician or care team may share information with a referring physician without an authorization ("patient in common")
- All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
- Staff must understand who is the legal next of kin


14 Notice of Privacy Practices: Patient Rights
Patients have the right to:
- Request restrictions on release of their PHI
- Receive confidential communications
- Inspect and copy medical records (access)
- Request amendment to medical records
- Make a complaint
- Receive an accounting of any external releases
- Obtain a paper copy of the Notice of Privacy Practices on request

15 Privacy Breach
- Privacy breaches do not usually involve high-profile patients
- Most privacy breaches involve staff accessing medical information of friends, family members and co-workers
- Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information
- It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action
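As an added illustration of the daily audit reports mentioned above (example code written for this page, not CUMC's own tooling), a small check over constructed record-access events that flags access with no documented care-team relationship and highlights the co-worker and family-member patterns the slide names; the log fields and reference tables are assumptions.

```python
# Added example, not CUMC's own audit tooling: flag medical-record access
# events that lack a business purpose. Field names, reference tables and
# sample events are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Access:
    user: str        # login of the staff member who opened the record
    surname: str     # that staff member's surname (from the HR directory)
    patient_id: str  # record that was opened


# Constructed reference data the audit consults.
CARE_TEAM = {                      # patient -> users with a treatment role
    "P100": {"kim.j", "lee.d"},
    "P200": {"ali.r"},
    "P300": {"lee.d"},
}
PATIENT_SURNAME = {"P100": "Chen", "P200": "Ortiz", "P300": "Nguyen"}
STAFF_PATIENTS = {"P300"}          # records that belong to employees


def review_access(a: Access) -> List[str]:
    """Return the reasons an event needs review; an empty list means no flag."""
    reasons = []
    if a.user not in CARE_TEAM.get(a.patient_id, set()):
        reasons.append("no care-team relationship")
        if a.patient_id in STAFF_PATIENTS:
            reasons.append("patient is a co-worker")
        if PATIENT_SURNAME.get(a.patient_id, "").lower() == a.surname.lower():
            reasons.append("possible family member (shared surname)")
    return reasons


def daily_audit(events):
    """Run the check over one day's events and keep only the flagged ones."""
    return [(e, review_access(e)) for e in events if review_access(e)]


if __name__ == "__main__":
    sample = [                                   # constructed sample events
        Access("kim.j", "Kim", "P100"),          # on P100's care team: fine
        Access("ali.r", "Ali", "P300"),          # co-worker's chart, no role
        Access("ortiz.m", "Ortiz", "P200"),      # shares patient surname, no role
    ]
    for ev, why in daily_audit(sample):
        print(f"{ev.user} -> {ev.patient_id}: {'; '.join(why)}")
```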

16 Who Is a Business Associate?
Individuals who do business with CUMC and have access to protected health information. A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.
Examples of BAAs include:
- Billing companies or claims processing
- Voice mail or appointment reminder service management
- Transcription services or coding companies
- Accreditation
- Software used for medical data

17 HIPAA and Research
Medical record research or identification of potential research subjects must be approved by the IRB, which includes a review of HIPAA research requirements.
Two main avenues of HIPAA research:
- Form A: HIPAA Clinical Research Authorization (required elements)
- Form B: HIPAA Application for Waiver of Authorization (subject to approval of the IRB)
Some exceptions:
- Research using solely decedent information
- Research using solely de-identified information
- Activities prior to research or preparatory to research

18 HIPAA Privacy Guidance: Top 10
1. Provide patients with the Notice of Privacy Practices
2. Shred patient information
3. Follow electronic security policies
4. Telephone guidance: messages and requests for information
5. Use and disclose medical information correctly
6. Fax patient information using a cover sheet
7. Verify the patient at the time of new registration
8. Avoid unintentional disclosures (hallway, email, mail)
9. Report and manage privacy breaches
10. Notify the Privacy Office of complaints

19 What You Need to Know About Information Security

20 Good Computing Practices: 10 Safeguards for Users
1. User ID or log-in name (aka user access controls)
2. Passwords
3. Workstation security
4. Portable device security (USB, laptops)
5. Data management, e.g., back-up, archive, restore
6. Remote access (VPN)
7. Recycling electronic media & computers
8. E-mail: Columbia email account ONLY
9. Safe Internet use (viruses)
10. Reporting security incidents / breaches

21 Security Controls
Laptop and file encryption:
- WinZip (password protect + encrypt)
- 7-Zip (free, password protect + encrypt)
- TrueCrypt (free, complete folder encryption)
- FileVault (folder encryption on Macintosh)
Encrypted USB drives:
- Kingston DataTraveler
- IronKey (fully encrypted)

22 Types of Security Failure
- Sharing passwords: you are responsible for your password. If you shared your password, you will be disciplined even if the other person performs no inappropriate access.
- Not signing off systems: you are responsible and will be disciplined if another person uses your "not-signed-off" system and application.
- Sending EPHI outside the institution without encryption: under HITECH you may be personally liable for losing EPHI data.
- Losing a PDA or laptop in transit with unencrypted PHI or PII: under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII.

23 New Regulation: HITECH Act (ARRA)
(Health Information Technology for Economic and Clinical Health)
- New federal breach notification law, effective Sept 2009
- Applies to all electronic "unsecured PHI"
- Requires immediate notification to the federal government if more than 500 individuals are affected
- Requires notification to a major media outlet
- Breaches will be listed on a public website
- Requires individual notification to patients
- Criminal penalties apply to an individual or employee of a covered entity
- State Attorneys General will have enforcement authority and may sue for damages and injunctive relief

24 New York State SSN/PII Laws: Social Security Number Protection Law
- Effective December 2007
- Recognizes the SSN as a primary identifier for identity theft
- It is illegal to communicate this information to the general public
- Access cards, tags, etc. may not have the SSN
- The SSN may not be transmitted over the Internet without encryption
- The SSN may not be used as a password
- The SSN may not be printed on envelopes with see-through windows
- The SSN may not be requested unless required for a business purpose
- Fines and penalties

25 New York State SSN/PII Laws: Information Security Breach and Notification Act
- Effective December 2005
- IF a breach of personally identifiable information occurs:
  - SSN
  - Credit card
  - Driver's license
- THEN you must notify:
  - patients / customers / employees
  - NY State Attorney General
  - Consumer reporting agencies

26 New Regulations: Red Flag Rule
Red Flag: Identity Theft Prevention Program
- Requires healthcare organizations to establish a written program to identify, detect, respond to and correct reports of potential identity theft
- Educate all staff on how to identify Red Flags and report them
- Appoint a program administrator and report to leadership
- FTC law includes fines and penalties of $2,500 per violation
- Business Associate Agreements will have to be revised to inform CUMC of any Red Flags involving CUMC data

27 http://www.cumc.columbia.edu/hipaa

28 What Is My Role in Protecting Medical Information?
Good security standards follow the "90 / 10" rule:
- 10% of security safeguards are technical
- 90% of security safeguards rely on the computer user ("YOU") to adhere to good computing practices
Example: the lock on the door is the 10%. You remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of the keys is the 90%. The 10% of security is worthless without YOU!

29 Patient Privacy
At some point in our lives we will all be a patient. Treat all information as though it was your own.

30 Questions & Answers
Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center
212-305-7315
kpagliaro@columbia.edu
HIPAA@columbia.edu

