HIPAA/HITECH TRAINING

Why are we here?
- HIPAA
- HITECH
- PHI
- Minimum Necessary ("Need to Know")
- Breaches and Fines

What is HIPAA/HITECH?
HIPAA: Health Insurance Portability and Accountability Act. Enacted in 1996; compliance with the Privacy Rule was required by April 14, 2003.
HITECH: Health Information Technology for Economic and Clinical Health Act. Enacted in 2009; it strengthened the privacy and security safeguards and increased the penalties and fines for violations.

Who is required to follow the HIPAA law? All employees, students and volunteers of Hutchinson Regional Healthcare System.

HIPAA - General Rule (45 CFR § ) A covered entity may not use or disclose protected health information, except as permitted or required…

What is a Covered Entity?
Three main types of covered entities (§ ):
- Health plans: provide or pay the cost of medical care (Medicare, Medicaid, private insurers)
- Providers: provide medical or health services, e.g., SNFs, physician clinics, DME suppliers
- Clearinghouses: convert health information between nonstandard and standard formats (billing services, health information systems)

Use or Disclosure (§ )
- Use: the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains the information
- Disclosure: the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information

Protected Health Information (§ )
Health information collected from an individual and created or received by a covered entity that:
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; AND
- identifies the individual; OR
- provides a reasonable basis to believe the information could be used to identify the individual.
*PHI may be maintained in electronic or any other form. Education records and employment records held by a covered entity in its role as employer are not PHI.

Access as an Employee
- You CANNOT look at, touch, pick up, share or disclose patient information UNLESS an exception applies:
  - a defined exception
  - required by law
  - patient authorization
- The purpose for accessing the information determines which exception applies.

The Minimum Necessary Rule
A standard requiring covered entities to limit the PHI they use, disclose, or request to the minimum necessary to accomplish the intended purpose. It does not apply to disclosures to the patient, to the Secretary of the Department of Health and Human Services, or to another provider for treatment purposes.
Simply put: the amount necessary to complete your job and task. The amount you "need to know".
"Employees should only have access to data if they have a demonstrated need. When a demonstrated need is identified, then employees should be provided with only the access necessary to perform their jobs."
The test is applied per task, not per person: having system access to a record is not by itself a reason to open it.

Disclosing PHI to Family and Friends
- Callers must supply the patient's four-digit pass code (the last four digits of the account number).
Do not give out patient information if:
- you cannot identify the caller
- the caller cannot provide identifying information about the patient
- the caller does not have the pass code
The pass code is a weak shared secret (anyone who has seen a billing statement has it), so treat it as a gate, not as proof of identity.

What is a Breach?
Breach: the acquisition, access, use or disclosure of Protected Health Information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. An impermissible use or disclosure is presumed to be a breach unless the covered entity can show a low probability that the PHI has been compromised.
The rule defines a short list of exclusions. None of them covers accessing your own medical information for personal use, or that of a family member or loved one.
Exclusion examples (§ ):
- any unintentional acquisition, access, use or disclosure of PHI by a workforce member acting in good faith and within the scope of authority, if it does not result in further use or disclosure
- any inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same entity, if the PHI is not further used or disclosed
- incidental disclosures that occur as a by-product of an otherwise permitted use or disclosure

Fines Associated with Breaches
Civil penalty tiers (amounts are the HITECH-era figures; HHS has since adjusted them annually for inflation):
1. Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA. Minimum: $100 per violation, with an annual maximum of $25,000 for repeat violations. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
2. Violation due to reasonable cause and not due to willful neglect. Minimum: $1,000 per violation, with an annual maximum of $100,000 for repeat violations. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
3. Violation due to willful neglect, but corrected within the required time period (30 days). Minimum: $10,000 per violation, with an annual maximum of $250,000 for repeat violations. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
4. Violation due to willful neglect and not corrected. Minimum and maximum: $50,000 per violation, with an annual maximum of $1.5 million.

Resolution Agreements and Enforcement Cases
- $1.5 million: BC/BS of Tennessee. 57 unencrypted hard drives were stolen; they contained PHI for over 1 million individuals. BC/BS of Tennessee spent a total of $18.5 million on mitigation.
- 2014: Walgreens was held liable in a civil suit after pharmacist Audra Peterson inappropriately accessed the prescription records of Abigail Hinchy, her husband's ex-girlfriend, and shared them with her husband, Davion Peterson. Peterson was responsible for maintaining data privacy; a jury awarded Hinchy $1.44 million.
- The first criminal HIPAA case: Richard Gibson, a phlebotomist for Seattle Cancer Care Alliance, obtained the PHI of one individual, opened four credit cards and charged $9,000 in the patient's name. Sentence: 16 months in prison.
- July 2007: Isis Machado, a front desk coordinator for Cleveland Clinic, sold PHI to her cousin for $5 to $10 per record. They filed fraudulent Medicare claims totaling $7 million for approximately 1,100 patients. Both were fined $2.5 million.
- February 2015: Joshua Hippler, a former employee of an East Texas hospital, was sentenced to 18 months in prison for obtaining PHI with the intent to sell it for personal gain.

HIPAA asks...
1. Did you need to read the lab results to do your job?
2. Did you need to read the consult report to do your job?
3. Did you review PHI because the patient is a friend or fellow employee?
4. Did you look up a patient's test results in the computer?
5. Did you review a co-worker's medical record?
You should ask yourself...
1. Do I have a need to know to do my job?
2. Did I have the right to access my own personal health information? (Opening your own record through your work login is not an exception; see the breach exclusions above.)
*Employee access to PHI is monitored on an ongoing basis.
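The self-check questions above, the note that employee access is monitored, and the minimum necessary standard are the rules a privacy officer turns into an access-log review. The following Python is an added example written for this page; it is not code from this training or from Hutchinson Regional Healthcare System. The roster, relationship table, role permissions, log lines and finding codes are all constructed for illustration, and a real EHR would supply the roster and care-team data from its own tables.

```python
"""Review an EHR access log against need-to-know rules.

Added example (not part of the training deck): every name, log line and
roster entry below is constructed for illustration.
"""
import csv
from dataclasses import dataclass

# Constructed roster: user id -> (role, the user's own MRN if they are also a patient here)
EMPLOYEES = {
    "jdoe": ("nurse", "MRN1001"),
    "mkim": ("nurse", "MRN1002"),
    "rlee": ("billing", None),
}

# Constructed treatment/payment relationships: MRN -> users with a job reason to open the chart
RELATIONSHIP = {
    "MRN1001": {"mkim"},
    "MRN1002": {"jdoe"},
    "MRN2001": {"jdoe", "mkim"},
    "MRN2002": {"rlee"},
}

# Minimum necessary by role: the record types each role needs to do its job
ROLE_ALLOWED = {
    "nurse": {"lab_results", "consult_report", "medications"},
    "billing": {"account", "claims"},
}

# Constructed access log, CSV: timestamp,user,mrn,resource
ACCESS_LOG = """\
2015-03-02T08:01:00,jdoe,MRN2001,lab_results
2015-03-02T08:05:00,jdoe,MRN1001,lab_results
2015-03-02T08:07:00,jdoe,MRN1002,consult_report
2015-03-02T09:15:00,rlee,MRN1002,account
2015-03-02T09:16:00,rlee,MRN2002,account
2015-03-02T09:18:00,rlee,MRN2002,lab_results
2015-03-02T10:00:00,mkim,MRN2002,medications
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    mrn: str
    resource: str
    reasons: tuple


def review_access_log(log_text, employees=EMPLOYEES, relationships=RELATIONSHIP,
                      role_allowed=ROLE_ALLOWED):
    """Return one Finding per log entry that fails a need-to-know check.

    Checks: the user is a known workforce member; the chart is not the
    user's own; otherwise the user has a treatment/payment relationship
    with the patient (flagged additionally when the chart belongs to a
    co-worker); and the record type is within what the user's role needs.
    """
    employee_mrns = {mrn for _, mrn in employees.values() if mrn}
    findings = []
    for ts, user, mrn, resource in csv.reader(log_text.strip().splitlines()):
        reasons = []
        if user not in employees:
            findings.append(Finding(ts, user, mrn, resource, ("UNKNOWN_USER",)))
            continue
        role, own_mrn = employees[user]
        if mrn == own_mrn:
            reasons.append("SELF_ACCESS")
        elif user not in relationships.get(mrn, set()):
            reasons.append("NO_RELATIONSHIP")
            if mrn in employee_mrns:
                reasons.append("CO_WORKER_RECORD")
        if resource not in role_allowed.get(role, set()):
            reasons.append("OUTSIDE_ROLE")
        if reasons:
            findings.append(Finding(ts, user, mrn, resource, tuple(reasons)))
    return findings


def findings_by_user(findings):
    """Count findings per user, the view a privacy officer triages first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG):
        print(f"{f.ts} {f.user} opened {f.resource} for {f.mrn}: {', '.join(f.reasons)}")
```

Run as a script it lists four of the seven constructed entries: the nurse opening her own chart, the billing clerk opening a co-worker's account with no payment relationship, the billing clerk opening lab results (outside the role's minimum necessary), and a nurse opening medications for a patient she is not treating. Access to a co-worker's record by someone on that patient's care team is deliberately not flagged, which is the distinction the self-check questions draw.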

Privacy/Security Policies (Compliance 360)
- Accounting of Disclosures
- Breach Investigation/Notification & Report
- Designated Record Set
- Disclosure of Health Information
- Documentation of Disclosure Form
- Documentation and Record Retention
- Electronic Communications
- HIPAA Training
- HIPAA Violations & Sanctions
- Minimum Necessary Disclosures
- Privacy of Health Information
- Use of Health Information for Treatment, Payment or Operations

Who to contact...
Emily Calvillo, MHCL, System Privacy Officer