2015 Privacy & Security Refresher

Presenters  Dana Williams  Privacy Officer  (501)  Stephen Yarberry  Chief Information Security Officer  (501)

Definitions  HIPAA  Health Insurance Portability and Accountability Act of 1996  HITECH  Health Information Technology for Economic and Clinical Health  PHI  Protected health information  IIHI  Individually identifiable health information “If you can identify, HIPAA applies!”

Notice of Privacy Practices  Core document that informs patients about HIPAA  Given at first admission  Posted on website  Patients can request an additional copy

Patient Rights  Receive Notice of Privacy Practices  Opt out of facility directory (confidential)  Inspect and obtain a copy  Request restriction  Receive confidential communication  Request an amendment  Accounting of disclosures  Receive breach notification  Right to file a complaint

Patient Awareness

Use and Disclosure  Treatment  Payment  Healthcare operations  Required by law  Authorized by the patient  Any use/access or disclosure outside of this is a violation  Remember your role!!!

Interested vs Involved Chicken  Interested in patient’s condition and/or prognosis  “Concerned”  No real commitment Pig  Involved in patient’s care prior to arrival, discharge plan, etc  “Committed”  Does not have to be a family member Unless the patient objects……

Personal Electronic Devices & Social Media  HR policy V-45 recently updated  Social Media Violation Examples  Patients posts negative information about ER visit on FB. Employee sends patient a “message” to dispute posting.  L&D employee posts pics to FB and tags her friend/our patient.  Students take video of patients/visitors walking in hallway (from the neck down) and posts to social media

Violation Examples  Fax to wrong #, fax with no cover sheet  Discharge instructions (AVS) to wrong patient  RX to wrong patient  Second letter/form included in patient’s  Letters/envelopes mixed up  Schedule/work list lost (left in bathroom)  Employee accesses family/friend record  sent without Safe!

Breach Notification  Required to provide notification following a breach of unsecured PHI  Must notify patient in writing within 60 days of discovery of the breach  If breach involves more than 500 people, media must be notified  All breaches must be reported to OCR annually

Disciplinary Action  Not eligible for verbal counseling  Written counseling  Written warning  Suspension  Termination  Employees terminated for privacy violations are NOT eligible for rehire and will NOT be issued an external ID

Discipline Policy OLD  Written Counseling  Accident  Written Warning  Deliberate NEW  Written Counseling  No breach notify  Written Warning  Breach notify

Office for Civil Rights  Enforces  HIPAA Privacy Rule  HIPAA Security Rule  HIPAA Breach Notification Rule  Was historically complaint driven  Moving to a new era of proactive auditing  Able to leverage fines  Maintains webpage of all breaches affecting 500 or more individuals  eport.jsf

Office for Civil Rights cont’d  Maintains webpage of all breaches affecting 500 or more individuals   University of Arkansas for Medical Sciences,10/18/2010, Theft Other Portable Electronic Device  Health Resources of Arkansas, 08/05/2013, Theft Laptop  Health Resources of Arkansas, 5/23/2013, Theft, Unauthorized Access/Disclosure Other  Health Advantage, 12/20/2012, Other Paper/Films  University of Arkansas for Medical Sciences, 4/20/2012, Unauthorized Access/Disclosure Other  Conway Regional Medical Center, 10/21/2011, Loss Other  NEA Baptist Clinic, 09/07/2011, Hacking/IT Incident Network Server

Best Practice Advice - Privacy  Talk with the patient  Document patient’s wishes  Be careful with social media  Patients can post almost anything they want (but not employees)

Security Measures  Combination of Administrative, Technical & Physical Controls  Keep Abreast of Policy Changes (e.g., General Responsibilities of Computer Users)  Make sure to use Technical Controls when appropriate e.g., Safe! On an subject line  Be aware of Physical Controls e.g., locking cabinets on Epic Business Continuity workstations

Business Associates  HIPAA holds BAs to the same privacy and security standards as Baptist Health, but breach notification is still our responsibility even if they are the ones with a breach  Vendors usually know about HIPAA, but are often unaware of the HITECH safe harbor provisions  Involve Information Security early on in the contracting and procurement processes

Auditing and Monitoring  All EPHI systems require an approved audit plan  Audit results must be reported to Corporate Compliance on a quarterly basis  Failure to adhere to these requirements must be explained in detail to the Routine Audit subcommittee of the Board and presented along with a mitigation plan

Best Practice Advice - Security  Don’t text PHI  Use Safe! for to external addresses  Be cautious of photos and video  Don’t store data on any personal device/media  Be wary of s soliciting confidential information (regardless of what it look like)  Information Security is a tool for all to use, please don’t hesitate to call or any questions

Questions?