Health Insurance Portability and Accountability Act.

Presentation transcript:

Health Insurance Portability and Accountability Act

HIPAA:
Protects health insurance coverage and improves access to care
Ensures the privacy of healthcare information
Restricts the use and disclosure of healthcare information

PHI is Protected Health Information:
Health information is any information, whether oral, written or electronic, regarding a patient
Information can be related to past, present, or future physical or mental health conditions

● Names
● Address
● All Dates (birth, death, admission, discharge)
● Numbers: Social Security No., Medical Record No., Account No., Encounter No., Phone/Fax Numbers, Health Plan No., Vehicle Identification No./License Plate No.
● Biometric Identifiers
● Full Face Photo
● Any other Unique Identifying No., Characteristic or Code

ARRA – American Recovery and Reinvestment Act of 2009:
HITECH – Health Information Technology for Economic and Clinical Health Act
New Breach Notification Rules
Applies to covered entities and business associates
Intent is to promote health information technology with increased privacy and security
Increases penalties for violations
“HIPAA on Steroids”

Effective September 1, 2012
Expands the definition of covered entity to include any individual, business or organization that:
1. Engages in the practice of assembling, collecting, analyzing, storing or transmitting PHI;
2. Comes into possession of PHI;
3. Obtains or stores PHI; or
4. Is an employee, agent, or contractor of a person described in numbers 1-3 above.

Education:
Training tailored to the associate’s responsibilities and the entity’s contacts with PHI
Complete training within 60 days of hire
Must maintain records of training

Increased Penalties:
$5,000 to $1.5 million per year for unlawful disclosure of a patient’s PHI
In addition to similar penalties that can be assessed by Health & Human Services (HHS) under HITECH
May also include license revocation, civil action from the Attorney General (AG), and the AG can request an HHS audit

A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the privacy, security, or integrity of the PHI
PHI is unsecured if it is NOT encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals

Student/faculty accessing medical records for information on friends or family members out of curiosity/without a business-related purpose
Student/faculty access to the medical record of a celebrity who is treated at any facility
Stolen/lost laptop or PDA containing unsecured PHI
Posting of a patient’s PHI on a social media site by student/faculty
Misdirected email containing PHI sent to an external group list
Lost flash drive containing a database of patients participating in a clinical study

Some HIPAA-sensitive student service areas might include:
Lobby information desks
Family waiting rooms
Patient care areas
Clerical/office support

Passwords are like bubblegum:
◦ Strongest when fresh
◦ Should not be shared
◦ Should not be kept under keyboards
◦ If left lying around, can create a sticky mess!

HIPAA rules apply to PHI:
When you use it
When you disclose it
When you store it
When you see it on your computer
When you share it with another provider
When it is lying on your desk
When you are talking about it in any public area
When you are talking about it over the phone

Covered entities may use or disclose protected health information for their own TPO:
Treatment
Payment
Health care Operations activities

Incidental Use and Disclosure covers communication needed to provide effective patient care, such as:
Whiteboards at nurses’ stations
Doctors conferring with patients’ families
Waiting room sign-in sheets
Patient charts at bedside

Printed or electronic information left in public view
Patient charts left on counters
PHI in regular trash
Records accessed without a “need to know”
Unauthorized individuals hearing sensitive patient information such as diagnosis or treatment

Incorrect phone number when sending a fax
Laptop or PDA unattended/lost/stolen
Sending PHI outside of the hospital system without encryption
Not signing off, sharing passwords

Access to confidential patient information is allowed if you follow the simple “NEED TO KNOW” rule:
If you need to see patient information to perform your job, access to this information is OK
If you do not “need to know” confidential information to perform your job, you are NOT permitted to access it
If you access confidential patient information without a need to know, even your own or that of a family member, you can be subject to corrective action, including termination or dismissal from an educational program

Written notice provided to all patients:
Describes patient rights
Details PHI uses and disclosures
States how PHI is maintained
Posted in prominent locations

If a patient is asked for by their first and last name:
At Seton, the patient’s location in the facility and general condition may be shared
At St. David’s HealthCare, the caller will be transferred to the patient’s location, and the patient’s general condition may be provided by Clinical Staff only if the patient is unable to communicate
* NOTE: Unless the patient has opted out of the directory

A patient may “opt out” of the patient directory, also known as “Not for Publication” (NFP) status at Seton and “Confidential Patient” at St. David’s HealthCare
At Seton, if a patient opts out, the letters NFP will appear under the NFP status column on the patient screen
At St. David’s HealthCare, if a patient opts out, the letter “c” should appear next to the patient’s name. In addition, a notification will appear on the computer screen indicating you are attempting to access a confidential patient and that your activities will be monitored and action taken if inappropriate
These patients will not receive mail, phone calls, flowers, or visitors, as we cannot confirm or deny that the patient is in the facility

Because social media sites, such as Facebook and Twitter, enable people to easily and instantly share information with friends, family and others around the world, we all must remember to protect patient information
Even the smallest amount of information that could possibly identify a patient may not be shared

Wisconsin – a patient was brought into the ER, where two RNs independently took cell phone photos of the patient’s body part. One of the RNs posted it on her Facebook page. Both RNs were fired. The FBI is investigating this case for HIPAA violations.
Washington – two certified nursing assistants and an LVN were fired from their positions for taking cell phone photos of nude nursing home residents, most of whom had dementia. These individuals have also put the nursing facility in jeopardy of losing its Medicare/Medicaid funding.

Cell phone use can represent a security and privacy risk:
Cell phones may not be used to photograph patients
Text messaging is not secure and represents a security risk if the text message includes PHI

Protecting the confidential health information of patients is the responsibility of everyone involved
Be sensitive to confidential information
Think before you talk about patient-specific information
Keep information to yourself if you see or overhear PHI
Elevators, hallways, cafeterias, gift shops or other common areas are not appropriate places to share PHI

Hospitals must protect the information we collect on patients and their care

Assure proper disposal of PHI by placing it in secure containers for future shredding. Examples:
Surgery Schedules
Daily Patient Census

Safeguard Workstations:
ALWAYS log off or lock your computer whenever you leave your workstation
Use a password-protected screensaver as an additional safeguard
Lock office doors when you’re going to be away from your workstation for long periods of time

Safeguard Workstations:
Malicious software can alter data, destroy files or bring down the entire computer network
All computers must have virus protection
Software should only be installed or opened if it comes from trusted sources
Suspicious software must be reported to IS

User Identification and Passwords:
Protect your computer access
You are responsible for any activity done with your Logon User ID
You are responsible for keeping your password secure
NEVER share your Logon ID or password

Civil and criminal penalties (hospital and individual)
Loss of license/privileges
Exclusion from participation in state and federal health care programs
Damaged reputation
Accreditation placed at risk

Violation Category               Each Violation       All such violations of an identical provision in a calendar year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect – Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect – Not Corrected  $50,000              $1,500,000

For health plans, providers, clearinghouses and business associates that:
Knowingly and improperly disclose information
Obtain information under false pretenses
Penalties can apply to any ‘person’
Penalties are higher for actions designed to generate monetary gain

Action                                                                                                   Fine              Prison
Obtaining/disclosing PHI                                                                                 Up to $50,000     Up to 1 year
Obtaining PHI under ‘false pretenses’                                                                    Up to $100,000    Up to 5 years
Obtaining/disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm   Up to $250,000    Up to 10 years

Former UCLA Health System employee, first person to be sentenced to prison (4/2010):
China-licensed cardiothoracic surgeon performing research at UCLA School of Medicine
Received notice of intent to terminate
Accessed supervisor’s, co-workers’ and celebrities’ medical records – no legitimate reason
No attempt to improperly use or sell any information
Incarcerated on misdemeanor counts; fined $2,000

Individuals committing HIPAA violations can:
Lose opportunities to participate in educational programs
Lose professional licenses
Be subject to criminal conviction
Be fined
Be subject to civil suit
HIPAA violations can ruin careers

HIPAA and IS Intranet sites
Policies and Procedures
Hotline:
Seton Values Line:
St. David’s Corporate Ethics Hot Line:

Seton Healthcare Family
Seton’s Privacy Officer, Vickie Saucedo
Seton’s IS Security Officer, Patricia Perry-Williams
St. David’s HealthCare
Margie Novak, St. David’s Round Rock Medical Center ( ) and St. David’s Medical Center / Georgetown Campus ( )
Chelsea Martel, St. David’s South Austin Medical Center ( )
Cynthia Colovas, St. David’s Medical Center ( ) and St. David’s North Austin Medical Center ( )
Central Texas Medical Center