Health Insurance Portability and Accountability Act (HIPAA) Primer for Observers, Volunteers, Medical Students Dr. Michael Palumbo- Privacy Officer/ EVP.

Health Insurance Portability and Accountability Act (HIPAA) Primer for Observers, Volunteers, Medical Students. Dr. Michael Palumbo, Privacy Officer / EVP; Myrna Cuevas, R.N., Esq., Compliance Officer.

Objectives
–Know the difference between Privacy and Security
–Understand your role in protecting PHI
–Know how to report a HIPAA concern

Health Insurance Portability and Accountability Act (HIPAA) has two parts that concern you:
–Privacy
–Security

HIPAA: Federal Law. New York Privacy Protection Law: NY State Law.
Purpose:
–To ensure the privacy and confidentiality of patient health information (PHI)
–To protect the security of PHI
–To establish uniform standards for electronic transactions
Compliance is Mandatory. Observers, Volunteers and Medical Students must comply with HIPAA regulations.

HIPAA Privacy Basics. PHI is any information relating to a person’s health status, treatment or payment for health services that is created or received by the Hospital and that may identify the individual. It includes oral, written and electronic records and communications.

Permitted Disclosures for the Hospital’s Routine Purposes The Hospital may use and disclose PHI for its Treatment, Payment and Health Care Operations purposes without obtaining a written authorization from the patient. Do Not Forget: You still need to get all of the same consents, signatures, etc. that you are currently getting.

HIPAA Privacy Rule: Individual Rights
–Notice: Right to receive a notice of privacy practices for PHI
–Restriction: Right to request a restriction on uses and disclosures of PHI
–Confidential Communication: Right to request confidential communications of PHI (e.g., contact on cell phone only)
–Access: Right to access and copy PHI (signed authorization form required)
–Amendment: Right to amend PHI
–Accounting: Right to receive an accounting of disclosures of PHI
–Complaints: may be filed with the HHS Office for Civil Rights

Minimum Necessary Rule You must limit the patient information which you use or disclose to the minimum necessary to accomplish your job responsibilities

How Do You Limit Access? Do not look at a patient’s medical information unless specifically requested. Do not “look up” a patient’s information in the Hospital’s computer system unless it is necessary to do your job (role) (e.g., if a family member is in the Hospital, you cannot look in the computer to see how she is doing). Do not ask your fellow employees about patients they have encountered.
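The “do not look up” rule above is enforced after the fact: hospitals review the electronic health record’s access log and compare each chart view against the viewer’s treatment relationship with that patient. The following is an added example of that audit, not part of this presentation or of any Hospital system. The log format, the care-team table, the demographics and every user and patient identifier in it are constructed for illustration; real EHR audit trails carry many more fields, and a real program would also account for legitimate non-treatment roles (billing, quality review) that this toy omits.

```python
"""Minimum-necessary access audit over constructed EHR access-log lines.

Two signals from the slide are checked for every record view:
  1. No treatment relationship: the viewer is not on the patient's care team.
  2. Possible relative: the viewer shares a home address or last name with
     the patient (the "family member in the Hospital" case), which is
     escalated for human review even when a relationship exists.
All data below is constructed; field names and IDs are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed access-log lines: timestamp, user, role, patient_id, action
ACCESS_LOG = """\
2024-03-01T08:02:11 u_smith RN 100234 VIEW
2024-03-01T08:05:40 u_smith RN 100235 VIEW
2024-03-01T12:31:09 u_jones VOLUNTEER 100901 VIEW
2024-03-01T13:10:55 u_patel MS3 100777 VIEW
2024-03-01T13:12:02 u_patel MS3 100778 VIEW
2024-03-01T17:45:30 u_smith RN 100901 VIEW
"""

# Constructed care-team assignments: patients each user legitimately treats.
# A volunteer (u_jones) has no chart access at all, so no entry.
CARE_TEAM = {
    "u_smith": {100234, 100235},
    "u_patel": {100777},
}

# Constructed demographics: (last name, home address) for patients and staff.
PATIENT_DEMOGRAPHICS = {
    100234: ("Lee", "12 Oak St"),
    100235: ("Cruz", "9 Elm Ave"),
    100777: ("Khan", "41 Pine Rd"),
    100778: ("Patel", "3 Birch Ln"),
    100901: ("Smith", "77 Maple Dr"),
}
USER_DEMOGRAPHICS = {
    "u_smith": ("Smith", "77 Maple Dr"),
    "u_jones": ("Jones", "5 Cedar Ct"),
    "u_patel": ("Patel", "3 Birch Ln"),
}


@dataclass(frozen=True)
class Finding:
    user: str
    patient_id: int
    reason: str


def parse_log(text):
    """Yield (timestamp, user, role, patient_id, action) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        yield ts, user, role, int(patient), action


def audit(log_text, care_team, patient_demo, user_demo):
    """Return one Finding per rule violated by each chart VIEW."""
    findings = []
    for _ts, user, _role, patient, action in parse_log(log_text):
        if action != "VIEW":
            continue
        if patient not in care_team.get(user, set()):
            findings.append(Finding(user, patient, "no treatment relationship"))
        # Relative check: a shared address is the stronger signal, so it is
        # reported on its own; a shared surname alone is reported separately.
        p_name, p_addr = patient_demo[patient]
        u_name, u_addr = user_demo[user]
        if p_addr == u_addr:
            findings.append(Finding(user, patient, "shares home address with viewer"))
        elif p_name == u_name:
            findings.append(Finding(user, patient, "shares last name with viewer"))
    return findings


def summarize(findings):
    """Count findings per user so the Privacy Officer can prioritise review."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    results = audit(ACCESS_LOG, CARE_TEAM, PATIENT_DEMOGRAPHICS, USER_DEMOGRAPHICS)
    for f in results:
        print(f"{f.user} viewed {f.patient_id}: {f.reason}")
    print(dict(summarize(results)))
```

The care-team table is the whole check: without an authoritative source of who is treating whom, an audit can only flag volume anomalies. The demographics match is a review trigger, not proof of snooping, which is why it is reported as a separate reason rather than merged with the relationship check.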

Prohibited Disclosure. You may not share patient information with anyone except as required by your job. This means:
–You may not discuss patients with your fellow employees except as necessary for your job.
–You may not carry patient information (written, electronic or oral) out of a facility unless specifically authorized to do so by the Hospital.
–You may not discuss patient information with your family and friends.
–Take care when discarding patient information.

Examples of Prohibited Disclosures
–You may not talk about interesting patients, even if you see the patient’s story on the news.
–You may not comment about Hospital patients on social media websites, even if a patient discloses health information on his/her own site.
–You may not tell co-workers, friends or family about patients they may know.
–You may not gossip about or discuss celebrities or other famous people who are patients of the Hospital.

Compliance Tips. Protection of patient information is everyone’s responsibility. Here is a review of a few things which were discussed in this presentation:
–Do not discuss patient information in public areas.
–Do not discuss patient information outside of the Hospital.
–Do not share your password.
–Do not leave patient information unattended (e.g., information on laptops or PDAs).
–Do not access patient information unless required for your job.
–Do not send patient information by Internet unless authorized.
–Do inform your supervisor or the privacy officer of HIPAA concerns.

SECURITY REQUIREMENTS

Do Not Share Your Computer Password if You Have One!

Protect Your Work Area
–Be aware of who can look over your shoulder and view patient information in your possession, on the counter or on the computer screen.
–Do not leave patient information unattended.
–Turn computer screens away from public view.
–Do not post your password on the side of your computer or anywhere in your work area.

Faxing
–Use a confidential fax cover sheet when faxing out.
–Keep the fax machine in a non-public area.
–Take care when faxing out to verify the phone number before sending.
–Take care when replacing and discarding the fax carbon film, which retains a readable copy of every page the machine has printed.

E-mailing. Patient information can be sent by e-mail, but if the information is not encrypted, it is susceptible to unauthorized access that may result in a security breach and required notification to patients. You should only e-mail patient information if authorized.

Social Media
1. Nothing is secure on social media sites.
2. Anything you post on a social media site might be seen by ANYONE.
Therefore, keep #1 and #2 in mind when posting anything! You are not permitted to post any patient information that you learn at the Hospital on a social media website (even if other people are posting information or the patient himself/herself posts information).

Portable Devices. Use of personal portable devices to create, receive, maintain or transmit PHI is prohibited. For portable devices distributed by the Hospital, special measures are needed.
–Safety measures for a Hospital-issued portable device:
–Do not leave the device unattended.
–Keep the device secure: trunk, lockable attaché, lock box or other secure container.

Sanctions. The Hospital will take disciplinary action if it is determined that an employee failed to comply with the Hospital’s or the facility’s HIPAA policies. An employee who violates the Hospital’s or the facility’s HIPAA policies may be subject to various sanctions including written censure, suspension or termination.

Federal Sanctions. Under HIPAA, violations may result in civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation. Recent changes to HIPAA under the HITECH Act have significantly increased the monetary penalties.

Beware of Viruses and Malicious Software. Viruses and other malicious software are a serious threat to the integrity of patient information and the operations of the facility and the Hospital. To protect against viruses:
–Do not bring in information from outside of the Hospital or the facility on floppy discs.
–Do not download information from the Internet without the express authorization of the Privacy Officer.
–Do not open e-mails from unknown senders.

Civil Monetary Penalties (Fines). Lack of knowledge is not a defense.

Violation Category              Each Violation      All Identical Violations in a Calendar Year
Willful Neglect - not corrected $50K                $1.5 million
Willful Neglect - corrected     $10K – $50K         $1.5 million
Reasonable Cause                $1K – $50K          $1.5 million
Did not know                    $100 – $50K         $1.5 million

What’s all the fuss? HIPAA is an entirely different “animal” today than when the rule was initially passed:
–Much stiffer penalties and improved enforcement
–Patients have a growing expectation that their privacy will be protected by healthcare entities
–Protecting privacy is good business

HIPAA compliance starts with you. To report a HIPAA concern:
–Contact the Privacy Officer, Dr. Michael Palumbo; the Compliance Officer, Myrna Cuevas; or the HIPAA Security Officer, Elizabeth King
–Call the Compliance Hotline: