Privacy & Information Security Basics

Presentation transcript:

Privacy & Information Security Basics, February 2017. This training is funded by the Department of Children and Families, Office of Substance Abuse and Mental Health.

Objectives: By the end of this presentation, you will be able to: understand the basics of Privacy & Information Security (PI); understand how Protected Health Information (PHI) may be used and disclosed; identify general rules for sharing PHI, including sensitive information; and recognize the changing risk landscape.

Why is PI so important? Patients trust us with their information, and patients have a choice of where to go. Protecting our patients: maintaining privacy and confidentiality protects them from emotional, social and financial harm. Federal and state regulations, such as HIPAA, require it. Risk landscape: the sophistication and frequency of threats are increasing every day.

What is HIPAA and Who is Covered? The Health Insurance Portability and Accountability Act of 1996, as modified by the HITECH Act.

What is HIPAA and Who is Covered? Covered entities are: health plans; health care clearinghouses; and health care providers who transmit health information electronically for covered transactions.

Business Associates: a person or entity that creates, receives, maintains, or transmits PHI for or on behalf of a covered entity. Examples: legal services, accounting services, claims processing, data analysis, utilization reviews. Covered entities and business associates must enter into written agreements, and business associates must enter into written agreements with all of their subcontractors.

What is Risk Management? Identify, assess, reduce: the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Protected Health Information (PHI)*: any individually identifiable health information relating to physical or mental health status, the provision of health care, or payment for health care. PHI can be written, spoken, or in electronic form. Omitting names does not mean it is no longer PHI. * State laws have broader definitions that may apply.

PHI Identifier Examples: personal identifiers, diagnosis, specific dates, Social Security Number, medical records (paper & electronic), spoken or written communications regarding patients, patient information on white boards, patient identification bands.

Use & Disclosure of PHI: In most situations, a patient must complete and sign an authorization to release information before patient information can be disclosed. Generally, an authorization is not needed to share information related to treatment, payment, or health care operations.

Use & Disclosure of PHI: Uses and disclosures must be for treatment, payment, or health care operations. Disclosures not for treatment must be limited to the minimum amount necessary. Other uses and disclosures are permitted only if specific criteria are met.

Allowable Uses and Disclosures: Treatment. Under HIPAA, the workforce/facility may use PHI to provide or facilitate treatment of the patient. Examples include taking the patient’s medical history and relying on it in diagnosing or referring the patient, and using patient health information to order procedures or prescribe medication for the patient.

Allowable Uses and Disclosures: Treatment. Under HIPAA, the workforce/facility may disclose PHI to provide or facilitate treatment of the patient: to another healthcare facility or provider for ongoing care to the patient, such as obtaining current diagnostic information or treatment recommendations; and as needed to respond to a medical emergency when the patient’s condition makes the patient unable to agree to the disclosure. The workforce/facility must have reasonable safeguards to prevent incidental uses and disclosures.

Allowable Uses and Disclosures: Operations. HIPAA generally permits use and disclosure of patient PHI that relates to work as a health care provider. Examples: quality improvement/assessment, internal auditing and compliance, accreditation activities (e.g., Joint Commission), facility financial planning and cost-reduction initiatives, patient safety activities.

Minimum Necessary: the least amount of information you need to do your job function. If your job function requires access to PHI, remember to request, share and disclose only the minimum amount necessary to complete the task.

Notice of Privacy Practices (NPP) and Patient Rights: Healthcare providers and health plans are required to provide a Notice of Privacy Practices (NPP) to their patients. The NPP also details the patient’s privacy rights, which are important to keep in mind when providing care to the patient: access to medical records, accounting of disclosures, request for amendments, restrictions (including self-pay), authorization/revocation, and confidential communication.

HIPAA Privacy Rule Administrative Requirements: assign a Privacy Officer; policies and procedures; workforce training; safeguards; mitigation; workforce sanctions; complaint process; prohibition of retaliation; prohibition of waiver of rights; document retention.

Heightened Privacy Regulation: PHI related to treatment for certain medical conditions and/or for certain patients is governed by additional privacy regulations or organizational policies: minors, HIV/AIDS, sexually transmitted infections, mental health, drug and alcohol treatment, genetic.

Breach Notification: “Breach” creates a presumption that an impermissible use or disclosure of PHI is a reportable breach, unless the organization can demonstrate a low probability that PHI has been compromised by evaluating factors. The timeline for reporting the breach depends on how many patients were impacted. * Many states have breach laws that may be triggered.

Research: PHI may be used for research, including recruitment, only with either the patient’s written authorization or a waiver by the research organization’s IRB. Research PHI may be accessed, used and disclosed only in accordance with IRB-approved protocols. Compound authorization.

Information Security: Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity or business associate creates, receives, maintains, or transmits. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and against any reasonably anticipated uses or disclosures that are not permitted.

Information Security: Safeguards. Three sets of safeguards, implemented through standards and through required and addressable implementation specifications (addressable ≠ optional): administrative safeguards, technical safeguards, physical safeguards.

Mobile Device* Security – Best Practices: Best practice is not to store PHI on mobile devices; store PHI on a mobile device only when necessary. When it is necessary to store PHI on a mobile device: the device must be encrypted according to organizational standards, and you are responsible for ensuring your device is encrypted; do not let others access your encrypted mobile devices; do not leave mobile devices unattended; do not copy PHI from a mobile device to a non-secured device, like your home PC. *Laptop, cell phone, flash drive, digital camera, tablet.

Emailing: Send PHI via email securely [encrypted]. Email sent from your organization’s email account to a recipient within the organization is secure; email from your organization email account to an external recipient is NOT secure unless you encrypt the message. Do NOT put PHI in the subject line. Be careful of phishing, spear phishing and whaling: do not click suspicious links, and do not provide your password to anyone. Avoid using personal email accounts.

Secure Disposal of PHI: Ensure that all PHI, in any medium, is disposed of in a secure manner. Paper documents containing confidential information should be cross shredded.

Enforcement of HIPAA: Enforcement authorities: HHS Office for Civil Rights, state attorneys general, and the role of the FTC and DOJ. Types of investigations. Penalties. Audit program: not an OCR investigation, but could lead to one.

Thank You

Contact Information: Jacki Monson, VP, Chief Privacy and Information Security Officer, MonsonJA@sutterhealth.org, (916) 286-6616. Anna Watterson, Registered In-House Counsel, Privacy and Information Security, WatterA1@sutterhealth.org, (916) 286-6744.