HIPAA Privacy and Security at TGH Clinician Education Ron Peterson, Director Peggy Absher, Sr. Compliance Auditor Corporate Compliance and Audit

HIPAA - Background The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established the basis for the Privacy and Security Rules. Why is the knowledge of HIPAA important? Healthcare providers must be knowledgeable of HIPAA to provide reasonable safeguards to protect the privacy of patients’ protected health information (PHI). Inappropriate use or disclosure of patients’ PHI that violates HIPAA, can result in civil and criminal penalties to TGH as well as you as an employee or as an individual. We must protect the privacy of our patient’s medical records. Inappropriate access, use or disclosure of a patient’s PHI can result in personal, civil and or criminal penalties.

HIPAA - Background Privacy Rule: The Privacy Rule includes national standards for the protection of Protected Healthcare Information (PHI). Standards were developed by the Department of Health and Human Services (HHS). The Office of Civil Rights (OCR) implements and enforces the Privacy and Security Rules with respect to compliance and penalties. Security Rule: The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information in order to protect the privacy of PHI from intentional or unintentional use or disclosure.

HIPAA - Privacy Privacy Basics: To protect patient information from being used or disclosed inappropriately. To give patients greater control over sharing of their PHI. To increase patient access to information.

HIPAA- Definitions (Con’t) Notice of Privacy Practices: Each patient seen at TGH receives a written notice of privacy practices. The HIPAA privacy regulations provides that covered entities must make a good faith effort to provide the patient with its Notice of Privacy Practices and obtain a written acknowledgement of such receipt from the patient. The Notice describes: How medical information about a patient may be used and disclosed. How a patient can gain access to this information. How a patient should request amendments. How a patient should request accountings of disclosures. How a patient should request restrictions on or opt-out provisions. How a patient should request confidential communications of information. Patients can opt-out of being included in the hospital directory. Patients can also choose to be a “no information” or confidential, which means no information will be shared with anyone contacting the hospital unless they can provide the code word. Example – Patient requested to be confidential. Patient complained that a phone call was forwarded to their room. The patient was a TGH employee. A co-worker “looked” up the patient and called the room directly. This is a violation. Only “look up” or access patients you are involved in treatment, payment or operations of the hospital for.

HIPAA –Definitions (Con’t) Accounting of Disclosures Currently a patient may request a detailed written accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested except for the following; Information for the treatment, payment of services and health care operations (TPO). Information disclosed to the patient Signed authorizations. Information used for national security, intelligence purposes, law enforcement or correctional institutions. Information that is part of a limited data set. Once the new regulations under the Health Information Technology for Economic and Clinical Health Act (HITECH), a division of American Recovery and Reinvestment Act (ARRA), go into effect, accounting of disclosures must include disclosures for TPO. Everyone that accessed the Medical Record outside of TPO (treatment, payment or operations of the hospital). There is a proposed new rule that changes the time to 3 years. But, if requested the patient may receive a list of EVERYONE that access their medical record. Many comments have been issued regarding this provision of the proposed rule. Comments included healthcare workers safety. IE Emergency room or psych workers. Example- Patient is in the hospital and their spouse – a physician accessed the medical record. The physician was not involved with the treatment of the spouse but reviewed the medical record. Subsequently there was divorce proceedings. The spouse requested an accounting of disclosure. The husband had accessed the spouse’s PHI, which was a violation. Example – A TGH employee accessed her adult daughter’s medical record without her permission. This is a HIPAA violation. CCA receives complaints from not just the patients, but physicians, and employees.

HIPAA –Definitions (Con’t) Incidental disclosures means disclosures that are limited in nature and occur as a by-product of an otherwise permissible use or disclosure. Incidental disclosures will not be considered a violation of the privacy rule if reasonable safeguard are in place and the minimum necessary requirements are met. For example; Keep information on white boards/locator boards to a minimum. Do not discuss patients in public areas, such as elevators, corridors, cafeteria, etc. Use of cubicles, dividers, shields or curtains in areas of multiple patient-staff or physician communications, such as pre-op, admitting areas, waiting rooms, etc. Incidental disclosures are just that. Disclosures that occur in the daily caring of patients. However, TGH must have reasonable safeguards in place and appropriate training, policies and procedures. If visitors are in the room, ask the patient’s premission before discussing PHI, or if pt is in a semi-private room. This does make it more difficult is both patients are bed rest only. Speak in a quiet voice. Example- PHI disucced in hallway outside patient’s room. The family was not aware of the treatment plan. OR holding areas – obtaining history from patient. Complaints about patients being discussed in Starbucks. Even if you do not mention the patients name, a family member may recognize you as caring for their loved one. Be aware of “lurker”, visitors hanging out in the hallways and ease dropping on conversations.

HIPAA –Definitions (Con’t) Minimum necessary standard requires that health care staff must make a reasonable effort to disclose or use only the minimum amount of PHI needed to provide patient care, the PHI they “need to know”. For example, records compiled in response to a PHI request for a specific date of service should not include treatment records for other dates of service. However, the minimum necessary limitation does not apply when the disclosure is for treatment purposes. ONLY view PHI necessary to perform your job duties!! Role based access. Laboratory, radiology techs, dietary personnel do not need to see the entire medical record to do their job. Example Fax coversheet provided too much information. NO PHI on fax coversheet.

Key Provisions of TGH’s HIPAA Policies (Con’t) If you are not involved in the provision of care to a patient then you have no right to access, use or disclose protected health information (PHI) related to that patient’s care. Your access to patient information must be in the context of providing direct or indirect patient treatment. Viewing or accessing the medical records of a family member, friend or associate without written authorization, for which you are not involved in the treatment of is a violation of HIPAA. Such violations are subject to disciplinary actions, up to and including termination. Example We have had incidences employees accessing family member’s PHI, boy/girl friends PHI. Do not access your own record. Go to HIM release of information. Currently there is no policy but it is strongly discouraged. No policy as yet due to differing point of views. Arguments against include some employees could enter or alter information in their MR. Its not fair because not every employee has access. Future plans for EPIC Mychart – access to portions of your medical record via a portal. You will have a user name and password.

Key Provisions of TGH’s HIPAA Policies (Con’t) You must be careful in communicating or discussing PHI. Prior to speaking to a patient in the presence of others, ask the patient if it is okay to discuss their patient information in the presence of others. Take the patient to a conference room; or ask others to wait outside of the room during confidential discussions. Very difficult but necessary. Example Resident upon entering patient’s room, with family presents, discussed the patient’s HIV status. The patient had not disclosed this to his family at that time.

Key Provisions of TGH’s HIPAA Policies (Con’t) Do not leave patient records or other confidential information out and available for anyone to see. Do not put PHI to be disposed of in trashcans, place it in confidential trash bins. Do not discuss patient information outside of TGH Do not leave any papers with PHI in conference rooms, on fax machines, copiers, printers, etc. Dispose of PHI in CONFIDENTIAL TRASH BINS. Example Office did not have the “official” confidential bin. They were using a blue “recycle” bin for shred items and thought it was ok as long as they emptied it into the confidential bin at the end of the day. Consequently, Environment emptied the bin – noticed and reported PHI in a recycle bin. This office now has a confid. Bin.

Key Provisions of TGH’s HIPAA Policies (Con’t) Medical Identity Theft Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity, such as insurance information, without the person’s knowledge or consent to obtain medical services or goods; or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records and can involve the creation of fictitious medical records in the victim’s name. We have patients come to the hospital and use someone else’s social security number, insurance card, or an altered card. Example Admitting staff notices that the ink from the SS card is coming off on their hands. A number was altered on a SS Card – 6 to an 8. This pt had an outstanding bill and was here for non emergency services.

Key Provisions of TGH’s HIPAA Policies (Con’t) Medical Identity Theft (con’t) Employees should be alert for Red Flags which are indicators of possible identity theft. Potential indicators of identity theft include: Any patient appearing and giving an identity that has been flagged in TGH’s Information System; A patient providing photo ID that does not match the patient; A patient giving a social security number different than one used on a previous visit; A patient giving information that conflicts with information in the patient’s file or a previous visit; Family members/friends calling the patient by a name different than that provided by the patient at registration. May notice that information obtained from the patient does not match old records. IE different blood type, or perhaps old records note a caesarean delivery, but patient has no scars. Or pt in with appendicitis and old records indicate the appendix was already removed.

Key Provisions of TGH’s HIPAA Policies Medical Identity Theft (con’t) Observe employee accessing patient information through a information systems applications; writing or printing the information and leaving work with it. Observe employee going through trash that has patient information in it. Removing it and taking it home . Just because Red Flag indicators are present, does not necessarily mean identity theft has occurred. Staff must be objective in evaluating each case. If an employee reasonably believes identity theft has occurred or may be occurring, the employee should immediately notify their Supervisor and an incident Report should be completed. Example A former employee of Cedars-Sinai Medical Center, LA was sentenced to 4 years and 8 months in prison after pleading guilty to stealing patient information and using it to defraud insurance companies. At Johns Hopkins Medicine in Baltimore a former patient services coordinator was sentenced to 18 months in prison for stealing patient information to make credit card purchases and obtain cash.

HIPAA – Security Security Basics: Ensure confidentiality, integrity and availability of electronic PHI. Protect against threat or hazards. Protect against unauthorized uses of disclosures. Use of flash drives is STRONGLY discouraged.

HIPAA (Con’t) TGH-issued equipment, such as laptop computers, cell phones, and pagers, must be protected from theft or damage. Never leave equipment unsecured or unattended in public areas. Equipment left in a car should be concealed and the car is locked when unattended. Locking equipment in file cabinets/drawers when not in use. Data stored on TGH’s equipment, such as laptops, PDAs, cell phones, and so forth, are the property of TGH. In order to prevent unauthorized access to the data, users are required to enable the password protection or lock code functions available on the equipment. Airport Travel - TGH requires that users retain physical custody of laptops and other mobile computers as carry-on luggage when traveling by airplane. A breach involving more than 500 patients results in notification to Media, notifying all patients involved and posting to the hospital’s web site.

HIPAA Security (Con’t) Things you can do to safeguard security: Log on and log off of your computer. Never let others use your log-on and/or password, all users are required to have a unique user ID and password. Follow guidelines for password use. Never disable anti-virus software. Never install unapproved software. We have had more than one occasion where an employee did not log off. This was verified as the log on was active for almost 24 hours. LOG OFF!!! In EPIC anyone entering information into EPIC is electronically “signed” as the person that is logged on. Do not access patient’s information that is not in your care!! Even for a physician, physicians have their own usr name and password. If this happens please contact the Chief Medical Officer – Dr. Sally Houston.

Key Provisions of TGH’s HIPAA Policies (Con’t) Automatic forwarding from a TGH-owned e-mail account to an external network account is prohibited. Faxing of Medical Information (Refer to Policy IM-31, Faxing of Medical Information) : Releases of medical information should be through the Health Information Management (HIM) department. Limited to use by healthcare providers for immediate and/or emergency patient care purposes. Fax only when the original document or mail delivered photocopies will not serve the purpose. A signed patient authorization is required. Ensure that the fax is sent to the appropriate destination, verify the fax number. A fax cover sheet (form F-561) must precede the transmission. Report misdirected faxes to Corporate Compliance immediately by completing an Incident Report. When printing information – for example for patient discharge or discharge to SNF, be sure to check that each page is ONLY for the patient you are working with and does not include any other documents that may have been printed by someone else on the unit for another patient.

Key Provisions of TGH’s HIPAA Policies (Con’t) No PHI, including photographs, should be disclosed through the use of social networks, such as Facebook, MySpace, Twitter or other on-line personal communications networks. Social networks are considered public. Disclosures of PHI would potentially violate the HIPAA privacy rules. NO PHOTOS WITH CELL PHONES!!!!!!!

Key Provisions of TGH’s HIPAA Policies (Con’t) All electronic mail messages and the data contained therein are the property of TGH. Users should not expect privacy of any messages created, sent, stored, or received using the system. TGH reserves the right to monitor e-mail with the express authorization by the CEO.

Key Provisions of TGH’s HIPAA Policies (Con’t) Internet usage is provided by TGH and is intended primarily for business use. Incidental and occasional use of the Internet for personal reasons is permitted. TGH reserves the right to monitor Internet usage. Computer Audit access logs for TGH’s applications records each user’s access of a patient’s PHI. Access logs are pulled at a patient’s request and periodic random audits.

Key Provisions of TGH’s HIPAA Policies (Con’t) Check files for viruses before loading CDs, diskettes, or downloading files on TGH computers. Contact the Technology Support Center at extension 7490 to acquire or load software programs on TGH computers. Downloading movies, music and books, reports and other such files for personal use are not permitted.

Key Provisions of TGH’s HIPAA Policies (Con’t) TGH management reserves and retains the authority to: Restrict or revoke any user's access to computerized information, Inspect, copy, remove or otherwise alter any data, program or other system resource that may undermine hospital policies directed to the protection of PHI, Take any other steps deemed necessary to manage and protect all protected health information on TGH information systems. This authority may be exercised with or without notice to the involved users. TGH disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.

HIPAA (Con’t) Health care professionals, who fail to comply with TGH’s policies, procedures, or federal and state laws, shall be subject to disciplinary action in accordance with TGH administrative policies; which includes possible termination of employment. In certain circumstances you can be personally subject to civil and/or criminal prosecution for violations of HIPAA including monetary penalties. Refer to TGH policy RI-54, “Information Privacy and Security Compliance “.

HIPAA IN AN EPIC WORLD EPIC will log the actions of all users as they routinely view and interact within the EMR. Break the Glass (BTG) – Is an event tracking feature for specialized groups of patients and encounters. Your Password and a Reason are required to proceed into the record. Confidential Patient Private Encounter Behavioral Health Unit (7F) BTG prompts users with a warning that they are entering a “restricted” patient record. BTG provides enhanced reporting/audit review of what is done after a BTG event. EPIC can also limit visibility of special unit lists (Behavioral Health). EPIC is configured for SSN masking (XXX-XX-1234).

What else will EPIC do? The Patient Station activity in EPIC will display red text for patients marked with a “CONFIDENTIAL” patient type and a private encounters set to “Yes”. This alerts TGH staff and physicians to the confidential status of the patient and that the patient’s presence in the hospital should not be acknowledged if they are asked by a visitor to assist in locating a patient. Census Lists will either hide or highlight (in yellow) the patient, depending on the user’s security to see these patients in the list. The Private Encounter field will default to “Yes” for all subsequent registrations on patients marked as “Confidential” patient types. The Private Encounter and Patient Type fields will be clearly visible in the patient’s header highlight (in yellow) if it is populated with any value. The Patient Type field will be clearly visible in all activities that require patient search…i.e. “CONFIDENTIAL” will be right next to the patient’s name.

What will EPIC not do? EPIC will not…Prevent all intentional and inappropriate access to the record EPIC’s recommendation is to use BTG to inform users, but users must understand—and are accountable for—the “appropriateness” of viewing a patient’s record. EPIC will not…Mask a patient’s identity without changing their name. USERS are responsible for their actions in using any system containing PHI.

HIPAA Headline News Stories Minnesota Health System Fires 32 Employees for snooping in records In another example of a spectacle that’s so intriguing that some health care workers will risk their jobs for a peek, Allina Hospitals and Clinics in Minnesota fired 32 employees recently for improperly accessing the records of patients involved in a headline-making incident.   Jackson Health System (JHS) in Miami is conducting an internal investigation and cooperating with law enforcement after an employee inappropriately accessed patient information, it says in a June 13 statement. JHS has terminated the individual’s employment and notified the affected patients.  Richard Charette, who pleaded guilty in February to violating HIPAA, was sentenced to 33 months in prison on May 4, according to the U.S. Attorney’s Office for the District of Nevada. Charette participated in a scheme to receive and disclose records of trauma patients treated at the University Medical Center of Southern Nevada.

HIPAA Headline News Stories   University Medical Center (UMC) in Tucson, Ariz., said Jan. 12 that three employees and a contract nurse inappropriately accessed patients’ electronic medical records in the wake of the shootings involving a U.S. Congresswoman and 18 others. The three clinical support staff members and the contracted nurse all have been terminated from their jobs by their employers. Hospital staffers fired for sending photo of patient's wounds . The Hospital of Saint Raphael in New Haven Connecticut recently fired three workers and disciplined four others after a clinician took a photo of a 17-year-old gunshot victim in the ED and sent it to others, the New Haven Register/Boston Globe reports. Hospital employee sentenced to 1 year in prison for accessing patient’s PHI and posting HIV status on website. Also, received 5 years probation and 200 hours of community service.

Professional Accountability HIPAA and American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health (ARRA/HITECH ) are federal regulations that have been designed to protect the identity, and confidential nature of patients’ PHI. These regulations provide guidelines regarding the intended use and sharing to remain among those directly and indirectly involved in the patient’s care, and those individuals the patient indicates it is appropriate to share information with. Your access is based on your “need to know” in the context of performing your duties and responsibilities . TGH has guidelines and policies in place that addresses employees inappropriate use or disclosure of PHI. Disciplinary action ranges from verbal warnings and can result in termination. Abusers of PHI can also be held personally responsible—up to and including penalties/fines and criminal prosecution —for not abiding by these federal regulations. Please don’t make TGH a negative headline… PROTECT the information of our patients

Key Provisions of TGH’s HIPAA Policies (Con’t) If you believe a breach of patient privacy or security of information incident has occurred, complete an incident report. Check with a manager if you need assistance. You may also call the Corporate Compliance Line 800-352-6875 or the TGH Privacy or Security Officers. TGH’s Privacy Officer is Ron Peterson. His office number is 844-4813. TGH’s Security Officer is Balaji Ramadoss. His office number is 844-3286.

HIPAA Case Studies-Privacy Scenario #1 A friend contacts you. The friend has a fellow employee or friend scheduled to have surgery at TGH. The friend asks if you would periodically check on their friend during and after surgery and provide updates. The friend pre-registered and did not opt-out of disclosing general condition information or directory information. You have no involvement with the care of the patient. During and after the surgery you find out information on the patient and provide more than general conditions or directory information to your colleague at Hospital A.

HIPAA Case Studies-Privacy (Con’t) Question ? Have you violated HIPAA?

HIPAA Case Studies (Con’t) Have You Violated HIPAA? Answer: YES! You have, if you provide more than general conditions updates. If as a clinician you have no involvement in the patient’s care, you should not access any information associated with the patient. HIPAA’s minimum necessary rule says that you can access information on patients that you are involved in providing care to. In that context you have a “need to know” the medical information necessary to provide care to the patient. Since you have no involvement with the patient you have no need to know anything about this patient. Disclosing more than general condition or directory information would be a violation of HIPAA and could subject you to potential disciplinary actions.

HIPAA Case Studies-Privacy Scenario #2 Two patients are in a semi-private room. In addition both patients have family members and friends present in the room. You enter the room and immediately begin to discuss patient A’s medical information in a voice loud enough for all present in the room to over hear the conversation.

HIPAA Case Studies-Privacy (Con’t) Question ? Have you violated HIPAA? What could you have done differently?

HIPAA Case Studies-Privacy (Con’t) Answer: YES! You may have, if you did not take reasonable safeguards to minimize the disclosures overheard by the persons present. Reasonable safeguards, such as: ask the patient prior to any discussion of their medical information, whether it is okay to discuss it in front of the persons present in the room, ask the persons, including the patient in the adjacent bed, if practical, to temporarily leave the room taking the patient to a conference room to discuss the medical information, and speaking in a quiet voice so that no one other than the patient could have heard the conversation, are a few examples of what might be considered reasonable safeguards. What if this was a waiting room, would this change your approach?

HIPAA Case Studies-Security Scenario #1 You receive an email with an attachment from an unknown source. The email reads that your computer has been infected with a virus and you need to follow the directions and open the attachment to get rid of it. Question ? Should you follow the instructions?

HIPAA Case Studies-Security (Con’t) Answer: No! Never open unexpected attachments from unknown sources. If you are unsure about whether you should open something, contact the Technology Support Center at ext 7490.

HIPAA Case Studies-Security Scenario #2 A new resident hasn’t yet been given a username and password for the computer system. The resident needs to access the computer system. Question ? Should you just let the resident use your username and password until one is assigned?

HIPAA Case Studies-Security (Con’t) Answer: No! You should never allow anyone to use your username and password to log on to the system. Have the new resident contact a manager or the Help Desk at ext. 7490 to inquire about when to expect to receive his or her own username and password and what interim actions can be taken until one is assigned.

HIPAA Questions?