1 HIPAA Privacy and Security Cindy Cummings, RHIT.
2 Authorization – STILL NEED IT Facilities must obtain authorization from patients before using or sharing their PHI for reasons other than treatment, payment, or health care operations.

3 What is Confidential?
Medical Record #
Name
Address
Telephone Number
Age
Social Security #
E-mail address
Medical History
Diagnosis
Medications
Observations
And More

4 Breach Notification Requirements – This is New 2010
Individual Notices
Media Notices
Notice to the Secretary
Notification by a Business Associate

5 Individual Notice
Covered entities (that’s HOB) must notify affected individuals once we discover a breach of unsecured protected health information.
Must provide this individual notice in writing by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive notices that way.
If HOB has insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice:
–Post the notice on the home page of its web site
–Or provide the notice in major print or broadcast media where the affected individuals likely reside
–Must include a toll-free number for individuals to contact HOB to determine if their protected health information was involved in the breach
–If fewer than 10 individuals, HOB may provide substitute notice by an alternative form of written, telephone, or other means

6 Individual Notice
The individual notifications must be provided without unreasonable delay:
–No later than 60 days following the discovery of a breach
–Must include, to the extent possible: a description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what HOB is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for HOB

7 Media Notice
If HOB has a breach affecting more than 500 residents of a State, jurisdiction, or area:
–Besides notifying the affected individuals, HOB is required to provide notice to prominent media outlets serving the State or jurisdiction
–HOB would likely provide this notification in the form of a press release to appropriate media outlets serving the affected area
Like individual notice, this media notification must be provided without unreasonable delay:
–In no case later than 60 days following the discovery of a breach
–Must include the same information required for the individual notice
Notify the Secretary

8 Notice to the Secretary (HHS)
In addition to notifying affected individuals and the media (where appropriate), HOB must notify the Secretary of breaches of unsecured protected health information. HOB notifies the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

9 Notification by a Business Associate If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify HOB following the discovery of the breach. A business associate must provide notice to HOB without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide HOB with the identification of each individual affected by the breach as well as any information required to be provided by HOB in its notification to affected individuals.

10 No Big Deal Right? Wrong!!!!!

11 Kentucky Hospital
The Bowling Green Medical Center had a hard drive stolen that contained information on 5,418 patients. Information contained on the hard drive:
–Patient’s name
–Birthdate
–Address
–MR #
–SS #
–Weight
–Height
–Menopause age

12 Massachusetts General Hospital
The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train; they were never recovered. The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) have agreed to pay the U.S. government $1,000,000 to settle potential violations.

13 Federal Penalties for not Complying
For the misuse of personally identifiable health information: fines up to $50,000 and/or imprisonment for a term up to 1 year
For the misuse under false pretenses: fines up to $100,000 and/or imprisonment for a term up to 5 years
For the misuse with the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm: fines up to $250,000 and/or imprisonment for a term up to 10 years

14 First Person Goes to Jail for HIPAA Violation Researcher from UCLA School of Medicine sentenced to 4 months in federal prison. Accessed confidential medical records without a valid reason.

15 Breach Notifications – So how did HOB do in 2010?
137 breaches occurred for Hospice of the Bluegrass. 19 of those breaches required that the patient as well as the Secretary of the Dept. of Health and Human Services be notified.

16 Patient Variances – 137 breaches, the breakdown
110 variances were related
3 variances involved other patient names included within a mailing
6 variances involved medications sent to the wrong patient
12 variances involved a lost pager
2 variances involved staff members allowing non-staff members to ride along on patient visits
1 variance involved a page sent to an entire site location rather than the supervisor

17 How to Protect Patient Privacy

18 What is Information Security?
All the protections put into place to ensure ePHI is:
–Kept confidential
–Not improperly altered or destroyed
–Readily available to those who are authorized

19 Protect Patients’ Privacy Do not discuss patients in public areas such as elevators and cafeteria lines Do not leave information about a patient’s health on an answering machine

20 Protect Patients’ Privacy
Always close curtains and speak softly when discussing treatments in semi-private rooms
Always log off the computer when you’re finished
Always dispose of patient information only in locked containers

21 Protecting Patient Information Keep your computer login and passwords a secret.

22 Protecting Patient Information – Rules for Using Computers
Do not log into the system using someone else’s password
Only access patient information that you need to do your job
Keep computer screens pointed away from the public
Do not copy PHI onto a removable device such as a thumb drive, disc, etc.

23 Hospice of the Bluegrass DOES NOT have the encryption software that is needed to e-mail PHI outside of the HOB network. If the e-mail address does not end with “hospicebg.org” you CANNOT include PHI.

24 Physical Security – Practice Common Sense Security
Keep laptops and other portable devices locked when not in use
Keep cell phones and pagers on your person at all times
Make sure doors and desks are locked as appropriate

25 Physical Security
The most frequent risk to using PDAs and laptops is theft. When transporting laptops (or any patient information), store them in the floorboard area or in the trunk. Keep your car locked at all times.

26 Sanctions
Hospice of the Bluegrass takes seriously the responsibility of privacy/security of all PHI in its care. Failure to adequately ensure the privacy/security of PHI can result in disciplinary action against you, up to and including:
–Dismissal
–Termination of Business Contract
–Reporting the violation to licensing agencies and law enforcement officials

27 Scenarios You’re at the grocery store……. You’re at church…….. You’re at the gas station…….. Your cell phone rings at home ……..