HIPAA Privacy and Security October 20, Karen Pagliaro-Meyer Privacy Officer Columbia University medical Center (212) Nursing Students
HIPAA: PRIVACY vs. SECURITY PRIVACY Refers to WHAT is protected — Health information about an individual and the determination of WHO is permitted to use, disclose, or access the information June 27, What’s the Difference?: SECURITY SECURITY HOW Refers to HOW private information is safeguarded—Insuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss
Consequences of Privacy or Security Failure Disruption of Patient Care Increased cost to the institution Legal liability and lawsuits Negative Publicity Negative Patient perception Identity theft (monetary loss, credit fraud) Disciplinary action 3
HIPAA –Privacy & Security Concerns – Theft of Patient Data Identity Theft Stolen lap top – Loss of Patient Data incorrect disposal of documents Portable devices increases the possibility of data loss – Misuse of Patient Data Privacy Breach
A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them. The files stolen probably contained little or no medical information, but did include patient names, phone numbers and social security numbers- -fertile ground for identity theft. Employee reported that he sold 1,000 files to a man for $750. NYP sent letters and offered free 2 year credit monitoring to all patients 50,000 * $15 = $750, Theft of Patient Data NewYork-Presbyterian Hospital
Theft of electronic devices at CUMC 6 A large fire in a NYP/CUMC building with immediate evacuation of the entire building An outside firm was hired to assist with the clean-up and repair of the building When staff returned it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen Lesson learned – All equipment must be password protected. Portable equipment that includes patient information must also be encrypted. Consider installing software like PC phone home that may assist in locating stolen portable devices
Loss of Patient Data CVS Pharmacy 7 CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case A case that involves the privacy of millions of health care consumers On January 16, 2009 the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule. CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions, related medical information and credit card information.
Privacy Breach The Kaiser hospital in Bellflower at which Nadya Suleman gave birth eight has been hit with a $250,000 fine by California health officials.fine Kaiser Permanente spokesman Jim Anderson said that the hospital had warned employees to stay away from the Octo-Mom's files and reported the privacy violations itself, firing 15 employees. According to the state, however, the hospital did not do enough to protect Octo-Mom's privacy UCLA Medical Center disciplined 53 staff members for accessing the medical information of Britney Spears in
What you need to know about HIPAA & Patient Privacy Notice of Privacy Practices Authorization to Release Medical Information Patient Rights Privacy Breaches Business Associates HIPAA and Research 9
10
11
Authorization to Release Medical Information 12 Written Authorization required to release medical information Physician or care team may share information with referring physician without an authorization “patient in common” All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review Must understand who is the legal next of kin
13
Notice of Privacy Practices Patient Rights Patients have the right to: – Request restrictions on release of their PHI – Receive confidential communications – Inspect and copy medical records (access) – Request amendment to medical records – Make a complaint – Receive an accounting of any external releases. – Obtain a paper copy of the Notice of Privacy Practices on request
Privacy Breach 15 Privacy Breaches do not usually involve high profile patients Most Privacy Breaches involve staff accessing medical information of friends, family members and co-workers Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action
Who is a Business Associate? Individuals who do business with CUMC and have access to protected health information Signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen Examples of BAAs include: billing companies or claims processing voice mail or appointment reminder service management transcription services or coding companies accreditation Software used for medical data 16
HIPAA and Research Medical Record Research or identification of potential research subjects must be approved by the IRB which includes a review of HIPAA Research requirements Two main avenues of HIPAA Research — – Form A HIPAA Clinical Research Authorization—required elements – Form B HIPAA Application for Waiver of Authorization—subject to approval of the IRB Some exceptions: – Research using solely Decedent Information – Research using solely De-identified Information – Activities prior to research or preparatory to research
HIPAA Privacy Guidance – Top 10 1.Provide patients with the Notice of Privacy Practices 2.Shred patient information 3.Follow Electronic Security Policies 4.Telephone Guidance – messages and requests for info 5.Use and Disclose Medical Information Correctly 6.Fax patient information utilizing a cover sheet 7.Verify patient at the time of new registration 8.Avoid unintentional disclosures (hallway – - mail) 9.Report and manage Privacy Breaches 10.Notify Privacy Office of Complaints
What you need to know about Information Security 19
Good Computing Practices 10 Safeguards for Users 1. User ID or Log-In Name (aka. User Access Controls) 2. Passwords 3. Workstation Security 4. Portable Device Security – USB, Laptops 5. Data Management, e.g., back-up, archive, restore. 6. Remote Access - VPN 7. Recycling Electronic Media & Computers 8. – Columbia account ONLY 9. Safe Internet Use – virus 10. Reporting Security Incidents / Breach
Security Controls Laptop and File Encryption WinZip (password protect + encrypt) 7-zip (free, password protect + encrypt) Truecrypt (free, complete folder encryption) FileVault (folder encryption on Macintosh) Encrypted USB Drives Kingston Data Traveler Iron Key (Fully encrypted) 21
Types of Security Failure Sharing Passwords – You are responsible for your password. If you shared your password, you will be disciplined even if other person does no inappropriate access Not signing off systems – You are responsible and will be disciplined if another person uses your ‘not- signed-off’ system and application Sending EPHI outside the institution without encryption – Under HITECH you may be personally liable for losing EPHI data Losing PDA and Laptop in transit with unencrypted PHI or PII – Under HITECH and NY State SSN Laws, you may be personally liable, and you will be disciplined for loss of PHI or PII 22
New Regulation: HITECH Act (ARRA) 23 (Health Information Technology for Economic and Clinical Health) New Federal Breach Notification Law – Effective Sept 2009 Applies to all electronic “unsecured PHI” Requires immediate notification to the Federal Government if more than 500 individuals effected Requires notification to a major media outlet Will be listed on a public website Requires individual notification to patients Criminal penalties apply to individual or employee of a covered entity State Attorneys General will have enforcement authority and may sue for damages and injunctive relief
New York State SSN/PII Laws Social Security Number Protection Law Effective December 2007 Recognizes SSN to be a primary identifier for identity theft It is Illegal to communicate this information to the general public Access cards, tags, etc. may not have SSN SSN may not be transmitted over Internet without encryption SSN may not be used as a password SSN may not be printed on envelopes with see-through windows SSN may not be requested unless required for a business purpose Fines and Penalties 24
New York State SSN/PII Laws Information Security Breach and Notification Act Effective December 2005 IF… Breach of Personally Identifiable Information occurs o SSN o Credit Card o Driver’s License THEN… Must notify o patients / customers / employees o NY State Attorney General o Consumer reporting agencies 25
New Regulations – Red Flag rule 26 Red Flag – Identity Theft Prevention Program Requires healthcare organizations to establish written program to identify, detect and respond to and correct reports of potential identity theft Educate all staff how to identify Red Flags and report them Appoint program administrator & Report to leadership FTC law includes fines and penalties $2,500 per violation Business Associate Agreements will have to be revised to inform CUMC of any Red Flags involving CUMC data
27
What Is My Role in Protecting Medical Information? Good Security Standards follow the “90 / 10” Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices – Example: The lock on the door is the 10%. – You remembering to lock, – check to see if it is closed, – ensuring others do not prop the door open, – keeping controls of keys is the 90%. – 10% security is worthless without YOU!
29 PATIENT PRIVACY At some point in our lives we will all be a patient Treat all information as though it was your own
Questions & Answers Karen Pagliaro-Meyer Privacy Officer Columbia University Medical Center