Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office of Compliance Brody School of Medicine ECU HIPAA Privacy Office

Published byGreyson Gillim Modified over 9 years ago

Similar presentations

Presentation on theme: "Office of Compliance Brody School of Medicine ECU HIPAA Privacy Office"— Presentation transcript:

1 Office of Compliance Brody School of Medicine ECU HIPAA Privacy Office
HIPAA Privacy Rules: What’s Important to Know to Protect Your Patients, Yourself, and Your Institution Office of Compliance Brody School of Medicine ECU HIPAA Privacy Office

2 Overview Background and General Information
Use and Disclosure of Protected Health Information Patients Rights under HIPAA Security Breach Notification Requirements Penalties and Enforcement under HIPAA ECU HIPAA Privacy Violation Levels and Sanctions ECU Privacy Basics

3 Background and General Information

4 Background and General Information
HIPAA is a federal law which established a minimum level of privacy protections related to “protected health information” (PHI) Congress felt that additional privacy and security protections were necessary once transmission of health claims and other health information became uniform and electronic Required compliance with HIPAA became effective on April 14, 2003

5 Background and General Information
What is Protected Health Information (PHI)? Information that is created or received by the covered entity; Covered entity – Health plans; health care clearinghouse; and health care providers Hybrid entity – A single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, nonhealth care components of a hybrid entity may be affected because the health care component is limited in how it can share PHI with the non-health care component. ECU is a hybrid entity with designated health care components Relates to past, present or future physical or mental health or condition of the individual, or related to payment for health care; and Identifies the individual or provides a reasonable basis to be used to identify the individual includes all personal demographic & health information Can be in any form: Verbal, written or electronic

6 Background and General Information
Identifiers Name Geographic location Street address, city, county, precinct, zip code, Dates DOB, date of death, admission/discharge/treatment date Phone/fax numbers address SSN Medical record number Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers Including license plates Device identifiers and serial numbers URLs IP Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying numbers, characteristic, or code

7 Background and General Information
The American Recovery and Investment Act of (ARRA) Drastically modified certain provisions under HIPAA including: Heightened Enforcement Increased penalties Periodic audits for compliance Security Breach Notification Requirements Increased Restrictions on Use and Disclosure of PHI Additional Rights for Patients Copies of PHI in electronic format Cannot disclose PHI to health plan if patient paid in full “out of pocket”

8 Test Your Privacy Knowledge #1
Which of the following pieces of information is permissible to discuss with a friend or family member? a) The mutual friend who came to your facility b) The patient you cared for with a highly unusual set of symptoms but without stating the patient’s name c) The prominent politician who is a patient at your facility d) The high number of heart disease patients you have seen this week e) The patient you cared for who lives on your block

9 Test Your Privacy Knowledge #1
Answer - d It is acceptable to talk about general trends but not about specific patients

10 Use and Disclosure of PHI

11 Use and Disclosure of PHI
HIPAA Authorization In general, required for any use or disclosure of PHI Special type of authorization that is separate from the general consent for treatment Must be in writing and include specific elements Patient must receive a copy and is permitted to revoke authorization at any time in writing. Typical uses include: Research at a covered entity Patient’s request to release PHI to an outside entity or individual Release of employment- related examination information Psychotherapy notes and other sensitive conditions Certain fundraising or marketing activities (that are not exempt from the authorization requirement)

12 Use and Disclosure of PHI
Broad exception for “treatment, payment or health care operations” “Treatment” Providing information to other providers involved in the care of the patient (e.g., other nurses, doctors, lab personnel, etc.) Does NOT allow for disclosure of psychotherapy notes and other types of sensitive conditions (i.e., HIV status); separate consent required to release that type of information “Payment” Submission of claims for services to third party payors Collection activities “Health care operations” Using and disclosing PHI for quality assurance reviews, internal auditing, peer review, outside lawyers, accountants, etc. Research is not considered to be health care operations

13 Use and Disclosure of PHI
Examples of Exceptions to the Authorization Requirement Law enforcement purposes Judicial and administrative proceedings (per court order or subpoena) Health oversight agencies (e.g., HHS) Certain public health activities (e.g., CDC, public health departments, tracking of FDA recalls, reporting of adverse events during research)

14 Use and Disclosure of PHI
Disclosure of PHI to Patient’s Family and Others Involved in Care May disclose PHI directly relevant to such person’s involvement in the care May disclose PHI to notify a family member, a personal representative or others involved in the patient’s care of: Patient’s location, general condition, or death If the patient is present: Obtain the patient’s agreement to involve family members or others If patient is not present or otherwise incapacitated: Exercise of professional judgment to determine whether the disclosure is in the best interests of the individual, and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the individual’s care

15 The Minimum Necessary Requirement 45 C.F.R 164.502 (b) and 164.514 (d)
Family Member or Friend Other Persons Patient is present and has the capacity to make health care decisions Provider may disclose relevant information if the provider does one of the following: Obtain the patient’s agreement; Gives the patient an opportunity to object and the patient does not object; Decides from the circumstances, based on professional judgment, that the patient does not object Disclosure may be made in person, over the phone, or in writing Patient is not present or is incapacitated Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient’s best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient’s best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient. Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient’s care and in his or her professional judgment, the provider believes the disclosure to be in the patient’s best interest. Disclosure may not be made in person, over the phone, or in writing. The Minimum Necessary Requirement 45 C.F.R (b) and (d)

16 Test Your Privacy Knowledge #2
PHI may be disclosed without authorization or waiver to government agencies as required by law. True False

17 Test Your Privacy Knowledge #2
Answer – a) True For example – child abuse and neglect reporting to health authorities

18 Use and Disclosure of PHI
“Minimum Necessary” Rule In general, the amount and types of PHI used or disclosed is restricted to the minimum amount of PHI necessary to satisfy the request. “Reasonable efforts” must be taken not to disclose more than the minimum amount of PHI necessary to accomplish the intended purpose. Does not apply in disclosures for treatment purposes to other providers or for release of PHI to patient pursuant to their own authorization.

19 Test Your Privacy Knowledge #3
You are a billing clerk and routinely look at medical records to know if laboratory tests are performed. Are you permitted to view the results of the lab tests? Yes No

20 Test Your Privacy Knowledge #3
Answer – b) No Viewing the results would exceed the scope of job duty for the billing clerk.

21 Use and Disclosure of PHI
Contacting Patients Make every effort to speak to patient directly Never leave voice messages containing information regarding condition, test results, etc. If you must leave a message, leave your name, ECU Physicians, and your phone number only. Do not state the reason for the call.

22 Use and Disclosure of PHI
Verification of Identity of Individual Requesting PHI by Phone Reasonable efforts must be made to verify identity of caller or individual requesting PHI Reasonable questions include knowing certain personal information regarding patient, such as DOB, maiden name, etc. (not easy to find information such as telephone number, address, etc.)

23 Use and Disclosure of PHI
Incidental Disclosures Those types of disclosures are not protected under HIPAA Disclosures that occur even after proper safeguards have been taken Examples: Waiting room sign-in sheets, calling out a patient’s last name in waiting room (e.g., Mr. Smith and Mrs. Jones), shared hospital rooms, teaching rounds

24 Use and Disclosure of PHI
After review and approval, de-identified information can be used if 18 specific identifiers are removed from the information such as: Names All geographic subdivisions smaller than a State including address, city, county, zip code All elements of dates except year that relate to health care treatment including age Telephone numbers, fax numbers, addresses Numbers – SSN, MRN, health plan beneficiary, account, certificate/licenses, vehicle ID and serial, device ID and serial URLs or IP numbers Fingerprints, full face photos, or other comparable images Any unique identifying number, code, or characteristic Privacy Policy # 0013

25 Use and Disclosure of PHI
Commonsense Safeguards Do not discuss patient information in hallways, elevators, restaurants, or other public places where others may overhear your conversation Never post or share information about a patient on social media sites Do not access any medical record or other PHI unless you have a legitimate business or patient care purpose For example, never access a medical record or other PHI to learn of a friend’s condition, birth date, status of newly delivered baby, etc.

26 Use and Disclosure of PHI
Commonsense Safeguards Never share your EMR password with anyone for any purpose Faxes: Verify fax numbers prior to sending PHI, use an approved fax cover sheet, and ask if someone will be waiting for the information (especially if you do not know the location of the fax machine) Computer screens: To the extent possible, turn away from visitors, use a privacy screen, etc.; always lock computer when leaving workstation if you are viewing PHI

27 Designated Shred Containers

28 Designated Shred Containers
If a container is marked “Confidential”, “Not Trash”, or “Shred” then it is for shred material only. Do not empty these containers.

29 Test Your Privacy Knowledge #4
You can post information about a patient on a social media site as long as your settings are set to friends/private? a) True b) False

30 Test Your Privacy Knowledge #4
Answer – b) False You should never post or share information about a patient on social media sites

31 Patient Rights under HIPAA

32 Patient Rights under HIPAA
Right to Access PHI Patients may request to receive a copy of their medical record Request must be in writing using approved form Requests may be denied in certain circumstances ECU employees are not permitted to access their own PHI without first going through Health Information Systems Services

33 Patient Rights under HIPAA
Patients may Request an Accounting of Disclosures of their ECU maintained PHI which has been made during the past six years Patients are permitted to request a listing showing to whom their PHI has been disclosed Does not include disclosures made for treatment, payment, or health care operations; disclosures made pursuant to patient’s own authorization or disclosures prior to April 14, 2003 (effective date of rule) Does not include disclosures made for national security or intelligence purposes, or law enforcement purposes

34 Patient Rights under HIPAA
Right to Confidential and Alternative Communications Patients have the right to request the method whereby they will be contacted (e.g., what telephone number, location, etc.) Any requests to communicate PHI by alternate means must be submitted in writing using the ECU Request for Alternate Communication Form

35 Patient Rights under HIPAA
Right to Further Restrict Disclosure of PHI Patients may request that their PHI not be disclosed in a certain manner, even if it is permitted under HIPAA Common requests include no disclosure for fundraising purposes (institutions are otherwise permitted to use minimal PHI for fundraising purposes), no disclosure to certain government agencies, or certain family members Requests must be made in writing using ECU’s Request for Restriction on the Use and Disclosure of PHI Form ECU may accept or decline request

36 Patient Rights under HIPAA
Right to Request Amendment to Medical Record Patients may request a correction to the medical record Provider is not required to amend; however, must notify patient regarding decision Typically happens with sensitive types of conditions: Obesity, mental illness conditions, etc.

37 Patient Rights under HIPAA
Complaints about Privacy and Security Practices Any individual may file a complaint regarding suspicion of a potential privacy violation Individuals may file privacy complaints with: ECU Privacy Officer BSOM Compliance Hotline (866) The United States Office for Civil Rights No intimidation or retaliatory actions taken against any individual making a complaint

38 Security Breach Notification Requirements

39 Security Breach Notification Requirements
First federal notification law established under ARRA For breach of any “unsecured PHI,” the covered entity is required to notify within 60 days each individual whose PHI has been accessed, acquired or disclosed as a result of such breach. Annual disclosure requirement to HHS regarding all notifications If breach involves 500 or more individuals, notice to HHS must be immediate; “prominent” local media must also be notified. Excludes certain inadvertent or unintentional disclosures

40 Penalties and Enforcement under HIPAA

41 Penalties under HIPAA Privacy Rule Enforcement Highlights from Health and Human Services (HHS) & Office of Civil Rights (OCR) 92,975 HIPAA complaints received from April through February 2014 94% have been resolved through: Investigation and enforcement (22,222) Investigation and finding no violation (10,005) Closure of cases not eligible for enforcement (54,944) OCR lacks jurisdiction under HIPAA Complaint is untimely, withdrawn, or not pursued by filer Activity described does not violate the rules Enforcement highlights as of February 28, 2014: (accessed March 25, 2014)

42 Penalties under HIPAA OCR Most Frequent Compliance Issues
in order of frequency: Impermissible use and disclosure of PHI Lack of safeguards of PHI Lack of patient access to PHI Violation of “minimum necessary” rule Lack of administrative safeguards of electronic PHI OCR has referred 522 cases to the Department of Justice for criminal investigation Enforcement highlights as of February 28, 2014: (accessed March 25, 2014)

43 Penalties under HIPAA Civil Penalties Penalty Amount Calendar Year Cap
For violations occurring on or after 2/18/2009 $100 to $50,000 or more per violation $1,500,000 For violations occurring prior to 2/18/2009 Up to $100 $25,000 Summary of HIPAA Privacy Rule: (accessed June 22, 2012)

44 Penalties under HIPAA Criminal Penalties Penalty Amount Prison Term
Knowingly obtains or discloses PHI in violation of Privacy Rule Up to $50,000 Up to 1 year Wrongful conduct involves false pretenses Up to $100,000 Up to 5 years Wrongful conduct involves intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm Up to $250,000 Up to 10 years Summary of HIPAA Privacy Rule: (accessed June 22, 2012)

45 ECU HIPAA Privacy Violation Levels & Sanctions

46 ECU HIPAA Privacy Violation Levels & Sanctions
Under HIPAA, ECU is required to have and apply internal sanctions against its workforce who fail to comply with its policies and procedures Specific internal sanctions are outlined in East Carolina University Privacy Regulation: HIPAA Sanctions

47 ECU HIPAA Privacy Violation Levels & Sanctions
Failure to demonstrate appropriate care Examples: Failing to log off a computer Leaving PHI in a non-secure location Inappropriate hallway conversation

48 ECU HIPAA Privacy Violation Levels & Sanctions
Intentional or unintentional exposure of PHI internally Unauthorized access to PHI Repeated Level 1 violations Examples: Providing passwords to unauthorized users Accessing PHI for which you have no job duty

49 ECU HIPAA Privacy Violation Levels & Sanctions
Intentional or unintentional exposure of PHI internally or externally Repeated Level 2 violations Examples: Sharing PHI with unauthorized individuals Failing to perform necessary actions to prevent disclosure Disclosing PHI external to ECU’s designated health care components

50 ECU HIPAA Privacy Violation Levels & Sanctions
Intentional abuse of PHI Examples: Large scale disclosure Use for personal gain Destroying PHI

51 ECU HIPAA Privacy Violation Levels & Sanctions
Violations can result in local sanctions ranging from documented counseling, in accordance with ECU’s disciplinary policies, up to and including dismissal. Other Federal sanctions may result including fines and/or imprisonment.

52 ECU HIPAA Privacy Policies

53 Training All workforce members must receive annual HIPAA Training to protect the privacy and security of individually identifiable health information. Annual HIPAA Training is located in Cornerstone.

54 HIPAA Privacy and E-mail
and PHI: Within University faculty/staff system You do not need to encrypt containing PHI if it is from your account on ECU’s e- mail system to another faculty/staff account on the system but must limit PHI to the minimum necessary amount to perform the intended function Outside of University system sent to an address outside of ECU’s system must be encrypted but must limit PHI to the minimum necessary amount to perform the intended function Vidant is not part of ECU’s system ECU student accounts sent to a student account is not encrypted and does not support the University’s encryption software. If you have a student in your department who needs to PHI please contact your department EPAF administrator. Wireless Networking and PHI: Do not access or send PHI over a wireless network, unless the data is encrypted prior to transmission. Data sent over a wireless network can be captured by unauthorized persons in nearby buildings, parking lots, and streets. This includes personal smartphones and other portable devices Contact the ITCS Security Department: prior to purchasing any system that will store or transmit PHI to ensure that the appropriate measures are in place.

55 Test Your Privacy Knowledge #5
You need to send an containing PHI to someone in the billing department but you don’t know which specific person to send it to. You should: a) Send the to the department’s group in the hopes that it will reach the correct person. b) the PHI to one person in the department and ask them to please forward the to the appropriate person if they cannot assist you. c) Contact the department before sending the containing PHI to ensure that you send the PHI to the correct person.

56 Test Your Privacy Knowledge #5
Answer – c) Sending PHI to an employee who is not authorized to view the information is a HIPAA violation

57 Test Your Privacy Knowledge #6
You may use your personal smartphone or other device to read and send s containing PHI: a) True b) False

58 Test Your Privacy Knowledge #6
Answer – b) False You should not use a personal device to store or transmit PHI Please review the HIPAA Security Portable Device Security Standard: standards.cfm

59 ECU HIPAA Privacy Officer and Policies
Interim ECU HIPAA Privacy Officer Kenneth De Ville, PhD, JD (252) Complete HIPAA Privacy and Security Policies are available at the following website:

60 Questions?

Download ppt "Office of Compliance Brody School of Medicine ECU HIPAA Privacy Office"

Similar presentations

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.

HIPAA Privacy Keys to Success Education for Nursing and all other Clinical Students Effective January 2010 HIPAA Job Specific Education1.

Similar presentations

Ads by Google