Transcript HIPAA Education - Tampa General Hospital

HIPAA Privacy and
Security at TGH
Clinician Education
Ron Peterson, Director
Peggy Absher, Sr. Compliance Auditor
Corporate Compliance and Audit
1
HIPAA - Background
The Health Insurance Portability and Accountability
Act (HIPAA) of 1996 established the basis for the
Privacy and Security Rules.
Why is the knowledge of HIPAA important?
Healthcare providers must be knowledgeable of HIPAA to
provide reasonable safeguards to protect the privacy of
patients’ protected health information (PHI). Inappropriate
use or disclosure of patients’ PHI that violates HIPAA, can
result in civil and criminal penalties to TGH as well as you
as an employee or as an individual.
2
HIPAA - Background


Privacy Rule: The Privacy Rule includes national
standards for the protection of Protected Healthcare
Information (PHI). Standards were developed by the
Department of Health and Human Services (HHS). The
Office of Civil Rights (OCR) implements and enforces the
Privacy and Security Rules with respect to compliance and
penalties.
Security Rule: The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic
protected health information in order to protect the privacy
of PHI from intentional or unintentional use or disclosure.
3
HIPAA - Privacy

Privacy Basics:



To protect patient information from being used
or disclosed inappropriately.
To give patients greater control over sharing of
their PHI.
To increase patient access to information.
4
HIPAA- Definitions

(Con’t)
Notice of Privacy Practices:
Each patient seen at TGH receives a written notice of privacy practices.

The HIPAA privacy regulations provides that covered entities must
make a good faith effort to provide the patient with its Notice of
Privacy Practices and obtain a written acknowledgement of such
receipt from the patient. The Notice describes:






How medical information about a patient may be used and
disclosed.
How a patient can gain access to this information.
How a patient should request amendments.
How a patient should request accountings of disclosures.
How a patient should request restrictions on or opt-out provisions.
How a patient should request confidential communications of
information.
5
HIPAA –Definitions

Accounting of Disclosures Currently a patient may request a
detailed written accounting of disclosures of PHI made by a covered
entity in the six years prior to the date on which the accounting is
requested except for the following;






(Con’t)
Information for the treatment, payment of services and health care
operations (TPO).
Information disclosed to the patient
Signed authorizations.
Information used for national security, intelligence purposes, law
enforcement or correctional institutions.
Information that is part of a limited data set.
Once the new regulations under the Health Information Technology for
Economic and Clinical Health Act (HITECH), a division of American
Recovery and Reinvestment Act (ARRA), go into effect, accounting of
disclosures must include disclosures for TPO.
6
HIPAA –Definitions

(Con’t)
Incidental disclosures means disclosures that are limited in
nature and occur as a by-product of an otherwise permissible
use or disclosure. Incidental disclosures will not be considered
a violation of the privacy rule if reasonable safeguard are in
place and the minimum necessary requirements are met. For
example;



Keep information on white boards/locator boards to a
minimum.
Do not discuss patients in public areas, such as elevators,
corridors, cafeteria, etc.
Use of cubicles, dividers, shields or curtains in areas of
multiple patient-staff or physician communications, such as
pre-op, admitting areas, waiting rooms, etc.
7
HIPAA –Definitions

(Con’t)
Minimum necessary standard requires that health
care staff must make a reasonable effort to disclose or
use only the minimum amount of PHI needed to provide
patient care, the PHI they “need to know”.


For example, records compiled in response to a PHI request for a
specific date of service should not include treatment records for
other dates of service.
However, the minimum necessary limitation does not apply when
the disclosure is for treatment purposes.
8
Key Provisions of
TGH’s HIPAA Policies


(Con’t)
If you are not involved in the provision of care to a patient
then you have no right to access, use or disclose protected
health information (PHI) related to that patient’s care. Your
access to patient information must be
in the context of providing direct or
indirect patient treatment.
Viewing or accessing the medical records of a family
member, friend or associate without written authorization,
for which you are not involved in the treatment of is a
violation of HIPAA. Such violations are subject to
disciplinary actions, up to and including termination.
9
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
You must be careful in communicating or discussing
PHI.
Prior to speaking to a patient in the presence of
others, ask the patient if it is okay to discuss their
patient information in the presence of others.
Take the patient to a conference room; or ask others
to wait outside of the room during confidential
discussions.
10
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
Do not leave patient records or other
confidential information out and available for
anyone to see.
Do not put PHI to be disposed of in
trashcans, place it in confidential trash bins.
Do not discuss patient information outside of
TGH
11
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
Medical Identity Theft
Medical identity theft occurs when someone uses a
person’s name and sometimes other parts of their
identity, such as insurance information, without the
person’s knowledge or consent to obtain medical
services or goods; or uses the person’s identity
information to make false claims for medical services or
goods. Medical identity theft frequently results in
erroneous entries being put into existing medical records
and can involve the creation of fictitious medical records
in the victim’s name.
12
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
Medical Identity Theft (con’t)
Employees should be alert for Red Flags which are indicators of
possible identity theft. Potential indicators of identity theft include:
Any patient appearing and giving an identity that has been flagged in
TGH’s Information System;
A patient providing photo ID that does not match the patient;
A patient giving a social security number different than one used on a
previous visit;
A patient giving information that conflicts with information in the
patient’s file or a previous visit;
Family members/friends calling the patient by a name different than
that provided by the patient at registration.
13
Key Provisions of
TGH’s HIPAA Policies
Medical Identity Theft (con’t)

Observe employee accessing patient information through a information
systems applications; writing or printing the information and leaving
work with it.

Observe employee going through trash that has patient information in
it. Removing it and taking it home .
Just because Red Flag indicators are present, does not
necessarily mean identity theft has occurred. Staff must be
objective in evaluating each case. If an employee reasonably
believes identity theft has occurred or may be occurring, the
employee should immediately notify their Supervisor and an
incident Report should be completed.
14
HIPAA – Security

Security Basics:




Ensure confidentiality, integrity and availability of
electronic PHI.
Protect against threat or hazards.
Protect against unauthorized uses of disclosures.
Use of flash drives is STRONGLY discouraged.
15
HIPAA
(Con’t)
TGH-issued equipment, such as laptop computers, cell phones, and
pagers, must be protected from theft or damage.





Never leave equipment unsecured or unattended in public areas.
Equipment left in a car should be concealed and the car is locked when
unattended.
Locking equipment in file cabinets/drawers when not in use.
Data stored on TGH’s equipment, such as laptops, PDAs, cell phones, and
so forth, are the property of TGH. In order to prevent unauthorized access
to the data, users are required to enable the password protection or lock
code functions available on the equipment.
Airport Travel - TGH requires that users retain physical custody of laptops
and other mobile computers as carry-on luggage when traveling by airplane.
16
HIPAA Security

(Con’t)
Things you can do to safeguard security:





Log on and log off of your computer.
Never let others use your log-on and/or
password, all users are required to have a
unique user ID and password.
Follow guidelines for password use.
Never disable anti-virus software.
Never install unapproved software.
17
Key Provisions of
TGH’s HIPAA Policies


(Con’t)
Automatic forwarding from a TGH-owned e-mail account to an external
network account is prohibited.
Faxing of Medical Information (Refer to Policy IM-31, Faxing of Medical
Information) :







Releases of medical information should be through the Health Information
Management (HIM) department.
Limited to use by healthcare providers for immediate and/or
emergency patient care purposes.
Fax only when the original document or mail delivered photocopies
will not serve the purpose.
A signed patient authorization is required.
Ensure that the fax is sent to the appropriate destination, verify the
fax number.
A fax cover sheet (form F-561) must precede the transmission.
Report misdirected faxes to Corporate Compliance immediately by
completing an Incident Report.
18
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
No PHI, including photographs, should be
disclosed through the use of social networks, such
as Facebook, MySpace, Twitter or other on-line
personal communications networks. Social
networks are considered public. Disclosures of
PHI would potentially violate the HIPAA privacy
rules.
19
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
All electronic mail messages and the data contained
therein are the property of TGH.


Users should not expect privacy of any messages
created, sent, stored, or received using the system.
TGH reserves the right to monitor e-mail with the
express authorization by the CEO.
20
Key Provisions of
TGH’s HIPAA Policies

(Con’t)
Internet usage is provided by TGH and is intended
primarily for business use. Incidental and occasional use
of the Internet for personal reasons is permitted.

TGH reserves the right to monitor Internet usage.

Computer Audit access logs for TGH’s applications records
each user’s access of a patient’s PHI.
21
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
Check files for viruses before loading CDs, diskettes, or
downloading files on TGH computers.
Contact the Technology Support Center at extension
7490 to acquire or load software programs on TGH
computers.
Downloading movies, music and books, reports and other
such files for personal use are not permitted.
22
Key Provisions of
TGH’s HIPAA Policies

(Con’t)
TGH management reserves and retains the authority
to:



Restrict or revoke any user's access to computerized
information,
Inspect, copy, remove or otherwise alter any data, program
or other system resource that may undermine hospital
policies directed to the protection of PHI,
Take any other steps deemed necessary to manage and
protect all protected health information on TGH information
systems. This authority may be exercised with or without
notice to the involved users. TGH disclaims any
responsibility for loss or damage to data or software that
results from its efforts to meet these security objectives.
23
HIPAA



(Con’t)
Health care professionals, who fail to comply with TGH’s
policies, procedures, or federal and state laws, shall be
subject to disciplinary action in accordance with TGH
administrative policies; which includes possible
termination of employment.
In certain circumstances you can be personally subject to
civil and/or criminal prosecution for violations of HIPAA
including monetary penalties.
Refer to TGH policy RI-54, “Information Privacy and
Security Compliance “.
24
HIPAA IN AN EPIC WORLD






EPIC will log the actions of all users as they routinely view and interact within
the EMR.
Break the Glass (BTG) – Is an event tracking feature for specialized groups
of patients and encounters. Your Password and a Reason are required to
proceed into the record.

Confidential Patient

Private Encounter

Behavioral Health Unit (7F)
BTG prompts users with a warning that they are entering a “restricted” patient
record.
BTG provides enhanced reporting/audit review of what is done after a BTG
event.
EPIC can also limit visibility of special unit lists (Behavioral Health).
EPIC is configured for SSN masking (XXX-XX-1234).
25
What else will EPIC do?

The Patient Station activity in EPIC will display red text for patients marked with a
“CONFIDENTIAL” patient type and a private encounters set to “Yes”. This alerts TGH
staff and physicians to the confidential status of the patient and that the patient’s
presence in the hospital should not be acknowledged if they are asked by a visitor to
assist in locating a patient.




Census Lists will either hide or highlight (in yellow) the patient, depending on the user’s
security to see these patients in the list.
The Private Encounter field will default to “Yes” for all subsequent registrations on
patients marked as “Confidential” patient types.
The Private Encounter and Patient Type fields will be clearly visible in the patient’s
header highlight (in yellow) if it is populated with any value.
The Patient Type field will be clearly visible in all activities that require patient
search…i.e. “CONFIDENTIAL” will be right next to the patient’s name.
26
What will EPIC not do?



EPIC will not…Prevent all intentional and inappropriate
access to the record
EPIC’s recommendation is to use BTG to inform users, but
users must understand—and are accountable for—the
“appropriateness” of viewing a patient’s record.
EPIC will not…Mask a patient’s identity without changing
their name.
USERS are responsible for their actions
in using any system containing PHI.
27
HIPAA Headline News Stories

Minnesota Health System Fires 32 Employees for snooping in records In another
example of a spectacle that’s so intriguing that some health care workers will risk
their jobs for a peek, Allina Hospitals and Clinics in Minnesota fired 32 employees
recently for improperly accessing the records of patients involved in a headlinemaking incident.

Jackson Health System (JHS) in Miami is conducting an internal investigation and
cooperating with law enforcement after an employee inappropriately accessed
patient information, it says in a June 13 statement. JHS has terminated the
individual’s employment and notified the affected patients.

Richard Charette, who pleaded guilty in February to violating HIPAA, was
sentenced to 33 months in prison on May 4, according to the U.S. Attorney’s
Office for the District of Nevada. Charette participated in a scheme to receive and
disclose records of trauma patients treated at the University Medical Center of
Southern Nevada.
28
HIPAA Headline News Stories

University Medical Center (UMC) in Tucson, Ariz., said Jan. 12 that three
employees and a contract nurse inappropriately accessed patients’ electronic
medical records in the wake of the shootings involving a U.S. Congresswoman and
18 others. The three clinical support staff members and the contracted nurse all
have been terminated from their jobs by their employers.

Hospital staffers fired for sending photo of patient's wounds . The Hospital of Saint
Raphael in New Haven Connecticut recently fired three workers and disciplined
four others after a clinician took a photo of a 17-year-old gunshot victim in the ED
and sent it to others, the New Haven Register/Boston Globe reports.
Hospital employee sentenced to 1 year in prison for accessing patient’s PHI and
posting HIV status on website. Also, received 5 years probation and 200 hours of
community service.

29
Professional Accountability
HIPAA and American Recovery and Reinvestment Act/Health Information Technology for Economic and
Clinical Health (ARRA/HITECH ) are federal regulations that have been designed to protect the identity,
and confidential nature of patients’ PHI.
These regulations provide guidelines regarding the intended use and sharing to remain among those
directly and indirectly involved in the patient’s care, and those individuals the patient indicates it is
appropriate to share information with. Your access is based on your “need to know” in the context of
performing your duties and responsibilities .
TGH has guidelines and policies in place that addresses employees inappropriate use or disclosure of
PHI. Disciplinary action ranges from verbal warnings and can result in termination.
Abusers of PHI can also be held personally responsible—up to and including penalties/fines and
criminal prosecution —for not abiding by these federal regulations.
Please don’t make TGH a negative headline…
PROTECT the information of our patients
30
Key Provisions of
TGH’s HIPAA Policies

(Con’t)
If you believe a breach of patient privacy or security of information
incident has occurred, complete an incident report. Check with a
manager if you need assistance. You may also call the Corporate
Compliance Line 800-352-6875 or the TGH Privacy or Security
Officers.

TGH’s Privacy Officer is Ron Peterson. His office number is
844-4813.

TGH’s Security Officer is Balaji Ramadoss. His office number is
844-3286.
31
HIPAA Case Studies-Privacy
Scenario #1
Case Studies
A friend contacts you. The friend has a fellow employee or
friend scheduled to have surgery at TGH. The friend asks if
you would periodically check on their friend during and after
surgery and provide updates. The friend pre-registered and
did not opt-out of disclosing general condition information or
directory information. You have no involvement with the care
of the patient. During and after the surgery you find out
information on the patient and provide more than general
conditions or directory information to your colleague at
Hospital A.
32
HIPAA Case Studies-Privacy
(Con’t)
Question ?
Have you violated
HIPAA?
33
HIPAA Case Studies
(Con’t)
Have You Violated HIPAA?
Answer: YES!
You have, if you provide more than general conditions updates.
If as a clinician you have no involvement in the patient’s care, you should
not access any information associated with the patient. HIPAA’s minimum
necessary rule says that you can access information on patients that you
are involved in providing care to.
In that context you have a “need to know” the medical information
necessary to provide care to the patient. Since you have no involvement
with the patient you have no need to know anything about this patient.
Disclosing more than general condition or directory information would be a
violation of HIPAA and could subject you to potential disciplinary actions.
34
HIPAA Case Studies-Privacy
Scenario #2
Two patients are in a semi-private room. In
addition both patients have family members and
friends present in the room.
You enter the room and immediately begin to
discuss patient A’s medical information in a voice
loud enough for all present in the room to over
hear the conversation.
35
HIPAA Case Studies-Privacy
(Con’t)
Question ?
Have you violated HIPAA?
What could you have done differently?
36
HIPAA Case Studies-Privacy
(Con’t)
Answer: YES!
You may have, if you did not take reasonable
safeguards to minimize the disclosures overheard by
the persons present. Reasonable safeguards, such as:
1.
2.
3.
4.
ask the patient prior to any discussion of their medical information, whether it is
okay to discuss it in front of the persons present in the room,
ask the persons, including the patient in the adjacent bed, if practical, to
temporarily leave the room
taking the patient to a conference room to discuss the medical information, and
speaking in a quiet voice so that no one other than the patient could have heard
the conversation, are a few examples of what might be considered reasonable
safeguards. What if this was a waiting room, would this change your approach?
37
HIPAA Case Studies-Security
Case Studies
Scenario #1
You receive an email with an attachment from an
unknown source. The email reads that your
computer has been infected with a virus and you
need to follow the directions and open the
attachment to get rid of it.
Question ?
Should you follow the instructions?
38
HIPAA Case Studies-Security
(Con’t)
Answer: No!
Never open unexpected attachments from
unknown sources.
If you are unsure about whether you should
open something, contact the Technology
Support Center at ext 7490.
39
HIPAA Case Studies-Security
Scenario #2
A new resident hasn’t yet been given a username
and password for the computer system. The
resident needs to access the computer system.
Question ?
Should you just let the resident use your username
and password until one is assigned?
40
HIPAA Case Studies-Security
(Con’t)
Answer: No!
You should never allow anyone to use your
username and password to log on to the system.
Have the new resident contact a manager or the
Help Desk at ext. 7490 to inquire about when to
expect to receive his or her own username and
password and what interim actions can be taken
until one is assigned.
41
HIPAA
Questions?
42