Duke University SOM
HIPAA Privacy Training
Lawrence H. Muhlbaier, PhD, Associate Professor, B&B, DCRI
Tasha Carmon, CHPC, CCRC, CCRP, Senior Compliance Auditor, SOM Compliance Office
Purpose of HIPAA Training
• This training will:
– Briefly define HIPAA and PHI
– Provide general education regarding access, use, and
disclosure of health information in compliance with the
Privacy & Security Rules
– Outline your responsibilities as faculty and staff in the
proper use, disclosure and protection of health
information.
– Describe your responsibilities and resources when
there is a question, concern or violation.
– Omnibus Rule Update - January 2013
All Rights Reserved, Duke Medicine 2007
What is the SOM Compliance Office
• Clinical Trials Quality Assurance (CTQA)
– Human Subjects Research Compliance, Clinical Trials Billing
Compliance
• Compliance Review Services (CRS)
– Financial Compliance, COI, Departmental reviews
http://medschool.duke.edu/research/compliance-office/staff
Why do I need HIPAA Training?
• Your duties may require you to have contact with
Duke University Health System (DUHS) health
information. Due to this contact, you have an
obligation to maintain the privacy and security of this
health information.
Our Responsibility as a Covered Entity
• Under the HIPAA Privacy and Security Rules, Duke
must have policies and procedures in place to protect
the privacy and confidentiality of both PHI and
electronic PHI (ePHI).
– Covered entity: Healthcare provider, Healthcare
plan, or Health care clearinghouse that handles
protected health information.
Duke Community members who must comply with HIPAA
What is HIPAA?
Health Insurance Portability & Accountability Act (HIPAA)
• Enacted in 1996, HIPAA covers:
• Insurance Portability (allows one to take insurance to
their next job)
• Accountability (fraud Prevention)
• Administrative Simplification
• Security
• Privacy
Health Information Technology for Economic and Clinical Health (HITECH) Act
• The HITECH Act was enacted as part of the American Recovery and
Reinvestment Act (ARRA) of 2009.
• It addresses the privacy and security concerns associated with the
electronic transmission of health information, in part through several
provisions that strengthen the civil and criminal enforcement of the
HIPAA rules:
– Four categories of violations that reflect increasing levels of
culpability;
– Four corresponding tiers of penalty amounts that significantly
increase the minimum penalty amount for each violation; and
– A maximum penalty amount of $1.5 million for all violations of an
identical provision.
HIPAA Privacy
• The Privacy Rule:
– Protects information about an individual’s health,
health care, or payment for care; past, present, or
future (PHI).
– Identifies permitted uses and disclosures of this PHI.
– Gives patients some control over their health
information (Patient’s Rights).
What is considered Protected Health Information (PHI)?
HIPAA defines 18 identifiers of PHI, including:
1. Names.
2. All geographic subdivisions smaller than a state, including
street address, city, county, precinct, ZIP Code, and their
equivalent geographical codes, except for the initial three digits of
a ZIP Code if, according to the current publicly available data from
the Bureau of the Census:
• The geographic unit formed by combining all ZIP Codes
with the same three initial digits contains more than
20,000 people.
• The initial three digits of a ZIP Code for all such
geographic units containing 20,000 or fewer people are
changed to 000.
18 identifiers of PHI (cont.)
3. All elements of dates (except year) for dates directly related to
an individual, including birth date, admission date, discharge
date, date of death; and all ages over 89 and all elements of
dates (including year) indicative of such age, except that such
ages and elements may be aggregated into a single category of
age 90 or older.
4. Telephone numbers.
5. Facsimile numbers.
6. Electronic mail addresses.
7. Social security numbers.
8. Medical record numbers.
9. Health plan beneficiary numbers.
10. Account numbers.
18 identifiers of PHI (cont.)
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate
numbers.
13. Device identifiers and serial numbers.
14. Web universal resource locators (URLs).
15. Internet protocol (IP) address numbers.
16. Biometric identifiers, including fingerprints and voiceprints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code,
unless otherwise permitted by the Privacy Rule for reidentification.
Note: These are identifiers of PHI only when they appear in combination with health information.
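The ZIP code, date and age rules in items 2 and 3 above are mechanical enough to apply in code. The following Python is an added example for this training, not a Duke tool: LOW_POP_PREFIXES is a constructed placeholder standing in for the three-digit prefixes that current Census data shows to cover 20,000 or fewer people, and the two patient records are constructed, not real.

```python
from datetime import date

# Constructed placeholder set: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. The real set must come from current Bureau of the Census data.
LOW_POP_PREFIXES = {"036", "102", "203"}

def safe_harbor_zip(zip_code, low_pop_prefixes=LOW_POP_PREFIXES):
    """Keep only the initial three digits; collapse low-population prefixes to 000."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed input cannot be shown safe, so fully redact it
    prefix = digits[:3]
    return "000" if prefix in low_pop_prefixes else prefix

def safe_harbor_age(age):
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age > 89 else str(age)

def age_on(dob, as_of):
    """Whole years between dob and as_of (birthday not yet reached counts one less)."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years

def deidentify(record, as_of):
    """Apply the ZIP, age and date rules to one record with zip/dob/admit_date fields."""
    age = age_on(record["dob"], as_of)
    return {
        "zip3": safe_harbor_zip(record["zip"]),
        "age": safe_harbor_age(age),
        # a birth year is itself indicative of age, so it is dropped once age exceeds 89
        "birth_year": "" if age > 89 else str(record["dob"].year),
        # other dates keep the year only; month and day are removed
        "admit_year": str(record["admit_date"].year),
    }

# Constructed sample records (hypothetical patients, not real data)
AS_OF = date(2020, 1, 1)
SAMPLE_RECORDS = [
    {"zip": "27710-1234", "dob": date(1930, 5, 15), "admit_date": date(2019, 12, 3)},
    {"zip": "03601", "dob": date(1929, 5, 15), "admit_date": date(2019, 12, 3)},
]

def deidentify_samples():
    return [deidentify(r, AS_OF) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for out in deidentify_samples():
        print(out)
```

The first sample is exactly 89 on the as-of date, so its age and birth year survive; the second is 90, so both are suppressed and its low-population ZIP prefix collapses to 000.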
Use & Disclosure of PHI
• Use:
– Sharing PHI within Duke Medicine and
designated Duke University
departments.
• Disclosure:
– Sharing health information with others
or entities outside of Duke Medicine.
Appropriate Use & Disclosure of PHI
• Use and disclosure of PHI:
– As authorized by the patient
• (informed consent)
– For treatment, payment, or operations (TPO)
– For other certain circumstances as detailed in
the Privacy Rule (including Public Health
disclosures)
What is needed in an Authorization to Use or Disclose PHI
– Description of PHI to be used or disclosed
– Person(s) authorized to use or disclose the PHI
– Person(s) to whom the covered entity may
disclose PHI
– Each purpose for the use or disclosure
– Expiration date or study event
– Signed copy given to individual
Other HIPAA documents to consider
• Notice of Review Preparatory to Research
– I will look but not record and/or allow to leave Duke.
• Waiver or Alteration of Consent and HIPAA Authorization
(Recording identifiable private information without
written/verbal authorization)
• Notice of Decedent Research
• Deidentification
– (All 18 identifiers are removed)
• Limited Data Set with a Data Use agreement
– Contact Gill Smith’s office
Limited Data Set with DUA
• Limited Data Set with a Data Use agreement
– All identifiers are removed except:
• Dates (DOB, DOD, Service dates), demographic (city,
state, Zip, Zip +4)
– A contract must be signed between the
discloser and recipient.
Minimum Necessary
The Privacy Rule instructs that we follow the “minimum
necessary” requirements when using, disclosing, or
accessing PHI for anything other than treatment of a patient.
– Only the amount of PHI needed to perform the task should
be used or reviewed by staff or disclosed to others.
– If asked to disclose PHI and this is outside your job
responsibilities, contact your supervisor or the SOM Privacy
Officer before releasing the information.
– If requested to give PHI to a third party (e.g., sponsor),
contact your supervisor or the SOM Privacy Officer for
direction.
What can you do to help protect PHI?
• Do Not discuss PHI in public or discuss with anyone unrelated to the task at
hand.
• Do Not access PHI if not needed for your job.
• Do Not leave papers containing PHI unattended. Place papers face down
or conceal them to avoid access by unauthorized persons. Theft or loss of any paper
record should be reported immediately to the SOM
• Do Not send unencrypted electronic PHI.
• Use a cover sheet when faxing confidential information, verifying the fax number.
• Paper, images and other printed materials containing PHI should be destroyed
by shredding or striking out (redaction) so that they cannot be read or
reconstructed.
• Please confirm if a DUA is needed for your research (BAAs are typically not
needed for research).
• If you must retain SSNs for your research, please contact the SOM Compliance
Office and/or the ISO.
Common Violations/Hot button issues
• Not offering the Notice of Privacy Practices to Healthy
subjects.
• Retention of SSNs
– Duke Policies: Collection, Storage, and Use of Social
Security Numbers
• The disclosure of PHI to a third party without
authorization.
• Non-existence of DUA and/or BAA, when needed
• International Data
• Use of personal email for Duke business
– Electronic Communication
Duke Privacy Policy
• Please review the Duke Breach of Protected
Health Information/Patient Privacy Policy
What’s New!!
• Omnibus Rule
• Data Loss Prevention (DLP)
– Diane Padgett, Compliance Auditor
Omnibus Rule – September 20, 2013
Final modifications to the HIPAA Privacy, Security,
and Enforcement Rules require:
• Modifications to individual authorization (allows “opt in” check boxes to be used
in Consent and Authorization forms)
• Modifications to the NOPP and its redistribution
• Business associates of covered entities are now responsible for HIPAA
Privacy/Security breaches and reporting. (New business associate agreements)
• Individual rights to request e-copies of their health record and to restrict
disclosures to a health plan concerning treatment for which one has paid out of
pocket.
• New breach reporting requirements
• The Privacy Rule incorporates the Genetic Information Nondiscrimination Act (GINA) to prohibit
health plans from using or disclosing genetic information for underwriting
purposes.
• Individuals deceased longer than 50 years are no longer covered
REPORTING A SUSPECTED EVENT
Why is it important?
How to report
• If a suspected privacy event occurs, please contact the SOM
Compliance Office immediately (919-684-2475).
• Examples include accidentally releasing patient information to
the wrong person, losing PHI such as a spreadsheet, etc.
• The Privacy Officer should also be notified if someone
incorrectly discloses PHI to you.
• If you wish to make an anonymous report or feel uncomfortable
calling the DUHS Privacy Officer directly, you can call Duke
Medicine’s Privacy Line 1-800-688-1867
What happens to me when I report a
HIPAA concern?
Non-Retaliation/Non-Retribution Policy
• If you report a concern in “good faith”* no retaliation or
retribution may be taken against you even if the investigation
determines that a problem does not exist.
• Supervisors will be disciplined for any attempts to punish or
retaliate against anyone acting in good faith in reporting a
privacy violation.
*Good faith means that the person reporting the concern believes
that the problem exists.
Resources
• Duke SOM Compliance Office
• Duke Medicine’s Privacy Line: 1-800-688-1867
• Duke IRB
• DUHS Policies:
http://marlowe.mc.duke.edu/accred/duhspol.nsf/fb44e3dd791dbda0852567910047d969?OpenView
Thank You
Duke School of Medicine
Compliance Office
Lawrence H. Muhlbaier, PhD
919-668-8774
[email protected]
Tasha Carmon, CCRC, CCRP
919-684-6456
[email protected]