HIPAA (Health Insurance Portability & Accountability Act


Columbia University Medical Center
Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
Privacy & Information Security Training
2009
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)
- Insurance Reform [Portability]
- Administrative Simplification [Accountability]
  - Transactions, Code Sets, & Identifiers (Compliance Date: 10/16/2002 and 10/16/03)
  - Privacy (Compliance Date: 4/14/2003)
  - Security (Compliance Date: 4/20/2005)
- Fraud and Abuse (Accountability)
Who Needs HIPAA Training?
All staff working at CUMC should receive HIPAA training
- Clinical – Patient Care requirements
- Research – HIPAA research requirements
- Administration – Billing, Fundraising, Marketing, Public Relations & other Business functions
Privacy & Security Concerns
- Theft of Patient Data
  - Identity Theft
  - Stolen laptop
  - USB Drives
- Loss of Patient Data
  - Incorrect disposal
- Misuse of Patient Data
  - Privacy Breach
In the News...
- An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients.
- CVS Caremark Corp. has agreed to pay $2.25 million to settle allegations by the government that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.
- 53 staff members disciplined for accessing Britney Spears' medical records at UCLA medical center.
HIPAA Guidance – Top 10
Privacy Guidance
1. Provide patient with the Notice of Privacy Practices
2. Shred patient information – disposal
3. Telephone Guidance – messages and requests for patient information
4. Use and Disclose Medical Information Correctly
   - Release of medical information
   - Minimum necessary
5. Fax patient information utilizing a cover sheet
HIPAA Guidance – Top 10
Information Security Guidance
1. Never share your password
2. Secure (password / encrypt) electronic devices with patient information
3. SS# should not be included in databases when not required
4. Do not access records of co-workers, family members, friends or high profile patients
5. Promptly report loss or theft of electronic devices with protected health information and inform the Privacy Officer of improper use / privacy breach
Privacy/Security Breaches
Ponemon Study on Data Breaches (Nov 2007) – cause of breach, by share of incidents:
  Lost laptop/Device        48%
  Third Party/Outsourcer    16%
  Malicious insider          9%
  Paper records              9%
  Electronic backup          7%
  Hacked system              5%
  Malicious code             4%
  Undisclosed                2%
Information Security & Privacy Failures
Employee Carelessness
- Sharing Passwords
- Loss / theft of USB drive, BlackBerry, disc or laptop with patient information
- Failure to use passwords/encryption to protect portable devices
- Mailing medical records
- Incorrect patient registration
- Failing to log off systems (CROWN, WebCIS, Eclipsys, IDX etc.)
- Sending ePHI (electronic protected health information) outside the institution without encryption
- Using a non-CUMC email account to communicate patient information
DO NOT USE PERSONAL EMAIL ACCOUNTS FOR WORK PURPOSES
New Requirements for Patients
- Notice of Privacy Practices must be offered to the patient at the time of their first visit. On first visit only, not every visit.
- Tells patients their specific rights regarding their health information.
- A signed acknowledgement must be placed in the patient's medical record and documented in IDX.
Notice of Privacy Practices
Patients have the right to:
- Request restrictions on release of their PHI
- Receive confidential communications
- Inspect and copy medical records (access)
- Request amendment to medical records
- Make a complaint
- Receive an accounting of any external releases
- Obtain a paper copy of the Notice of Privacy Practices on request
Use or Disclosure of Medical Information
- Written Authorization required to release medical information
- Physician may share information with referring physician ("patient in common") without an authorization
- All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
Electronic Access is Recorded
- Your access to CROWN, WebCIS, Eclipsys, and other clinical electronic systems is recorded and subject to audit
- Periodic audits are done and access is monitored
- If you access medical information without a legitimate business purpose you will be disciplined
- Do not allow others to use your password or user ID, or to work after you have signed into a clinical application
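The periodic audit this slide describes, together with Information Security Guidance item 4 (no access to records of co-workers, family members, friends or high-profile patients), can be checked mechanically against an access-log export. The following is an added example written for this transcript, not CUMC's own audit tooling: the CSV log layout, the staff-to-MRN directory, the watch list and the treatment-team table are all constructed assumptions.

```python
import csv
import io

# Constructed sample audit-log export (not real CUMC data); each row is
# timestamp,user_id,system,patient_mrn,action
SAMPLE_LOG = """\
2009-03-02T09:14:00,jdoe01,WebCIS,100234,view
2009-03-02T09:20:00,jdoe01,WebCIS,100777,view
2009-03-02T11:05:00,asmith,Eclipsys,100777,view
2009-03-02T12:30:00,asmith,CROWN,100900,view
2009-03-03T08:00:00,rlee,IDX,100555,update
2009-03-03T08:10:00,rlee,WebCIS,100900,view
"""

# Constructed directory of staff who are also patients: user_id -> their own MRN.
EMPLOYEE_MRN = {"jdoe01": "100234", "asmith": "100900", "rlee": "100111"}
# Constructed watch list: records (e.g. high-profile patients) reviewed on any access.
WATCH_LIST = {"100777"}
# Constructed (user_id, mrn) pairs with a documented treatment relationship.
TREATMENT_TEAM = {("rlee", "100555")}


def parse_log(text):
    """Parse the CSV export into a list of dicts, skipping blank rows."""
    fields = ("ts", "user", "system", "mrn", "action")
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]


def audit(records, employee_mrn=EMPLOYEE_MRN, watch_list=WATCH_LIST,
          team=TREATMENT_TEAM):
    """Return (user, mrn, reason) triples for accesses that need human review."""
    mrn_owner = {mrn: user for user, mrn in employee_mrn.items()}
    findings = []
    for r in records:
        user, mrn = r["user"], r["mrn"]
        if (user, mrn) in team:
            continue  # documented care relationship: legitimate business purpose
        if mrn_owner.get(mrn) == user:
            findings.append((user, mrn, "accessed own record"))
        elif mrn in mrn_owner:
            findings.append((user, mrn, "accessed co-worker record of " + mrn_owner[mrn]))
        if mrn in watch_list:
            findings.append((user, mrn, "watch-listed patient"))
    return findings


if __name__ == "__main__":
    for user, mrn, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{user} -> MRN {mrn}: {reason}")
```

Each finding is a review item for the Privacy Officer, not a verdict; a real audit would join the log against scheduling and billing data to establish the business purpose before anyone is disciplined.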
New Regulations - 2009
HITECH – Economic Stimulus Plan
- Significantly increased penalties
- PERSONAL liability for violations
- Significantly increased requirements to protect electronic medical information
Red Flag Regulations
- New regulations to detect, prevent and respond to medical identity theft
Social Security Notification Act
- Individual notification and free credit monitoring when the SS# of an individual is lost/stolen
HIPAA Research Training
All researchers are required to complete HIPAA Research online training in addition to the HIPAA general training.
Researcher Training: Register on RASCAL: www.rascal.columbia.edu
HIPAA and Research
Two main avenues:
- Form A HIPAA Clinical Research Authorization – required elements
- Form B HIPAA Application for Waiver of Authorization – subject to approval of the IRB
Some exceptions:
- Research using solely Decedent Information
- Research using solely De-identified Information
- Activities prior to research or preparatory
- Medical Record Research done under a HIPAA Waiver of Authorization is approved by the IRB
PATIENT PRIVACY
At some point in our lives we will all be a patient.
Treat all information as though it were your own.
Questions & Answers
Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
212-305-7315
[email protected]
[email protected]