HIPAA Awareness Training

Transcript HIPAA Awareness Training

LSU Health Shreveport
Shreveport - EA Conway - Huey P Long
HIPAA Privacy and Information Security Education
Prepared by Compliance Office
March 2012
CONTENTS

• What is HIPAA and its relevance to you
• How HIPAA affects you and your job
• How you can protect patients’ health information
• How to understand and reduce the risks when using and storing electronic information
• What role you play in protecting our computer network
• Where to get assistance with HIPAA questions
RELEVANCE TO YOU

• Education about HIPAA and your institution’s policies and procedures for complying with HIPAA is required by law.
• All employees under the direction of the North Louisiana Chancellor are required to complete this module and be familiar with related policies. This includes all employees of the Shreveport, E.A. Conway and Huey P. Long campuses.
• All campuses are designated as LSU Health Shreveport for purposes of HIPAA.
WHAT IS HIPAA?

HIPAA is a federal statute (the Health Insurance Portability and Accountability Act of 1996) which…
• Established national medical privacy standards
• Established security standards for individuals’ health information
• Established Electronic Transaction and Code Sets Standards for electronic health information and payment systems
HIPAA LAW CHANGES

• The American Recovery and Reinvestment Act of 2009, otherwise known as the Stimulus Package or HITECH Act, dramatically increased HIPAA requirements and penalties.
• In addition to the increased financial penalties, facilities will be subject to civil and criminal penalties beginning in 2011.
HIPAA REQUIREMENTS FOR HEALTHCARE PROVIDERS

• Must protect the privacy and security of an individual’s Protected Health Information (PHI)
• Should only use the “minimum necessary” patient information required to accomplish the intended purpose of the patient’s treatment, payment or hospital operations
• Must allow individuals, by their written authorization, to control the sharing of their protected health information
HIPAA GIVES PATIENTS THE RIGHT TO:

• review and/or receive a copy of their medical records
• request an accounting of disclosures
• request to amend their PHI
• request confidential communications
• request restrictions on disclosure of their information
WHAT INFORMATION MUST LSU HEALTH SHREVEPORT PROTECT?

HIPAA and Louisiana state law direct that, as a healthcare provider, LSU Health Shreveport must protect the personal health information of individuals that it creates, receives, or maintains.
TERMS YOU SHOULD KNOW

Protected Health Information (PHI) is:
• Individually identifiable information created or received in any form (verbal, written, or electronic) by a HIPAA covered entity
• Information about an individual’s past, present or future physical/mental condition
• Information about an individual’s past, present, or future provision for payment of health care
EXAMPLES OF PROTECTED HEALTH INFORMATION (PHI, EPHI)

• Personally identifiable information such as name, address, birth date, phone and fax numbers, e-mail address, social security numbers and other unique numbers
• Billing records, claim data, referral authorizations
• Medical records, diagnosis, treatment, x-rays, photos, prescriptions, laboratory, and other test results
• Research records
• This includes all formats of the above information: verbal, written, and electronic
IN ORDER FOR AN LSU HEALTH SHREVEPORT HEALTHCARE PROVIDER TO USE OR DISCLOSE PHI:

LSU Health Shreveport must provide each patient with a Notice of Privacy Practices and obtain the patient’s signature acknowledging receipt of the notice that:
• Describes how LSU Health Shreveport may use and disclose the patient’s protected health information (PHI) and
• Advises the patient of his/her privacy rights
HIPAA SPECIFICALLY ALLOWS…

LSU Health Shreveport to create, use, and share a person’s protected health information as the Notice of Privacy Practices describes for the following:
• Treatment
• Payment
• Operations, including medical staff quality or peer review activities, and government reporting

[Slide image: cover of the LSU Health Sciences Center – Shreveport “Notice of Privacy Practices for Protected Health Information”, headed “This notice describes how your medical information may be used and disclosed and how you can get access to this information. Please review it carefully.”]
WHAT DOES DISCLOSURE MEAN?

• To release, transfer, provide access to or divulge patient information in any manner outside of LSU Health Shreveport
• Only the minimum amount of necessary patient information may be disclosed for any allowed use or disclosure
FOR DISCLOSURES OTHER THAN TPO

• For disclosures other than for treatment, payment, and operations (TPO)… LSU Health Shreveport must obtain a written patient authorization or receive a subpoena to disclose information
• Non-routine disclosure requests should be sent to the Compliance Office for review before processing
TEACHING HOSPITALS

In an academic institution teaching is a key part of operations. Bedside rounds, teaching rounds, conferences, etc. are all permissible.
On the wards or in the clinics, staff should take measures to minimize incidental disclosures, such as speaking softly.

At teaching conferences minimize disclosure of patient identifiers as much as possible.
LSU Health Shreveport attempts to “de-identify” patient information used in lectures and other teaching activities.
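The list of PHI identifiers given earlier (name, birth date, phone and fax numbers, e-mail address, social security number) and the de-identification practice described above lend themselves to a small worked example. The following Python script is an added illustration, not code from the LSU Health Shreveport training or its Compliance Office: it redacts the structured identifiers from a constructed clinical note and takes the patient and relative names as an input list, because names cannot be recognised by pattern alone. The sample note, the names and the regular expressions are all assumptions made for the example.

```python
"""De-identify structured identifiers in a free-text clinical note.

Added example (not from the LSU Health Shreveport training deck). It
demonstrates the "de-identify before teaching use" practice with a
pattern-based redactor for the identifier types the deck lists: names,
dates, phone/fax numbers, e-mail addresses and Social Security numbers.
Patient names cannot be found by pattern alone, so the caller passes the
names known for the record. All sample data below is constructed.
"""
import re

# Structured identifier patterns. Order matters: SSN is matched before
# phone numbers so that "123-45-6789" is not half-consumed as a phone.
# PHONE starts with a lookbehind rather than \b so that "(318) ..." matches.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("DATE",  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
]


def deidentify(text: str, names=()) -> tuple[str, dict]:
    """Return (redacted_text, counts), where counts maps tag -> replacements made.

    `names` is an iterable of patient/relative names known for this record;
    each is replaced case-insensitively as a whole word. Names are handled
    first, longest first, so "Mary Doe" is not left as "Mary [NAME]".
    """
    counts = {}
    for name in sorted(names, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text, n = pattern.subn("[NAME]", text)
        counts["NAME"] = counts.get("NAME", 0) + n
    for tag, pattern in PATTERNS:
        text, n = pattern.subn("[%s]" % tag, text)
        counts[tag] = counts.get(tag, 0) + n
    return text, counts


# Constructed sample note (no real patient data).
SAMPLE_NOTE = (
    "Pt Jane Doe, DOB 04/12/1961, SSN 123-45-6789, presented with chest pain. "
    "Daughter (Mary Doe) reachable at (318) 555-0142 or mary.doe@example.org. "
    "Fax results to 318-555-0199. Troponin negative; discharged 05/01/2012."
)

if __name__ == "__main__":
    redacted, counts = deidentify(SAMPLE_NOTE, names=["Jane Doe", "Mary Doe"])
    print(redacted)
    print(counts)
```

Pattern-based redaction is a first pass only: street addresses, medical record numbers and any name not on the supplied list survive it, so de-identified teaching material still needs a human review before it leaves the record system. The counts the function returns exist to make that review easier; a zero count for a category the source note is known to contain is a signal to look again.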
DISCLOSURE LOGS

Any disclosure that is not authorized by the patient or not made as a part of treatment or payment must be entered into the online disclosure logs, which can be accessed by anyone with their LSU Health Shreveport system user id and password at the following URL:
http://www.compliance.lsuhscshreveport.edu/secure/disclosures/
INCIDENTAL DISCLOSURES AND HIPAA

• Incidental uses and disclosures are permitted if reasonable safeguards are used to protect PHI, such as talking in a low voice.
  Example: discussions during teaching rounds; calling out a patient’s name in the waiting room; sign-in sheets in hospital and clinics.
• Patients may see normal clinical operations as violating their privacy (incidental disclosure)
• Ask yourself: “What if it were my information being discussed in this place or in this manner?”
HIPAA VIOLATIONS CAN CARRY PENALTIES

Criminal penalties
• $50,000 - $250,000 fines
• Jail terms up to 10 years
Civil monetary penalties
• $100 - $25,000/yr fines
• Up to 1.5 million dollars per calendar year for multiples of the same violation
LSU Health Shreveport corrective & disciplinary action
• Up to & including job loss
BE AWARE THAT PHI AND E-PHI ARE EVERYWHERE
DISPOSAL OF PAPER RECORDS

• All papers that have any patient information on them should be shredded before they are discarded.
• If your department is using a shredding bin from a company that the hospital has a contract with, put the papers inside the bins. Do not put papers beside the bins.
PHYSICAL AND ELECTRONIC INFORMATION CAN BE LOST OR STOLEN

• Lost or stolen physical items such as paper copies, films, tapes, PDAs, CDs, cell phones, laptops, flash drives, etc…
  • Lost anywhere: streets, restrooms, coffee houses, etc.
  • Stolen because items were not properly secured
• User not logged off and an unwanted person uses their computer
• Unprotected systems hacked
• Misdirected to outside world…
  • Mislabeled mail, wrong fax number, wrong phone number, wrong email address, misplaced on intranet
  • Not using secured email
• Verbal release of information without patient signed approval
PASSWORDS

• The use of a strong password is critical to secure protected information
• Your password is like the lock on your house (you want it to be as strong as possible)
IF SOMEONE KNOWS YOUR PASSWORD THEY CAN:

• Read your emails
• Respond to your emails as if they were you
• Inspect your files
• Have access to all your information
• Have you blamed for their offenses
• In other words, they have stolen your identity!
TIPS FOR CREATING A STRONG PASSWORD

• Make it lengthy
  • Each character added increases protection many times over.
  • Ideally 8 – 14 characters
• Combine letters, numbers and symbols
  • The greater the variety of characters the harder it is to guess
  • Use the entire keyboard, not just the most common characters
• Use phrases that are easy for you to remember but difficult for others to guess
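To make the three tips above concrete, here is an added Python example (not part of the training deck or of any LSU Health Shreveport tool) that scores a candidate password the way the deck suggests: by length, by the number of character classes used, and by whether it is a well-known weak password. The 8-character minimum and the three-class rule are taken from the deck; the common-password list and the candidate passwords are constructed stand-ins for the example.

```python
"""Score a password against the deck's tips: length, character variety and
guessability.

Added example, not part of the LSU Health Shreveport training deck. The
8-character minimum and the three-character-class rule follow the deck;
COMMON_PASSWORDS is a constructed stand-in for a real breach-derived list.
"""
import math
import string

# Character classes and their pool sizes (26, 26, 10, 33 incl. space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed stand-in: a real checker would load a breach-derived list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8      # deck: "ideally 8 - 14 characters"
MIN_CLASSES = 3     # deck: combine letters, numbers and symbols


def classes_used(pw: str) -> set:
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def pool_size(pw: str) -> int:
    """Size of the alphabet an attacker must try per position, given the
    classes pw draws from. This is the factor by which each added
    character multiplies the search space."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def search_space_bits(pw: str) -> float:
    """log2(pool ** length): bits of brute-force work for this length and pool."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str) -> dict:
    """Apply the deck's rules and return a report dictionary."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    used = classes_used(pw)
    if len(used) < MIN_CLASSES:
        problems.append("uses only %d character classes" % len(used))
    return {
        "length": len(pw),
        "classes": sorted(used),
        "pool": pool_size(pw),
        "bits": round(search_space_bits(pw), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    # Constructed candidates: a common word, a short mixed one, and a
    # mixed-class passphrase of the kind the deck recommends.
    for candidate in ("password", "short1!", "Coffee@7am-not-before!"):
        print(candidate, evaluate(candidate))
```

The `bits` figure is the base-2 logarithm of the brute-force search space, so it shows directly why “each character added increases protection many times over”: every extra character multiplies the space by the pool size, which is 95 for a password drawing on all four classes. The checker enforces only the deck’s minimum length; the 14-character figure in the deck is guidance for memorability rather than a ceiling, and a longer phrase that mixes classes scores higher.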
WHAT DO I DO IF I THINK MY PASSWORD HAS BEEN COMPROMISED?

• Notify the Help Desk (5-5470 option 2) or your computer support personnel
• Change your password immediately (if you need assistance changing your password, ask your computer supporter)
• Remember: you are responsible for all activities occurring under your LSU Health Shreveport login ID
MALWARE: VIRUSES/WORMS/SPYWARE

• Malware is any software that causes unintended results
• Viruses/worms are programs that attempt to spread throughout your system and the entire network
  • Prevention: antivirus software should be installed and updated on your computer
• Spyware is software that is installed with little or no notification during the installation of another program or while browsing the Internet
  • Prevention: install and run an updated spyware scanner
SUSPICIOUS EMAIL

Steps to prevent malware sent by email:
• Don’t open e-mail attachments or click on website addresses contained in an e-mail
  • Save all attachments to your computer and scan them with your antivirus product before opening them
• Don’t open, forward, or reply to suspicious e-mails
• Delete spam
If you suspect malware has been installed, contact your computer supporter or the Helpdesk as soon as possible.
INAPPROPRIATE USE OF THE I.T. INFRASTRUCTURE

Computer users (employees, students, etc.) shall NOT:
• Engage in any activity that jeopardizes the availability, performance, integrity or security of the I.T. infrastructure
• Use computing resources in a wasteful manner
• Use I.T. resources for personal gain or commercial purposes not directly related to your job
• Install, copy, or use any software in violation of licensing agreements, copyrights, or contracts
• Obtain or attempt to access the files or electronic mail of others unless authorized by the owner
• Send, forward, or reply to e-mail chain letters
• Create or transmit any offensive, obscene, or indecent images, data, or other material
• Play “Internet radio” or “web radio”
CONFIDENTIALITY / SAFEGUARDS

Extra precautions must be taken when protected information (health or financial information) is stored on a local computer:
• Data must be stored using encryption in case your laptop is lost or stolen
• Lock your computer if you leave your machine unattended
• Written backup and disaster plans must be in place

PHI must NOT be emailed or “texted” outside the LSU Health Shreveport intranet system unless it is encrypted.
GOOD COMPUTING PRACTICES: PORTABLE DEVICE SECURITY

• Don’t keep restricted data on portable devices (this includes any patient information)
• Back up your data
  • Make backups a regular task, ideally at least once a day.
  • Back up data to your department’s secure server.
  • Store backup media safely and separately from the equipment.
GOOD COMPUTING PRACTICES: DATA MANAGEMENT

Managing restricted data
• Know where this data is stored.
• Destroy restricted data which is no longer needed
  • Shred or otherwise destroy restricted data before throwing it away
  • Erase/degauss information before disposing of or re-using drives
GOOD COMPUTING PRACTICES: SAFE INTERNET USE

• Practice safe internet use
• Accessing any site on the internet could be tracked back to your name and location.
• Accessing sites with questionable content often results in spam or release of viruses.
• And it bears repeating… Don’t download unknown or unsolicited programs!
INCIDENT REPORTING

Notify your local computer supporter or Helpdesk if:
• You suspect your password has been compromised
• You suspect your files have been tampered with
• Your computer behaves abnormally
• You suspect someone has obtained or is trying to obtain unauthorized access
REPORTING DEVICE LOSS OR THEFT

Report lost or stolen laptops, BlackBerrys, PDAs, cell phones, flash drives, etc…
Loss or theft of any computing device MUST be reported immediately to the University Police Department (5-6165).
REPORTING PRIVACY AND SECURITY INCIDENTS/BREACH

• Immediately report anything unusual, suspected privacy breaches or security incidents, to IT Security and the Compliance Office.
• This includes loss/theft of PHI in hardcopy format (paper, films etc.).
• If no one is available to receive your report please call the Computer Helpdesk 24/7.
• You can also e-mail or go to the LSU Health Shreveport website:
  e-mail: SHV IT Security, SHV Compliance
PATIENT BREACH NOTIFICATION

• As of September 23, 2009 patients must be notified if there is a breach involving their information.
• Annually all breaches must be reported, to the CMS Office of Civil Rights, by the Compliance Office.
• Remember to call the Compliance Office at 675-8503 if you identify a breach.
YOU ARE RESPONSIBLE FOR:

• Complying with LSU Health Shreveport security and privacy policies
• Accessing or using PHI only if necessary to perform your job duties
• Accessing only the minimum necessary information you need to perform your job
• Using computer resources responsibly and for authorized purposes only
RESOURCES: PRIVACY AND CONFIDENTIALITY

HIPAA website:
http://myhsc.lsuhscshreveport.edu/Compliance/ComplianceHipaa.aspx

LSU Health Shreveport Privacy Officer:
Debbie Hall Miller
318-675-8503
[email protected]

EA Conway Privacy Official:
Ken Roark
318-330-7418
[email protected]

Huey P Long Privacy Official:
Debbie Hall Miller
318-675-8503
[email protected]
RESOURCES: INFORMATION SECURITY

Information Security Officer for Shreveport:
Jeff Laughlin 318-675-4609 [email protected]
Information Security Officer for E A Conway:
Todd Walters 318-330-7544 [email protected]
Information Security Officer for H P Long:
Mickey Roberts 318-473-6228 [email protected]
CONFIDENTIAL HOTLINE

Confidential Hotline: 1-800-465-1923
LSU HEALTH SHREVEPORT CONFIDENTIALITY AGREEMENT

LSU Health Shreveport has a legal and ethical responsibility to safeguard the privacy of all patients and protect information that is defined as confidential. Confidential information includes information contained in manual documentation as well as information stored in the facility’s computer systems. Patient, personnel, financial and other business records contain confidential information.
CONFIDENTIALITY AGREEMENT CONTINUED

I understand that information regarded as confidential must be maintained in the strictest of confidence. As a condition of my affiliation with LSU Health Shreveport, I hereby agree that I will not at any time during or after my affiliation with LSU Health Shreveport disclose any confidential information to any person, other than as necessary in the course of my affiliation with LSU Health Shreveport. Release of any information must be provided by the appropriate, authorized personnel.

Institutional computer systems and the data in those systems may be accessed only by authorization from Administration.
CONFIDENTIALITY AGREEMENT CONTINUED

Computer system access is granted only to persons who have been issued user identification codes. All user identification codes and passwords are confidential. I understand that I am directly responsible for the accuracy and completeness of data entries which are entered into the LSU Health Shreveport computer systems.

Revealing user identification codes or passwords is a crime, punishable by fine and/or imprisonment (La.R.S. 14.73.1 et seq.). Using another employee’s user identification code/password or giving my user identification code/password to another person may result in disciplinary action, fine or imprisonment.
CONFIDENTIALITY AGREEMENT CONTINUED

Security violations may include but are not limited to failing to sign off when leaving the computer unattended; modifying my own medical or employment record; requesting another employee access my employment or medical record; allowing another employee to use my password; accessing medical or employment records without having a legitimate reason; allowing anyone else to view confidential information while I am signed on to a computer system; using another employee’s access code; revealing confidential information or business/financial details of patients or employees.
CONFIDENTIALITY AGREEMENT CONTINUED

All privacy and security violations will be reported to and investigated by the appropriate authorities.

The failure to abide by this agreement may result in disciplinary action, including dismissal from employment, fine and/or imprisonment, according to the Civil Service Rules and Regulations, LSU System Guidelines, applicable Medical Staff By Laws, Federal Law and Louisiana State Law.
ATTESTATION: CONFIDENTIALITY AGREEMENT

I certify that I have read the HIPAA Privacy and Security education and agree to the terms of the LSU Health Shreveport Confidentiality Agreement.