HIPAA and Portable Electronic Devices - PowerPoint PPT Presentation

HIPAA and Portable Electronic Devices. Michele Cerullo, Assistant Attorney, Office of the General Counsel; Jane Haughney, J.D., Privacy Consultant (PowerPoint presentation).

Learn more at: http://hsc.usf.edu

1
HIPAA and Portable Electronic Devices
  • Michele Cerullo, Assistant Attorney
  • Office of the General Counsel
  • Jane Haughney, J.D., Privacy Consultant
  • Professional Integrity Office
  • March 6, 2012

2
Learning Objectives
  • Learn about applicable University policies.
  • Recognize that you must obtain a signed written
    consent from the patient for all photography,
    videotaping or audio taping of patients.
  • Recognize that electronic media used for
    treatment purposes must be stored in the medical
    record.
  • Understand that electronic media with
    identifiable patient images/information must be
    secured when stored or transmitted.
  • Know the institutional and individual
    consequences of privacy violations.
  • Learn how to report a privacy incident.
  • Know individuals to call with Privacy
    questions.

3
University Policies
  • GME 226: Intentional and Unintentional Disclosure
  • USF Physician Group Control and Security of
    Patient Medical Records
    • Purpose: to ensure security
    • Policy: it is the responsibility of faculty and
      residents to safeguard the medical record
  • USFPG Release of Patient Health Information
    • PHI shall not be disclosed except on written
      authorization, as required by law, or for purposes
      of treatment or business operations

4
University Policies Continued
  • USFPG Accounting of Protected Health Information
    Disclosures
    • Disclosure: release, transfer, provision of access
      to, or divulging in any manner, including written,
      oral or electronic, of information outside of the
      USF covered entity
  • USFPG Electronic Mail Containing PHI
    • Email containing PHI must be treated with the
      same degree of privacy and confidentiality as the
      medical record
    • Email messages concerning treatment are part of
      the medical record
    • The patient must consent to email correspondence
      between the patient and physician

5
University Policies Continued
  • USFPG Accidental Release of PHI
    • Process for responding to accidental disclosure
  • USFPG Disclosure of De-Identified Information
    • De-identified means the following are removed:
      • Name
      • Geographic subdivision smaller than a State
      • All elements of dates
      • Telephone numbers
      • Fax numbers
      • Email addresses, URLs, IP addresses
      • SSN
      • MRN
      • Health plan beneficiary number
      • Account number
      • Certificate/license number
      • Vehicle identifiers and serial numbers
      • Device identifiers and serial numbers
      • Biometric identifiers
      • Full-face photographic images and comparable
        images
      • Any other unique identifying number,
        characteristic, or code

6
Patient Consent Required
  • Obtain a signed consent from each patient before:
    • taking a photograph of a patient,
    • making a video of a patient, or
    • making an audiotape of a patient.

7
Storing Electronic Media with Patient Information
  • Protected health information or PHI in an
    electronic media format that is used for
    treatment purposes should be stored in the
    medical record.

8
Transmission and Storage of Patient Information
  • Identifiable patient information in any form of
    electronic media must be secure when stored and
    transmitted.
  • Is the patient information transmitted via
    encrypted email? Please note that USF Health
    email is not encrypted as of February 2012.
  • Is the patient information stored on a secure USF
    Health server, or secure in Allscripts or EPIC?

9
What is Secure?
  • PHI on mobile devices (including laptops, cell
    phones, digital cameras, tablet computers, PDAs,
    USB (flash, thumb) drives, and external hard
    drives) is not considered to be secure unless it
    is encrypted with AES 128-bit or better (Office for
    Civil Rights guidance on rendering unsecured
    protected health information "unusable,
    unreadable, or undecipherable").
  • PHI stored on a personal device is never
    considered secure by USF.

10
Patient Consent Forms
  • At USF Health a Consent for Photograph form is
    available on the USFPG SharePoint site
    https://myhealth.usf.edu/usfpg/admin/default.aspx
    under the Clinical Operations section. Contact
    the USFPG Medical Records Department at (813)
    396-2486 with related questions.
  • For media releases, utilize the Patient
    Information Authorization for Release through
    News Stories, Photography and News Media Form
    available from the USF Health Public Affairs
    office at (813) 974-3300. You must contact the
    USF Health Public Affairs office before having
    any discussions with the media.

11
Patient Consent Forms at Tampa General Hospital
  • Tampa General Hospital (TGH) policy requires
    consent for all photography, videotaping, or
    making of audio recordings at TGH except with
    regard to certain law enforcement investigations,
    decubitus and wound documentation, child abuse
    investigations, and patient/infant identification
    performed in accordance with TGH policies.
  • At TGH, photo consent forms are available on the
    inpatient units and clinics and the OR consent
    includes a check box that must be used.

12
Common Questions about Patient Photos
  • Q. Are patient photos considered protected health
    information (PHI)?

13
Answer
  • A. Photos can be considered PHI based on the
    following definitions:
  • The Privacy Rule protects all individually
    identifiable health information held or
    transmitted by a covered entity or its business
    associate, in any form or media, whether
    electronic, paper or oral. The Privacy Rule calls
    this information protected health information
    (PHI).

14
Answer cont.
  • Individually identifiable health information is
    information, including demographic data, that
    relates to:
    • the individual's past, present or future physical
      or mental health or condition,
    • the provision of health care to the individual,
      or
    • the past, present or future payment for the
      provision of health care to the individual,
  • and that identifies the individual or for which
    there is a reasonable basis to believe it can be
    used to identify the individual. Individually
    identifiable health information includes many
    common identifiers (e.g., name, address, birth
    date, Social Security Number).

15
Answer cont.
  • De-Identified Health Information: de-identified
    health information neither identifies nor
    provides a reasonable basis to identify an
    individual. There are two ways to de-identify
    information: either (1) a formal determination
    by a qualified statistician, or (2) removal of
    specified identifiers of the individual and of
    the individual's relatives, household members and
    employer; the second is adequate only if the
    covered entity has no actual knowledge that the
    remaining information could be used to identify
    the individual.
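As an added illustration that is not part of the presentation or any USF/USFPG tool, the following Python check applies the identifier list from slides 5 and 15 to a patient record: it drops the listed identifier fields and then flags identifier patterns that survive in free-text fields, which is where de-identification usually fails. The field names and the sample record are assumed and constructed, and the check follows the slide literally by treating every date element as an identifier.

```python
import re

# Safe Harbor scrub (added illustration, not a USF/USFPG tool): drop the
# identifier fields the slides list, then flag identifier shapes that survive
# in free-text fields. Field names below are assumed, not from the slides.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "dob", "admit_date",
    "discharge_date", "phone", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vin", "device_serial", "photo",
}

# Identifier shapes that commonly leak into narrative notes.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # The slide strips all date elements, so every date form is flagged.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.I),
}

def scan_text(text):
    """Return the set of identifier categories found in free text."""
    return {kind for kind, rx in PATTERNS.items() if rx.search(text)}

def de_identify(record):
    """Drop direct-identifier fields and return (clean_record, findings).

    findings maps each remaining field to the identifier categories it still
    contains; the record is releasable only when findings is empty (and the
    covered entity has no other knowledge that would re-identify the patient).
    """
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    findings = {}
    for field, value in clean.items():
        hits = scan_text(value) if isinstance(value, str) else set()
        if hits:
            findings[field] = hits
    return clean, findings

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Doe", "dob": "1970-01-02", "mrn": "000123456",
    "diagnosis": "fracture, right wrist",
    "note": "Pt called from 813-555-0100 re follow-up on 3/7/2012.",
}
```

Running `de_identify(SAMPLE)` removes the name, date of birth and MRN fields but still reports the note, because a phone number and a date remain in the narrative text.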

16
Common Questions about Patient Photos cont.
  • Q. May I take patient photos with my cell phone
    to share with others on the treatment team?

17
Answer
  • A. No. Many cell phones can be used to easily
    share pictures and videos with others, including
    uploading such media to publicly accessible
    websites. Even if the media is not deliberately
    shared, privacy breaches can occur if the cell
    phone photos are viewed by an unauthorized
    individual or the cell phone or its memory card
    is lost.

18
Common Questions about Patient Photos cont.
  • Q. Is it a HIPAA violation for a patient's family
    member or friend to take a picture of a patient I
    am treating? This could happen without my
    realizing it, and I could end up on someone's
    Facebook page stitching up a wound.

19
Answer
  • A. Generally speaking, a covered entity is not
    responsible for the actions of a patient's family
    members or friends. If the patient allowed the
    family member or friend to accompany him/her into
    the treatment room, that may indicate the
    patient's consent. What if a stranger took a
    photo of the patient? Some covered entities post
    signs in patient care areas prohibiting
    photography.

20
Common Questions about Patient Photos cont.
  • Q. We want to post a photo of a patient and a
    related article about their successful treatment.
    Do we need to obtain the patient's consent?

21
Answer
  • A. Yes. Using a patient's photograph and
    information about their treatment requires the
    patient's written consent and completion of the
    USF Health Patient Information Authorization for
    Release through News Stories, Photography, and
    News Media Form. This is the case even if the
    information is de-identified.

22
Office of Civil Rights Enforcement
  • OCR Director Georgina Verdugo states:
    "Employees must clearly understand that casual
    review for personal interest of patients'
    protected health information is unacceptable and
    against the law.
  • Entities will be held accountable for employees
    who access protected health information to
    satisfy their own personal curiosity." (7/2011)

23
Examples of enforcement agreements with the OCR
  • UCLA Health Sciences agreed to settle potential
    HIPAA violations for $865,500 after employees
    repeatedly accessed ePHI of celebrity patients.
  • Massachusetts General Hospital paid a $1 million
    settlement after an employee inadvertently left
    sensitive files of infectious disease patients on
    a commuter train.

24
Consequences of Privacy Violations
  • Privacy violations can lead to:
    • Discipline, including probation and termination
    • Fines
    • Criminal prosecution.

25
Annual Reporting of Privacy Incidents to HHS
  • The PIO is responsible for submitting an annual
    log to HHS of privacy breaches for the calendar
    year.
  • In order to file the annual log with HHS, the PIO
    must learn of privacy incidents.

26
What to do if you think an error resulted in a
privacy issue
  • Tell your supervisor, attending, Program Director
    or Chair, and contact:
    • The Professional Integrity Office Helpline at
      (813) 974-2222
    • Call or email Jane Haughney, J.D., Privacy
      Consultant, (813) 974-3478, jhaughne@health.usf.edu
      or
    • Call Patricia Bickel, CPA, MBA, Compliance and
      Privacy Officer, Director of the Professional
      Integrity Program, (813) 974-8090,
      pbickel@health.usf.edu.

27
How to Report Privacy Incidents
  • Contact the PIO at (813) 974-8090 or call the PIO
    Helpline at (813) 974-2222 to report any privacy
    incident. Also tell your supervisor, attending,
    Program Coordinator, Program Director or Chair.
  • You may also call or email Jane Haughney, J.D.,
    Privacy Consultant, (813) 974-3478,
    jhaughne@health.usf.edu or
  • Call Patricia Bickel, CPA, MBA, Compliance and
    Privacy Officer, Director of the Professional
    Integrity Program, (813) 974-8090,
    pbickel@health.usf.edu.

28
What happens after I report a privacy incident?
  • You will be asked to complete an investigation
    form and take steps to mitigate any privacy
    breach.
  • If a privacy breach involves 500 or more
    individuals, notify the PIO immediately. The PIO
    will also notify USF Health IS if the matter
    involves a security breach such as a laptop theft
    or the loss of a flash drive.

29
Who are you going to call if you have questions
about patient privacy?
  • 1. Ask your supervisor, attending, Program
    Director, Chair or the GME Office.
  • 2. Call the PIO Help Line at (813) 974-2222. The
    PIO Website has information that can be a
    resource and is located at www.health.usf.edu/pio
  • 3. If you cannot reach the PIO, call the Office
    of the General Counsel and ask for:
    • Attorney Michele Cerullo at (813) 974-1671, or
    • Attorney R. B. Friedlander at (813) 974-1675, or
    • Any available attorney at the main number, (813)
      974-2131.