Title: HIPAA and Portable Electronic Devices
- Michele Cerullo, Assistant Attorney, Office of the General Counsel
- Jane Haughney, J.D., Privacy Consultant, Professional Integrity Office
- March 6, 2012
Learning Objectives
- Learn about applicable University policies.
- Recognize that you must obtain a signed written consent from the patient for all photography, videotaping or audio taping of patients.
- Recognize that electronic media used for treatment purposes must be stored in the medical record.
- Understand that electronic media with identifiable patient images/information must be secured when stored or transmitted.
- Know the institutional and individual consequences of privacy violations.
- Learn how to report a privacy incident.
- Know individuals to call with Privacy questions.
University Policies
- GME 226: Intentional and unintentional disclosure
- USF Physician Group Control and Security of Patient Medical Records
  - Purpose: to ensure security
  - Policy: it is the responsibility of faculty and residents to safeguard the medical record
- USFPG Release of Patient Health Information
  - PHI shall not be disclosed except on written authorization, as required by law, or for purposes of treatment or business operations
University Policies Continued
- USFPG Accounting of Protected Health Information Disclosures
  - A disclosure is the release, transfer, provision of access to, or divulging in any manner, including written, oral or electronic, of information outside of the USF covered entity
- USFPG Electronic Mail Containing PHI
  - Email containing PHI must be treated with the same degree of privacy and confidentiality as the medical record
  - Email messages concerning treatment are part of the medical record
  - The patient must consent to correspondence between the patient and physician
University Policies Continued
- USFPG Accidental Release of PHI
  - Process for responding to accidental disclosure
- USFPG Disclosure of De-Identified Information
  - De-identified means the following are removed:
    - Name
    - Geographic subdivisions smaller than a State
    - All elements of dates
    - Telephone numbers
    - Fax numbers
    - Email addresses, URLs, IP addresses
    - SSN
    - MRN
    - Health plan beneficiary number
    - Account number
    - Certificate/license number
    - Vehicle identifiers and serial numbers
    - Device identifiers and serial numbers
    - Biometric identifiers
    - Full-face photographic images and comparable images
    - Any other unique identifying number, characteristic, or code
Patient Consent Required
- Obtain a signed consent from each patient before:
  - taking a photograph of a patient,
  - making a video of a patient, or
  - making an audiotape of a patient.
Storing Electronic Media with Patient Information
- Protected health information (PHI) in an electronic media format that is used for treatment purposes should be stored in the medical record.
Transmission and Storage of Patient Information
- Identifiable patient information in any form of electronic media must be secure when stored and transmitted.
  - Is the patient information transmitted via encrypted email? Please note that USF Health email is not encrypted as of February 2012.
  - Is the patient information stored on a secure USF Health server, or secure in Allscripts or EPIC?
What is Secure?
- PHI on mobile devices (including laptops, cell phones, digital cameras, tablet computers, PDAs, USB (flash, thumb) drives, and external hard drives) is not considered to be secure unless it is encrypted with AES 128-bit or better (Office for Civil Rights guidance on rendering unsecured protected health information unusable, unreadable, or undecipherable).
- PHI stored on a personal device is never considered secure by USF.
Patient Consent Forms
- At USF Health, a Consent for Photograph form is available on the USFPG SharePoint site https://myhealth.usf.edu/usfpg/admin/default.aspx under the Clinical Operations section. Contact the USFPG Medical Records Department at (813) 396-2486 with related questions.
- For media releases, use the Patient Information Authorization for Release through News Stories, Photography and News Media Form, available from the USF Health Public Affairs office at (813) 974-3300. You must contact the USF Health Public Affairs office before having any discussions with the media.
Patient Consent Forms at Tampa General Hospital
- Tampa General Hospital (TGH) policy requires consent for all photography, videotaping, or making of audio recordings at TGH, except with regard to certain law enforcement investigations, decubitus and wound documentation, child abuse investigations, and patient/infant identification performed in accordance with TGH policies.
- At TGH, photo consent forms are available on the inpatient units and clinics, and the OR consent includes a check box that must be used.
Common Questions about Patient Photos
- Q. Are patient photos considered protected health information (PHI)?
Answer
- A. Photos can be considered PHI based on the following definitions:
  - The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI).
Answer cont.
- Individually identifiable health information is information, including demographic data, that relates to:
  - the individual's past, present or future physical or mental health or condition,
  - the provision of health care to the individual, or
  - the past, present or future payment for the provision of health care to the individual,
  and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Answer cont.
- De-Identified Health Information: de-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: either (1) a formal determination by a qualified statistician, or (2) removal of specified identifiers of the individual and of the individual's relatives, household members and employer; the second method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
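The removal list on the University Policies slide and the second de-identification method described just above amount to a concrete checklist, so here is an added example (not code from the slide deck or from USF) that applies it to a patient record held as a Python dictionary. The field names, the regular expressions and the sample record are all constructed for this example; the regexes catch only formatted identifiers (SSN, phone, email, IP, URL, dates, MRN references), and a patient's name written into a free-text note is deliberately left for human review, which is exactly the gap the "no actual knowledge" condition is about. Date fields are reduced to the year, which the federal Safe Harbor rule allows to remain.

```python
from __future__ import annotations

import re

# Record fields holding direct identifiers from the de-identification list
# (name, geographic subdivisions smaller than a state, phone/fax, email, URL, IP,
# SSN, MRN, plan/account/license numbers, vehicle/device serials, biometrics,
# photographs). The field names themselves are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "county",
    "phone", "fax", "email", "url", "ip_address",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "biometric_id", "photo_path",
}

# Date fields are reduced to the year; month and day are removed.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Formatted identifiers that turn up inside free text such as clinical notes.
# Order matters: the SSN pattern runs before the looser phone pattern.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),
}


def scrub_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace formatted identifiers in free text with [CATEGORY] tokens.

    Returns the scrubbed text and a count per category found. Patient names
    written into prose are NOT caught here; that needs human review.
    """
    counts: dict[str, int] = {}
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def year_only(value) -> str | None:
    """Keep only the leading four-digit year of an ISO-style date string."""
    m = re.match(r"\d{4}", str(value))
    return m.group(0) if m else None


def find_identifiers(record: dict) -> list[str]:
    """Audit a record before it is stored or emailed: list what is still identifying."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.append(f"field:{key}")
        elif key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            found.append(f"field:{key}")
        elif isinstance(value, str):
            _, counts = scrub_text(value)
            found.extend(f"text:{label}" for label in counts)
    return found


def deidentify(record: dict) -> dict:
    """Apply the removal list: drop identifier fields, keep years, scrub free text."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            clean[key] = year_only(value)
        elif isinstance(value, str):
            clean[key], _ = scrub_text(value)
        else:
            clean[key] = value
    return clean


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "dob": "1975-04-12",
    "zip": "33612",
    "ssn": "123-45-6789",
    "admit_date": "2012-02-20",
    "diagnosis": "Laceration, left forearm",
    "note": ("Pt Jane, MRN 00123456, seen 2/20/2012. Callback (813) 555-0100, "
             "email jane@example.com. Wound photo stored for follow-up."),
    "age": 36,
}

if __name__ == "__main__":
    print("before:", find_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after :", find_identifiers(cleaned))
    print(cleaned)
```

Running the script shows ten identifying items before and none after, yet the scrubbed note still begins "Pt Jane": pattern matching satisfies the removal list for formatted fields, but the covered entity still has actual knowledge that the remaining text names the patient, so the record is not de-identified until that is reviewed by a person.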
Common Questions about Patient Photos cont.
- Q. May I take patient photos with my cell phone to share with others on the treatment team?
Answer
- A. No. Many cell phones can be used to easily share pictures and videos with others, including uploading such media to publicly accessible websites. Even if the media is not deliberately shared, privacy breaches can occur if the cell phone photos are viewed by an unauthorized individual or the cell phone or its memory card is lost.
Common Questions about Patient Photos cont.
- Q. Is it a HIPAA violation for a patient's family member or friend to take a picture of a patient I am treating? This could happen without my realizing it, and I could end up on someone's Facebook page stitching up a wound.
Answer
- A. Generally speaking, a covered entity is not responsible for the actions of a patient's family members or friends. If the patient allowed the family member or friend to accompany him/her into the treatment room, that may indicate the patient's consent. What if a stranger took a photo of the patient? Some covered entities post signs in patient care areas prohibiting photography.
Common Questions about Patient Photos cont.
- Q. We want to post a photo of a patient and a related article about their successful treatment. Do we need to obtain the patient's consent?
Answer
- A. Yes. Using a patient's photograph and information about their treatment requires the patient's written consent and completion of the USF Health Patient Information Authorization for Release through News Stories, Photography, and News Media Form. This is the case even if the information is de-identified.
Office for Civil Rights Enforcement
- OCR Director Georgina Verdugo states: "Employees must clearly understand that casual review for personal interest of patients' protected health information is unacceptable and against the law."
- "Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity." (7/2011)
Examples of enforcement agreements with the OCR
- UCLA Health Sciences agreed to settle potential HIPAA violations for $865,500 after employees repeatedly accessed the ePHI of celebrity patients.
- Massachusetts General Hospital paid a $1 million settlement after an employee inadvertently left sensitive files of infectious disease patients on a commuter train.
Consequences of Privacy Violations
- Privacy violations can lead to:
  - Discipline, including probation and termination
  - Fines
  - Criminal prosecution.
Annual Reporting of Privacy Incidents to HHS
- The PIO is responsible for submitting an annual log to HHS of privacy breaches for the calendar year.
- In order to file the annual log with HHS, the PIO must learn of privacy incidents.
What to do if you think an error resulted in a privacy issue
- Tell your supervisor, attending, Program Director or Chair, and contact:
  - The Professional Integrity Office Helpline at (813) 974-2222, or
  - Call or email Jane Haughney, J.D., Privacy Consultant, (813) 974-3478, jhaughne@health.usf.edu, or
  - Call Patricia Bickel, CPA, MBA, Compliance and Privacy Officer, Director of the Professional Integrity Program, (813) 974-8090, pbickel@health.usf.edu.
How to Report Privacy Incidents
- Contact the PIO at (813) 974-8090 or call the PIO Helpline at (813) 974-2222 to report any privacy incident. Also tell your supervisor, attending, Program Coordinator, Program Director or Chair.
- You may also call or email Jane Haughney, J.D., Privacy Consultant, (813) 974-3478, jhaughne@health.usf.edu, or
- Call Patricia Bickel, CPA, MBA, Compliance and Privacy Officer, Director of the Professional Integrity Program, (813) 974-8090, pbickel@health.usf.edu.
What happens after I report a privacy incident?
- You will be asked to complete an investigation form and take steps to mitigate any privacy breach.
- If a privacy breach involves 500 or more individuals, notify the PIO immediately. The PIO will also notify USF Health IS if the matter involves a security breach such as a laptop theft or the loss of a flash drive.
Who are you going to call if you have questions about patient privacy?
1. Ask your supervisor, attending, Program Director, Chair or the GME Office.
2. Call the PIO Help Line at (813) 974-2222. The PIO website has information that can be a resource and is located at www.health.usf.edu/pio
3. If you cannot reach the PIO, call the Office of the General Counsel and ask for:
  - Attorney Michele Cerullo at (813) 974-1671, or
  - Attorney R. B. Friedlander at (813) 974-1675, or
  - Any available attorney at the main number, (813) 974-2131.