Privacy and Confidentiality - PowerPoint PPT Presentation
1
Privacy and Confidentiality
  • 2009
  • Residents and Fellows Orientation

Virginia Terra Hodge, RN, MSN, NE-BC, CHP Privacy
Office Operations Manager Deborah Yano-Fong, RN,
MSN, PHN, CHP Chief Privacy Officer
June 19, 2009 June 30, 2009
2
Overview
  • What Do You Need to Know?
  • What's New?
  • New Privacy State Laws
  • Important Privacy Concepts
  • Privacy in the Clinical Environment
  • Scenarios
  • Best Privacy Practice Reminders
  • What to do in the Event of a Privacy Breach?
  • What is on the Horizon?
  • Resources

3
What do you need to know about Privacy and HIPAA?
  • Review Advanced Provider Module
    http://www.ucsf.edu/hipaa/
  • Read HIPAA Handbook (in your packet)
  • Sign Confidentiality Statement and turn it in to
    your Department Manager
  • Read Notice of Privacy Practices (NOPP) booklet
    http://www.ucsfhealth.org/common/3-03ucsfhipaa.pdf

4
Patient HIPAA Rights can be Hot Spots for Providers
  • HIPAA Patient Rights
    • To restrict use and disclosure of their PHI
    • To request amendments to their PHI
    • To file complaints with UCSF, UCOP and OCR that
      may result in civil and criminal penalties for
      individuals as well as the healthcare
      organization
    • To request an Accounting of Disclosures
    • To inspect and receive a copy of their medical
      record
    • To request confidential communication

5
Survival Tips For HIPAA Patient Rights
  • Don't
    • Agree to a patient's request for restriction of
      access to their medical record
    • Agree to a patient's request for an amendment to
      their medical record
    • Harvest research data yourself from any of the
      Medical Record sources. HIMS is the control point
      for providing research data. For questions go to
      http://hims.ucsfmedicalcenter.org
  • Do
    • Refer a patient's request for restriction or
      amendment of the medical record to Patient
      Relations or HIMS
    • Patient Relations and HIMS must evaluate and
      coordinate all requests for restriction or
      amendment of medical records

6
What's New?
  • Privacy is more than HIPAA these days
  • New state laws are more stringent and impose
    increased fines/penalties
  • The Privacy environment is constantly changing
  • National mandate for an Electronic Health Record
  • Statewide initiatives for a Health Information
    Exchange

7
Major Impacts of The New Privacy State Laws
Key Requirements
8
Major Impacts of The New Privacy State Laws
Fines and Penalties
9
How Does This Impact You?
  • Increased Fines and Civil Penalties
  • 5 Day Notification Requirement to DPH and
    individuals
  • Surveillance and Monitoring
  • Audit Logs of Appropriate Access
  • For Research, changes in the definition of
    operation functions and the new accounting of
    disclosure requirement for electronic
    information.
  • Personal Liability

10
The Answer to All Legal/Risk Questions is
  • IT DEPENDS

11
Important Privacy Concepts
  • Utilize these concepts when making decisions
    regarding Privacy Protection in the clinical
    environment
  • Treatment, Payment or Operations (TPO)
    • You may access, use or disclose PHI or ePHI for
      the purposes of TPO
    • See Notice of Privacy Practices (NOPP) for
      details
    • If your access, use or disclosure is not covered
      by the NOPP, then you will need to obtain an
      authorization from the patient prior to
      proceeding.
  • PHI/ePHI
    • Protected Health Information/Electronic Protected
      Health Information
    • See HIPAA handbook for definition
  • Minimum Necessary Standard applies for all uses
    and disclosures except for treatment.
    • Access only what you need to know.
    • Share only what you need to disclose.
  • Incidental Use and Disclosure is permitted as long as
    • The disclosure is incidental to other permitted
      uses and disclosures.
    • You never access, use or disclose PHI which you are
      not allowed to access in the first place
    • Reasonable safeguards are in place to protect PHI
      that may be disclosed incidentally

12
Privacy in the Clinical Environment
Privacy answers are not black and white. You
need to assess the appropriate access, use,
storage, and disclosure of PHI each and every
time by asking yourself all of the following
questions.
  • Do I need to access this information to do my
    job?
  • Am I using the minimum information needed to do
    my job?
  • Am I providing others with the minimum necessary
    information to do their job?
  • Do I need to store this information to do my job?
  • If yes, how will I secure this information?
  • Ok, I can do this, should I really do it?
  • What if this was my information? How would I feel
    about how it is being handled?
  • How would this process/practice look on the front
    page of the Chronicle?

13
Scenario 1 - Email Communication
  • A patient emails you about new symptoms that have
    presented since taking a new medication.
  • Since the pt. has sent the email unencrypted,
    can you respond without sending your message in a
    secure manner?

14
Secure E-Mail is easy to use at UCSF!
  • How to use
    • Use the secure email system when sending emails
      with ePHI
    • Type in the email Subject Line the word
      Secure, ePHI or PHI
    • Make sure you are sending your message to the
      correct recipient.
  • Key points to remember
    • This protects the information when it leaves our
      UCSF network environment. It does not encrypt
      the message within the UCSF network. However,
      best practice is to use the secure email system
      when sending ePHI anywhere. This will protect
      you if someone forwards your ePHI outside of the
      UCSF network.

15
Scenario 2 - Secure Data
  • You have an Excel spreadsheet of subject
    information for a research study. OR, you are
    doing a Quality Improvement project for your
    department and have a spreadsheet of outcomes
    for a certain population of UCSF patients.
  • When do you need to store the data securely?
  • What is the best way to store it securely?

16
Key to Your Survival Is How You Control Access,
Use, and Disclosure of PHI
17
PHI is Everywhere
  • Desktop computers
  • Laptops
  • Memory sticks
  • Text pagers
  • PDAs
  • Cell phones
  • Conversations
  • Paper records/notes

18
Best Privacy Practice Reminders
  • Make sure you maintain access only for the
    systems for which you have a business need
  • Review privacy newsletters and make sure you
    understand them
  • PHI/ePHI should never leave the department
    • If unavoidable, then the materials should stay
      with the person without exception
  • Limit discussion in public areas
  • Place discarded PHI/ePHI in the InstaShred
  • Do not block software updates
  • Encrypt ePHI on mobile devices (laptops, memory
    sticks, etc.)

19
Best Privacy Practice Reminders (cont'd)
Ensure additional layers of protection for PHI
and ePHI
  • Use locked doors/storage areas
  • Lock up patient information such as paper,
    floppies, memory sticks, CDs, tapes or other
    portable media
  • Secure devices with locks when possible, even
    when laptops are docked in docking stations
  • You are responsible for securing home and mobile
    devices w/confidential information. If you take
    your laptop home, you need to keep it with you at
    all times while in transport.
  • Secure building at the end of the business day
  • Store information on a secure/encrypted server

20
Protect your computers and mobile eDevices
  • Backup all confidential information on a UCSF
    protected server
  • Complex password protection
  • Encryption
  • Delete old files
  • Create an encrypted back-up file and store it
    separately from the computer/mobile e-device
  • Access the UCSF network using an approved, secure
    means
    • VPN

21
What is My Responsibility if I Suspect a Breach
or Have Questions?
  • Report any known or suspected privacy breaches to
    the Privacy Office ASAP.
  • Report erratic computer behavior or unusual
    e-mails to IT
  • Report lost/stolen e-devices to UCSF Police
    immediately. If it is hard copy PHI, report it to
    the Privacy Office.
  • Be prepared to outline exact data elements
    disclosed, how many patients, over what time
    period, to whom, and for what purpose.
  • When you are planning any project that involves
    releasing PHI outside of UCSF for any purpose
    outside of TPO contact the Privacy Office for
    consultation.

22
Scenario 3
  • A Workers' Comp Insurance company contracts with
    your department for an evaluation of a patient.
    The contract specifies that the report is to be
    sent only to the company and not to the patient
    as the insurance company is paying for the exam.
    Upon completion of the exam, the patient requests
    a copy of the report and you tell them you
    cannot provide it.
  • What is wrong with this scenario?

23
Scenario 3 - Answer
  • It is a patient's right to have access to their
    record. By refusing to provide access, you
    create a HIPAA violation.
  • In this scenario you should do the following:
    • Do not sign anything that limits UCSF's ability
      to provide the required access to the medical
      record

24
Scenario 4
  • A patient arrives in the ED and states that he
    has been seen at another ED two times in the last
    24 hours for abdominal pain. He now presents with
    increased abdominal pain. You diagnose him with a
    bowel obstruction, and he goes to the OR for
    surgery. You know the MD at the other hospital
    and want to inform him about what happened to
    this patient.
  • Should you contact the MD at the other ED?

25
Scenario 4 - Answer
  • No, to do so would cause a HIPAA violation
  • If you feel strongly that the other ED should
    know, you should
    • Obtain authorization from the patient to disclose
      this information
    • Document the authorization in the medical record

26
What is on the Horizon?
  • Federal Red Flag Rule
  • American Recovery and Reinvestment Act (ARRA)
    2009 HITECH Act
  • California goal for a Health Information Exchange
  • National goal for a National Health Record

27
Newspaper Headlines
Kaiser hospital fined $250,000 for privacy breach
in octuplet case
Hacker Holding Virginia Health Records for $10
Million Ransom
HIPAA Privacy Violation Settled for $2.25 Million
$20M to Settle Lawsuit for Loss of Laptop
28
Federal Regulations/Laws: Some Major Impacts
American Recovery and Reinvestment Act of 2009
(ARRA) HITECH Act amends HIPAA
  • Stimulus Package included health information
    technology, e.g., Electronic Health Records
  • Multiple impacts related to Privacy
  • Defines unsecured PHI
  • Requires notification to the consumer w/in 60
    days
  • Individuals may be fined for wrongful disclosure
  • Increases criminal fines and penalties for
    wrongful disclosure
  • Individuals have right of civil action for
    wrongful disclosure
  • Requires honoring restriction requests, when
    related to self pay situations.
  • Major impact on Business Associates (BAs)
  • More guidance from HHS expected

29
Remember - Privacy is bigger than HIPAA
  • California Confidentiality of Medical Information
    Act (COMIA) (CA Civil Code 56-56.07)
  • California Confidentiality of Social Security
    Numbers (CA Civil Code 1798.85)
  • California Information Practices Act (IPA) (CA
    Civil Code 1798.24)
  • California Lanterman-Petris-Short Act (CA Welfare
    and Institutions Code 5000-5120)
  • Federal Education Rights and Privacy Act (FERPA)
    (34 CFR Part 99)
  • Federal Health Insurance Portability and
    Accountability Act of 1996 (HIPAA) (45 CFR Parts
    160, 162, 164)
  • AB-211
  • SB-541
  • Red Flag Rule

30
Where to go for UCSF Resources
  • Your Department Manager or IT support person
  • UCSF Privacy Officer
    • Deborah.yano-fong@ucsfmedctr.org
  • UCSF Information Security Officer (Medical
    Center)
    • Jose.claudio@ucsfmedctr.org
  • UCSF Information Security Officer (Campus)
    • Michael.Kamerick@ucsf.edu (Interim)
  • Security Training
    • Tiki Maxwell 514-1363
  • UCSF HIPAA Handbook
    • http://hipaa.ucsf.edu/default.html
  • IT Customer Support 514-4100

31
Thank you!