Title: Privacy and Confidentiality
1Privacy and Confidentiality
- 2009
- Residents and Fellows Orientation
Virginia Terra Hodge, RN, MSN, NE-BC, CHP Privacy
Office Operations Manager Deborah Yano-Fong, RN,
MSN, PHN, CHP Chief Privacy Officer
June 19, 2009 June 30, 2009
2Overview
- What Do You Need to Know?
- Whats New?
- New Privacy State Laws
- Important Privacy Concepts
- Privacy in the Clinical Environment
- Scenarios
- Best Privacy Practice Reminders
- What to do in the Event of a Privacy Breach?
- What is on the Horizon?
- Resources
3What do you need to know about Privacy and HIPAA?
SECTION HEADING
- Review Advanced Provider Module
http//www.ucsf.edu/hipaa/ - Read HIPAA Handbook (in your packet)
- Sign Confidentiality Statement and turn it in to
your Department Manager - Read Notice of Privacy Practices (NOPP) booklet
http//www.ucsfhealth.org/common/3-03ucsfhipaa.pdf
4Patient HIPAA Rights can be Hot Spots for
Providers
SECTION HEADING
- HIPAA Patient Rights
- To restrict use and disclosure of their PHI
- To request amendments to their PHI
- To file complaints with UCSF, UCOP and OCR that
may result in civil and criminal penalties for
individuals as well as the healthcare
organization - To request Accounting of Disclosure
- To inspect and receive a copy of their medical
record - To request confidential communication
5Survival Tips For HIPAA Patient Rights
SECTION HEADING
- Dont
- Agree to patients request for restriction of
access to their medical record - Agree to patients request for an amendment to
their medical record - Harvest research data yourself from any of the
Medical Record sources. HIMS is the control point
for providing research data. For questions go to - http//hims.ucsfmedicalcenter.
org - Do
- Refer patients request for restriction or
amendment of the medical record to Patient
Relations or HIMS - Patient Relations and HIMS must evaluate and
coordinate all requests for restriction or
amendment of medical records
6Whats New?
- Privacy is more than HIPAA these days
- New states laws are more stringent and impose
increased fines/ penalties - The Privacy environment is constantly changing
- National mandate for an Electronic Health Record
- State wide initiatives for a Health Information
Exchange
7Major Impacts of The New Privacy State Laws
Key Requirements
8Major Impacts of The New Privacy State Laws
Fines Penalties
9How Does This Impact You?
- Increased Fines and Civil Penalties
- 5 Day Notification Requirement to DPH and
individuals - Surveillance and Monitoring
- Audit Logs of Appropriate Access
- For Research, changes in the definition of
operation functions and the new accounting of
disclosure requirement for electronic
information. - Personal Liability
10The Answer to All Legal/Risk Questions is
11Important Privacy Concepts
- Utilize these concepts when making decisions
regarding - Privacy Protection in the clinical
environment - Treatment, Payment or Operations (TPO)
- You may access, use or disclosure PHI or ePHI for
the purposes of TPO - See Notice of Privacy Practices (NOPP) for
details - If your access, use or disclosure is not covered
by the NOPP, then you will need to obtain an
authorization from the patient prior to
proceeding. - PHI/ePHI
- Protected Health Information/Electronic Protected
Health Information - See HIPAA handbook for definition
- Minimum Necessary Standard applies for all uses
and disclosures except for treatment. - Access only what you need to know.
- Share only what you need to disclose
- Incidental Use and Disclosure as long as
- The disclosure is incidental to other permitted
uses and disclosures. - Never access, use or disclose PHI which you are
not allowed to access in the first place - Reasonable safeguards are in place to protect PHI
that may be disclosed incidentally
12Privacy in the Clinical Environment
Privacy answers are not black and white. You
need to assess the appropriate access, use,
storage, and disclosure of PHI each and every
time by asking yourselves all of the following
questions.
- Do I need to access this information to do my
job? - Am I using the minimum information needed to do
my job? - Am I providing others with the minimum necessary
information to do their job? - Do I need to store this information to do my job?
- If yes, how will I secure this information?
- Ok, I can do this, should I really do it?
- What if this was my information? How would I feel
about how it is being handled? - How would this process/practice look on the front
page of the Chronicle?
13Scenario 1 Email Communication
- A patient emails you about new symptoms that have
presented since taking a new medication. - Since the pt. has sent the email unencrypted,
can you respond without sending your message in a
secure manner?
14Secure E-Mail is easy to use at UCSF!
SECTION HEADING
- How to use
- Use the secure email system when sending emails
with ePHI - Type in the email Subject Line the word
- Secure ePHI PHI
- Make sure you are sending your message to the
correct recipient. - Key points to remember
- This protects the information when it leaves our
UCSF network environment. It does not encrypt
the message within the UCSF network. However,
best practice is to use the secure email system
when sending ePHI anywhere. This will protect
you if someone forwards your ePHI outside of the
UCSF network.
15Scenario 2 - Secure Data
- You have an excel spread sheet of subject
information for a research study. OR, you are
doing a Quality Improvement project for your
department and have a spread sheet of outcomes
for a certain population of UCSF patients. - When do you need to store the data securely?
- What is the best way to store it securely?
16Key to Your Survival
SECTION HEADING
Is How You Control Access, Use, and Disclosure of
PHI
17PHI is Everywhere
SECTION HEADING
- Desktop computer
- Laptops
- Memory Sticks
- Text pagers
- Memory sticks
- PDAs
- Cell Phones
- Conversations
- Paper records/notes
18Best Privacy Practice Reminders
- Make sure you maintain access for only the
systems that you have a business need - Review privacy newsletters and make sure you
understand them - PHI/ePHI should never leave the department
- If unavoidable, then the materials should stay
with the person without exception - Limit discussion in public areas
- Place PHI/ePHI in the InstaShred
- Do not block software updates
- Encrypt ePHI on mobile devices Laptops, Memory
sticks etc
19Best Privacy Practice Reminders contd...
Ensure additional layers of protection for PHI
and ePHI
- Use locked doors/storage areas
- Lock up patient information such as paper,
floppies, memory sticks, CDs, tapes or other
portable media - Secure devices with locks when possible, even
when laptops are docked in docking stations - You are responsible for securing home and mobile
devices w/confidential information. If you take
your laptop home, you need to keep it with you at
all times while in transport. - Secure building at the end of the business day
- Store information on a secure/encrypted server
20Protect your computers and mobile eDevices
SECTION HEADING
- Backup all confidential information on a UCSF
protected server - Complex password protection
- Encryption
- Delete old files
- Create an encrypted back-up file and store
separately from the computer/mobile e-device - Access UCSF network using an approved, secure
means - VPN
21What is My Responsibility, if I suspect a breach
or have questions
- Report any known or suspected privacy breaches to
the Privacy Office ASAP. - Report erratic computer behavior or unusual
e-mails to IT - Report lost/stolen e-devices to UCSF Police
immediately. If it is hard copy PHI, report it to
the Privacy Office. - Be prepared to outline exact data elements
disclosed, how many patients, over what time
period, to whom, and for what purpose. - When you are planning any project that involves
releasing PHI outside of UCSF for any purpose
outside of TPO contact the Privacy Office for
consultation.
22Scenario 3
SECTION HEADING
- A Workers Comp Insurance company contracts with
your department for an evaluation of a patient.
The contract specifies that the report is to be
sent only to the company and not to the patient
as the insurance company is paying for the exam.
Upon completion of the exam, the patient requests
a copy of the report and you tell them you can
not provide it. - What is wrong with this scenario?
23Scenario 3- Answer
- It is a patients right to have access to their
record. By refusing to provide access, this
creates a HIPAA violation - In this scenario you should do the following
- Do not sign anything that limits UCSFs ability
to provide the required access to the medical
record
24Scenario 4
- A patient arrives in the ED and states that he
has been seen at another ED two times in the last
24 hours for abdominal pain. He now presents with
increased abdominal pain. You diagnose him with a
bowel obstruction, and he goes to the OR for
surgery. You know the MD at the other hospital
and want to inform him about what happened to
this patient. - Should you contact the MD at the other ED?
25Scenario 4- Answer
- No, to do so would cause a HIPAA violation
- If you feel strongly that the other ED should
know you should - Obtain authorization from the patient to disclose
this information - Document the authorization in the medical record
26What is on the Horizon?
- Federal Red Flag Rule
- American Recovery and Reinvestment Act (ARRA)
2009 HITECH Act - California goal for a Health Information Exchange
- National goal for a National Health Record
27Newspaper Headlines
Kaiser hospital fined 250,000 for privacy breach
in octuplet case
Hacker Holding Virginia Health Records for 10
million Ransom
HIPAA Privacy Violation Settled for 2.25 Million
20M to Settle Lawsuit for Loss of Laptop
28Federal Regulations/Laws Some Major Impacts
American Recovery Reinvestment Act of 2009
(ARRA) HITECH Act amends HIPAA
- Stimulus Package included health information
technology, e.g., Electronic Health Records - Multiple impacts related to Privacy
- Defines unsecured PHI
- Requires notification to the consumer w/in 60
days - Individuals may be fined for wrongful disclosure
- Increases criminal fines and penalties for
wrongful disclosure - Individuals have right of civil action for
wrongful disclosure - Requires honoring restriction requests, when
related to self pay situations. - Major impact on Business Associates (BAs)
- More guidance from HHS expected
29Remember- Privacy is bigger than HIPAA
- California Confidentiality of Medical Information
Act (COMIA) (CA Civil Code 56-56.07) - California Confidentiality of Social Security
Numbers (CA Civil Code 1798.85) - California Information Practices Act (IPA) (CA
Civil Code 1798.24) - California Lanterman-Petris-Short Act (CA Welfare
and Institutions Code 5000-5120) - Federal Education Rights and Privacy Act (FERPA)
(34 CFR Part 99) - Federal Health Insurance Portability and
Accountability Act of 1996 (HIPAA) (45 CFR Parts
160, 162, 164) - AB-211
- SB-541
- Red Flag Rule
30Where to go for
UCSF Resources
- Your Department Manager or IT support person
- UCSF Privacy Officer
- Deborah.yano-fong_at_ucsfmedctr.org
- UCSF Information Security Officer (Medical
Center) - Jose.claudio_at_ucsfmedctr.org
- UCSF Information Security Officer (Campus)
- Michael. Kamerick_at_ucsf.edu (Interim)
- Security Training
- Tiki Maxwell 514-1363
- UCSF HIPAA Handbook
- http//hipaa.ucsf.edu/default.html
- IT Customer Support 514-4100
31Thank you!