Course Objectives - PowerPoint PPT Presentation

Slides: 76
Provided by: RenniP

Transcript and Presenter's Notes

1
Course Objectives
  • After completing this course, you should
    understand
  • Privacy and security of sensitive information are
    your responsibility
  • How you can recognize situations where sensitive
    information may be handled improperly
  • How you can protect patient and confidential
    information in common workplace situations
  • That you will be held responsible for improperly
    handling sensitive information and
  • Who to notify if you have questions about the
    privacy and security of sensitive information.

2
Menu
  • Overview: Privacy, Security, and Your Job.
  • A's, B's, and C's of Privacy and Security in 2011
  • Awareness of your responsibilities and patient
    rights.
  • Breaches of patient information.
  • Common questions.

3
Overview: Privacy, Security, and Your Job
  • The Ohio State University Medical Center Expects
    Everyone to
  • Protect a patient's information
  • Protect other restricted information such as
    employee information and
  • Follow the University's privacy and security
    policies.

Remember . . . You may only access information
that is needed to perform your job duties!
Failure to do so will result in corrective
action up to and including termination.
4
A's, B's, and C's of Privacy and Security in 2010
  • Awareness of patient rights and your
    responsibilities
  • Breach of Protected Health Information
  • Common Questions

5
Awareness: Patient Rights and Your Responsibilities
  • Identity Theft

Under the Identity Theft Red Flag Rules, the Ohio
State University Medical Center must prevent,
detect, and reduce the harmful effects of
identity theft
An Identity Theft Red Flag is a pattern,
practice, or specific activity that indicates the
possible existence of identity theft
6
Awareness: Patient Rights and Your Responsibilities
  • Identity theft occurs when someone uses another
    person's identifying information without
    permission.
  • Examples of identifying information include
  • name
  • Social Security number
  • medical insurance number
  • credit card number or
  • OSUMC badge with payroll deduct.

7
Awareness: Patient Rights and Your Responsibilities
  • Examples of Identity Theft Red Flags
  • Records showing medical treatment that is
    inconsistent with a physical examination
  • Identification appears altered or forged
  • Complaints or questions from a patient about
    information added to a credit report
  • Patient receives
  • a bill for another patient
  • a bill for a product or service the patient did
    not receive
  • a notice of insurance benefits (or Explanation of
    Benefits) for health care services never
    received or
  • a collection notice from a collection agency for
    services the patient never received.

8
Awareness: Patient Rights and Your Responsibilities
  • Identity Theft: Your Responsibilities
  • Prevent identity theft by keeping patient
    information safe
  • Detect identity theft by being aware of
    suspicious activities and
  • Report identity theft as soon as you suspect it.

9
Awareness: Patient Rights and Your Responsibilities
  • You have access to the electronic medical record.
  • You search by the patient's name and date of
    birth to try to find the patient.
  • Two patients return with the same social security
    number, but with different dates of birth.

What should you do?
10
Awareness: Patient Rights and Your Responsibilities
  • Two patients with the same Social Security number
    is an Identity Theft Red Flag.
  • Action
  • Notify your manager, who will complete an initial
    investigation
  • If your manager is unavailable, then notify the
    Privacy Office
  • OSU Physicians, Inc. (OSUP): 784-7806
  • OSU Health System (OSUHS) / College of Medicine
    (COM): 293-4477.
  • File an anonymous complaint via the EthicsPoint
    Reporting System
  • OSUP: 1-800-559-5217, https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=14670
  • OSUHS / COM: 1-866-294-9350, https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7689
  • The Identity Theft Red Flag Rules Response Team
    will investigate.
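The scenario above is a detection problem as much as a reporting one: a registration system can surface the "same Social Security number, different date of birth" red flag automatically instead of relying on a clerk to notice it. The following Go program is an added example written for this transcript, not a tool from OSUMC or the original slides. The record layout, the field names and the sample patients are constructed for illustration; the output masks all but the last four digits of the SSN so the alert itself does not become another copy of the identifier.

```go
package main

import (
	"fmt"
	"sort"
)

// PatientRecord is a constructed, minimal view of a registration record.
type PatientRecord struct {
	MRN  string // medical record number
	Name string
	SSN  string // digits only; empty when no SSN is on file
	DOB  string // YYYY-MM-DD
}

// RedFlag describes one Social Security number that appears on records
// whose dates of birth disagree: the red flag from the scenario above.
type RedFlag struct {
	MaskedSSN string
	MRNs      []string
	DOBs      []string
}

// maskSSN keeps only the last four digits so the alert does not
// reproduce the full identifier in logs or e-mail.
func maskSSN(ssn string) string {
	if len(ssn) < 4 {
		return "***-**-****"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// FindSharedSSNRedFlags groups records by SSN and reports every SSN that
// is attached to more than one distinct date of birth. Two records for the
// same person (same SSN, same DOB) are a duplicate registration, not a flag.
func FindSharedSSNRedFlags(records []PatientRecord) []RedFlag {
	bySSN := map[string][]PatientRecord{}
	for _, r := range records {
		if r.SSN == "" {
			continue // nothing to compare
		}
		bySSN[r.SSN] = append(bySSN[r.SSN], r)
	}
	var flags []RedFlag
	for ssn, group := range bySSN {
		dobs, mrns := map[string]bool{}, map[string]bool{}
		for _, r := range group {
			dobs[r.DOB] = true
			mrns[r.MRN] = true
		}
		if len(dobs) < 2 {
			continue
		}
		flags = append(flags, RedFlag{MaskedSSN: maskSSN(ssn), MRNs: sortedKeys(mrns), DOBs: sortedKeys(dobs)})
	}
	sort.Slice(flags, func(i, j int) bool { return flags[i].MaskedSSN < flags[j].MaskedSSN })
	return flags
}

// SampleRecords is constructed test data, not real patient information.
var SampleRecords = []PatientRecord{
	{MRN: "MRN-1001", Name: "Pat Example", SSN: "123456789", DOB: "1970-03-14"},
	{MRN: "MRN-1002", Name: "Pat Example", SSN: "123456789", DOB: "1970-03-14"}, // duplicate registration: not flagged
	{MRN: "MRN-2001", Name: "Sam Sample", SSN: "987654321", DOB: "1985-11-02"},
	{MRN: "MRN-2002", Name: "S. Sample", SSN: "987654321", DOB: "1962-07-30"}, // same SSN, different DOB: red flag
	{MRN: "MRN-3001", Name: "No SSN", SSN: "", DOB: "1990-01-01"},
}

func main() {
	for _, f := range FindSharedSSNRedFlags(SampleRecords) {
		fmt.Printf("RED FLAG: SSN %s shared by %v with dates of birth %v; notify your manager\n",
			f.MaskedSSN, f.MRNs, f.DOBs)
	}
}
```

The check is deliberately narrow: it reports a conflict of identity data, not a conclusion about who the thief is. That matches the slide's action list, where the finding goes to a manager and the Red Flag Rules Response Team for investigation.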

11
Awareness: Patient Rights and Your Responsibilities
  • Your colleague has access to patient and staff
    social security numbers.
  • Recently, you notice that your colleague is
    placing stacks of papers in envelopes and sending
    them out in the mail or takes the information
    home. This is not something your colleague needs
    to do as part of her job duties.

What should you do?
12
Awareness: Patient Rights and Your Responsibilities
  • Your colleague's behavior is an Identity Theft
    Red Flag.
  • Worst case scenario: your colleague may be
    stealing patient information and selling it for
    misuse by identity thieves.
  • This type of theft has occurred at other
    hospitals.
  • Action
  • Notify your manager, who will complete an initial
    investigation
  • If your manager is unavailable, then notify the
    Privacy Office
  • OSUP: 784-7806
  • OSUHS / COM: 293-4477.
  • File an anonymous complaint via the EthicsPoint
    Reporting System
  • OSUP: 1-800-559-5217, https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=14670
  • OSUHS / COM: 1-866-294-9350, https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7689
  • The Identity Theft Red Flag Rules Response Team
    will investigate.

13
Awareness: Patient Rights and Your Responsibilities
If it is found that you have been misusing data
or inappropriately accessing systems, then you
will face corrective action up to and including
termination.
Misuse of patient information may subject you and
OSUMC to civil or even criminal penalties.
These penalties may include fines and possible
jail time.
14
Awareness: Patient Rights and Your Responsibilities
  • What is HIPAA?
  • HIPAA is the Health Insurance Portability and
    Accountability Act, a federal law that
  • Requires health care organizations like OSUMC to
  • follow certain rules when we use and release
    patient information
  • keep patient information private, confidential,
    safe, and accurate.

15
Awareness: Patient Rights and Your Responsibilities
  • HIPAA Privacy
  • We must protect an individual's Protected Health
    Information that is created, kept, filed, used or
    shared and is
  • Written
  • Spoken
  • Electronic
16
Awareness: Patient Rights and Your Responsibilities
  • HIPAA Patients' Rights
  • The right to look at and get a copy of their own
    medical and billing records.
  • The right to ask for an amendment to these
    records.
  • The right to ask for limits on how we use their
    information.
  • The right to a paper copy of the notice of
    privacy practices.
  • The right to an accounting of disclosures, and
    more.

17
Awareness: Patient Rights and Your Responsibilities
  • Examples of Protected Health Information (PHI)
  • A patient's name, address, birth date, age, phone
    and fax numbers, e-mail address
  • Medical record numbers
  • Medical records, diagnosis, x-rays, photos,
    prescriptions, lab work and test results
  • Billing records, claim data, referral
    authorizations and explanation of benefits
  • Certain research records.
  • See the list of 18 key PHI identifiers.

18
Awareness: Patient Rights and Your Responsibilities
Releasing Protected Health Information Requires
Patient Authorization
  • Exceptions
  • Authorized staff may disclose information to
    fulfill public health reporting requirements to
    governmental agencies as required by state,
    federal or local law
  • For law enforcement requests, subpoenas, court
    orders or for purposes other than listed here
  • OSUHS / COM: Medical Information Management
    and/or Legal Services must approve the release of
    information.
  • OSUP: The Privacy Officer must approve the
    release of information.
  • A Waiver of HIPAA Authorization has been obtained
    for research purposes.

19
Awareness: Patient Rights and Your Responsibilities
  • You are watching the football game and see that
    Famous Football Player has been injured. You
    think that he is being treated at OSUMC, but are
    not sure. You are not involved in Famous
    Football Player's care.
  • You have access to patient information. You log
    into the Integrated Healthcare Information System
    (IHIS) just to check if Famous Football Player
    has been admitted to OSUMC for treatment.

What's wrong with this scenario?
20
Awareness: Patient Rights and Your Responsibilities
You must only access patient information as
needed to perform your job duties. Failure to do
so will result in corrective action up to and
including termination.
  • In this scenario, you did not need to know
    whether Famous Football Player was admitted to
    the hospital.
  • Looking up this information is a violation of
    hospital policy and may be a violation of state
    and federal laws.
  • Access to patient information is monitored and
    you are responsible for all that occurs under
    your log-in and password.
  • Action
  • Should you have questions about whether access to
    patient information is appropriate, ask your
    supervisor and/or contact the Privacy Office
  • OSUP: 784-7806
  • OSUHS / COM: 293-4477.

21
Awareness: Patient Rights and Your Responsibilities
If it is found that you have been misusing data
or inappropriately accessing systems, then you
may face corrective action up to and including
termination.
In an investigation into HIPAA violations, both
OSUMC and you may be subject to civil or even
criminal penalties. These penalties may include
fines and possible time in jail.
22
Awareness: Patient Rights and Your Responsibilities
Resident Rita prints a rounds report and leaves
it in the pocket of her white coat. At the end of
the day, while leaving the hospital, the list falls
out of her pocket onto the sidewalk.
What's wrong with this scenario?
23
Awareness: Patient Rights and Your Responsibilities
Do not remove PHI on paper from OSUMC premises.
  • In this scenario, Rita inappropriately took PHI
    from the hospital, exposing the information to
    the risk of loss or theft.
  • PHI on paper is easily lost or stolen, and you are
    responsible for ensuring that it remains secure
    and for properly disposing of the information when it
    is no longer needed.
  • Action
  • Should you have questions about PHI on paper and
    how to properly secure it or dispose of it, ask
    your supervisor and/or contact the Privacy
    Office
  • OSUP: 784-7806
  • OSUHS / COM: 293-4477.

24
Awareness: Patient Rights and Your Responsibilities
The clinic has a fax machine and printer that are
located in a patient waiting area. These machines
are often unattended and receive faxes and print
jobs containing PHI throughout the day and night.
What's wrong with this scenario?
25
Awareness: Patient Rights and Your Responsibilities
Fax machines and printers that receive PHI must
be kept in a secure area. PHI sent to fax
machines or printers must be removed promptly.
  • In this scenario, the clinic has the fax/printer
    located in an insecure location.
  • Fax machines and printers must be attended by OSUMC
    staff at all times or kept behind locked doors and
    accessible only to authorized staff.
  • Faxes and print jobs containing PHI must be
    removed from the fax machine or printer promptly.
  • Action
  • Should you have questions about faxing or
    printing PHI and how to properly secure it, ask
    your supervisor and/or contact the Privacy
    Office
  • OSUP: 784-7806
  • OSUHS / COM: 293-4477.

26
Awareness: Patient Rights and Your Responsibilities
If it is found that you have been misusing data
or inappropriately accessing systems, then you
may face corrective action up to and including
termination.
In an investigation into HIPAA violations, both
OSUMC and you may be subject to civil or even
criminal penalties. These penalties may include
fines and possible time in jail.
27
Awareness: Patient Rights and Your Responsibilities
As part of Andrew's job, he prints out
information that includes patient addresses and
zip codes. He thinks that he should place
these documents in the shredder bin, but whenever
he goes to the shredder bin it is either full or
unlocked, so he doesn't bother. Andrew decides
that because there is no patient name on the
papers, it is okay to throw the papers in
the regular trash.
What's wrong with this scenario?
28
Awareness: Patient Rights and Your Responsibilities
  • Patient addresses, zip codes, and medical record
    numbers are Protected Health Information.
  • Action
  • Place paper with Protected Health Information and
    any sensitive information in a shredding
    container and
  • If the shredding container in your area is full
    or unlocked, notify
  • OSUHS: Environmental Services, 293-8645 / 293-4230
  • OSUP: Shred-It, 231-7470.

29
Awareness: Patient Rights and Your Responsibilities
- PASSWORDS
HIPAA Security
  • Passwords
  • A password, along with your MedCenter Logon ID,
    is the key that protects your identity within
    information systems
  • Protect your passwords in the same way that
    you would protect the key to your home or
    automobile
  • Keep your password a secret
  • OSUMC IT will NOT request your password via
    e-mail
  • You should not share your passwords with anyone,
    including co-workers, administrative staff, IT
    staff, physicians, managers/supervisors or
    strangers
  • Password sharing is a violation of OSUMC policy.

30
Awareness: Patient Rights and Your Responsibilities
  • Passwords (cont.)
  • You can reset your own MedCenter Logon ID
    password using the Password Change Portal on
    OneSource (OneSource > MyWorkplace > Password
    Portal)
  • For assistance with password-related issues, or if
    you feel your password has been stolen or
    compromised, call the OSUMC Help Desk at 3-3861.

You are responsible for all activity that occurs
under your log-in and password.
31
Awareness: Patient Rights and Your Responsibilities
You receive an e-mail from IT Support stating
that OSUMC is performing system maintenance and
telling you that you need to provide
your name, user ID, password and phone number.
What should you do?
32
Awareness: Patient Rights and Your Responsibilities
  • STOP! This is a phishing attempt.
  • Phishing is where people send an e-mail to a user
    falsely claiming to be a legitimate requestor.
  • Phishing tries to scam a user into surrendering
    private information that can be used to attack
    OSUMC's electronic systems.
  • OSUMC IT will NOT request your password via
    e-mail.
  • Action
  • Delete the email and
  • Call the Help Desk at 293-3861 to report the
    email.

33
Awareness: Patient Rights and Your Responsibilities
You are working with a new staff member who
doesn't currently have access to log into the
computer. You need the staff member's assistance,
so you log into IHIS and allow the staff member
to use your account to access PHI.
What's wrong with this scenario?
34
Awareness: Patient Rights and Your Responsibilities
Do not share your passwords with anyone,
including co-workers, administrative staff, IT
staff or strangers. Password sharing is a
violation of OSUMC policy. Violations of OSUMC
policy may result in corrective action up to and
including termination.
  • In this scenario, both staff members violated
    OSUMC policy.
  • You are responsible for all activity that occurs
    under your log-in and password.
  • Action
  • Should you have questions about computer access
    to PHI ask your supervisor and/or contact the
    OSUMC IT Helpdesk 293-3861.

35
Awareness: Patient Rights and Your Responsibilities
  • Work Stations
  • Computers are business tools you may use to
    access OSUMC electronic resources required to
    perform your job
  • Computers should be used for business purposes
    only and not for personal gain or inappropriate
    activities
  • Physical security of computers is vital to
    protecting sensitive information. Where
    appropriate, computers should be locked to a
    stationary piece of furniture
  • Position the computer monitor so that sensitive
    information displayed on the screen is not
    visible to an unauthorized observer.

36
Awareness: Patient Rights and Your Responsibilities
  • Unsupported Devices
  • Devices that are not registered and supported by
    a LAN manager or OSUMC IT cannot be attached to
    the OSUMC network as they create vulnerabilities
    that may lead to virus outbreaks, information
    exposure and network performance issues
  • If you have a device that you would like to
    attach to the OSUMC network, then please contact
    your LAN manager or OSUMC Help Desk at 3-3861.

37
Awareness: Patient Rights and Your Responsibilities
Researcher Ron is recruited to the Medical
Center. Researcher Ron hires a research assistant
who has some computer skills and asks that she
set up and maintain some non-Medical-Center-owned
computer equipment that is needed for his study.
What's wrong with this scenario?
38
Awareness: Patient Rights and Your Responsibilities
Devices that are not registered and supported by
a LAN manager or OSUMC IT cannot be attached to
the OSUMC network.
  • In this scenario, Researcher Ron's assistant is
    not a LAN manager and is not part of OSUMC IT and
    therefore is not authorized to maintain and
    support equipment attached to the OSUMC network.
  • Computer equipment that is not properly
    maintained may lead to virus outbreaks,
    information exposure and network performance
    issues.
  • Action
  • Should you have questions about attaching
    computers to the OSUMC network or accessing OSUMC
    applications using non-OSUMC issued devices ask
    your supervisor and/or contact the OSUMC IT
    Helpdesk 293-3861.

39
Awareness: Patient Rights and Your Responsibilities
  • Software
  • Only software that is appropriately licensed and
    approved by a LAN manager or OSUMC IT should be
    installed on devices that are connected to the
    OSUMC network
  • Do not install any unlicensed software on any
    computing device that uses the OSUMC network
  • Do not download, install or run peer-to-peer file
    sharing applications on devices connected to the
    OSUMC network
  • Peer-to-peer file sharing applications (e.g.,
    Kazaa, Morpheus, Napster, Limewire, etc.) are
    often used to spread malicious software.

40
Awareness: Patient Rights and Your Responsibilities
  • Malicious Software
  • Malicious software consists of programs that covertly
    enter information systems with the intent of
    compromising the confidentiality, integrity and
    availability of data, applications or operating
    systems (other names are viruses, worms, trojans
    and spyware)
  • It can lead to identity theft and the exposure of
    sensitive information
  • It is often spread as e-mail attachments. (If an
    attachment looks suspicious, then don't open it;
    delete it!)
  • It can be spread through social networking sites
    such as Facebook and MySpace
  • Use caution when viewing files from friends. Ask
    the friend if they sent the message before
    clicking links that install software such as
    viewers for video content.

TIP: Antivirus software is available free to
OSUMC employees. Visit the OSUMC IT Information
Security Home Page or the OSU Office of Information
Technology for more details.
41
Awareness: Patient Rights and Your Responsibilities
  • What is Encryption?
  • Encryption is defined as putting data into a
    secret code so it is unreadable except by
    authorized users and
  • Encryption uses keys to scramble and unscramble
    data.
  • Per OSU and OSUMC policy all PHI must be
    encrypted when stored on portable devices such as
    laptop computers, smart phones and flash drives.

42
Awareness: Patient Rights and Your Responsibilities
  • Encryption and Remote Access
  • When working remotely, encryption and wireless
    security should be considered
  • Information sent via unencrypted wireless
    networks can be intercepted by unintended
    recipients.

43
Awareness: Patient Rights and Your Responsibilities
  • Encryption and E-mail
  • You should only use the e-mail system associated
    with your osumc.edu account to conduct OSUMC
    related business
  • Do not use web-based e-mail accounts such as
    Yahoo!, Gmail, AOL and MSN to conduct OSUMC
    business
  • Never send unencrypted sensitive information such
    as Protected Health Information, social security
    numbers, and credit card information through
    email.

44
Awareness: Patient Rights and Your Responsibilities
It's the holiday season and you receive a message
in your social networking account to view a funny
video from a friend. When you click on the link
in the message you are prompted to install a
viewer before you can watch the video.
What should you do?
45
Awareness: Patient Rights and Your Responsibilities
  • Stop!
  • Do not install the viewer because it may
    introduce a virus or malicious code into the
    OSUMC computer network and compromise sensitive
    information.
  • Delete the message.

46
Awareness: Patient Rights and Your Responsibilities
  • OSUMC Encryption Tools
  • If you need to use FTP (File Transfer Protocol) to
    transfer electronic Protected Health Information to
    perform your job, use secure FTP (SFTP) or another
    secure method such as typing SECURE MAIL in the
    subject line of e-mails
  • Messages sent and received through the OSUMC
    approved e-mail system are scanned for malicious
    code and for restricted data to protect our
    patients and OSUMC's reputation
  • For more information on encryption, please
    contact your LAN manager or the OSUMC Help Desk
    at 3-3861 or the OSUP Help Desk at 784-7812.

To send a message securely to a non-OSUMC e-mail
address, add SECURE MAIL to the subject line of
your message.
47
Awareness: Patient Rights and Your Responsibilities
Doctor Jones uses her personal flash drive to
store information about her patients. The drive
is not encrypted. One day during her rounds she
mistakenly leaves the flash drive on a nursing
unit and is unable to find it when she returns.
What's wrong with this scenario?
48
Awareness: Patient Rights and Your Responsibilities
Per OSU and OSUMC policy all PHI must be
encrypted when stored on portable devices such as
laptop computers, smart phones and flash drives.
  • In this scenario, Dr. Jones was using an
    unsecured flash drive to store PHI.
  • Portable equipment is easily lost or stolen and
    must be encrypted in order to protect OSUMC
    restricted data such as PHI.
  • Action
  • Should you have questions about storing PHI or
    other restricted data on portable storage devices
    ask your supervisor and/or contact the OSUMC IT
    Helpdesk 293-3861.
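The "What is Encryption?" slide and the Dr. Jones scenario make the same point from two sides: a key scrambles the data, and whoever finds the lost drive has the file but not the key. The Go program below is an added example for this transcript, not an OSUMC encryption tool and not code from the original slides; it uses AES-256-GCM from the Go standard library, and the sample PHI string and the "finder" with a different key are constructed for illustration. It shows that the stored bytes reveal nothing about the plaintext, that the right key recovers the record, and that a wrong key or a tampered file is refused rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. The key stays with the
// authorized user (or IT's key management), never on the same drive as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per file is required; GCM must never reuse one under a key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, not corrupted output,
// when the key is wrong or the stored bytes were modified.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored data too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real patient information.
	phi := []byte("MRN-7001, Pat Example, DOB 1970-03-14, dx: example")

	ownerKey, _ := NewKey()
	stored, _ := Encrypt(ownerKey, phi) // what ends up on the flash drive

	fmt.Println("plaintext visible in stored bytes:", bytes.Contains(stored, []byte("Pat Example")))

	back, err := Decrypt(ownerKey, stored)
	fmt.Println("owner with key recovers record:", err == nil && bytes.Equal(back, phi))

	finderKey, _ := NewKey() // whoever picks the drive up has no key, only a guess
	_, err = Decrypt(finderKey, stored)
	fmt.Println("finder with wrong key refused:", err != nil)
}
```

The scenario's outcome changes with this in place: a lost drive still has to be reported to the Privacy Office, but the risk assessment on the "Breach" slides turns on whether the data was readable, and an authenticated encryption scheme with the key held elsewhere is exactly what makes that answer no.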

49
Awareness: Patient Rights and Your Responsibilities
  • Portable Devices
  • Portable devices such as laptops, flash drives,
    smart phones and cameras are powerful and
    convenient business tools. However, they are also
    highly susceptible to loss and theft.
  • Unless the portable device is properly encrypted,
    you must not store sensitive information such as
    patient data, Social Security numbers, credit
    card numbers and financial information.
  • All laptops carrying OSUMC owned data MUST be
    encrypted.
  • Physically secure all portable devices when left
    unattended. Examples include a locked office,
    file cabinet or trunk or a cable and lock that is
    secured to a stationary piece of furniture.

TIP:
  • Do NOT leave your laptop or PDA unattended.
  • Purchase a locking security cable to attach your
    laptop to an immovable object to prevent theft.
  • Use strong passwords to prevent unauthorized users
    from accessing your laptop or smart phone.
50
Awareness: Patient Rights and Your Responsibilities
Nurse Neal received the latest smart phone as a
birthday present. He would like to use the device
to access his OSUMC e-mail and OSUMC clinical
applications.
What should Nurse Neal do?
51
Awareness: Patient Rights and Your Responsibilities
Per OSU and OSUMC policy all PHI must be
encrypted when stored on portable devices such as
laptop computers, smart phones and flash drives.
  • In this scenario, Nurse Neal should contact OSUMC
    IT to have his device properly encrypted and
    secured before accessing OSUMC electronic
    resources.
  • Portable equipment is easily lost or stolen and
    must be encrypted in order to protect OSUMC
    restricted data such as PHI.
  • Action
  • Should you have questions about storing PHI or
    other restricted data on portable storage devices
    ask your supervisor and/or contact the OSUMC IT
    Helpdesk 293-3861.

52
Awareness: Patient Rights and Your Responsibilities
  • Data Storage
  • If you store Protected Health Information (PHI)
    on a Personal Digital Assistant (PDA), laptop,
    computer, CD-ROM, camera, phone or other storage
    media, you are the Data Custodian for the data
    and are responsible for its security and proper
    disposal.
  • Basic protections include that Data Custodians
    must
  • Locate the file on a secure department share
    (network drive) that is protected from those who
    do not require access to the data
  • Encrypt (password-protect) the data files (MS
    Office documents)
  • Password protect databases (MS Access) and
  • Completely destroy the data when it is no longer
    needed.

53
Awareness: Patient Rights and Your Responsibilities
  • Data Storage (cont.)
  • Storing an unencrypted sensitive file on your C
    drive is NOT an acceptable security practice.
  • Be aware that the My Documents folder usually
    resides on the C drive.
  • Save unencrypted sensitive files only to your
    individual work folder on the network (P drive)
    or to a secure network shared folder
  • For assistance with properly storing and
    disposing of sensitive information stored on
    electronic devices, please contact your LAN
    manager or the OSUMC Help Desk at 3-3861 or OSUP
    Help Desk at 784-7812.

54
Awareness: Patient Rights and Your Responsibilities
Bill and Carla are using the same spreadsheet to
analyze patient outcomes. The spreadsheet is
currently stored on a secure department shared
drive. Carla decides it is too hard to work on
the same spreadsheet and creates a copy on her
desktop.
What is wrong with this scenario?
55
Awareness: Patient Rights and Your Responsibilities
  • Carla is placing the data on her C drive, an
    unsafe place for patient information.
  • Carla must save the data to a folder on the
    network (P drive) or to a secure network shared
    folder.
  • If Carla needs assistance with properly storing
    and disposing of sensitive information, then she
    should contact her LAN manager, the
    OSUMC Help Desk at 3-3861 or the OSUP Help Desk
    at 784-7812.

56
A's, B's, and C's of Privacy and Security in 2010
  • Awareness of patient rights and your
    responsibilities
  • Breach of Protected Health Information
  • Common Questions

57
Breach of Protected Health Information
New HIPAA Breach Notification Rules
  • Changes in HIPAA
  • In 2009 the American Recovery and Reinvestment
    Act of 2009 (ARRA) brought changes to HIPAA
  • The Breach Notification Provisions are one change
  • Breach Notification Provisions
  • Where there is a Breach of patient information,
    OSUMC must notify the patient
  • With each possible breach, OSUMC must complete a
    risk assessment to determine if the potential
    breach qualifies as an actual Breach under the
    rule
  • The risk assessment determines whether there is a
    significant risk of financial, reputational, or
    other harm to the individual whose PHI was
    breached.

58
Breach of Protected Health Information
  • Dr. Holland was watching news reports about a
    prominent local news anchor who was involved in a
    severe car crash.
  • Dr. Holland noticed that the news anchor was
    admitted to the hospital where he works. Dr.
    Holland logged on to the hospital's medical
    record to see if the news reports were true. Dr.
    Holland was not involved in the news anchor's
    care.
  • Sarah, a registration clerk, and Carmen, a clinic
    nurse, also viewed the patient's medical record
    out of curiosity about the patient's condition.

What is wrong with this scenario?
59
Breach of Protected Health Information
  • Dr. Holland, Sarah, and Carmen did not need this
    information to do their jobs.
  • Their curiosity is considered a Breach under the
    new regulations.
  • OSUMC must record this as a Breach and report it
    to the Federal Government annually.
  • OSUMC must also write a letter to the patient to
    tell the patient
  • Her information has been breached
  • The date and time that it was breached
  • What OSUMC has done to prevent future
    incidents and
  • Contact information about where she can get
    further information.
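Both the Famous Football Player slide ("Access to patient information is monitored") and the Dr. Holland scenario describe the same detection: an access to a chart by someone with no treatment, payment or operations reason to open it. The Go program below is an added example for this transcript, not OSUMC's audit tooling and not code from the original slides. The audit-log format (time, user, MRN, action), the care-team table, and the user names are constructed; real EHR audit logs and care-team assignments differ, but the logic of comparing each access against a documented relationship is what a privacy-monitoring review does.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one row of a constructed EHR audit log:
// timestamp, user ID, patient MRN, action.
type AccessEvent struct {
	Time, User, MRN, Action string
}

// ParseAuditLog parses comma-separated audit lines, skipping blank lines
// and a leading "time,user,mrn,action" header.
func ParseAuditLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || (i == 0 && strings.HasPrefix(line, "time,")) {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", i+1, len(f))
		}
		events = append(events, AccessEvent{Time: f[0], User: f[1], MRN: f[2], Action: f[3]})
	}
	return events, nil
}

// CareTeam maps a patient's MRN to the users who have a documented reason
// (treatment, payment or operations) to open that chart. Constructed data.
type CareTeam map[string]map[string]bool

// FindSnooping returns every access by a user who is not on the patient's
// care team. A missing MRN in the table means nobody is authorized.
func FindSnooping(events []AccessEvent, team CareTeam) []AccessEvent {
	var flagged []AccessEvent
	for _, e := range events {
		if !team[e.MRN][e.User] {
			flagged = append(flagged, e)
		}
	}
	return flagged
}

// CountByUser tallies flagged accesses per user for the Privacy Office review.
func CountByUser(flagged []AccessEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range flagged {
		counts[e.User]++
	}
	return counts
}

// SampleLog is a constructed audit extract; the names echo the slide's scenario.
const SampleLog = `time,user,mrn,action
2011-10-01T14:02:11,nurse.carmen,MRN-7001,view_chart
2011-10-01T14:05:40,dr.holland,MRN-7001,view_chart
2011-10-01T14:06:02,dr.attending,MRN-7001,view_chart
2011-10-01T14:09:55,clerk.sarah,MRN-7001,view_demographics
2011-10-01T15:00:00,nurse.carmen,MRN-7002,view_chart
`

// SampleCareTeam: only dr.attending and nurse.unit treat MRN-7001;
// nurse.carmen is assigned to MRN-7002, so her access there is legitimate.
var SampleCareTeam = CareTeam{
	"MRN-7001": {"dr.attending": true, "nurse.unit": true},
	"MRN-7002": {"nurse.carmen": true},
}

func main() {
	events, err := ParseAuditLog(SampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, e := range FindSnooping(events, SampleCareTeam) {
		fmt.Printf("REVIEW: %s opened %s (%s) at %s with no care-team relationship\n",
			e.User, e.MRN, e.Action, e.Time)
	}
}
```

A flagged access is a lead for the Privacy Office's risk assessment, not a verdict: the slide's own wording is that the review determines whether a Breach occurred. Keeping the check to "no documented relationship" keeps false positives explainable, and the legitimate access by nurse.carmen to her own patient shows why the care-team table, not the user's role alone, is the reference.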

60
Breach of Protected Health Information
  • Jennifer Smith receives an e-mail from Dr. Donna.
  • Jennifer often receives misdirected e-mails
    because there are at least four other Jennifer
    Smiths who work at OSUMC.
  • Jennifer notices that she is not the intended
    recipient of Dr. Donna's e-mail.
  • Jennifer Smith works in a lab at the College of
    Medicine. Jennifer does not use patient
    information to do her job.

What should Jennifer Smith do?
61
Breach of Protected Health Information
  • Jennifer Smith should
  • immediately delete the email
  • notify Dr. Donna of the misdirected email and
  • report the event to the Privacy Officer.
  • Is this a Breach under the New HIPAA rules?
  • Likely, yes.

62
Breach of Protected Health Information
  • Terry lost his flash drive a few days ago.
  • Terry kept patient information on the flash drive
    including patient names, admission dates, copies
    of patient prescriptions, and clinic patient
    lists. Terry did not notify anyone that his
    flash drive was lost because he thought it would
    turn up some day.
  • Over two weeks have passed and Terry has not located
    his lost flash drive.

What is wrong with this scenario?
63
Breach of Protected Health Information
  • Terry should not store PHI unless it has been
    encrypted.
  • Terry should have notified the Privacy Officer of
    the lost device ASAP after he noticed it was
    lost
  • OSUP 784-7806
  • OSUHS COM 293-4477
  • The clock is ticking - Once the employee
    discovers the potential breach, OSUMC has no more
    than 60 days to notify the patients of the Breach.

64
Breach of Protected Health Information
  • Joe is a faculty member at the College of
    Medicine and works primarily in a research lab.
    He meets his friend for lunch at the hospital
    cafeteria.
  • When Joe sits down, he finds papers on the
    cafeteria table. On the papers he sees a list of
    patients' names with notes about each patient.

What should Joe do?
65
Breach of Protected Health Information
  • Joe should notify the Privacy Office of what he
    has found
  • OSUP 784-7806
  • OSUHS COM 293-4477
  • The Privacy Office will ask Joe to return the
    information ASAP.
  • Is this a breach of patient information?
  • Likely, yes.
  • The Privacy Office must complete a risk
    assessment and determine whether this is a breach
    of patient information and whether OSUMC must
    notify the patient.

66
Breach of Protected Health Information
  • In Summary
  • Under new HIPAA laws we must notify patients and
    the federal government when we have a breach of
    patient information
  • Inappropriate access to patient information
    qualifies as a Breach under the new laws and
  • You must do all you can to keep patient
    information secure.

67
A's, B's, and C's of Privacy and Security in 2010
  • Awareness of patient rights and your
    responsibilities
  • Breach of Protected Health Information
  • Common Questions

68
Common Questions
Does HIPAA allow a health care provider to
discuss the patient's health information with the
patient's family, friends, or others involved in
the patient's care or payment for care?
  • If the patient is present and has the capacity to
    make health care decisions, then a health care
    provider may discuss the patient's health
    information with a family member, friend or other
    person if:
  • The patient agrees, or
  • When given the opportunity, the patient does not
    object.
  • A health care provider may share information with
    these persons if, using professional judgment,
    the provider decides that the patient does not
    object.
  • In either case, the health care provider may
    share or discuss only the information that the
    person involved needs to know about the patient's
    care or payment for care.

69
Common Questions
  • Friends and Family: If there is a frequent
    visitor in the room when the physician (or other
    staff) comes in, the health care provider should
    ask the patient (or the patient's legal
    representative) if a private conversation is
    preferable.
  • Use professional judgment, but make it
    comfortable for the patient to say "I'd like to
    keep this discussion private."

70
Common Questions
May a health care provider discuss a patient's
health information over the phone with a family
member, friend or others involved in the
patient's care or payment for the patient's care?
  • Yes. Where a health care provider is allowed to
    share a patient's health information in person,
    information may be shared over the phone as well.
  • However, proceed with caution
  • If the patient has asked you not to share
    information with a family member, then you must
    not share the information
  • If you are uncertain whether the patient would
    want you to, then do not share the information
  • If you are uncertain of the identity of the
    caller, then do not share the information.
  • If you work in the hospital, know your unit's
    policy. Many units use code numbers or words
    that signal to staff that the caller has been
    identified as someone with whom you may share
    information.

71
Common Questions
How should OSUMC employees protect paper
documents that contain sensitive information
about our staff, patients, and vendors?
  • Documents that contain sensitive information such
    as patient information should be maintained
    behind a locked door to which other staff do not
    have access after hours.
  • If other staff have access to your desk after
    hours, then sensitive information must be placed
    in a locked drawer.

72
Common Questions
What if patients or family members overhear us
talking about other patients in a shared or open
patient care setting?
  • In shared or open patient care settings, take
    steps to make sure that the patient's privacy
    rights are respected:
  • Monitor the volume of your conversation and pull
    curtains whenever possible.
  • When sharing sensitive results or discussing
    sensitive information with patients, offer a
    private setting whenever possible.
  • Don't talk about patients in elevators, the
    cafeteria, or other public places.

73
More Information
  • For more information about privacy and security
    at OSUMC, please access:
  • OSUMC Information Security:
    https://onesource.osumc.edu/departments/it/informationsecurity/
  • OSUMC Privacy: https://onesource.osumc.edu/departments/Privacy
  • OSUP Privacy: http://osup.osumc.edu/osup_hipaa.htm
  • Campus Data Security and Policy on Institutional
    Data: http://buckeyesecure.osu.edu/
  • Additional CBLs related to HIPAA and Red Flag
    Rules are available via Educational Development
    and Resources

74
Identifiers
  • The following identifiers of the individual, or
    of relatives, employers, or household members of
    the individual, must be removed:
  • Names
  • All geographic subdivisions smaller than a State,
    including street address, city, county, precinct,
    zip code, and their equivalent geocodes, except
    for the initial three digits of a zip code if,
    according to the current publicly available data
    from the Bureau of the Census:
  • The geographic unit formed by combining all zip
    codes with the same three initial digits contains
    more than 20,000 people; and
  • The initial three digits of a zip code for all
    such geographic units containing 20,000 or fewer
    people is changed to 000.
  • All elements of dates (except year) for dates
    directly related to an individual, including
    birth date, admission date, discharge date, date
    of death and all ages over 89 and all elements
    of dates (including year) indicative of such age,
    except that such ages and elements may be
    aggregated into a single category of age 90 or
    older
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses

75
Identifiers (Continued)
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including
    license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice
    prints
  • Full face photographic images and any comparable
    images; and
  • Any other unique identifying number,
    characteristic, or code, except as permitted by
    paragraph (c) of this section; and
  • The covered entity must not have actual
    knowledge that the information could be used
    alone or in combination with other information to
    identify an individual who is a subject of the
    information.
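The zip code, date and age rules on the two Identifiers slides applied to one patient record, as an added example that is not part of the original slides. The field names, the sample record and the LOW_POPULATION_ZIP3 set are assumptions made for illustration; the real set of low-population 3-digit zip areas must be taken from Census Bureau data, as the slide states.

```python
# Added example (not from the slides): Safe Harbor de-identification of one record.
import re
from datetime import date

# CONSTRUCTED illustrative set; the real 3-digit zip areas with 20,000 or
# fewer people must be taken from current Census Bureau data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}
# Direct identifiers the slides say must be removed outright (assumed names).
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_id", "account_number", "license_number",
                      "vehicle_id", "device_id", "url", "ip_address", "photo"}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}  # year only

def deidentify_zip(zip_code):
    """Keep the first three digits, or '000' for a low-population area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed or missing: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3

def deidentify_age(age):
    return "90+" if age > 89 else age  # ages over 89 collapse into '90+'

def age_on(birth, as_of):  # whole years between birth and the reference date
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify_record(record, as_of):
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                       # removed entirely
        elif field == "zip":
            out["zip3"] = deidentify_zip(value)
        elif field == "birth_date":
            age = age_on(value, as_of)
            out["age"] = deidentify_age(age)
            # for 90+, the birth year itself indicates age, so drop it too
            out["birth_year"] = None if age > 89 else value.year
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value             # non-identifying clinical data
    return out

# CONSTRUCTED sample record and reference date for the worked example.
AS_OF = date(2011, 5, 2)
SAMPLE_RECORD = {"name": "Jane Doe", "mrn": "000123456", "zip": "43210-1234",
                 "birth_date": date(1920, 3, 15), "admission_date": AS_OF,
                 "diagnosis": "hypertension"}
```

Running deidentify_record(SAMPLE_RECORD, AS_OF) drops the name and MRN, keeps zip3 "432", reports age "90+" with no birth year, and reduces the admission date to the year 2011.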