HIPAA Privacy and Security - PowerPoint PPT Presentation
1
HIPAA Privacy and Security
  • Cindy Cummings, RHIT

2
Authorization: STILL NEED IT
  • Facilities must obtain authorization from
    patients before using or sharing their PHI for
    reasons other than treatment, payment, or health
    care operations.

3
What is Confidential?
  • Medical Record
  • Name
  • Address
  • Telephone Number
  • Age
  • Social Security
  • E-mail address
  • Medical History
  • Diagnosis
  • Medications
  • Observations
  • And More

4
Breach Notification Requirements: This is New (2010)
  • Individual Notices
  • Media Notices
  • Notice to the Secretary
  • Notification of a Business Associate

5
Individual Notice
  • Covered entities (that's HOB)
  • Must notify affected individuals once we
    discover a breach of unsecured protected health
    information.
  • Must provide this individual notice in writing
    by first-class mail, or alternatively, by e-mail
    if the affected individual has agreed to receive
    notice that way.
  • If HOB has insufficient or out-of-date contact
    information for 10 or more individuals, we must
    provide substitute individual notice:
  • Post the notice on the home page of its web site,
  • Or provide the notice in major print or broadcast
    media where the affected individuals likely
    reside.
  • Must include a toll-free number for individuals
    to contact HOB to determine if their protected
    health information was involved in the breach.
  • If fewer than 10 individuals, HOB may provide
    substitute notice by an alternative form of
    written, telephone, or other means.

6
Individual Notice
  • The individual notifications must be provided
    without unreasonable delay
  • No later than 60 days following the discovery of
    a breach
  • Must include, to the extent possible,
  • a description of the breach,
  • a description of the types of information that
    were involved in the breach,
  • the steps affected individuals should take to
    protect themselves from potential harm,
  • a brief description of what the HOB is doing to
    investigate the breach, mitigate the harm, and
    prevent further breaches,
  • contact information for the HOB 

7
Media Notice
  • IF HOB has a breach affecting more than 500
    residents of a State, jurisdiction, or area...
  • Besides notifying the affected individuals, HOB
    is required to:
  • Provide notice to prominent media outlets serving
    the State or jurisdiction.
  • HOB would likely provide this notification in
    the form of a press release to appropriate media
    outlets serving the affected area
  • Like individual notice, this media notification
    must be provided without unreasonable delay
  • In no case later than 60 days following the
    discovery of a breach
  • Must include the same information required for
    the individual notice
  • Notify the Secretary

8
Notice to the Secretary (HHS)
  • In addition to notifying affected individuals and
    the media (where appropriate), HOB must notify
    the Secretary of breaches of unsecured protected
    health information. 
  • HOB notifies the Secretary by visiting the HHS
    web site and filling out and electronically
    submitting a breach report form. 
  • If a breach affects 500 or more individuals,
    covered entities must notify the Secretary
    without unreasonable delay and in no case later
    than 60 days following a breach.
  • If, however, a breach affects fewer than 500
    individuals, the covered entity may notify the
    Secretary of such breaches on an annual basis. 
    Reports of breaches affecting fewer than 500
    individuals are due to the Secretary no later
    than 60 days after the end of the calendar year
    in which the breaches occurred.

9
Notification by a Business Associate
  • If a breach of unsecured protected health
    information occurs at or by a business associate,
    the business associate must notify HOB following
    the discovery of the breach.
  • A business associate must provide notice to HOB
    without unreasonable delay and no later than 60
    days from the discovery of the breach.
  • To the extent possible, the business associate
    should provide HOB with the identification of
    each individual affected by the breach as well as
    any information required to be provided by HOB in
    its notification to affected individuals.  

10
  • No Big Deal
  • Right?
  • Wrong!!!!!

11
Kentucky Hospital
  • The Bowling Green Medical Center had a hard drive
    stolen that contained information on 5,418
    patients.
  • Information contained on the hard drive:
  • Patient's name
  • Birthdate
  • Address
  • MR (medical record number)
  • SS (Social Security number)
  • Weight
  • Height
  • Menopause age

12
Massachusetts General Hospital
  • The impermissible disclosure of PHI involved the
    loss of documents consisting of a patient
    schedule containing names and medical record
    numbers for a group of 192 patients, and billing
    encounter forms containing the name, date of
    birth, medical record number, health insurer and
    policy number, diagnosis and name of providers
    for 66 of those patients. These documents were
    lost on March 9, 2009, when a Mass General
    employee, while commuting to work, left the
    documents on the subway train that were never
    recovered.

  • The General Hospital Corporation and
    Massachusetts General Physicians Organization
    Inc. (Mass General) has agreed to pay the U.S.
    government $1,000,000 to settle potential
    violations.

13
Federal Penalties for not Complying
  • For the misuse of personally identifiable health
    information
  • Fines up to $50,000 and/or imprisonment for a
    term up to 1 year
  • For the misuse under false pretenses
  • Fines up to $100,000 and/or imprisonment for a
    term up to 5 years
  • For the misuse with the intent to sell, transfer,
    or use identifiable health information for
    commercial advantage, personal gain or malicious
    harm
  • Fines up to $250,000 and/or imprisonment for a
    term up to 10 years

14
First Person Goes to Jail for HIPAA Violation
  • Researcher from UCLA School of Medicine sentenced
    to 4 months in federal prison.
  • Accessed confidential medical records without a
    valid reason.

15
2010 Breach Notifications
So how did HOB do in 2010?
  • 137 breaches occurred for Hospice of the
    Bluegrass
  • 19 of those breaches required the patient as well
    as the Secretary of the Dept. of Health and
    Human Services to be notified.

16
Patient Variances
137 breaches: the breakdown
  • 110 variances were email related
  • 3 variances involved other patient names
    included within a mailing
  • 6 variances involved medications sent to wrong
    patient
  • 12 variances involved a lost pager
  • 2 variances involved staff members allowing
    non-staff members to ride along on patient visits
  • 1 variance involved a page sent to an entire
    site location rather than to the supervisor

17
How to Protect Patient Privacy
18
What is Information Security?
  • All the protections put into place to ensure
    ePHI is:
  • Kept confidential
  • Not improperly altered or destroyed
  • Readily available to those who are authorized

19
Protect Patients' Privacy
  • Do not discuss patients in public areas such as
    elevators and cafeteria lines
  • Do not leave information about a patient's health
    on an answering machine

20
Protect Patients' Privacy
  • Always close curtains and speak softly when
    discussing treatments in semi-private rooms
  • Always log off the computer when you're finished
  • Always dispose of patient information only in
    locked containers

21
Protecting Patient Information
  • Keep your computer login and passwords secret.

22
Rules for Using Computers
Protecting Patient Information
  • Do not log into the system using someone else's
    password
  • Only access patient information that you need to
    do your job.
  • Keep computer screens pointed away from the
    public
  • Do not copy PHI onto a removable device such as a
    thumb drive, disc, etc.

23
E-mail
  • Hospice of the Bluegrass DOES NOT have the
    encryption software needed to e-mail PHI outside
    of the HOB network.
  • If the e-mail address does not end with
    hospicebg.org, you CANNOT include PHI.

24
Physical Security
  • Practice Common Sense Security
  • Keep Laptops and other portable devices locked
    when not in use
  • Keep cell phones and pagers on your person at all
    times.
  • Make sure doors and desks are locked as
    appropriate

25
Physical Security
  • The most frequent risk when using PDAs and
    laptops is theft.
  • When transporting laptops (or any patient
    information), store them in the floorboard area
    or in the trunk.
  • Keep your car locked at all times.

26
Sanctions
  • Hospice of the Bluegrass takes seriously the
    responsibility of privacy/security of all PHI in
    its care.
  • Failure to adequately ensure the privacy/security
    of PHI can result in disciplinary action against
    you, up to and including:
  • Dismissal
  • Termination of business contract
  • Reporting the violation to licensing agencies and
    law enforcement officials.

27
Scenarios
  • You're at the grocery store...
  • You're at church...
  • You're at the gas station...
  • Your cell phone rings at home...