annual hipaa education

HIPAA & HITECH

HIPAA

• Has been a federal privacy regulation since 2003. Covers privacy and security of health information.

• Reviewed in annual education

• Taught in new employee orientation

• The facility Security Officer is Michael Boudreaux

• The facility Privacy Officer is Alane Bryan

HITECH• Does not replace HIPAA—it gives it TEETH!• Requires a breach notification policy• Encourages EHR adoption• Provides strict data protection regulations for

more secure patient privacy

New Fines as of March 26, 2013Violation Type Each Violation Repeat Violations/Yr.

Did not know $100 - $50,000 $1.5 million

Reasonable Cause $1,000 - $50,000 $1.5 million

Willful Neglect – Corrected $10,000 - $50,000 $1.5 million

Willful Neglect – Not Corrected $50,000 $1.5 million

•Healthcare organizations or providers may be held liable for violations. •Individual employees may be prosecuted or may be sued for civil penalties.

Breach Notifications Must notify individuals and HHS and, in some cases the media, of any

substantiated breaches within 60 days.

Breaches affecting 500 or more patients will be posted to the HHS.gov website.

Four factors are used to determine if there is low to high probability of PHI compromise:1. The nature and extent of the PHI involved in the incident

• Is the PHI sensitive information i.e. Security numbers, or infectious disease test results

2. The unauthorized recipient of the PHI • Is another physician receiving the PHI?

3. Whether the PHI was actually acquired or viewed4. The extent to which the risk to the PHI has been mitigated

• Was it immediately destroyed?

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

http://www.google.com/url?sa=i&rct=j&q=confidential+clipart+free&source=images&cd=&cad=rja&docid=JWx1AfcPuPUelM&tbnid=-QIqv8cwR6dSKM:&ved=0CAUQjRw&url=http://www.pamsclipart.com/clipart_images/file_folder_icon_with_confidential_written_across_it_0515-1007-3002-0654.html&ei=BVJbUYSKGIL72QWr8YCwDg&bvm=bv.44697112,d.b2I&psig=AFQjCNG0scp6rpKH-4td5feXDQ5JfOgy4A&ust=1365025665344164

Documented Breaches

• Mass General• California Breaches• BCBS of TN Breach• Individual Prosecution• Personal Gain

http://www.hhs.gov/news/press/2011pres/02/20110224b.html

http://hitech.uia.net/?p=37

http://www.fiercehealthpayer.com/story/blue-cross-fined-15m-hipaa-violation-adding-breachs-17m-cost/2012-03-14

http://journal.ahima.org/2010/04/29/californian-sentenced-to-prison-for-hipaa-violation/

http://www.ama-assn.org/amednews/2008/07/14/gvsb0714.htm

http://www.illustrationsof.com/royalty-free-rf-prisoner-clipart-illustration-by-yayayoyo-stock-sample-1066859.jpg

Top Privacy Violations• Stolen laptops/computers• Lost CDs• ID theft/Social Security Numbers• Medicare Fraud• Access to EMR with no job-related need

http://www.google.com/url?sa=i&rct=j&q=confidential+clipart+free&source=images&cd=&docid=qMJUqGfZz0JV8M&tbnid=ZyyhpE_jIbCp2M:&ved=0CAUQjRw&url=http://www.clipartof.com/gallery/clipart/confidential.html&ei=a1VbUcbKJ-qY2AWCrIHwCA&bvm=bv.44697112,d.b2I&psig=AFQjCNG0scp6rpKH-4td5feXDQ5JfOgy4A&ust=1365025665344164

Privacy Breach Examples• Using Social Networking to talk about patients• Discussing PHI with employees or family who

do not have a job-related need• Looking at EMR out of concern or curiosity• Telling others that a patient was “in” for

treatment• Discussing progress or prognosis in front of

family without permission

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&docid=nCvg2WgjqgC_0M&tbnid=3kUHmc2gtKOh3M:&ved=0CAUQjRw&url=http://www.masterfile.com/stock-photography/image/400-05304048/Classified-stamp-isolated-over-white&ei=KVZbUfujCYn02gWKy4DgAg&bvm=bv.44697112,d.b2I&psig=AFQjCNFAf8PlDkzU1kJN5EQFayH5JkoFtw&ust=1365023311065830

More Privacy Breach Examples• Using chart to get information to use against

patient in lawsuit or divorce• Looking in minor child’s EMR• Taking a peek for “educational purposes”• Starting conversations with “Don’t tell anyone

I told you this, but…”• Sharing computer access/passwords

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&docid=WYfyIrxhnWuLrM&tbnid=nAuRoElAbLgpUM:&ved=0CAUQjRw&url=http://www.fotosearch.com/clip-art/secret.html&ei=fFZbUfznCqTx2QWk-YHQAQ&bvm=bv.44697112,d.b2I&psig=AFQjCNGhDIy7natOB4u_2lZqVh0yyfLOCA&ust=1365026801268837

Permitted HIPAA Exceptions• Treatment, Payment, Operations• Some law enforcement exceptions• Public health reporting• When in doubt, get a Signed Release• Disclose “minimal necessary” amount of PHI

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&cad=rja&docid=JFLjUEkyTqLBkM&tbnid=IbjFOycT2s8YXM:&ved=0CAUQjRw&url=http://www.clker.com/clipart-top-secret-folder-and-magnifying-glass.html&ei=plZbUdygEuri2gWgvoHYAQ&bvm=bv.44697112,d.b2I&psig=AFQjCNGhDIy7natOB4u_2lZqVh0yyfLOCA&ust=1365026801268837

HIPAA, HITECH, & YOU• Patients/family members requesting patient

information AFTER DISCHARGE should be referred to the HIM Department

• If a patient requests information during an admission, make sure the report is FINAL before giving the information to the patient or to their designee (document the designee). We do not release information unless it is in a FINAL status.

• Discuss patient information as quietly as possible

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&cad=rja&docid=OYVeB6TWGgXYUM&tbnid=LsdwM1U6ltqcFM:&ved=0CAUQjRw&url=http://www.fotosearch.com/illustration/top-marks.html&ei=mVhbUaqBDoOE2gWJr4GICg&bvm=bv.44697112,d.b2I&psig=AFQjCNGhDIy7natOB4u_2lZqVh0yyfLOCA&ust=1365026801268837

HIPAA, HITECH, & YOU• Try not to say the patient’s name repeatedly• Make sure paper containing PHI makes it to a shred bin• Shred bins should be dumped in large bins each day• Use fax cover sheets with the confidentiality clause • Do not leave messages with too much information• Wear your employee ID badge at all times• Do not take pictures in patient care areas. Patients , their

names, or their family members may be visible without you realizing it. It is not worth the risk!!

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&docid=7vMzw69dnaruxM&tbnid=ehB0aVeh0USJnM:&ved=0CAUQjRw&url=http://www.clipartof.com/portfolio/toonaday/illustration/cartoon-black-and-white-outline-design-of-a-secret-agent-1047842.html&ei=OVlbUdiJGOis2QX6zoAQ&bvm=bv.44697112,d.b2I&psig=AFQjCNGhDIy7natOB4u_2lZqVh0yyfLOCA&ust=1365026801268837

HIPAA, HITECH, & YOU• Use workstations for intended purposes– No gaming, no unauthorized downloading of files,

personal emails are subject to access by P&S Surgical Hospital

• Log-off or lock your computer when you are not using it

• Make sure others cannot view your computer screen

http://www.google.com/url?sa=i&rct=j&q=free+clip+art+for+top+secret&source=images&cd=&cad=rja&docid=bxGjdeSwy5DiRM&tbnid=AuPcesLTjPKRuM:&ved=0CAUQjRw&url=http://www.fotosearch.com/clip-art/tops.html&ei=ollbUeHcC4fX2QXa1oHYCQ&bvm=bv.44697112,d.b2I&psig=AFQjCNGhDIy7natOB4u_2lZqVh0yyfLOCA&ust=1365026801268837

HIPAA, HITECH, & YOU• Keep passwords secure• Use your own individual password• Avoid sharing passwords• Trigger encryption for emails containing PHI

being sent outside the organization• If photos must be taken of a patient, use a

P&S camera or device; NEVER use your personal camera or smart phone

HIPAA, HITECH, & YOU

• Never share proprietary or confidential information in blogs or on social media sites

• Report potential breaches, inappropriate disclosures, or otherwise suspect behavior to your direct supervisor, the Privacy Officer, the Security Officer, or the Corporate Compliance Officer

annual hipaa education

Education