HIPAA ADVISOR
Health Care Services Division
Volume 1 Issue 3, February 2015
Because We Care, We’re HIPAA Aware

In this issue: HIPAA Access Monitoring Hits a New Level of Sophistication; Photographing Patients: When Is It OK?; Texting & Emailing: Do’s and Don’ts of Sending PHI; The Proper Disposal of PHI: Why and How!; Notifying I.T. Whenever Your Employee Transfers to a New Role or Job; In the Policy Spotlight.

Also inside this issue: Authorization Needed for an Interpreter? (page 2); Equipment with PHI (page 3); Policy Spotlight (page 4); HIPAA in the News (page 4).


Page 2

FAQ FROM OCR

The Office for Civil Rights, the organization responsible for educating providers about HIPAA, has a website with Frequently Asked Questions (FAQs). Here is one such question from their website.

Question: Does the hospital have to obtain an individual’s authorization to use or disclose protected health information to an interpreter?

Answer: No. As long as the interpreter falls in the category of the hospital employee or business associate (such as Language Line), a written authorization is not required. In addition, the hospital may, without the individual’s (written) authorization, use or disclose PHI to the patient’s family member, close friend, or any other person identified by the individual as his or her interpreter for a particular healthcare encounter.

PRIVACY OFFICER NOTE: Always be cautious when a family member or friend is serving as the interpreter for the patient, as the patient may not realize that you will be sharing particularly sensitive information. If you are going to be sharing information or asking questions about subjects such as illicit drug use, sexually transmitted diseases, or other potentially sensitive areas, make sure the patient understands before sharing such information.


ACCESS MONITORING HITS NEW LEVEL OF SOPHISTICATION

HCSD has always monitored its workforce’s access to electronic systems that contain patient information. But beginning in February, the Compliance Department will be using a new program called FairWarning to monitor that access more efficiently. HIPAA regulations require health care providers to monitor their workforce’s access to patient information to make sure that such information is not being inappropriately accessed. But because there are thousands of access hits in a day, it can be nearly impossible to monitor access in a meaningful way. FairWarning sifts through those thousands of hits and allows the Compliance Department to look for specific patterns and situations. This makes it much more likely that inappropriate access will be found.

So here is Fair Warning to all. You should only be accessing patient information that you have a job-related reason to access!

Access to any patient information for a personal reason is strictly prohibited, and will likely be picked up by the FairWarning monitoring system.
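To make concrete the kind of pattern search the article describes, here is an added example that is not FairWarning’s code and not anything from HCSD or LSU. It runs a few illustrative rules over constructed EHR audit-log lines: a workforce member looking up their own record, a look-up of a co-worker’s record, access by a clinical user to a patient with no documented treatment relationship, and bulk browsing by a registration user within one hour. The log format, the user-to-patient assignment table, the list of employee MRNs, the role categories, the rules and the threshold are all assumptions made for the illustration; a real program would pull those facts from the HR, scheduling and EHR systems.

```python
"""Illustrative access-monitoring rules run over constructed EHR audit-log lines.
This is an added example; the rules are assumptions, not FairWarning's actual rule set."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp, user, role, patient MRN, action
SAMPLE_LOG = """\
2015-02-03T08:05:00,jdoe,nurse,MRN1001,view
2015-02-03T08:07:00,jdoe,nurse,MRN1002,view
2015-02-03T12:30:00,jdoe,nurse,MRN2001,view
2015-02-03T09:15:00,asmith,registration,MRN3001,view
2015-02-03T09:16:00,asmith,registration,MRN3002,view
2015-02-03T09:17:00,asmith,registration,MRN3003,view
2015-02-03T09:18:00,asmith,registration,MRN3004,view
2015-02-03T09:19:00,asmith,registration,MRN3005,view
2015-02-03T09:20:00,asmith,registration,MRN3006,view
2015-02-03T14:00:00,bjones,lab,MRN1001,view
2015-02-03T14:02:00,bjones,lab,MRN9001,view
2015-02-03T14:03:00,bjones,lab,MRN1002,print
"""

# Constructed context that a monitoring program would draw from other systems.
# Treatment relationships: the patients each user has a job-related reason to access.
ASSIGNED = {
    "jdoe": {"MRN1001", "MRN1002"},
    "bjones": {"MRN1001", "MRN1002"},
    "asmith": set(),  # registration staff are checked by volume, not by assignment
}
# MRNs of workforce members who are also patients here (constructed), mapped to their user id
EMPLOYEE_MRNS = {"MRN2001": "jdoe", "MRN9001": "cwhite"}
# Roles whose job involves looking up many patients; all other roles need an assignment
HIGH_VOLUME_ROLES = {"registration"}
BULK_THRESHOLD = 5  # distinct patients in one hour before a high-volume role is flagged (assumed)


def parse_log(text):
    """Parse the CSV-style audit lines into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, mrn, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "mrn": mrn, "action": action})
    return events


def find_suspicious_access(events):
    """Apply the illustrative rules; return (user, rule, detail) tuples for review."""
    findings = []
    by_user_hour = defaultdict(set)  # (user, hour) -> distinct MRNs touched in that hour
    for e in events:
        user, mrn = e["user"], e["mrn"]
        if EMPLOYEE_MRNS.get(mrn) == user:
            # Rule 1: a workforce member viewing his or her own record
            findings.append((user, "self_access", mrn))
        elif mrn in EMPLOYEE_MRNS:
            # Rule 2: viewing a co-worker's record
            findings.append((user, "coworker_access", mrn))
        elif e["role"] not in HIGH_VOLUME_ROLES and mrn not in ASSIGNED.get(user, set()):
            # Rule 3: clinical access with no documented treatment relationship
            findings.append((user, "no_treatment_relationship", mrn))
        if e["role"] in HIGH_VOLUME_ROLES:
            # Rule 4 bookkeeping: count distinct patients per user per clock hour
            by_user_hour[(user, e["ts"].replace(minute=0, second=0))].add(mrn)
    for (user, hour), mrns in by_user_hour.items():
        if len(mrns) > BULK_THRESHOLD:
            findings.append((user, "bulk_access",
                             f"{len(mrns)} patients in hour starting {hour:%H:%M}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this flags jdoe viewing her own record, bjones viewing a co-worker’s record, and asmith opening six patient records in one hour; the assigned-patient look-ups produce nothing. Each finding is a lead for the Compliance Department to review against the job reason, not a verdict by itself.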

PHOTOGRAPHING PATIENTS

LSU HCSD Policy prohibits staff from taking pictures of patients except in very specific circumstances. Those circumstances include:

• The photograph is taken for one of the approved reasons in LSU HCSD Policy 5520;
• The photograph is taken on a hospital-owned camera (not personal phones);
• The patient must give his/her written consent for the picture to be taken;
• Full face photographs should be avoided;
• Photographs may only be sent to others using secured I.T. methods, after contacting I.T. for assistance;
• The photograph should be downloaded to the medical record and then immediately deleted from the camera so that no patient pictures remain on the camera.

DISPOSING OF PHI

Protected Health Information could be at risk at times of disposal. PHI can be in many different places. Be aware before you dispose of any item that might contain PHI.

Use the following tips to ensure proper disposal:

• If ANY piece of paper has anything that is specific to a patient, that paper must be placed in the shred bin.
• If you keep a separate box to store paper until it is time to be brought to the shred bin, make sure that the box is secure and that it cannot be mistaken for trash. The best practice is to put paper in the shred bin as you no longer need it.
• If you have flash drives or other computer storage devices that are no longer needed, bring them to I.T. for disposal. Do not attempt to wipe the device clean yourself.
• Any equipment that may contain PHI must be checked out through I.T. before being discarded.

PRIVACY FACTS
Becky Reeves & Trish Rugeley, Compliance & HIPAA Privacy Officers

Page 3

NOTIFY I.T. WHENEVER YOUR EMPLOYEE TRANSFERS TO A NEW ROLE OR JOB

Did you know that your access to various electronic programs such as PeopleSoft, PELICAN, Pyxis, etc. is specific to your job and the functions you perform in that job? Because of this, it is VERY important that anytime an employee transfers to another job, even within Lallie Kemp, that the I.T. department be made aware PRIOR to the change.

I.T. is asking that all Department Managers send an email to I.T. whenever there will be a transfer of an employee PRIOR TO the change so that the proper access can be given when the job change occurs.

Even if you do not think that there needs to be any change in access, notify I.T. anyway.


TEXTING

Whenever you communicate about a patient, you must make sure that the communication is done securely. Texting is NOT a secure communication. In order for texting to be secure, the device that sends the text message must be encrypted, the device that receives the text message must be encrypted, and the route that the message takes through the internet must be encrypted. If one of those three components is not encrypted, then the communication is not secure. In addition, since the text message is stored on the mobile device, and could theoretically be used by someone other than the employee sending the text (e.g., your teenage child “borrowing” your phone for a minute), the PHI in the text is vulnerable. Texting has also been identified by the Joint Commission as an unsafe way to communicate about patients. So when it comes to communicating about patients, texting is not the way to go.

EQUIPMENT WITH PHI

PHI is everywhere! Not only is it on paper, in PELICAN, and in secure files, but it may also be on your copy machine, the portable x-ray machine, or surgery beds. Any place where we input patient data will possibly contain PHI. And just like we have to protect our EHR and paper PHI, we have to protect the PHI on equipment.

When a piece of equipment needs repair or is going to be removed from the premises, make sure that you contact the proper department. The equipment that contains PHI will have a sticker on it notifying you who to contact. If you believe you have a piece of equipment that may contain PHI, but it does not have a sticker, contact the I.T. Department for further assistance.

SENDING EMAILS

LSU HCSD prohibits the use of patient PHI in everyday work emails, except for either the patient’s medical record number OR the patient’s account number, along with the patient’s initials. Email transmissions within LSU are secure. However, if an email with PHI is sent outside the LSU email domain (lsuhsc.edu), it is no longer within a secure route, and the email is vulnerable. In addition, there is always the chance that the email might be sent to the wrong person(s) within the LSU email domain, which still constitutes a violation of HIPAA, as only those who need to see the PHI in order to do their job should have access to it.

Be on the lookout for PHI in email strings. Sometimes people forget about LSU HCSD’s policy, and mistakenly forward along PHI when responding to lengthy strings.

If you have a business need to send PHI in a secure way, contact your I.T. Department. I.T. has a variety of options to help you send PHI securely, including a new option called Liquid Files. More information about Liquid Files will be shared with you soon.

SECURITY FACTS
Susan Arceneaux, IT Director / HIPAA Security Officer

Page 4

If you have any HIPAA questions or concerns, contact your Compliance Department at LAK (985) 878-1639 or ABO (225) 354-7032.

EMPLOYEE FROM TEXAS HOSPITAL PLEADS GUILTY TO STEALING PATIENT INFORMATION

A registration specialist at a Dallas, Texas hospital used his position to obtain confidential patient information, including patients’ names, phone numbers, dates of birth, participation in the Medicare program, and their Medicare health insurance numbers. The employee then used that information to attempt to gain patients for his home health care business. The employee pleaded guilty to one count of fraud and related identity theft. He faces a maximum penalty of five years in federal prison and a $250,000 fine.

Lesson Learned: Unfortunately, there are people who will illegally use PHI. If you ever suspect such activity, contact your supervisor or compliance immediately. And of course, it goes without saying that it is not permissible to steal patient information!

SONY HACK UNLEASHED MALWARE

In late November 2014, when Sony Pictures employees logged into their computers, they were greeted with an image of a skeleton and a message “Hacked by #GOP”. The “Guardians of Peace” claimed responsibility for the hack, and began a series of leaks of data stolen from the compromised system. It started with the pirating of DVD copies of movies yet to be released to the public, then the personal information of Sony employees, followed by passwords and other security information of the computer system itself. The hackers also wiped clean Sony hard drives and network drives, causing massive disruption of Sony computer systems and even destroying much of the equipment. The FBI had issued warnings to some U.S. businesses, warning of such an attack. There has been much speculation about how the hackers were able to gain access to Sony’s systems.

The Guardians of Peace unleashed malware called “Destover”. One possible way in (though not confirmed) is a successful phishing e-mail to a Sony employee which, once the employee responded to it, unleashed the malware and allowed the hackers to control Sony’s computer system. North Korea has since been blamed for the attack by the U.S. government.

Lesson Learned: Beware of phishing scams. If you suspect an email, do not respond to it. Contact your I.T. Department for advice. In addition, Sony had a practice of allowing very weak passwords, and storing those passwords in their computer files. Follow the LSU policy of longer, more complex passwords. And do not store them in your computer or on paper close to your computer.


BLUE CROSS LOSES THOUSANDS OF PAPER RECORDS

Independence Blue Cross, which serves the Philadelphia area, has notified its beneficiaries that storage boxes containing their confidential files have gone missing. In October 2014, the boxes were slated to be moved from one floor of Blue Cross’ office building to another. Blue Cross originally thought that the boxes went to storage, but a month later it was determined that the boxes were missing and most likely thrown away by the maintenance crew who were assisting with the move.

Lesson Learned: All employees, even those who do not typically come into contact with PHI, need to be HIPAA aware and ensure that any document with PHI is properly stored or disposed of. Containers with PHI should be clearly marked, and care should be taken to ensure that such containers are not placed in areas where they can be mistaken for trash.

IN THE POLICY SPOTLIGHT

PHOTOGRAPHING, VIDEO RECORDING, AUDIO RECORDING, AND OTHER IMAGING OF PATIENTS, VISITORS, AND WORKFORCE MEMBERS (LSU HCSD Policy 5520)

This policy establishes guidelines for situations where patients and/or workforce members may or may not be photographed, video or audio recorded, or otherwise imaged within the facility. The policy outlines under what situations such imaging is acceptable (such as to document abuse or neglect, wound care, research documentation, etc.), and the processes that are required to ensure the safety of the images. In most instances, written consent from the patient is required PRIOR TO the photographing, etc. of the patient. To understand the full intent of the policy, please go to www.lsuhospitals.org/new_medicalservices_policies.aspx to read the policy.