hippa final ju nursing informatics

HIPAA and Information Technology. BULNES, STEPHANIE; CANNADY, DEVIN; CANTY, KRISTI; CLARKSON, HEATHER

Upload: kmcanty

Post on 07-May-2015


Category:

Education



DESCRIPTION

HIPAA Presentation for JU BSN program

TRANSCRIPT

1. HIPAA and Information Technology. BULNES, STEPHANIE; CANNADY, DEVIN; CANTY, KRISTI; CLARKSON, HEATHER

2. What is the Health Insurance Portability and Accountability Act (HIPAA)?
It is a federal law created in 1996, enforced by the Office of Civil Rights, which protects the privacy of individually identifiable health information.

3. HIPAA Rules: The Privacy Rule
- Provides standards to protect patients' medical records and other personal health information.
- Sets limits on uses and disclosures.
- Gives patients rights over their health information.

4. HIPAA Rules: The Security Rule
- Creates standards to protect patients' electronic personal health information that is created, received, used, or maintained by a health plan, healthcare clearinghouse or health care provider.
- Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. (Health Information Privacy 2007)

5. HIPAA Rules: The Breach Notification Rule
Requires HIPAA covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates to provide notification following a breach of unsecured protected health information.

6. 2011 HIPAA Violations
Resource: onlinetech.com

7. Information System
Protection of information against threats to its integrity, inadvertent disclosure or availability. Information systems can improve protection for client information in some ways and endanger it in others. The electronic medical record cannot easily be viewed by anyone who doesn't have an access code. (Hebda, Czar 2013, p. 235)

8. Consent
The process by which an individual authorizes healthcare personnel to process his or her information based on an informed understanding of how this information will be used. When obtaining consent, the patient should be made aware of any risks to privacy. HIPAA has a consent form for the release of health-related information that is intended to protect a patient's privacy. The consent form is based on rules and restrictions on who may see or be notified of a patient's protected health information.

9. What would you do?
- You are the nurse for an elderly, confused patient. The patient is becoming increasingly confused and keeps asking for her son Larry. You access her medical records and find that Larry is not the patient's health care proxy but is listed as one of the patient's contacts.
- You are the nurse for an intubated, comatose patient. A woman comes to visit the patient stating she is the patient's sister. You access the patient's records; there is no information about the patient having a sister.
- A family member calls and states he is the patient's Health Care Proxy and would like information on the patient. You have never met him, but his name matches the one on the patient's record.

10. System Security
HIPAA protects the security and privacy of all personal health information (PHI), which refers to medical records and other health information used or stored in any form. This includes communication that is written, verbal, electronic or non-electronic.

11. System Security Compliance
This includes computer screens, white boards, phone conversations, waste baskets, patient charts, smart phones, conversations in elevators and many more. Compliance with HIPAA is about people, policies and procedures that make good sense. Remember that it is always about what is best for the patient.

12. The Minimum Necessary Rule
In accordance with the federal HIPAA law, information may be shared with other health care providers for the purpose of TPO: Treatment, Payment, Healthcare operations. Patient information should only be accessed, used, or disclosed in the amount that is the MINIMUM NECESSARY in order for an individual to perform his/her duties. For example: the lab does not need to know the admitting diagnosis to run a hepatitis screen on a patient's blood.

13. Breaches in Security
According to American Medical News, 94% of facilities suffered a breach in security in the last 2 years, leaving thousands of Americans at risk of medical identity theft. An entity regulated by HIPAA must have reasonable administrative, technical and physical safeguards to protect against intentional or unintentional disclosure of protected health information. This may include shredding documents when they are disposed of and keeping electronic documents under password-protected or key-code security. Entities must have policies and procedures in place to keep employees from inadvertently sharing private information, such as closing computer screens before leaving the area and turning computer screens away from an area where they may be viewed by a family member.

14. Small Scale Snooping
According to a survey by Veriphyr, the majority of HIPAA violations and security breaches are due to insiders who are snooping into the medical records of their coworkers or relatives, or even looking at their own medical record. In this instance the facility must have policies and procedures in place to ensure all employees understand the electronic access needed to perform their job, and sanctions in place if inappropriate access is discovered.

15. Penalties for Violations of HIPAA
The American Recovery and Reinvestment Act of 2009 established civil penalties for the violation of HIPAA federal law. The penalties for violation of HIPAA laws have a tiered structure which is based on the nature and extent of the violation. The Secretary of the Department of Health and Human Resources has the discretion to determine the amount of the penalty based on the nature of the violation and the resulting harm. The Secretary is prohibited from imposing a civil penalty if the violation is corrected within 30 days, except in cases of willful neglect.

16. Civil Penalties

17. Case Study
An Arkansas LPN may face 10 years in prison and/or a $250,000 fine. Smith pleaded guilty to wrongfully disclosing individually identifiable health information for personal gain and malicious harm. According to the Associated Press, the nurse obtained private medical information on a patient while working at a clinic in Arkansas. She then shared the information with her husband, who contacted the patient and threatened to use the information against him in a court proceeding the two were involved in. The patient contacted the state attorney's office and charges were filed against the nurse and her husband.

18. Case Study
An HIV-positive patient relocating to another city asks his existing physician to fax his medical records to his new doctor. The busy office manager mistakenly faxed the records to the patient's new employer. The fax did not have a cover sheet that indicated that the content was confidential. The patient was very upset that his new employer had private information about his health. He contacted the US Department of Health and Human Services, who referred the case to the Office of Civil Rights (OCS). The physician's office was investigated and the staff underwent voluntary HIPAA privacy training.

19. Policies and Procedures: Administration and Personnel

20. Policy and Procedure: Administrative
Responsible for creating and managing an infrastructure which protects client privacy and confidentiality. This involves:
- Developing a plan
- Policies
- Designated structure for implementation
- User access levels
- Adequate budget

21. Administration: Centralized Security Function
- Comprehensive security plan
- Accurate and complete information
- Information asset ownership and sensitivity classifications
- Identification of a comprehensive security program
- Information security training and user support
- Awareness program

22. Administration: Centralized Security Function
Infrastructure consists of:
- Comprehensive Security Plan: defines security responsibilities for each level of personnel as well as a timeline for the development and implementation of policies, procedures and physical infrastructure.
- Accurate and Complete Information: publishing should be online for easy access, with email notification of employees as new policies arise.

23. Administration: Centralized Security Function
- Information asset ownership and sensitivity classifications. Ownership: who is responsible for the information, including security. Sensitivity classification: determination of how damaging an item of information might be if it were disclosed inappropriately; this determines what information should be encrypted.
- Identification of a comprehensive security program: a security plan can avert and minimize threats by the identification of responsibility for information integrity, privacy and confidentiality.

24. Administration: Centralized Security Function
- Information security training and user support: an important component in fostering a proper system is incorporating education and proper training.
- Awareness program: remind users of the need to protect information.

25. Level of Access
Strictly granted on a need-to-know basis.
- Access limitation: depending on personnel level or user classification, only certain areas of the system are accessible. Example: a nursing assistant would only have access to the documentation of hygiene, dietary intake, vital signs, and input and output, but no other area of the patient's records.
- User authentication: authentication of the user through passwords, smartcards, fingerprint, voice recognition, or even a third-party authentication system such as Kerberos or Sesame can be used.

26. Personnel Issues
Policies and procedures must be established and communicated to all personnel who handle information. Key elements include information ethics training, covering:
- Audit trails: records of IS (personnel) activity.
- Acceptable computer use: includes authorized access and only authorized and legal copies of software.
- Collect only required data: limiting the collection of information to what is needed.
- Encourage client review of file for accuracy and error correction: ensuring accuracy.
- Establish controls for the use of information after hours and off-site: a policy limiting access to patient information after hours.

27. Personnel Issues
Key elements include:
- Access control
- System monitoring
- Data entry
- Backup procedures
- Responsibilities for the use of information on mobile devices
- Exchange of client information

28. HIPAA Education & Training for Employees and Patients

29. HIPAA Education for Employees
Institutions should:
- Administer a HIPAA policy handbook for new hires with privacy and confidentiality measures.
- Have all staff read and sign a confidentiality statement, which is to be stored in the employee's file.
- Implement required online training modules for all staff to complete.
- Require annual mandatory re-training modules.
- Offer advanced HIPAA training appropriate to each individual's responsibilities at their institution.

30. HIPAA Education for Patients
It is required by law that all patients receive a Notice of Privacy Practices from a doctor, hospital, or any other health care provider that they see in person. This form tells patients how the health care provider may use and share their health information and how the patient can exercise their health privacy rights. It is also required by law for each patient to sign a form stating they received a copy of the Notice of Privacy Practices. The notice must describe:
- the ways that the Privacy Rule allows the covered entity to use and disclose protected health information. It must also explain that the entity will get the patient's permission, or authorization, before using their health records for any other reason.
- the covered entity's duties to protect health information privacy.
- privacy rights, including the right to complain to Health and Human Services (HHS) and to the covered entity if you believe your privacy rights have been violated.

31. HIPAA Education Starts in the Classroom
HIPAA education and training should be implemented in the curriculum of all studies affiliated with the medical field. Early education allows for full understanding of privacy and confidentiality policies prior to entering the clinical field. This allows staff at clinical sites to act as role models for students and aid in educating about HIPAA rules and regulations.

32. Proper Disposal of PHI (Protected Health Information): Mandated Through HIPAA

33. PHI Defined
PHI stands for Protected Health Information and is used within HIPAA to describe the type of information that must never be seen by unauthorized individuals. PHI can come in many forms, whether paper or electronic, and can involve patient demographic information, diagnostic study results, treatment records, billing information, and any other form of information pertaining to the patient's stay at any type of medical institution.

34. Required Proper PHI Disposal
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. Improper disposal of PHI can result in a mandatory fine of up to $1,500,000 as well as an investigation enforced by the State Attorney General and Health and Human Services (HHS). Under the HIPAA Privacy Rule, institutions are not authorized to dispose of PHI in any containers that could be potentially accessible to the public.

35. Paper PHI Disposal
Paper forms of PHI are to be disposed of through shredding, burning, pulping, or pulverizing. Once disposed of, the PHI must be rendered unreadable without the possibility of being reconstructed. Many institutions use secure document disposal receptacles throughout the facility designated strictly for PHI paper records. A vendor then removes the paper PHI from the receptacle to be properly shredded and disposed of.

36. Electronic and Pharmaceutical PHI Disposal
Electronic disposal: PHI is automatically stored on the hard drives of computers; therefore, in order to properly dispose of the record:
- The system could be cleared through software that will overwrite the recorded data.
- Purging the system by disrupting the recorded magnetic domains.
- Complete destruction of the system to destroy any material that may be stored.
Labeled medication disposal: pharmaceuticals are always labeled with patient demographic information and must be properly disposed of. Most institutions use opaque bags to store disposed labeled medication. Vendors will then take the bags from the facility and properly dispose of the labeled medications without breaching privacy regulations.

37. Ensure Proper Disposal
Proper HIPAA education of all staff is very important to ensure privacy and confidentiality regulations are being followed. In order to be sure all staff are up to date on HIPAA regulations, it is important to re-educate annually. Patients should be educated on their rights as well and should always receive a Notice of Privacy Practices upon admission. Educating all staff (including students) will ensure proper handling and disposal of all PHI.

38. Video

39. References
- PHI Disposal. (2011). Welcome to Proper PHI Disposal. Retrieved from http://www.properphidisposal.net/
- University of California. (2008). Privacy Training. HIPAA checklist for new hires: UCSF staff employee/postdocs. Retrieved from http://hipaa.ucsf.edu/education/staff/default.html
- U.S. Department of Health and Human Services. (2009). Frequently Asked Questions About the Disposal of Protected Health Information. The HIPAA Privacy and Security Rule. Retrieved from www.hhs.gov/ocr/.../disposalfaqs.pdf
- Wimberley, P., Isaacson, J., & Walden, D. (2005). HIPAA and Nursing Education: How to Teach in a Paranoid Health Care Environment. Journal of Nursing Education, 44(11), 489-492.
- Czar, P., & Hebda, T. (2013). Handbook of informatics for nurses and healthcare professionals. Upper Saddle River, New Jersey.
- US Department of Health and Human Services.

40. References
- US Department of Health and Human Services. (2010, July). http://www.hrsa.gov
- American Medical Association. (2014). HIPAA Violations and Enforcement. Retrieved February 02, 2014, from http://www.amaassn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billinginsurance/hipaahealth-insurance-portability-accountability-act/hipaa-violationsenforcement.page
- Associated Press. (2008, April 17). Nurse admits to privacy violation in HIPAA case. Healthcare Business News, Research and Events from Modern Healthcare. Retrieved February 1, 2014, from http://www.modernhealthcare.com/article/20080417/NEWS/621626204
- Gungor, F. (2013, June 09). Resources. 10 Examples of HIPAA Violations. Retrieved January 31, 2014, from http://www.onesourcedoc.com/blog/bid/95168/10-Examples-of-HIPAAViolations
- Dept of Health and Human Resources. (2003). Office of Civil Rights Privacy brief [Brochure]. Author. Retrieved February 02, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
- Latner, A. (2013, June). Fax Sent to Wrong Number Results in HIPAA Violation. Renal and Urology News. Retrieved February 2, 2014, from http://www.renalandurologynews.com/faxsent-to-wrong-number-results-in-hipaa-violation/article/305022/
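The access-limitation example on slide 25 (a nursing assistant sees only hygiene, dietary intake, vital signs and intake/output), the audit trails of slide 26 and the insider snooping of slide 14 describe one defensive control, shown here as an added worked example that is not part of the presentation: a minimum-necessary filter over a patient record, and a review of constructed audit-trail lines that flags self-access, access to a patient the user is not assigned to, and reads outside the user's role. The role names, record sections, log format and sample lines are assumptions.

```python
"""Minimum-necessary filtering and audit-trail review for an EHR.
Added example, not code from the presentation. The role names, record
sections, log format and audit lines below are constructed for illustration.
"""

# Sections of the patient record each role may read. The nursing-assistant
# entry follows slide 25; the nurse and lab_tech roles are assumed.
ROLE_ACCESS = {
    "nursing_assistant": {"hygiene", "dietary_intake", "vital_signs", "intake_output"},
    "nurse": {"hygiene", "dietary_intake", "vital_signs", "intake_output",
              "medications", "diagnosis", "care_plan"},
    "lab_tech": {"lab_orders", "lab_results"},  # no admitting diagnosis (slide 12)
}

def minimum_necessary(role, record):
    """Return only the sections of a patient record the role may see."""
    allowed = ROLE_ACCESS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}

def parse_audit_line(line):
    """Parse one constructed 'timestamp key=value ...' audit-trail line."""
    timestamp, _, rest = line.partition(" ")
    entry = dict(field.split("=", 1) for field in rest.split())
    entry["time"] = timestamp
    return entry

def review_audit_trail(lines, assignments, staff_patient_ids):
    """Flag entries that look like snooping (slide 14) or role over-reach.
    assignments: {user: set of patient ids the user is assigned to treat};
    staff_patient_ids: {user: patient id} for employees who are also patients.
    Returns a list of (user, patient id, reason) findings."""
    findings = []
    for line in lines:
        e = parse_audit_line(line)
        user, pid, section = e["user"], e["patient"], e["section"]
        if staff_patient_ids.get(user) == pid:
            findings.append((user, pid, "self-access"))
        elif pid not in assignments.get(user, set()):
            findings.append((user, pid, "no care relationship"))
        if section not in ROLE_ACCESS.get(e["role"], set()):
            findings.append((user, pid, f"section {section} outside role {e['role']}"))
    return findings

# Constructed audit trail: one routine read, one snoop on an unassigned
# patient, one self-lookup, and one read outside the user's role.
SAMPLE_LOG = [
    "2015-05-07T08:01:00 user=na01 role=nursing_assistant patient=P100 section=vital_signs",
    "2015-05-07T08:05:00 user=na01 role=nursing_assistant patient=P200 section=vital_signs",
    "2015-05-07T08:09:00 user=rn02 role=nurse patient=P300 section=diagnosis",
    "2015-05-07T08:12:00 user=na01 role=nursing_assistant patient=P100 section=diagnosis",
]
ASSIGNMENTS = {"na01": {"P100"}, "rn02": {"P100", "P200"}}
STAFF_PATIENTS = {"rn02": "P300"}  # rn02 is also a patient whose record is P300
```

Running `review_audit_trail(SAMPLE_LOG, ASSIGNMENTS, STAFF_PATIENTS)` yields three findings, one for each of the unassigned-patient read, the self-lookup and the out-of-role section; the first, routine line produces none.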