HIPAA

3/12/2014

References

The HIPAA program reference handbook / Ross Leo, editor. p. cm. ISBN 0-8493-2211-1 Business Continuity and HIPAA: Business Continuity Management in the Health Care Environment by Jim Barnes ISBN:1931332258

3/12/2014

HIPAA

The Health Insurance Portability and Accountability Act of 1996 .

3/12/2014

HIPAA

3/12/2014

Background:

Congress was concerned about:

Electronic transmission of information Information crossing state lines with different laws Reports of violations of privacy in certain industries The volume of information available Loss of privacy during transmission of health information Efficiency and simplicity in health care system communications

Required the U.S. Department of Health and Human Services (DHHS) to adopt national standard formats for transmitting health information electronically
3/12/2014

Some incidents.before HIPAA

An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem. The late tennis star Arthur Ashes positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission. Tammy Wynettes (American Country Music Song Writer Singer, died 1998) medical records were sold to National Enquirer by a hospital employee for $2,610. www.patientprivacyrights.org
3/12/2014

HIPAA

Federal law Designed to protect the privacy of individually identifiable patient information Provide for the electronic and physical security of health and patient medical information Simplifies billing and other electronic transactions through the use of standard transactions and code sets (billing codes)..improving efficiency

3/12/2014

What are the goals of HIPAA?

Create a uniform floor for privacy protection Ensure security and privacy of individual health information Establishes security standards for health care information systems Role and responsibilities are defined to comply with HIPAA Increase patient rights and inform people of their rights Provide continuity and Portability of health benefits to individuals in between jobs Provide measures to combat fraud and abuse in health insurance and health care delivery (Accountability) Reduce administrative expenses in the healthcare system

Administrative costs have been estimated to account for nearly 20% of healthcare costs
3/12/2014

HIPAA applicable toCovered Entity (CE)

Health care providers who transmit information electronically

Physicians, hospitals, or any other provider who has direct or indirect patient contact Insurance companies or similar agencies that pay for health care

Health plans

Health care clearinghouses

Companies that facilitate the processing of health information for billing purposes
3/12/2014

Health information usage flow

Health information is used by multiple agents in the course of a single episode with a health problem. Below are some of the agencies and individuals who may handle health information Transport techs Admitting clerks Respiratory therapists Caregivers from the Billing clerks ED to the morgue Insurance Physical therapists agents/clerks Nutritionists School teachers/nurses Lab personnel Home health personnel Receptionists in MD Medical records clerks offices Website managers 3/12/2014

PHIProtected Health Information

Asset - Health information about a patient Individually identifiable information Physical or psychological status of an individual, whether past, present, or future, that is created, collected, or otherwise in the care of a functional entity such as a health plan, provider, school, university, or other entity, and relates in any way to provision of care or payment for that care, regardless of timeframe In any form: written, oral or electronic PHI should be shared only with agencies and individuals who have a need for the information Limits many uses and disclosures of health information to the minimum necessary amount needed for the task

3/12/2014

Examples of PHI

Name, photograph, date of birth Social Security Number, Passport no. Physical and mental condition

Past history of a condition Present condition Plans or predictions about the future of a condition Who provided care What type of care was given Where care was given When care was given Why care was given
3/12/2014

Health information from record

Examples of PHI

Individuals healthcare payments (Billing forms)

Who was paid What services were covered by the payment Where payment was made When payment was made How payment was made

Address, telephone number, FAX, e-mail Admission date/information, medical record number Finger prints, health status, diagnosis Clinical records
3/12/2014

When is Health Information considered identifiable?

If the information is accompanied by one or more identifiers that identify or could be used to identify an individual, such as: Name Address, phone number, fax number, e-mail address Birth date Admission or treatment dates Social Security number Medical record number or health plan beneficiary number
3/12/2014

When is Health Information considered identifiable?

or these individual demographic examples: License or certificate numbers Vehicle license number Medical device serial number Web (URL) address IP address Biometric identifier (finger print, iris scan, etc.) Full-face photographic images (new baby photos on bulletin boards)

3/12/2014

What are permitted Uses of PHI?

Treatment: patient care

Activities directly related to providing, coordinating, or managing the healthcare of patients

Payment

Administrative activities associated with billing and reimbursement

Health care operations

Most other activities in support of core functions

3/12/2014

Business Associate

Vendors, Contractors or other non-workforce members (any 3rd party entity) doing work for CE where work involves use/disclosure of Protected Health Information (PHI) A CE can be a business associate of another CE Required to subject them to the HIPAA privacy and security requirements through contract language

3/12/2014

Business Associate

This requirement applies to companies or persons who conduct, for example, the following activities or functions, such as:

Use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing; or Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to, or for the CE, when provision of the service involves the disclosure of individually identifiable health information As per HITECH - HIEs, Regional Health Information Organizations (RHIO) and eRx gateways that provide data transmission of PHI, that require routine access to PHI are BAs and must enter into BAAs with the CEs
3/12/2014

Who are BAs?

Insurance Brokers Third Party Administrators Wellness Companies Lawyers Consultants Accountants Vendors i.e. Copy Services, Software and Hardware Management, Billing and Staffing Companies Medical Directors Agents
3/12/2014

Privacy & Security in HIPAA

Very close, intertwined relationship between Mission of any IS program: preservation of C.I.A Privacy is the goal, and Security, in all its forms, being the tool to achieve it Security is that set of mechanisms, controls, and practices that is employed to ensure that Privacy (confidentiality) of health information is gained and maintained in accordance with the statutes

3/12/2014

HIPAA Rules

Privacy and security are addressed separately under two distinct rules under HIPAA Privacy Rule

sets the standards for how protected health information should be controlled defines who is authorized to access information and includes the right of individuals to keep information about themselves from being disclosed defines the standards that require covered entities to implement basic safeguards to protect electronic protected health information (ePHI) Security is the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss
3/12/2014

Security Rule

Roles & Responsibilities

Two specific individuals defined under Subsection 164.530, Administrative Requirements of the privacy rule Defined specific roles and responsibilities in HIPAA Roles Chief Security Officer Chief Privacy officer Each of these roles must act in accordance with the requirements of the regulation to assure policy definition, awareness education, implementation, monitoring, and enforcement to achieve and maintain compliance in relation to Protected Health Information (PHI)
3/12/2014

Chief Security Officer

In 164.308 of the Act, the regulation states that:

A (2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity

In charge of ensuring that the entitys security and information risk management programs are well designed, thorough, and effectively address the real operational risks and threats it faces

3/12/2014

Chief Privacy Officer

The Act itself reads as follows:

(a)(1) Standard: personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity

Preferred the person be from the legal dept., else a senior officer is designated as CPO
CPO should seek to have all members appropriately trained Provides input and draft review of the materials to ensure that all relevant points cover safeguarding PHI

3/12/2014

Chief Privacy Officer

CPO must ensure that training is developed and provided, that only the most current version of a given P is in active circulation CPO does not necessarily have to understand the technical safeguards functioning at a deep level, but if he does know, its better The CPO must understand completely what the particular technology or mechanism does to protect sensitive information

how effective it is at doing that, who is responsible for it, what monitoring and reporting functions it provides (if any), and what the outcome or backup plan is should the device fail to do its job correctly

3/12/2014

Training Requirements

Act realized that people cannot, as a practical matter, be held accountable for violations of a such complex regulation if

(a) they are not informed of the contents of the Act itself; (b) they are not trained in the three Ps, policies, processes, and procedures; (c) they are not provided the criteria and process of achieving and maintaining compliance; and (d) they are not given a clear grasp of the penalties for violations

Act includes training requirements for all persons that work for a given covered entity
3/12/2014

Training Requirements

It could be reasonably assumed that not all members of the entitys workforce are expected to come in contact with PHI Consideration must be given to the chance encounter with PHI

they must know precisely what to do and whom to see about it (b)(1) Standard: training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity
3/12/2014

The standard itself reads:

Training Requirements

the Act calls for three types of training to effectively implement the requirements of the standard:

(2)(i)(A) To each member of the covered entitys workforce by no later than the compliance date for the covered entity; (2)(i)(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entitys workforce; and (2)(i)(C) To each member of the covered entitys workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section

3/12/2014

Training Requirements - Types

Type 1: Practice

Organization wide general awareness training Ensures all workforce members are informed about the Act and its portent no later than the compliance date for that entity.
cover roughly the same material as the general awareness training Most significant difference: coverage given in this venue to the in-place policies, processes, and procedures used by the entity to implement and enforce the Act, and monitor personnel and institutional compliance HIPAA is amended, enhanced or even rewritten from time to time Intends to capture the significant points of such actions, and communicate them to the workforce members New versions would be presented during these sessions
3/12/2014

Type 2: New employee orientation

Type 3: Annual Refresher

Training Follow-Through

Process includes two basic aspects:

review of personnel performance and violation reports, and review of the training itself with respect to personnel findings and the regulation

The two things used in conjunction provide evidence that the training is indeed effective (or not), and how well it assists (or does not) in personnel avoiding violations Opportunities to discuss compliance with employees, clarify directions, answer specific questions, and correct inappropriate behavior
3/12/2014

Documentation Requirements

Requires substantial documentation of each activity described in the regulations Vital part of the overall assurance process Provides the necessary basis for monitoring and auditing as substantive proof for internal and external reporting For example, training should be documented, recording a minimum:

Identification of the workforce member (name, number, etc.) Date and location of the training Type of training given Name of trainer Signed and dated by employee Signed and dated by employees manager
3/12/2014

Documentation HIPAA Security Policy

HIPAA security rule includes the policies, procedures, and documentation requirements. This requirement includes two standards: 1. Policies and procedures standard

Required to comply with the standards and implementation specifications standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart

2. Documentation standard

maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form implementation specifications of the documentation standard are: Time limit (Required) ; Availability (Required) ; Updates (Required)
3/12/2014

Safeguards as per PHI

Standard reads:

(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (2) Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart

3/12/2014

Administrative Safeguards

Policies, Processes and Procedures Defines the basis Sets the boundaries for: how the program will be conducted what the responsibilities are and for whom What procedures are to be followed under given circumstances In terms of compliance, this is likely to be the most troublesome area as it is active at every moment, it is largely paper-based (meaning form and instructions-driven), and has the most human involvement Most current version of a given P should be in active circulation and use All documents are reviewed periodically to ensure no violations, and that routine spot checks are performed to double check adherence by the workforce
3/12/2014

Technical Safeguards

Electronic or mechanistic measures such as combination keypads on doors, closed circuit camera systems, password controls on system access, passwords or PIN numbers for sensitive files, etc.

3/12/2014

Physical Safeguards

Measures taken with respect to the premises, storage containers, rooms, and the like, wherein the PHI is kept Examples

security guards, lockable storage containers, access control lists (paper or electronic), identification badges, and other such items that control access to the PHI or the system that stores it

3/12/2014

Text of HIPAA, 45 CFR 164: Security Requirements

See in more detail laterthis is just a preview
3/12/2014

3/12/2014

3/12/2014

3/12/2014

INCORPORATING HIPAA INTO ENTERPRISE SECURITY PROGRAM

3/12/2014

Meeting HIPAA Security requirements

Gaps between current practices and the practices required for HIPAA security and privacy compliance related to personal health information present both risks and challenges to organizations These changes must be addressed and they must be implemented to meet the HIPAA security requirements

Compliance plans that need to be developed and implemented are: .

3/12/2014

HIPAA Compliant Checklist

1. Have you formally designated a person or position as your organizations privacy and security officer? 2. Do you have documented privacy and information security policies and procedures? 3. Have they been reviewed and updated, where appropriate, in the last six months?

4. Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
3/12/2014

HIPAA Compliant Checklist

5. Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers? 6. Have you done a formal information security risk assessment in the last 12 months? 7. Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?

3/12/2014

HIPAA Compliant Checklist

8. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices? 9. Do you require information, in all forms, to be disposed of using secure methods?

10. Do you have a documented breach response and notification plan, and a team to support the plan?
3/12/2014

Compliance Plans 1

Compiling an inventory of the individually identifiable electronic health information that the organization maintains, including secondary networks that are comprised of information kept on employees personal computers and databases and are not necessarily supported by the organizations IT department Conducting risk assessments to evaluate potential threats that could exploit the vulnerabilities to access protected health information within the organizations operating environment Developing tactical plans for addressing identified risks

3/12/2014

Compliance Plans 2

Reviewing existing information security policies to ensure they are current, consistent, and adequate to meet compliance requirements for security and privacy Developing new processes and policies and assigning responsibilities related to them Educating employees about the security and privacy policies Enforcement and penalties for violations Reviewing existing vendor contracts to ensure HIPAA compliance Developing flexible, scalable, viable solutions to address the security and privacy requirements
3/12/2014

HIPAA Violations.

Impact on business arrangements

Noncompliance may have an impact on business partner relationships that your organization maintains with third parties Noncompliance can lead to bad publicity, lawsuits, and damage to your brand and your credibility

Damage to reputation

Violations of the provisions of the Privacy Rule can result in civil penalties with fines of up to $250,000 and upto 10 years in prison Loss of employee trust

If employees are concerned about unauthorized use of their health-related information, they are likely to be less candid in providing information and more inclined to mislead employers or health professionals seeking health information
3/12/2014

Enterprise Security and PHI

HIPAA privacy regulations apply to PHI in any form HIPAA security regulations apply to electronic PHI An organizations approach to HIPAA security regulations can effectively leverage the assessment information gathered and business processes developed during the implementation of HIPAA privacy regulations to support a consistent enterprise wide approach to its enterprise security projects
3/12/2014

3/12/2014

Building a Security Decision Framework

3/12/2014

Issues and Considerations for BCP under HIPAA

3/12/2014

DHHS wants..

During a disaster, many privacy and security initiatives may become ineffective or disabled This is true no matter the nature of a disaster, whether it is natural (tornado, hurricane, earthquakes, etc.), intentionally manmade (war, act of terrorism, hacking, etc.), or an accidental disaster (power outage, equipment failures, software errors, etc.) For this reason, the Department of Health and Human Services (DHHS) requires organizations that handle private health information to implement a business continuity plan
3/12/2014

Act states that organisations*..

Maintain or transmit health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards. Among the safeguards mentioned include protecting against any reasonably anticipated threats or hazards to the security or integrity of the information. . . .

A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
3/12/2014

* 142.308 Security Standard

Acts requires organisations to..

Develop a data backup plan, a disaster recovery plan, and an emergency mode operation plan. It does not provide specifics on what needs to be incorporated into any of these plans HIPAA states that contingency plan testing and revision procedures are addressable

3/12/2014

HIPAA Dos and Donts

Treat all patient information as if you were the patient. Dont be careless or negligent with PHI in any form, whether spoken, written or electronically stored Shred or properly dispose of all documents containing PHI that are not part of the official medical record. Do not take the medical record off of University property. Limit the PHI you take home with you

Use automatic locks on laptop computers and PDAs and log off after each time you use a computer. Do not share passwords. Purge PHI from devices as soon as possible
3/12/2014

HIPAA Dos and Donts

Use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails. Do not share passwords Set a protocol to provide for confidential sending and receipt of faxes that contain PHI and other confidential information

Discuss PHI in secure environments, or in a low voice so that others do not overhear the discussion
3/12/2014

HIPAA TITLES

3/12/2014

HIPAA Titles (Sections)

Title 1 Insurability and Portability

Title 2

Administrative Simplification

Title 3 Tax Implications Title 4 Group Health

Title 5 Revenue

3/12/2014

Title 2: Administrative Simplification

1.

Electronic Health Transaction Standards and Code Sets Privacy and Confidentiality Standards

2.

3.

Security and Electronic Signature Standards

Unique Identifiers

4.

3/12/2014

1. Electronic Health Transactions Standards and Code Sets

All payers, providers and clearinghouses using electronic healthcare transactions, must use a national standard format. The act designates standards for 10 specific transaction sets. (835 Payment, 837 Claim) Health organizations also must adopt a set of industry standard codes to be used with transactions. Various coding systems are already in use to identify:

diseases injuries other health problems (as well as their causes, symptoms, and actions taken)
3/12/2014

2. Privacy and Confidentiality

This rule protects the privacy of information related to an individual's health, treatment, or healthcare payment.

Limits the use of individually identifiable health information, sent or stored in any format (electronic, paper, voice, etc) without patient authorization Business partners who receive, store or have access to privately identifiable health information must ensure the privacy of the records Patients may have access to their own medical records

The Rule's federal privacy standards do not replace other federal, state, or local laws if those laws provide more privacy
3/12/2014

3. Security of Health Information & Electronic Signature Standards

A uniform level of security for all health information that is:

housed or transmitted electronically pertains to an individual

Organizations who use Electronic Signatures will have to meet:

a standard ensuring message integrity user authentication, and non-repudiation

3/12/2014

4. Unique Identifiers for Providers, Employers, and Health Plans

The current system allows for multiple ID numbers assigned by different agencies and insurers. HIPAA sees this as confusing, conducive to error, and costly. It is expected that standard identifiers will reduce problems. HIPAA sets a standard identifier for:

Providers Claims Payers Employers Unique Patient Identifier

Identifier likely to be eliminated:

3/12/2014

PRIVACY RULE

3/12/2014

PRIVACY CASE EXAMPLES

A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999). A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000). An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996). The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999). A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
3/12/2014

PRIVACY CASE EXAMPLES

A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997). A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991). In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).

3/12/2014

PRIVACY CASE EXAMPLES

A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994. A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597. A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25. A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)

3/12/2014

What do the Privacy Rules Require?

Enhanced security and privacy protection for protected health information Patient Rights and Privacy Notice Policies and Procedures Discipline for breaches and violations Training

3/12/2014

The Privacy Rule Protects PHI

Minimum Necessary Rule for PHI

Only the degree of information required should be released.

No Minimum Necessary restriction on release of information for treatment purposes

Written patient authorization is not required for purposes of treatment, payment, or healthcare operations
3/12/2014

Treatment

Provision of health care Coordination of health care among providers Referral of patient from one provider to another Coordination of care or other services with third parties

Appointment reminders
3/12/2014

Payment

Determining coverage of health benefit claims Billing, claims processing Review of health care services with respect to medical necessity, coverage, appropriateness Utilization review activities

3/12/2014

Health Care Operations

Quality assessment and improvement Legal services Research Evaluating performance of health care professionals General administrative functions Hospital directory Audits
3/12/2014

Training future health care professionals..the students

Students need to have a general knowledge of the Privacy Rule Also need to know the policies and procedures of the institution and/or agency in which they are serving clinical rotations Students need to review the Privacy Notice and the site-specific procedures on rotations Should never remove any PHI from premises under any circumstances If its not covered in orientation, ASK.
3/12/2014

Research

Not considered treatment, payment or operations Use and disclosure of PHI for research purposes is clearly permissible The Common Rule also applies

3/12/2014

Remember

Professionals already have an ethical responsibility to respect the confidentiality of patients Professionals have a legal responsibility to respect the privacy of patients (except when compelled to disclose..stay tuned) This is one more rule to the same effect: respect privacy!
3/12/2014

When can you disclose information?

When the patient gives you consent to do so When the patients representative gives you consent When you receive a subpoena to produce the record When you are required to do so
3/12/2014

Other Disclosures

Those required by law: child abuse, dependent adult abuse, wounds of violence Public health activities, health oversight Organ donation Avert threats to public health or safety Workers compensation (statutory)
3/12/2014

Also permitted.

Disclosures to the FDA Public Health registry activities Infectious disease reporting Law enforcement Special investigations

3/12/2014

Research:

Research is not treatment, payment or operations If you are a researcher AND a provider, you must get appropriate authority for use of PHI in research Patient authorization or a waiver from the IRB
3/12/2014

Patient Rights under Privacy Rule:

Privacy notice (Notice of Privacy Practices)

informs patients of their rights and how to exercise them

on how entity will communicate with the patient or release information Patients may request to inspect their medical record and may request copies. Notice describes how to file a request for an amendment or addendum.
3/12/2014

Request restrictions

Access to medical Record

Amend/correct record (PHI)

Patient Rights under Privacy Rule:

Accounting of disclosures

Patients have the right to receive an accounting of disclosures of their PHI

if they think that privacy rights have been violated

File a complaint

Confidentiality of PHI Confidential communications

Opt outfundraising, notice to family, Opt out facility directory and media

3/12/2014

Patient Authorisation

Patient Authorization is required for ALL uses and disclosures EXCEPT those for treatment, payment, or healthcare operations. HIPAA provides some additional instances where patient authorization is not required:

Releases to health oversight agencies For law enforcement purposes For judicial proceedings When otherwise required by law
3/12/2014

A Personal Representative is

A parent of a child A family member or next of kin A legal guardian A person with Power of Attorney
3/12/2014

Confidentiality

Access to PHI on need to know basis Never share PHI unless necessary for care (minimum necessary)

Billing clerk might only need to see a specific report to determine the billing codes. Admissions staff member may not need to see the medical record at all, only an order form with the admitting diagnosis and identification of the admitting physician. Only access and use the patient information that you need to do your own job.

Dispose of PHI properly, confidentially Report breach of confidentiality to Privacy Officer Inadvertent disclosures happen in casual communications: lunch, bus, elevator
3/12/2014

Confidentiality

Do you let a staff member who is the patients next door neighbor look at a record? Do you let a basketball fan check an athletes progress? Do you let a staff member look up a parents next appointment on a computer? Do you allow a student to peak at a roommates record?

3/12/2014

Notice of Privacy Practices (NPP)

Patient has the right to receive notice of privacy practices Written document informing patients how their PHI will be used or disclosed Given to patients at first encounter (first time of of first service delivery) Given once Acknowledgement that notice was received must be documented
3/12/2014

Privacy Notice

Describes how medical information is used and disclosed Summarizes patients rights States who patient can contact with questions Directs patient where to take a complaint

3/12/2014

Privacy Notice: Basics

Patients can restrict what is told to others Patients can opt out of having information included in patient directory (information) Patient can receive information at alternate address Patient can request changes to record Patient can inspect record Patient can ask who has had access to record Patient can file a complaint
3/12/2014

Institutional Responsibilities:

Assure that patients receive and acknowledge privacy notice Train staff and students in Privacy Rule Have policies and procedures for patients to exercise rights Monitor compliance, respond to concerns, solve problems, answer questions
3/12/2014

Individual Responsibilities:

Access only information necessary to do your job Treat patient information the way you would want your information treated Make suggestions to improve the system Report breaches Recognize privacy as an element of excellent care
3/12/2014

The high-risk information

Mental health treatment and diagnosis HIV and infectious disease status Substance use history and treatment Emergency treatment information Diagnosis and prognosis Anything having to do with high-profile people
3/12/2014

The high-risk transactions

Any casual discussions that include enough information to identify the patient Any discussion that can be overheard Any discussion that is disrespectful Any discussion that is out of context (at lunch, at home, on the bus, etc) Any discussion with someone who is not bound to maintain confidentiality
3/12/2014

Practical Issues:

Telephone communications:

Make sure they are not overheard Be sure you are talking to the right person Some disclosures should only be in person Document who you talked to and what was disclosed

3/12/2014

Practical issues:

Fax communications:

Check the number before sending the FAX Make sure it is received and has a cover sheet with the name on it Document that information was sent and received Again, some things should be communicated in person
3/12/2014

Practical issues:

E-mail:

Make sure you have the right address and the right person The e-mail should contain a disclaimer This should be used very carefully and only in conjunction with security procedures

3/12/2014

Other issues:

Disposal of records, notes, etc:

Should be shredded and disposed of separately Voicemail? Only if the information is not identifiable reminding of appointment on Tuesday, call with questions..
3/12/2014

Accounting of disclosures:

You will need to keep track of disclosures that are unrelated to treatment, payment or operations. Patients have a right to ask for these for 6 years after the effective date of the rule (but not prior to)

3/12/2014

The consequences

A patient complaint to the institution An investigation Disciplinary action against you-more training, warning, suspension, termination Or a complaint to the OCR An investigation A sanction against the hospital (fine) And possible sanctions against you
3/12/2014

The bottom line:

We must be in compliance with the Privacy rule We must work together to achieve the goal of protecting PHI because it is important and We must resolve questions in a way that assures that the important missions of the University are carried out.
3/12/2014

Conclusion:

Confidentiality and protection of information is an element of excellent care Privacy protection is a legal and ethical responsibility We must be in compliance with the rules because it is the right thing for clients and it is our responsibility as professionals Questions?
3/12/2014

SECURITY RULE

3/12/2014

Purpose

To ensure confidentiality, integrity and availability of all electronic protected health information (ePHI) that is created, received, maintained or transmitted by the covered entity

To protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
To protect against any reasonably anticipated uses or disclosures of ePHI To ensure compliance by its workforce
3/12/2014

What does HIPAA require for Security?

Security = controls + counter-measures + procedures

Ensures the appropriate protection of information assets and control access to valued resources Minimizes the vulnerability of assets and resources

Under HIPAA, secure all access to electronically stored and transmitted protected health information (ePHI)

3/12/2014

Security Rule:

Three sets of requirements:

Physical Technical Administrative Safeguards for information maintained in electronic form

3/12/2014

Text of HIPAA, 45 CFR 164: Security Requirements

3/12/2014

3/12/2014

3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

HIPAA Requirement (Formal documented instructions for reporting security breaches) that include all of the following implementation features: 1. Report procedures (documented formal mechanism employed to document security incidents). 2. Response procedures (documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report).

3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

Explanation of HIPAA Regulation The covered entity must have written procedures for reporting security breaches to ensure that security violations are handled promptly and appropriately. These must include:

1. Procedures for reporting security incidents 2. Procedures describing response, i.e., actions to take when a security incident is reported

3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

Key Issues What constitutes a security incident? How should the covered entity define levels of incidents and sanctions for each (e.g., accessing protected health information as opposed to sharing protected health information)? How can security awareness be kept hot? How can a covered entity determine when access to protected health information is inappropriate?

3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

Actions required to address these Implement an incident reporting and response procedure and document it.

3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

Actions highly recommended to address these Tell workforce members when, how, and to whom to report a security incident. Require workforce members to acknowledge that they have received security incident training. Require workforce members to report the incident if they inadvertently access protected health information they should not have accessed. Ensure that workforce members know that they should report security violations to a supervisor, system administrator, security, internal audit, or others as appropriate.
3/12/2014

SEC.09 Security Incident Procedures .308(a)(9)

Require workforce members to report instances of noncompliance. Ensure that the teams of people who are typically involved in responding to a security incident have a well understood working arrangement that ensures that the incident is handled efficiently, expeditiously, and with respect for law and individual rights.

3/12/2014

3/12/2014

3/12/2014

Information Access Management

All persons authorized to have access to PHI shall have a unique User ID.

This process shall include all volunteers, temporary workers and independent contractors Workforce members and other authorized users will be required to select passwords for each of their User IDs. User IDs and Passwords must NEVER be shared! Change password periodically

3/12/2014

Log-in Monitoring

Log-on attempts to the computer systems are monitored. If you do not log-on correctly within five (5) attempts your User ID and password will be automatically disabled.

An individuals access shall be restored only after the persons identity has been verified.
If you are locked out of the system because you forgot your password, please contact your supervisor.

3/12/2014

Access Control

The Security Rule requires facilities to implement access controls to the physical plant in other words, doors need to be locked or manned. The policies discuss a variety of types of people who have access to the facility such as Patients, Visitors, Volunteers, Staff, and Physicians. You MUST wear your identification badge at all times!
3/12/2014

Facility Security Plan

Public Access. All entrances in which public access to the Hospital is allowed shall be manned by reception or security personnel. Non-public Access. All non-public entrances shall be locked or secured in some manner so as to prohibit entrance without proper authorization. ANY staff person found tampering with the door security system (propping open doors, opening doors for others with no reason to be in the area) will be subject to disciplinary action up to and including termination.
3/12/2014

Visitor Identification

All staff MUST question visitors or other persons who are in restricted areas and are not displaying proper identification. Vendors and contractors will be wearing their company ID in addition to hospital identification noting that they have permission to be in the building. All employees, volunteers and other workforce members MUST wear their identification badge as issued by the hospital.
3/12/2014

Audit Controls

IMPORTANT!! Audit trails will document who was where in our systems and will document what the employee was accessing. This is performed by our HIPAA Officers (Privacy & Security). Your User ID will link to every item read or printed. Every employee, physician and VIP admitted to our hospital will have their account reviewed for inappropriate access Disciplinary action will be taken if employees are found violating HIPAA policies and accessing information that they have no need to know
3/12/2014

Security Incident Procedures

If you suspect your computer has received a virus, contact your Privacy Officer, Risk Manager, and IS Director immediately No software can be loaded onto computers without the permission of the IS Director! This includes downloads from the Internet!

3/12/2014

Reporting Violations

We expect all employees to adhere to the privacy and security policies, but we know there may be times when the policy is being abused. Report violations or suspected violations to the Privacy Officer or HIPAA Security Official. You may report anonymously, if you wish.

HMA Compliance Helpline: 1-888-462-0380 HMA, Inc. PO Box 770621, Naples, FL 34107

You will not be retaliated against if you report a privacy violation. It is part of your job to report instances where you suspect policies are being broken.
3/12/2014

Conclusion:

We must all remember to protect the privacy and security of patient information at all times. We are all patients from time to time. How would you feel if your own health information was used or disclosed in a way that was harmful to you or your family?

3/12/2014

HITECH ACT

3/12/2014

HITECT ACT

Health Information Technology for Economic and Clinical Health Act (HITECH)
Enacted as part of the American Recovery and Reinvestment Act of 2009 Expansive changes to HIPAA aimed at encouraging the sharing of electronic health information

Provides funding assistance and incentives to encourage implementation of electronic health records (EHRs)
3/12/2014

Changes to HIPAA

Expanded Responsibilities and Liability for Business Associates Breach Notification Enforcement Penalties Restrictions Accounting of Disclosures Sale of PHI Meaningful use of EHR

3/12/2014

Breach Notification under HITECH

BA

Notice Requirements

Recipients

Notify CE to which the breached information relates Without unreasonable delay but no later than 60 days following the BAs discovery of the breach Identify affected individuals to the extent possible and other information available to BA
3/12/2014

Timing

Content

Notice of Breach

Covered Entities and Business Associates obligated to notify Unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed due to breach Effective as of September 2009

3/12/2014

Definition of Breach

Breach is the unauthorized access, use, or disclosure of PHI, which compromises the security or privacy of the PHI. HITECH Act breach notification requirement applies only to the breach of unsecured PHI.

3/12/2014

Secure PHI

If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, it is secure. HHS guidance specifies encryption and destruction as methods for safeguarding PHI. The breach of secure PHI is not subject to the breach notification requirement. Avoid having to comply with the breach notification requirement by securing PHI.

3/12/2014

Who to notify

Covered Entity reports to the:

Individual Secretary of HHS Media

Business Associate reports to the:

Covered Entity

3/12/2014

How to notify
The notification shall: Describe what happened; Describe types of unsecured PHI involved in the breach; Provide steps individuals should take to protect themselves; Describe what covered entity is doing to investigate the breach, mitigate harm, and to protect against further breaches; and Provide contact procedures for individuals to ask questions or learn additional information (i.e., toll-free telephone number, e-mail address, website, or postal address). 3/12/2014

Restrictions on Disclosures

Individuals have the right to request a restriction on disclosures and uses of their PHI

To carry out treatment, payment or healthcare operations

Covered Entities are required to accept the request to restrict If disclosure is to a health plan for purposes of carrying out payment or healthcare operations And PHI pertains solely to a healthcare item or service for which the provider involved has been paid in full Effective February 17, 2010
3/12/2014

Accounting of Disclosures of EHR

If Covered Entity uses electronic health records Then individuals have the right to an accounting upon request For all disclosures, including those made for treatment, payment and healthcare operations For prior three years Effective as of:

January 1, 2014; or

the later of effective date of implementation of EHR or January

1, 2011.
3/12/2014

Prohibition on Sale of EHR

A Covered Entity or a Business Associate cannot directly or indirectly receive remuneration in exchange for any PHI of an individual Except pursuant to a valid HIPAA authorization

Or pursuant to specified exceptions

3/12/2014

Restrictions on Marketing

If payment is received for making the communications, the communication is marketing, unless:

1. The communication describes only a drug or biologic

currently being prescribed for the individual and the amount of payment received for making the communication (if any) is reasonable in amount;

2. The communication is made by the covered entity and the

covered entity has received a valid HIPAA authorization; or

3. The communication is made by a business associate and is

consistent with the terms of its BA agreement.

3/12/2014

Impact on Business Associates

Makes elements of HIPAA directly applicable to Business Associates Prior to HITECH Act, Business Associates only subject to Business Associate Agreement After HITECH Act, Business Associates subject to government oversight and enforcement Effective February 17, 2010

3/12/2014

Some differences between HITECH and HIPAA - General

3/12/2014

Some differences between HITECH and HIPAA Breach Notification

3/12/2014

Some ways to address the provisions of the act

3/12/2014

Some ways to address the provisions of the act

3/12/2014

CASE STUDY 1

3/12/2014

CASE STUDY 2

3/12/2014

CASE STUDY 3

3/12/2014

SCENARIOS

3/12/2014

Consider the following example 1:

You are a healthcare provider. Your friends spouse is in the hospital after an accident. Your friend asks you to review what treatment has been provided to the spouse and see if you concur. What are you able to do under HIPAA?

Access the persons chart so that you can communicate with your friend about the patients condition. Contact the charge nurse on the floor and ask her to look into the patient records for you. Advise your friend that you can only look at the medical records if you are treating the patient or you receive the patients authorization to review the medical record.
3/12/2014

Answer:

Under HIPAA you are only allowed to use information required to do your job.
Since you are not part of the patient care team, it is against the law to access the patient record or ask someone to access it on your behalf even though you may know the person and just want to be helpful. Remember, that if you were in a similar situation, you may not want your colleagues going through your medical records or those of your spouse or close friend.
3/12/2014

Consider the following example 2:

The father and mother of an adult married competent patient are visiting the patient. As a member of the care team, you need to review and provide education to her on the new meds ordered by the physician. One medication is Prozac, a well known anti-depressant. What is the best way to approach a patient when her relatives are in the room?

Ask the patients relatives to leave the room. Go ahead and explain the medications to her. She wont mind her family members overhearing. Explain to the patient that you need to discuss her medications with her, and that the information is confidential. If she says her relatives may stay in the room, go ahead explain the medications to her.
3/12/2014

Answer:

Never assume that the patient has shared her medical information with her relatives.
You should ideally ask the patients relatives to step out of the room. If the patient understands that the information is sensitive and she agrees to have her relatives present, you can go ahead and have the discussion with the patient. The answer would be the same if it had been her husband visiting her. The patient may not have shared all of the information with her husband.
3/12/2014

Consider the following example 3:

A physician is invited by a drug company rep to play golf. During the game, the rep begins talking about a new COX-2 inhibitor the drug company is developing. The physician gives the rep names and phone numbers of a few patients with arthritis, believing that they could benefit from the new treatment. A week later, the patients call the doctors office complaining about being solicited by the drug company to take part in a clinical trial. What does HIPAA say about this?

Since the physician had good intentions, the physician has not violated HIPAA. Physicians should stop associating with drug company reps as there are many circumstances that could result in violations of federal law, including HIPAA. Since PHI was disclosed for purposes other than what state and federal law allows, an authorization from the patients should have been obtained before the PHI was released.
3/12/2014

Answer:

This is an example of marketing under HIPAA. PHI was IMPROPERLY disclosed. Never provide information to a friend, colleague or business representative UNLESS it is required as part of your job and permitted under HIPAA and/or other state and federal laws. Always keep your patients information confidential to maintain your rapport and the patients trust. Providing an unauthorized release of information to a drug rep for marketing or research purposes violates state and federal law. This could be interpreted as an illegal disclosure for personal gain (the value of the round of golf) and subject you to a hefty fine and imprisonment.
3/12/2014

Consider the following example 4:

A physician and a nurse were discussing a patient in an elevator filled with people. In the conversation the patients name, diagnosis and prognosis are mentioned. What could have been done differently to protect the patients privacy?

The patients privacy was protected, nothing was done wrong since no written PHI was exchanged. It is important to be aware of your surroundings when you discuss patient information (PHI). The patients case should have been discussed in another room, away from other patients, or at least in low voices that could not be overheard. No patients or patient families should be allowed to use hospital staff elevators to avoid such situations.
3/12/2014

Answer:

Although HIPAA allows incidental uses and disclosures, this type of disclosure is not allowed. PHI includes oral communications. The patients case should have been discussed in a location that allowed for privacy of the information discussed.

3/12/2014

Consider the following example 5:

As a resident downloads a patient file into her PDA, a code blue is called. In her hurry to respond, she leaves her PDA in its cradle. When she returns, the PDA is gone. What does HIPAA require?

HIPAA says nothing because a copy of a patients file on a PDA is not PHI. The resident has a responsibility to make certain that her laptop, PDAs, and other equipment are password protected and have an automatic key lock. HIPAA does not allow the use of PDAs to store PHI.

3/12/2014

Answer:

HIPAA requires that everyone protect PHI, whether in electronic, oral or written form. Using passwords and automatic key locks provides for the security of PHI since anyone without the password cannot access the files.

3/12/2014

Consider the following example 6:

You are in the ER examining a 6-year-old boy and observe cigarette burns on the arms and hands of the boy. What does HIPAA require you to do?

HIPAA requires you to protect patient confidentiality so no disclosure of PHI should be made. Patient safety is involved, and federal and state law require that you report this. HIPAA does not allow you to report this incident, but state law requires it.

3/12/2014

Answer:

While HIPAA requires you to maintain patient confidentiality, exceptions exist which allow PHI disclosures. State law requires and HIPAA allows the reporting of child or elderly abuse and communicable diseases.

3/12/2014

QUESTIONS

3/12/2014

Question #1: What is PHI?

A. B. C. D.

Private history information. Protected health information. Personal health information. Private health insurance.

Answer: B. Refer to slide 8 for a list of PHI data elements.

3/12/2014

Question #2. Which of these requests for copies of medical records / billing records / images requires the patients prior written authorization?

Requests for copies of psychotherapy notes. Requests for copies of PHI from your employer. Requests for copies of your PHI from concerned fellow employees. Requests for publication / publicity. All of the above.

Answer: E. All of the above.

3/12/2014

Question #3. Which of these is a HIPAA disclosure that must be logged?

A.

B. C.

D. E. F.

Release of PHI to the ME following death of a patient. Release of PHI for legal reasons. Release of PHI via e-mail or fax to the incorrect address outside of UC network. Release of PHI through a hacker attack. Lost or stolen laptop or device with PHI. All of the above.

Answer: F. See facility policies on handling breaches.

3/12/2014

Question #4. Personal Representative Which of these statements best describes the new HIPAA personal representative? Check all that apply.

Personal, legally authorized individual to make health care decisions on the individuals behalf School nurse Employer Parent for an adult patient (not incapacitated)

Answer: A..
3/12/2014

Question #5. Medical students / residents who participated in Ms. Joness care write up the case for presentation at grand rounds. True or False. Mark all that are true. A. HIPAAs definition of health care operations includes conducting training programs in which students, trainees, or practitioners in healthcare learn under supervision to practice or improve their skills as healthcare providers B. No authorization is needed, since this is covered in Ms. Joness general consent C. The minimum necessary information should be used, as this is not a part of direct or indirect care of Ms. Jones. Ms. Jones should not be identified by name Answer: A, B and C are true.
3/12/2014

Question #6. Security With new hires & temporary personnel, when can I share my password to avoid patient care and/or billing delays? Choose the 1 correct answer.

I may share my password with new personnel for up to 10 days until the person has their own password, as long as they have completed privacy training. B. I may post my password in a discrete area to limit access to my password. Only when temporary personnel are hired or students are visiting. Never!

Answer: D.

3/12/2014

Question #7. Protected Health Information comes from a health care provider or a health plan and includes:
A. Information about an individuals condition
B. Information about an individuals payment

for health care C. An individuals demographic information D. All of the above

Answer: D All of the above. Protected Health Information comes from a health care provider or a health plan and includes all of the items listed, including: Information about an individuals condition Information about an individuals payment for health care An individuals demographic information
3/12/2014

What if a research investigator wants information about my patients?

Treating physicians cannot discuss their patients and their PHI with research investigators for the purpose of recruitment. However, providers can inform their patients about research studies. For example:

Research investigators can inform providers that there are research studies and clinical trials available to subjects (examples: by information letter, flyers, website,brochures) Treating physicians can inform their patients of research studies that the patients might be interested in Patients can contact the research studies they heard about from their treating physicians or from advertisements, flyers

3/12/2014

How does a researcher gain access to PHI from medical records?

Health Information Management Services will require the investigator to show one of the following as proof of authorization to view PHI:

Copy of CHR Approval Letter with statement of Waiver of Consent/Authorization of individual consent to access PHI Copy of CHR Approval Letter with statement that individual subject consent/authorization will be obtained to access PHI Copy of Individual Authorization signed by research subject
3/12/2014

Scenario 1

The chief of cardiology reports to his assigned development officer that he has just treated the founder of a major San Francisco company and asks the development officer to call the patient and discuss gift opportunities. Is this a violation of HIPAA? The cardiologist can provide information about the patients demographics and dates of service but cannot provide diseasespecific information. If the cardiologist would like the development officer to discuss disease-specific information with the patient, the cardiologist should obtain an Authorization first. In either case, the cardiologist should inform the patient that a development officer will be calling.
3/12/2014

Scenario 2

The department of surgery asks its assigned development officer to send a fundraising letter to all of its former kidney transplant patients. Is this a violation of HIPAA? The department of surgery is asking the development officer to use a fundraising list based on disease-specific information. Neither the department nor the development office may use disease-specific information for fundraisingfor direct mail, events or major/planned giftswithout prior Authorization.

3/12/2014

Scenario 3

The Breast Care Center creates a list of breast cancer survivors and subsequently sends this group a Health Care Communication in the form of a newsletter; the newsletter includes a remit envelope for gifts. Is this a violation of HIPAA? When combining a Health Care Communication with a fundraising appeal, the stricter standard for fundraising applies. In this case, the list is OK for a Health Care Communication, for which PHI may be used without Authorization. However, PHI can be used for fundraising only with prior Authorization. Therefore, a remit envelope for gifts may not be included in the newsletter.

3/12/2014

Scenario 4

The Diabetes Center is asked to provide a list of former patients to the Juvenile Diabetes Foundation (JDF) which, in turn, will solicit the patients for gifts to the JDF. Is this a violation of HIPAA? The JDF is an outside entity not specifically charged with raising funds for UCSF; as such, it will not qualify for a Business Associates Agreement. Providing PHI of any kind to the JDF is therefore considered marketing and a violation of HIPAA unless the patients have Authorized the disclosure.

3/12/2014

Scenario 5

The Childrens Hospital has built a new pediatric dialysis facility. It is working with its assigned development officer to invite the families of its diabetic patients to an opening celebration. The cost to attend the event is $1,000 per person, $900 of which can be considered a gift. Is this a violation of HIPAA? If the invitation is sent to all families of patients of the pediatric dialysis center, this is not a violation of HIPAA. Sending the invitation to a subset of this population would probably require the use of PHI and, thus, would require Authorization. The invitation must include the Opt Out language required by HIPAA for all fundraising communications.
3/12/2014

Scenario 6

UDAR wishes to obtain lists of daily inpatient admissions and review them for known donors as well as prospective new donors. Is this a violation of HIPAA? Although HIPAA defines fundraising as a part of Operations, UDAR may view only Demographic Information from the Medical Center. UDAR staff may initiate direct contact with a patient only when an Authorization is on file. Alternately, UDAR must work through the Health Care Provider to contact the patient.

3/12/2014

Scenario 7

A fundraising volunteer shares a list of his friends who have had skin cancer with his assigned development officer. They intend to solicit this group for gifts to UCSFs melanoma research program. Is this a violation of HIPAA?

Yes. Members of the UCSF workforceincluding volunteers cannot create, use or disclose PHI that includes disease or treatment specific information for fundraising purposes without Authorization. If a volunteer wants a friend to be contacted by the development officer, s/he should provide name, address and phone number only AND advise the friend that s/he has done so. In other words, volunteers should identify individuals as having an interest in a UCSF program and not as having a particular disease.
3/12/2014

Scenario 8

The department of neurosurgery needs to purchase an expensive new imaging machine. It plans to ask its neurosurgeons to identify former brain tumor patients and work with UDAR to develop a campaign plan. Is this a violation of HIPAA? Yes, unless and Authorization has been obtained from the patient. To access, use and disclose a list of former brain tumor patients for fundraising, a signed Authorization must be on file for each patient. Alternately, the neurosurgeons may generate a list of all their patientsnot just those with brain tumorsto be solicited for this project.

3/12/2014

Scenario 9

The thoracic oncology programwhich does not have an assigned development officerpulls a list of its patients (i.e., all former patients of all affiliated physicians) using Demographic Information only and sends out a fundraising letter. Is this a violation of HIPAA? This is not a violation of HIPAA as long as only Demographic Information is used to pull the list. However, UCSF policy states that all solicitations should be cleared through UDAR. This is critical to assure that all HIPAA requirementssuch as honoring existing Opt Outs and providing a mechanism to accept new Opt Outs have been met.

3/12/2014

Scenario 10

A major donor calls UDAR to say that she has a friend who is at the Medical Center for surgery on his back. The donor wants UDAR to ask the CEO to visit her friend. Is this a violation of HIPAA? Technically, this is not a violation of HIPAA. However, because the perception could be that UCSF is using a patients disease information without permission, UDAR should only provide the CEO with the information that the major donor called regarding a friend who is in the hospital. Information regarding the patients back surgery should not be discussed at this point.

3/12/2014

Scenario 11

A reporter calls Public Affairs asking for the condition of a 43-year old man who was the victim of a car crash. He gives you the patients name but has no other details. You disclose the patients condition. Is this a violation of HIPAA? The Covered Entity may disclose a patients condition in general terms (good, fair, serious, critical or undetermined) that do not communicate specific medical information as long as the inquiry specifically contains the patients name and the patient has not placed restriction on release of information. Although California law has permitted hospitals to release a description of the nature of a patients injuries, this is not permissible under HIPAA without written Authorization.
3/12/2014

Scenario 12

A national magazine reporter calls regarding a story on liver transplantations. She would like to interview a patient who has recently undergone a transplant to help illustrate the importance of organ donation. How can the media relations representative find an appropriate patient for the story? A media relations representative may discuss the concept for the story and PHI with a physician to determine if there is an individual who would make a good spokesperson for the institutions liver transplant program. However, the discussion of PHI must be limited to the minimum necessary in order to make the decision and to only those persons who need to know for the decision to be made. Once it has been decided that the patient might be a good spokesperson, the physician should make the initial contact. If the patient agrees, the physician or media relations representative must obtain an Authorization for release of any PHI to the news media.
3/12/2014

Scenario 13

A member of the UCSF staff overhears the name of a well known television personality when it is called out in a patient waiting room. She shares the information with her family at dinner that evening. Is this a violation of HIPAA? Yes. Although HIPAA tolerates Incidental Use and Disclosure, such as when a name is overheard in a patient waiting room, it does not permit a staff member to discuss that information in any context or setting not directly related to his/her work.

3/12/2014

Scenario 14

The department of radiology sends a negative consent Authorization letter to its former patients stating that they will assume it is OK to use the patients PHI for fundraising unless they request otherwise. Is this a violation of HIPAA? Yes. HIPAA does not recognize negative consent Authorization, so this is a violation of HIPAA. HIPAA also does not recognize verbal Authorization. Only the approved UCSF Authorization form may be used to obtain permission to use PHI for fundraising.

3/12/2014

Remember:

PHI is contained in the designated record set. Should you copy any protected information for your use to a PDA, 3x5 card, slip of paper or other site it is your responsibility to safe guard and destroy it once it is no longer needed. It is everyone's responsibility to protect PHI and you may be at personal financial risk if you fail to do so.

3/12/2014

HIPAA Resources

3/12/2014

http://www.compliancehelper.com/demo-ba http://www.compliancehelper.com/resources/ http://www.cms.gov/EducationMaterials/03_Tran sactionsandCodeSetMaterials.asp http://www.cms.gov/EducationMaterials/02_HIP AAMaterials.asp#TopOfPage

3/12/2014

3/12/2014

3/12/2014