Nursing Students October 2009
Published in: Health & Medicine, Technology
  • The focus of HIPAA has evolved since it was implemented in 2003. At the time of implementation, the greatest concern was the misuse of patient information (“Who is looking at my information?”). Today, our greatest concern is theft of patient data. Identity theft, including medical identity theft, has increased in the last several years. As patients lose insurance, they are more likely to use someone else’s insurance information in order to obtain medical services. In addition, CUMC collects information that can be used for other financial theft purposes, including name, date of birth, social security number and sometimes credit card information for payment. Protection of all information, including preventing the loss of patient information, is the responsibility of every individual working at CUMC.
  • Here are some examples of patient privacy rights. Again, all but the last item were already patient rights in NY State. Patients often request confidential communications, for example “call me on my cell phone, not on my home phone,” or “send all bills to my work address rather than my home address.”
  • It is important to understand the HIPAA implications for research, even if you are not involved with research. If you have patient information, it should not be shared with researchers without proper IRB approval.
1. HIPAA Privacy and Security
   • October 20, 2009
   Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center, [email_address], (212) 305-7315
   Nursing Students
2. HIPAA: PRIVACY vs. SECURITY. What’s the Difference?
   • PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
   • SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.
   June 21, 2010
3. Consequences of Privacy or Security Failure
   • Disruption of patient care
   • Increased cost to the institution
   • Legal liability and lawsuits
   • Negative publicity
   • Negative patient perception
   • Identity theft (monetary loss, credit fraud)
   • Disciplinary action
4. HIPAA Privacy & Security Concerns
   • Theft of patient data
      • Identity theft
      • Stolen laptop
   • Loss of patient data
      • Incorrect disposal of documents
      • Portable devices increase the possibility of data loss
   • Misuse of patient data
      • Privacy breach
5. Theft of Patient Data: NewYork-Presbyterian Hospital
   • A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.
   • The files stolen probably contained little or no medical information, but did include patient names, phone numbers and social security numbers: fertile ground for identity theft.
   • The employee reported that he sold 1,000 files to a man for $750.
   • NYP sent letters and offered free 2-year credit monitoring to all patients
      • 50,000 * $15 = $750,000 +++
6. Theft of Electronic Devices at CUMC
   • A large fire in a NYP/CUMC building with immediate evacuation of the entire building
   • An outside firm was hired to assist with the clean-up and repair of the building
   • When staff returned it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen
   • Lesson learned: all equipment must be password protected. Portable equipment that includes patient information must also be encrypted.
   • Consider installing software like PC phone home that may assist in locating stolen portable devices
7. Loss of Patient Data: CVS Pharmacy
   • CVS pays $2.25 million and toughens disposal practices to settle HIPAA privacy case
      • A case that involves the privacy of millions of health care consumers
      • On January 16, 2009 the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule.
      • CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions, related medical information and credit card information.
8. Privacy Breach
   • The Kaiser hospital in Bellflower at which Nadya Suleman gave birth to eight has been hit with a $250,000 fine by California health officials.
   • Kaiser Permanente spokesman Jim Anderson said that the hospital had warned employees to stay away from the Octo-Mom’s files and reported the privacy violations itself, firing 15 employees.
   • According to the state, however, the hospital did not do enough to protect Octo-Mom’s privacy.
   • UCLA Medical Center disciplined 53 staff members for accessing the medical information of Britney Spears in 2007.
9. What You Need to Know About HIPAA & Patient Privacy
   • Notice of Privacy Practices
   • Authorization to Release Medical Information
   • Patient Rights
   • Privacy Breaches
   • Business Associates
   • HIPAA and Research
12. Authorization to Release Medical Information
   • Written authorization is required to release medical information
   • Physician or care team may share information with a referring physician without an authorization (“patient in common”)
   • All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
   • Must understand who is the legal next of kin
14. Notice of Privacy Practices: Patient Rights
   • Patients have the right to:
      • Request restrictions on release of their PHI
      • Receive confidential communications
      • Inspect and copy medical records (access)
      • Request amendment to medical records
      • Make a complaint
      • Receive an accounting of any external releases
      • Obtain a paper copy of the Notice of Privacy Practices on request
15. Privacy Breach
   • Privacy breaches do not usually involve high-profile patients
   • Most privacy breaches involve staff accessing medical information of friends, family members and co-workers
   • Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information
   • It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action
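The daily audit described on this slide, as an added illustration that is not part of the presentation or of any CUMC system: it runs over a constructed access log and flags the access patterns the slide names (charts opened by users with no documented care relationship, and co-worker charts in particular). The log format, the care-team roster and the employee-chart list are assumptions made for the example.

```python
import csv
from io import StringIO

# Constructed sample access log (not real data): who opened which chart, and
# the reason the user selected when opening it.
ACCESS_LOG = """\
timestamp,user,patient_id,reason
2009-10-20T08:01,nurse_a,P100,treatment
2009-10-20T08:15,nurse_a,P200,none
2009-10-20T09:30,clerk_b,P300,billing
2009-10-20T10:02,nurse_c,P400,treatment
2009-10-20T11:45,clerk_b,P100,none
2009-10-20T12:10,dr_x,P300,treatment
"""

# Assumed care-team roster: users with a business purpose for each chart.
CARE_TEAM = {"P100": {"nurse_a", "dr_x"}, "P300": {"clerk_b"}, "P400": {"nurse_c"}}

# Assumed list of charts that belong to staff members (co-worker lookups).
EMPLOYEE_CHARTS = {"P200": "clerk_b"}


def audit(log_text, care_team, employee_charts):
    """Return (user, patient_id, finding) for every access that needs review.

    An access is fine when the user is on the chart's care team. Everything
    else is reported: co-worker charts first, then accesses with no stated
    reason, then off-team accesses whose stated reason must be verified.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid, reason = row["user"], row["patient_id"], row["reason"]
        if user in care_team.get(pid, set()):
            continue  # documented relationship: no finding
        if pid in employee_charts:
            findings.append((user, pid, "co-worker record"))
        elif reason in ("", "none"):
            findings.append((user, pid, "no business purpose stated"))
        else:
            findings.append((user, pid, "stated reason needs verification"))
    return findings


if __name__ == "__main__":
    for user, pid, finding in audit(ACCESS_LOG, CARE_TEAM, EMPLOYEE_CHARTS):
        print(f"{user} -> {pid}: {finding}")
```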
16. Who Is a Business Associate?
   • Individuals who do business with CUMC and have access to protected health information
   • A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen
   • Examples of BAAs include:
      • Billing companies or claims processing
      • Voice mail or appointment reminder service management
      • Transcription services or coding companies
      • Accreditation
      • Software used for medical data
17. HIPAA and Research
   • Medical record research or identification of potential research subjects must be approved by the IRB, which includes a review of HIPAA research requirements
   • Two main avenues of HIPAA research:
      • Form A: HIPAA Clinical Research Authorization (required elements)
      • Form B: HIPAA Application for Waiver of Authorization (subject to approval of the IRB)
   • Some exceptions:
      • Research using solely decedent information
      • Research using solely de-identified information
      • Activities prior to research or preparatory to research
18. HIPAA Privacy Guidance: Top 10
   • Provide patients with the Notice of Privacy Practices
   • Shred patient information
   • Follow electronic security policies
   • Telephone guidance: messages and requests for information
   • Use and disclose medical information correctly
   • Fax patient information using a cover sheet
   • Verify patient at the time of new registration
   • Avoid unintentional disclosures (hallway, email, mail)
   • Report and manage privacy breaches
   • Notify Privacy Office of complaints
19. What You Need to Know About Information Security
20. Good Computing Practices: 10 Safeguards for Users
   • User ID or log-in name (aka user access controls)
   • Passwords
   • Workstation security
   • Portable device security: USB, laptops
   • Data management, e.g., back-up, archive, restore
   • Remote access: VPN
   • Recycling electronic media & computers
   • E-mail: Columbia email account ONLY
   • Safe Internet use: viruses
   • Reporting security incidents / breaches
21. Security Controls
   • Laptop and file encryption
      • WinZip (password protect + encrypt)
      • 7-zip (free, password protect + encrypt)
      • Truecrypt (free, complete folder encryption)
      • FileVault (folder encryption on Macintosh)
   • Encrypted USB drives
      • Kingston Data Traveler
      • Iron Key (fully encrypted)
22. Types of Security Failure
   • Sharing passwords
      • You are responsible for your password. If you shared your password, you will be disciplined even if the other person does no inappropriate access.
   • Not signing off systems
      • You are responsible and will be disciplined if another person uses your ‘not-signed-off’ system and application.
   • Sending EPHI outside the institution without encryption
      • Under HITECH you may be personally liable for losing EPHI data.
   • Losing a PDA or laptop in transit with unencrypted PHI or PII
      • Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII.
23. New Regulation: HITECH Act (ARRA)
   • (Health Information Technology for Economic and Clinical Health)
   • New federal breach notification law, effective Sept 2009
      • Applies to all electronic “unsecured PHI”
      • Requires immediate notification to the federal government if more than 500 individuals are affected
      • Requires notification to a major media outlet
      • Will be listed on a public website
      • Requires individual notification to patients
   • Criminal penalties apply to an individual or employee of a covered entity
   • State Attorneys General will have enforcement authority and may sue for damages and injunctive relief
24. New York State SSN/PII Laws
   • Social Security Number Protection Law
      • Effective December 2007
      • Recognizes SSN to be a primary identifier for identity theft
      • It is illegal to communicate this information to the general public
      • Access cards, tags, etc. may not have SSN
      • SSN may not be transmitted over the Internet without encryption
      • SSN may not be used as a password
      • SSN may not be printed on envelopes with see-through windows
      • SSN may not be requested unless required for a business purpose
      • Fines and penalties
25. New York State SSN/PII Laws
   • Information Security Breach and Notification Act
      • Effective December 2005
      • IF … a breach of personally identifiable information occurs
         • SSN
         • Credit card
         • Driver’s license
      • THEN … must notify
         • patients / customers / employees
         • NY State Attorney General
         • Consumer reporting agencies
26. New Regulations: Red Flag Rule
   • Red Flag: Identity Theft Prevention Program
   • Requires healthcare organizations to establish a written program to identify, detect, respond to and correct reports of potential identity theft
   • Educate all staff how to identify Red Flags and report them
   • Appoint a program administrator and report to leadership
   • FTC law includes fines and penalties of $2,500 per violation
   • Business Associate Agreements will have to be revised to inform CUMC of any Red Flags involving CUMC data
28. What Is My Role in Protecting Medical Information?
   • Good security standards follow the “90 / 10” rule:
   • 10% of security safeguards are technical
   • 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
      • Example: the lock on the door is the 10%.
      • You remembering to lock it, checking to see if it is closed, ensuring others do not prop the door open, and keeping control of keys is the 90%.
      • 10% security is worthless without YOU!
29. PATIENT PRIVACY
   At some point in our lives we will all be a patient.
   Treat all information as though it were your own.
30. Questions & Answers
   Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center
   212-305-7315
   [email_address]
   [email_address]