Providing Care With
Respect and Dignity
Through Data Security
& Privacy Practices
Presented by: The Privacy Office
Core Elements of this Review
1. Accessing PHI (Protected Health Information) beyond the scope of
your duties is a violation of HIPAA’s “Minimum Necessary” Rule”.
2. It also violates Clinic Policy, and can lead to immediate termination
of your rotation here.
3. HIPAA requires you to report privacy/security incidents or
suspected violations. Contact the Privacy Office at ext. 14216.
4. You are not allowed to copy, transmit or print patient information for
your own use or for your school. Any documentation that you feel
you need to send external for completion of your duties should be
de-identified by the ROI Services Manager in Health Information
Management (ext. 43742).
5. Sharing Passwords or user ID’s is strictly prohibited.
6. Please keep all patient-related conversations out of patient areas.
Our patients perceive a lack of privacy when this happens – even if
names are not used.
HIPAA is a Federal Law named “The Health
Insurance Portability and Accountability Act”.
• HIPAA was enacted in 1996 to standardize electronic health insurance
transactions. Its primary purpose was to reduce the gap in health
insurance coverage occurring with change of employment, thereby
reducing America’s personal bankruptcy rates as most of these were
related to lack of medical insurance.
• HIPAA targets the uses and disclosures of Protected Health
Information. PHI is any patient-identifiable health and/or billing
• Investigations and fines are handled by the Office for Civil Rights
• Cases are referred to the Dept. of Justice for prosecution (500+ cases
Health Insurance Portability & Accountability Act
HIPAA Privacy Rule gave patients 6 new civil
rights. Requires delivery of a Notice of Privacy
Practices before the first service, contractual
agreements for privacy between Organizations,
and mandatory internal and government
reporting with mitigation of violations.
HIPAA Security Rule focuses on the
Confidentiality, Integrity, and Availability
of patient-identifiable electronic health and
billing information. There are Organizational
requirements, and safeguards include
administrative, physical and technical
HITECH expands penalties, requirements, and
enforcement capacity. Expands the definition
and responsibilities of a Business Associate
(BA) to the same level as CE (Covered Entity).
Requires HHS proactive auditing of CE’s. Adds
patient right to Cash Restrictions. Requires
patient notification within 60 days of PHI
breach with potential harm. Requires that any
breach over 500 patients is reported to HHS,
media outlets, and patients. It also provides
Meaningful Use incentives for Providers to use
OMNIBUS The “Final Rule” expands requirements for BA’s and
their subcontractors, increases penalties, expands HHS audit
numbers, and audit scope where evidence of willful negligence
is found. Huge increases in fines. It requires the CE to audit
compliance of its Business Associates. BA’s are directly liable for
their breaches. It changes the definition of Business Associate
and “breach notification”. Lack of BA contract does not prevent
the BA designation. State Attorneys General are given “private
right to action” to prosecute on a patient’s behalf (the state gets a
percentage). Genetic information is now PHI. Decedent info is no
longer PHI 50 years after death. Documented Risk Analysis is now
required for incidents not reported to HHS due to low probability
that PHI was “compromised”. Patients can ask for records in
electronic format and must accommodate if reasonable. Entities
that create, receive, maintain or transmit ePHI for CE’s are now
BA’s. BA’s must provide an accounting of disclosures if requested.
Business associates will be subject to audits, compliance reviews,
and enforcement actions by HHS.
It’s been updated several times!
10 Transactions that Define a “Covered Entity”
1. Health Care claims or equivalent encounter information
2. Health care payment and remittance advice
3. Coordination of benefits
4. Health care claim status
5. Enrollment and disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization
9. First report of injury
10. Health claims attachments
Note: HHS generally considers all providers, sites,
and services within an Organization or System to be
Who Is A
HIPAA Covered Entity?
• A Covered Entity (CE) is someone with a
direct (face-to-face) patient care
relationship. No authorization is
required for PHI release for purposes of
treatment, payment and CE operations.
• Everyone at Springfield Clinic is
considered part of the same covered
entity. Internally releasing patient
information without patient consent is
Who Is A Covered Entity
Outside the Clinic?
• Any Provider with either a face-to-face patient relationship or
who processes transactions using electronic patient
• Any Health Care Plan paying for patient services
• Any Clearinghouse providing healthcare billing services
• Interpreters; Dentists; NP’s, PA’s, Counselors, Therapists
• Medical Benefits Coordinator for ANY residential facility
– Law enforcement officials holding prisoner in custody
– Residential, Group & Nursing homes
• School Nurses (only when evaluating students or
De-identifying PHI is the only legal way to transmit in an unsecured transmission.
Consult with I.T. before using ePHI on personal devices.
To de-identify information, call the ROI Services Manager in HIM Correspondence.HIPAA Protects Patient-identifiable Health and/or Billing
Information, So What Constitutes Identifiers?
2. Street address
5. All dates (admit/discharge, DOS, date of death)
6. First 3 digits of zip only (if population > 20,000)
7. any geographic divisions smaller than state
8. age (if 90 or more, report age as “90+”)
9. Telephone, cell, or other personal number
10. Fax Number
11. URL and IP addresses (e-mail/internet)
12. VIN and serial numbers (vehicle)
13. Full face photos
14. Tattoos and any unique physical anomalies
15. Medical Record Number
16. Account Number
17. Insurance plan numbers
18. Device identifiers and serial numbers
19. Biometrics including fingerprint, voice, iris
20. Certificate/License Numbers
De-identifying PHI is considered a “safe harbor” for transport or storage.
However there must be a procedure in place, to de-identify and re-identify
accurately. Encryption is more commonly used.
Degree of Culpability/ “State of
Maximum Annual Cap for All
Violations of Identical HIPAA
Violation was not known and could
not have been discovered with
$100 - $50,000 $1,500,000
Reasonable cause for violation, not
due to willful neglect
$1000 - $50,000 $1,500,000
Violation due to willful neglect, but
corrected in 30 days
$10,000 - $50,000 $1,500,000
Violation due to willful neglect, not
corrected in 30 days
•Violations are counted up “based on the nature of the … obligation to act or not to act.”
New factors - # of persons affected by the violation, potential harm to those persons’
reputations and finances.
•Generally, monetary penalties will be tallied on a per person and per day basis. A
violation should be corrected promptly within 30 days. Delaying beyond the timeframe
will foreclose certain defenses that could decrease monetary penalty amounts.
•The maximum annual cap of $1.5 million is applied on a “per provision” basis.
•Monetary penalty system is as follows:
HIPAA Rule: Provide Minimum
Necessary Information Per
• It is the individual’s responsibility to
provide no more than the “minimum
necessary” patient information to satisfy a
request or to complete a transaction.
• The only exception to minimum necessary
is releasing health and/or billing
information to another Provider.
Patient Rights Under HIPAA
• If we accept terms or conditions
requested by the patient they must be
• Please contact the Privacy Office
when patients assert the civil rights
reviewed on the following slides.
The Right To Review their Health and/or
• Patients may ask to sit with us and review their
medical and billing records, which is a Health
– (Call the Privacy Office Staff)
• They may ask for paper or electronic copies in any
preferred format and we generally must provide this
(Behavioral Health Records may be an exception –
– (Call Health Information Mgmt. - Correspondence)
The Right To Request Amendment of
Their Health Or Billing Information
• When the patient disagrees with statements in the
record, it is their right to ask the author to change the
– (Refer them to the Privacy Office)
• The provider may refuse the amendment if he/she
feels that the content is “complete and accurate” as
it is, or if the information came from another source
• The Privacy Office assists the patient in adding a
rebuttal letter to the disputed content if amendment
The Right To Request
• When a patient asks us to change our
normal method of communicating with
him or her.
• HIPAA states that where we can we
should. Remember that this type of
request applies to all Clinic computer
systems and offices. Let the Privacy
Office handle it.
The Right To Request
When a patient asks us to change the way we internally
flow their PHI through our transaction processes.
– (It is critical to call the Privacy Office)
• Don’t give my records to the worker’s Comp
• Don’t let the receptionist ay my doctor’s office
see my information (she’s my ex sister-in-law)
• Don’t send information to my other doctors
The Right To An
• When a patient asks “Where have you sent my
information without my authorization”?
– (Call the Privacy Office)
• We must supply a listing of 6 years of past
• With an EHR, we must include all electronic
transactions as of 1/1/14.
The Right to a Paper Copy of the
Notice of Privacy Practices
• HIPAA requires that patients receive the Notice of Privacy
Practices (NPP) before their first service with a covered
• The purpose is to:
– Assist the patient in choosing a provider based on our uses and
disclosures of their PHI
– Inform them of their privacy rights under the law
– Provide a contact to complain to when they feel their rights have
• If anyone asks for a privacy notice, please take them to
the nearest reception desk for an NPP (Notice of Privacy
Purpose Of The NPP
• Intent of a public notice
• To help patients choose between
• To explain rights given to individuals
• To inform a patient where to complain
if rights are violated
The Right to Receive Their PHI
Electronically in Their Preferred Format
• Patients now have the right to ask for their
PHI in their preferred electronic format.
We must accommodate if reasonable to
• We must provide a reason why if we
decline and ask for another preference.
The Right to Request a
HITECH Cash Restriction
• Any patient may request that today’s services
not be submitted to insurance, and if he/she
meets conditions, we must allow it.
• In order to allow this cash restriction, the patient
must request it before the visit is completed, and
pay up front total charges for today.
• When those conditions are met, we must never
release this information to the insurer (even in
HIPAA Says: No Snooping!
Five medical workers have been fired over patient data
breaches at Cedars-Sinai Medical Center. The audit was
triggered by Kim Kardashian’s delivery of daughter North West
on June 15, 2013. Kim’s family suspected a leak of information
at Cedars-Sinai after media reports included undisclosed
details of the stay.
Four of the workers logged onto the hospital’s information
system to access patient records, as employees of local
physicians with staff privileges at the hospital.
The others included a Medical Assistant, a Foundation
employee, and a volunteer student research assistant.
After “Octomom’ was discharged, Kaiser Permanente fired 15
employees and disciplined 8 more for inappropriate access.
After Fashion Designer Gianni Versace passed away, 5
employees were fired for inappropriate access.
UCLA paid $865,500 for breach of celebrity privacy. The audit was
2005-2009 where breaches had been reported on dozens of
celebrities, including Britney Spears, Farrah Fawcett, and
• Extra sensitivity for well-known patients is required. Access audits are likely on
VIP’s, such as celebrities, politicians, or recent news stories.
• Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.
• Clinic Policy states that all health and health-
related services and programs provided by the
Clinic are available and accessible equally to
patients who are hearing impaired, and to
those with limited English proficiency (“LEP”).
• Interpreters shall receive payment for services
performed only upon submitting a Clinic form
invoice, which is verified or endorsed by a
May I discuss treatment information with a
visitor present in the exam room?
• The patient has implied consent to discuss
treatment-related information by allowing them
in the treatment room.
• Include the visitor by name and relationship in
• Best practice is always to ask the visitor to
step out at some point and ask the patient if
there is anything they wish to discuss privately
at this time. Also inquire as to social history
and any potential abuse issues.
Good to Know!
• A visitor brought to the exam room is
only allowed to be privy to the
discussion during the exam. For an
adult patient, even a parent’s presence
does not provide access to any
additional information later, regarding
that visit (or any other encounter)
without a signed patient authorization.
Authorized Patient Representatives
May I release information to a patient’s
healthcare power of attorney?
– Watch this! Typically a POA for healthcare may only
access a patient’s information after the patient is
deemed incapacitated. However, some forms state
they are effective on the date signed.
– You must read the form to see if it is activated.
– This is different from a non-healthcare POA.
– Protect yourself and do not act on a POA unless the
document is in patient’s record!
• A Business Associate is defined as a
business or person who is hired to
assist with daily operations, and whose
job requires them to have access to
• HIPAA requires written contracts with
legally specific language which
requires that BA to handle all PHI
according to HIPAA rules even when
Is It Okay to E-mail Patient
Information to Another Provider?
• Students are not allowed to do this
at Springfield Clinic.
• Please discuss any need to
disclose PHI with the ROI Services
Manager in Health Information
How Can I Reach the Privacy Office?
The phone directory lists us under Privacy Office.
• Information Privacy Officer
– Linda Meadows ext. 14540
• Privacy Operations Manager
– Nancy Cardinale-Lower ext. 14216
• Privacy Operations Analysts:
– Dawn Kane ext. 14245
– Farrah Reagon ext. 14217
– Danielle Dellaquila ext. 14278
• Privacy Support Specialist
– Safron Squires ext. 14198
Let’s Test Your Skills
• Answer each of the following questions.
Click here to access the quiz.
• Be sure to click on SUBMIT THE QUIZ in
order to meet your training requirement.
• Thank you!
for completing this
Helping to educate our students
about privacy and security rules is
part of the Clinic’s ongoing mission to
provide the highest quality of
healthcare to the people of Central