Annual Training for IRB and other Clinical Research Professionals

1. Created 5/2017
HIPAA and the Security of
Electronic Protected Health
Information in Research
May 23, 2017
1

2. USA is a HIPAA Hybrid
Entity
A Hybrid Entity performs both covered and non-covered
functions under the HIPAA Rules.
• Healthcare components and components of USA that perform
Business Associate type of functions (such as: legal or computer
services)within USA are required to comply with HIPAA .
• Individuals who perform support services for both USA HIPAA
healthcare components and USA non-covered functions (such
as: non-healthcare academic departments) are prohibited from
using or sharing PHI obtained in the course of furnishing services
for HIPAA covered healthcare components.
• HIPAA treats the covered and non-covered functions as legally
separate entities and no PHI may be shared or disclosed without
the patient’s written authorization.
• USA Health- Organized Health Care Arrangement (OHCA)
2

3. Overview of Topics
This presentation addresses items that are pertinent to HIPAA Privacy and
Security for those conducting research within USA.
• What is Protected Health Information (PHI);
• Unauthorized accesses, Breaches, Disclosures;
• HIPAA identifiers that create protected health information (PHI);
• HIPAA Security;
• Institutional Review Board (IRB) research;
• IRB approval process;
• Data access and retrieval process;
• IRB cloud storage drive;
• OCR Audits and recent HIPAA Breaches.
3

4. PHI
definedPHI is generally defined as:
Any information that can be used to identify a patient – whether
living or deceased – that relates to the patient’s past, present,
or future physical or mental health or condition, including
healthcare services provided and payment for those services.
Employees may access the minimal necessary PHI
to perform their job-related duties.
4

5. Forms of Protected Health Information
(PHI)
It is the responsibility of every employee to
protect the privacy and security of protected health information
inALL forms.
printe
d
spoke
n
Electronic (data in motion or at rest)
Protected Health Information exists in various
forms…
5

6. Examples of
Protected Health Information(PHI)
• Social Security
numbers
• credit card numbers
• driver’s license
numbers
• patient clinical information
• research data
• computer passwords
• Individually identifiable
health information
The improper use or disclosure of protected health
information presents the risk of identify theft, invasion of
privacy, and can cause harm and embarrassment to
students, faculty, staff, patients, and USA Health. Breaches
of information privacy can also result in criminal and civil
penalties for both USA Health and those individuals who
improperly access or disclose protected health information,
as well as, disciplinary actions for responsible USA
employees.
Every employee must
protect the privacy and security of PHI.
6

7. Covered Entities
Have a Duty to Protect
PHI
A covered entity is any person or organization that
furnishes, bills, or is paid for health care services in
the normal course of business and electronically
transmits any health information in connection with
electronic standard transactions. Pursuant to HIPAA,
individually identifiable health information collected
or created by a covered entity is considered
protected health information or PHI. Departments
that use or disclose PHI are governed by HIPAA
requirements.
7

8. For PHI to be considered de-identified, the
following identifiers must be removed:
• Patient names
• Geographic subdivisions
(smaller than state)
• Telephone numbers
• Fax numbers
• Social Security Numbers(SSN)
• Vehicle identifiers
• E-mail addresses
• Web URLs and IP addresses
• Dates (except year)
• Names of relatives
8
• Full face photographs
or identifiable images
• Healthcare record numbers
• Account numbers
• Biometric identifiers
(fingerprints or
voiceprints)
• Device identifiers
• Health plan
beneficiary numbers
• Certificate/license
numbers
• Any other unique number,
code, or characteristic that
can be linked to an
individual.

9. Access Must be
Authorized
Except in very limited circumstances, if an employee
accesses or discloses PHI without a patient’s written
authorization or without a job-related reason for doing so, the
employee violates USA Health HIPAA Policies and
Procedures.
An employee may only access or disclose a
patient’s PHI when this access is part of the
employee’s job duties.
9

10. Unauthorized Access
It is never acceptable for an employee to look at
PHI “just out of curiosity,” even if no harm is
intended (i.e., retrieving an address to send a get
well card).
It also makes no difference if the information
relates to a “high profile” person or a close
friend or family member –ALL information is
entitled to the same protection and must be
kept private.
These rules apply to all employees, including
health care professionals.
Be aware that accessing PHI of someone involved in a divorce,
separation, break-up, or custody dispute may be an indication of
intent to use information for personal advantage, unless the access
is required for the individual to do his job. Such improper behavior
will be considered by USA Health when determining disciplinary
10

11. Breaches
A breach occurs when information that, by
law, must be protected is:
• lost, stolen or improperly disposed of (i.e.
paper or device upon which the
information is recorded cannot be
accounted for);
• “hacked” into by people or mechanized
programs that are not authorized to have
access (e.g. the system in which the
information is located is compromised
through a Virus, or Malware); or
• communicated or sent to others who
have no official need to receive it
(e.g. gossip about information
learned from a medical record).
11
Types of
Breaches
reported
(as of 5/2016) Percent
Theft 46%
Unauthorized
Access/
Disclosure
24%
Hacking/IT 12%
Loss 9%
Improper
Disposal
3%
Other/
Unknown
7%

12. Penalties for Breaches
Breaches of the HIPAA Privacy and Security Rules have serious
ramifications for all involved. In addition to sanctions imposed by
USA Health, such breaches may result in civil and criminal penalties.
Multiple types of HIPAA violations can result in penalties exceeding
$1.5 million.
12

13. Employees Must Report
BreachesPart of your responsibility as an employee is to report privacy or security
breaches involving PHI to your supervisor AND the HIPAA Compliance
Office. Even if you are not sure whether an incident or action involves
a breach, it is your responsibility to notify so that it
can be investigated.
Employees, volunteers,students,or contractors of USA may
not threaten or take any retaliatory action against an
individual for exercising his or her rights under HIPAA or for
filing a HIPAA report or complaint, including notifying of a privacy or security breach.
Reports may be made via telephone by calling the
Compliance Hotline 251- 445-9192, 24 hours a day,
365 days a year. You may choose to remain
anonymous.
13

14. Breach
Notification
RequirementsAny impermissible use or disclosure that compromises PHI or
other sensitive information may trigger breach notification
requirements. Depending upon the results of a risk analysis of the
impermissible use or disclosure, breach notification may have to be
made to:
• the Department of Health and Human
Services, Office of Civil Rights (OCR);
• all individuals whose information was breached or disclosed;
and
• the media.
Letters of explanation describing the circumstances may have to be
sent to responsible parties. Abreach can significantly impact both the
economic and human resources of USA. The estimated average cost
in a data breach can exceed $200 per compromised record. In
addition, a breach has great potential to harm the reputation of USA. 14

15. Disclosures of PHI
HIPAA regulations permit use or disclosure of PHI for:
• providing medical treatment
• processing healthcare payments
• conducting healthcare business operations
• public health purposes as required by law
Employees may not otherwise access or disclose PHI unless:
• the patient has given written permission
• it is within the scope of an employee’s job duties
• proper procedures are followed for using data in
research
• required or permitted by law
Note: the Final Rule now protects the PHI of a deceased
individual
for period of 50 years following the death of that individual. 15

16. HIPAA Security Rule
The HIPAA Security Rule concentrates on safeguarding
PHI by focusing on the confidentiality, integrity, and
availability of PHI.
Confidentiality means that data or information is not
made available or disclosed to unauthorized persons or
processes.
Integrity means that data or information has not been
altered or destroyed in an unauthorized manner.
Availability means that data or information is
accessible and useable upon demand only by an
authorized person.
16

17. Security
Standards/SafeguardsUSA Health is required to have administrative, technical, and
physical safeguards in place to protect the privacy of PHI.
Safeguards
must:
Protect PHI from accidental or intentional
unauthorized use/disclosure in computer
systems (including social media networking
sites such as Facebook, Twitter and others) and
work areas;
Limit accidental disclosures (such as PHI
discussions in waiting rooms and hallways); and
Include practices such as encryption,
document shredding, locking doors and file
17

18. Malicious
Software
Viruses, worms, spyware, ransomware, and spam are examples of
malicious software, sometimes known as “malware.”
Antivirus and anti-spyware software can be utilized for protection.
These should be updated regularly with patches.
Safe Internet browsing habits can also reduce the likelihood of an
infection; do not open email or click on embedded links from an
unknown or untrusted site.
If the computer or mobile device you are using is approved for storage
of work-related sensitive information, personal use of the web is not
recommended.
18

19. Viruses
Another major threat to USA’s
information system and to your data
is computer viruses.
• Viruses “infect” your computer by modifying how it operates
and, in many cases, destroying data.
• Viruses spread to other machines by the actions of users,
such as opening infected email attachments.
• Viruses can forward PHI to unauthorized persons by
attaching themselves to documents, which are then
emailed by the virus.
• Newer viruses have their own email engines, enabling them to
send email without having to use an email client or server.
• Many viruses also install a “backdoor” on affected computer
systems allowing for unauthorized access and collection of
PHI.
19

20. Ransomware
Ransomware is a type of malicious software designed to encrypt
data, which then blocks access to a computer system until a sum of
money is paid.
20
• Fastest growing malware threat – on average there are 4,000
attacks daily
• Ransomware can be downloaded onto systems when
unsuspecting users visit malicious or compromised websites.
However, most ransomware arrives in some sort of email
attachment, along with a message that encourages you to open
the file and look at it.

21. Spam and
PhishingSpam is an unsolicited or “junk” electronic mail
message, regardless of content.
Spam usually takes the form of bulk advertising
and may contain viruses, spyware, inappropriate
material, or “scams.”
Spam also clogs email
systems.
Phishing is a particularly dangerous form of spam that seeks
to trick users into revealing sensitive information, such as
passwords.
REMEMBER: USA will never ask you to disclose
passwords, social security numbers, or other sensitive
information via email.
Questions?
Call HSIS at 445-9123 or
the Office of HIPAA Compliance (OHC) at 445-9192
21

22. Safe Computing and Email
Use
See USA Health Privacy Policy # 5- Safeguarding Protected Health
Information and HIPAA Security Policy # 25- Use of Mobile Devices
for Computing and Data Storage
 Mobile Devices are not approved for storage of PHI without prior
Administrative approval unless they are part of a designated Health
System Information System.
 Encryption is required when a USA Health employee sends or receives
PHI to a destination address outside the USA Health network. Always use
#secure in the subject line.
 When traveling, working from home, or using a mobile device, an
employee whose work involves the transmission of PHI must encrypt the
data UNLESS the employee uses a VPN connection AND transmits data
only to a destination within the secure network.
 Do not open email attachments if the message looks the least bit
suspicious, even if you recognize the sender. “When in doubt, throw it out.”
 Do not respond to “spam” – simply discard or delete it, even if it
has an “unsubscribe” feature.
22

23. Password Control
Many security breaches come from within
an organization and many of these occur
because of bad password habits.
• Use strong passwords where possible (at least 7 characters,
containing a combination of letters, numbers, and special
characters).
• Change your passwords frequently (90 days) to prevent hackers
from using automated tools to guess your password.
• It is a violation of USA Health Policy to share your password with
anyone.
• Electronic audit records track information based on activity
associated with user IDs .
23

24. Employee
Responsibiliti
es
 Avoid storing sensitive information on mobile devices and portable
media, but if you must, use encryption.
 Always keep portable devices physically secure (under lock
and key) to prevent theft and unauthorized access.
 Access information only as necessary for your
authorized job responsibilities.
 Keep your passwords confidential.
 Comply with USA Health’s HIPAA Security and Privacy policies.
 Report to your supervisor and the USA Office of HIPAA Compliance
the loss or misuse of devices storing PHI or other Sensitive
Information promptly.
24

25. Appropriate Disposal of
DataObserve the following procedures for the
appropriate disposal of Sensitive Information,
including PHI.
• Hard copy materials such as paper or microfiche must be properly
shredded or placed in a secured bin for shredding later.
• Magnetic media such as diskettes, tapes, or hard drives must be
physically destroyed or “wiped” using approved software and procedures.
Contact HSIS or the Office of HIPAA Compliance for more information.
• CDs and DVDs must be rendered unreadable by shredding, defacing the
recording surface, or breaking.
25
Sensitive information and PHI should
never be placed in the regular trash!

26. What if there is a breach of
confidentiality?
Breaches of USA Health HIPAA policies or an
individual’s confidentiality must be reported to the
employee’s supervisor AND the Office of HIPAA
Compliance as soon as possible.
USA Health is required to take reasonable steps to lessen harmful
effects of a confirmed breach involving compromised PHI.
This includes notifying individuals whose information has been
breached. USA Health must report breaches to the Secretary of Health
and Human Services.
26

27. Disciplinary
Actions
Individuals who violate USA Health’s
HIPAA Policies will be subject to
appropriate disciplinary action, up to
and including termination, as outlined
in USA Health Human Resources and
HIPAA policies, as well as subject to
possible criminal or civil penalties.
27

28. Research Data
HIPAA regulates how PHI may be obtained and
used for research. This is true whether the PHI
is completely identifiable or partially “de-identified”
in a limited data set.
A researcher or healthcare provider is not entitled to use PHI in
research without the appropriate HIPAA documentation, including an
individual patient authorization
or
an institutionally approved waiver of authorization.
HIPAA requirements for accessing and using PHI in
research are explained on USA Office of Research
Compliance and Assurance webpage under Human
Subjects.
28

29. IRB Approval Process
• Submission of research application
• Research registration form
• HIPAA waiver
• HIPAA acknowledgement of research
application
• IRB approval (required for research to
begin.)
29

30. Data AccessRetrieval
Process
• Hospitals- Medical Records process
• Ambulatory clinics- Clinic operations
• Lack of Compliance
• Researchers requesting more PHI than what has been
approved
• EMR review not permitted unless approval granted
30

31. IRB Cloud Storage Drive
Where should research data be stored?
• All research data
• Intellectual property
IRB Cloud storage includes:
• Free storage
• Back-up protection
• Access from anywhere
• Secure encrypted connection
31

32. 32
Office of Civil Rights(OCR) Audit
• The audit program is an important part of OCR’s overall health
information privacy, security, and breach notification compliance
activities.
• After completion of audit, the OCR will review and analyze
information from the final reports.
• The OCR may apply a penalty on the Covered Entity (CE) if the
findings show the CE is violating HIPAA rules.

33. 33
Recent HIPAA Breaches
• Advocate Health Care Network
In 2013, 4 unencrypted laptops were stolen from Advocate,
the largest health care system in Illinois. The combined
breaches affected the ePHI of approximately 4 million
individuals. This settlement is the largest to-date against a
single entity - $5.55 million.
• St. Joseph Health
PHI of 31,800 individuals was publicly accessible on the
internet due to a server setting that was not securely
configured. The resolution agreement of this breach was
$2.14 million.
• University of Mississippi Medical Center
OCR leveled a $2.75 million fine against the medical center
when a password-protected laptop went missing. The
breach impacted about 10,000 patients. Investigators
discovered UMMC was aware of risks and vulnerabilities to
its systems as far back as April 2005, yet took no action to
avoid it.

34. 34
HIPAA Resources
USA Office of HIPAA Compliance
Linda Hudson, Chief HIPAA Compliance Officer
470-5802 lhudson@health.southalabama.edu
Thad Phillips, Asst Chief, HIPAA Comp/Security
410-4550 tphillips@health.southalabama.edu
Cynthia Holland, HIPAA Audit Coordinator
471-7621 cholland@health.southalabama.edu
MCI
Cindy Nelson, Mgr, MCI Clin & Res Systems
445-9849 crnelson@health.southalabama.edu