3. STORING PATIENT INFORMATION ON LAPTOPS…
• THE #1 HIPAA VIOLATION IS A RESULT OF STORING PHI ON UNSECURED LAPTOPS.
• IF PHI MUST BE ACCESSED REMOTELY, IT IS BEST TO CONSIDER UTILIZING CLOUD STORAGE FOR SECURITY.
4. EMPLOYEES INAPPROPRIATELY ACCESSING, USING OR TRANSMITTING PHI…
• MOST COMMON HIPAA VIOLATIONS INVOLVE HEALTHCARE EMPLOYEES ACCESSING FILES INAPPROPRIATELY, EITHER OUT OF CURIOSITY OR MALICIOUSLY.
• USING CLEARANCE LEVELS AND ID CODES FOR ACCESSING PHI WILL DISCOURAGE THIS BEHAVIOR.
5. THE LOSS OF BACKUP DISKS OR PORTABLE DRIVES…
• LAST YEAR, AN ATLANTA-BASED HOSPITAL SYSTEM MISPLACED 10 BACKUP DISKS STORING THE PHI OF OVER 315K PATIENTS.
• ACCOUNTABILITY LOGS AND THOROUGH RECORDS SHOULD BE KEPT WHEN DEALING WITH BACKUP DISKS, AND THUMB DRIVES SHOULD BE PASSWORD PROTECTED AND ENCRYPTED.
6. COMPUTER HACKING…
• IN 2012, THE UTAH DEPARTMENT OF HEALTH CONFIRMED THAT A SERVER WITH THE PHI OF MORE THAN 780K PATIENTS HAD BEEN HACKED INTO, LEAKING ADDRESSES, BIRTH DATES, SOCIAL SECURITY NUMBERS, DIAGNOSIS CODES, ETC.
• ENCRYPTION, FIREWALLS, AND OTHER SECURITY MEASURES ARE IMPERATIVE TO
7. FAILURE TO RELEASE PATIENT INFORMATION IN A TIMELY MANNER…
• ANOTHER ADDITION OF THE FINAL OMNIBUS RULE IS THE REQUIREMENT OF MEDICAL FACILITIES TO RELEASE ELECTRONIC COPIES OF MEDICAL RECORDS TO PATIENTS UPON REQUEST.
• SHOULD YOUR FACILITY BE UNABLE TO RESPOND TO THE REQUEST IN A TIMELY MANNER, YOU COULD BE FINED.
• IF YOUR FACILITY IS NOT CURRENTLY EQUIPPED TO PROCESS ELECTRONIC FILES,
8. ERRORS IN PAPER FILE STORAGE AND DISPOSAL…
• SOME OF THE MOST COMMON HIPAA VIOLATIONS OCCUR AS A RESULT OF HUMAN ERROR.
• IT'S ALL TOO EASY FOR AN ADMINISTRATOR TO INCORRECTLY FILE A PATIENT'S RECORD, OR MISTAKENLY DISCARD A PRIVATE DOCUMENT WITHOUT SHREDDING IT.
• BREACHES LIKE THESE CAN BE AVOIDED BY SWITCHING TO AN ELECTRONIC FILING
9. RELEASE OF INFORMATION AFTER AUTHORIZATION PERIOD HAS EXPIRED…
• INSIST THAT YOUR STAFF TAKE THE TIME TO VERIFY THE EXPIRATION DATES ON HIPAA AUTHORIZATIONS EACH TIME THAT A RELEASE OF INFORMATION REQUEST COMES THROUGH.
• ALTHOUGH EVERYTHING ELSE MAY APPEAR TO BE IN ORDER, IF THE REQUEST FOR INFORMATION COMES IN AFTER THE EXPIRATION DATE, A NEW AUTHORIZATION FORM WILL NEED TO BE COMPLETED.
10. FAILURE TO ESTABLISH CONTRACTS WITH BUSINESS ASSOCIATES…
• THE FINAL OMNIBUS RULE HAS EXTENDED THE UMBRELLA UNDER WHICH AN ENTITY'S “BUSINESS ASSOCIATE” MAY FALL.
• SHOULD YOUR BUSINESS EMPLOY ANY OUTSIDE PARTY TO HANDLE, PROCESS, OR TRANSMIT PHI, YOU MUST IMMEDIATELY ESTABLISH A NEW CONTRACT WITH THE AGENCY.
• IN THIS CONTRACT, YOUR BUSINESS
11. EXCLUSION OF “RIGHT TO REVOKE” CLAUSE…
• YOUR PATIENTS HAVE THE RIGHT TO REVOKE THEIR HIPAA AUTHORIZATION, AND THIS RIGHT SHOULD BE CLEARLY STATED ON THE HIPAA FORM, LEST THE AUTHORIZATION BECOME INVALID.
12. INCOMPLETE HIPAA AUTHORIZATION FORMS…
• BEFORE RELEASING ANY INFORMATION TO OUTSIDE PARTIES, IT IS IMPERATIVE THAT YOU DOUBLE AND TRIPLE CHECK TO ENSURE AUTHORIZATIONS ARE COMPLETED FROM TOP TO BOTTOM.
• THE FORM SHOULD CLEARLY LIST THE PATIENT'S NAME, THE PARTY OR PARTIES TO WHOM INFORMATION MAY BE RELEASED, WHICH SPECIFIC ASPECTS OF THEIR MEDICAL RECORDS CAN BE RELEASED, AND THE DATE THROUGH
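The pre-release check that slides 9, 11 and 12 describe (expiration date, right-to-revoke statement, completed form), written out as an added example; this is not code from the presentation, and the field names and the sample form are assumed.

```python
from datetime import date

# Contents slide 12 says every authorization form must show, plus the right-to-revoke
# statement from slide 11. The field names are assumed; the slides name no schema.
REQUIRED_FIELDS = ("patient_name", "recipients", "information_scope",
                   "expiration_date", "right_to_revoke_stated")


def validate_authorization(form, request_date):
    """Return the problems found; an empty list means the release may proceed.

    Order of checks: the form is complete (slide 12), it states the patient's right
    to revoke (slide 11), and the request arrived no later than the expiration
    date (slide 9). An incomplete form is rejected before anything else is judged.
    """
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS
                if form.get(name) in (None, "", [])]
    if problems:
        return problems
    if form["right_to_revoke_stated"] is not True:
        problems.append("right-to-revoke clause not stated; the authorization is invalid")
    expires = date.fromisoformat(form["expiration_date"])
    if request_date > expires:
        problems.append(f"authorization expired {expires.isoformat()}; a new form is required")
    return problems


# Constructed sample form; the patient and recipient are fictitious.
SAMPLE_FORM = {
    "patient_name": "Jane Doe",
    "recipients": ["Example Cardiology Clinic"],
    "information_scope": ["lab results", "discharge summary"],
    "expiration_date": "2014-12-31",
    "right_to_revoke_stated": True,
}


def demo():
    """Run the validator over the sample form and three defective variants of it."""
    in_time, late = date(2014, 6, 1), date(2015, 1, 2)
    no_revoke = dict(SAMPLE_FORM, right_to_revoke_stated=False)
    incomplete = {k: v for k, v in SAMPLE_FORM.items() if k != "information_scope"}
    return {
        "valid": validate_authorization(SAMPLE_FORM, in_time),        # []
        "expired": validate_authorization(SAMPLE_FORM, late),         # past expiration
        "no_revoke": validate_authorization(no_revoke, in_time),      # clause missing
        "incomplete": validate_authorization(incomplete, in_time),    # field missing
    }
```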
15. THIS POWERPOINT PRESENTATION WAS CREATED BY NUR353 WORK GROUP C AND INCLUDES PARTICIPATION BY THE FOLLOWING MEMBERS:
• Mary Edwards, RN
16. TRANSITION FROM PAPER TO ELECTRONIC:
• A statement by the American Health Information Management Association suggests the complete transition from paper charting to an electronic medical record system to be a best practice.
• The use of or consultation involving a nurse with informatics experience and a health information technology specialist is critical to making the transition to the electronic record a reachable goal.
• Staff education on the electronic system and time to practice using the electronic health record will be essential steps in the transition to the electronic system.
17. HIPAA REQUIREMENTS OF ELECTRONIC MEDICAL RECORDS
A healthcare facility is obligated to identify any possible threats to patient records, assess any specific vulnerabilities in filing systems, and determine a reasonable level of safeguards for patient information.
Facilities are required to implement any and all defense mechanisms to ensure patient records are protected.
18. WHAT HEALTH INFORMATION IS PROTECTED?
• Names
• Dates relating to a patient (e.g. birth dates, dates of treatment, dates of admission or discharge, and dates of death)
• Telephone numbers, addresses, other contact information
• Social Security Numbers
• Medical record numbers
• Photographs
• Fingerprints and voice prints
• Any other identifying number
• An individual's health information (health information is protected even without the patient's name on it if the information helps identify the patient)
19. WHO MUST COMPLY?
• Health Care Providers
• Health Care Clearinghouses (e.g. billing services)
• Health Plans
• Any Health Care Provider who transmits health information in electronic form in connection with a transaction
20. WHO IS EXEMPT FROM THE PRIVACY RULE?
Those covered by the privacy rule of the HIPAA act do not include group health plans administered or maintained by an employer with fewer than 50 employees.
The privacy rule does not apply to workers' compensation or automobile insurance companies.
21. THERE ARE SEVERAL LAYERS TO MAINTAINING THE SECURITY OF THE ELECTRONIC MEDICAL RECORD
• PHYSICAL SECURITY
• NETWORK SECURITY
• USER SECURITY
• SYSTEM SECURITY
22. PHYSICAL SECURITY CONSIDERATIONS
• Is it possible for the computers that store the confidential information to be stolen?
• Keep all computers used to store confidential information, as well as the server, in a locked and secure area of the healthcare facility.
• Limit access to the area where the server is stored.
23. NETWORK SECURITY CONSIDERATIONS
• Is it possible for unauthorized persons outside the healthcare facility to access patient records?
• Can a hacker get access to the protected information?
• Make use of multiple firewalls; using only one firewall is not enough protection to prevent hackers from gaining access to protected information.
• Use anti-spyware software.
• Use IT personnel or a technical expert to maintain the network system.
24. PROTECT THE PATIENT'S INFORMATION:
• Be careful about entering identifiable patient information into emails.
• Some emails can become public information and can be used in legal disputes.
• When using fax machines, be sure to protect the patient information by limiting who receives the information or limiting the patient-identifiable information that is contained in the fax.
• Only disclose patient-identifiable information on a need-to-know basis.
25. USER SECURITY CONSIDERATIONS
• Require password protection to access confidential patient files.
• Utilize a user management system to determine which staff members will have access to certain levels of private information.
• Make use of the management system to require password changes every 90 days.
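An added example, not code from the presentation, of the user-security controls on this slide combined with the clearance levels, ID codes and accountability log from slides 4 and 5: every PHI read is gated on a current password and sufficient clearance, every attempt is logged, and the log is reviewed for the "out of curiosity" pattern. The sensitivity levels, user records, dates and the review threshold are all assumed.

```python
from dataclasses import dataclass, field
from datetime import date

# Sensitivity levels for PHI categories, lowest to highest (assumed scheme, not from the slides).
LEVELS = {"demographics": 1, "billing": 2, "diagnosis": 3, "psychotherapy_notes": 4}
PASSWORD_MAX_AGE_DAYS = 90  # slide 25: passwords must change every 90 days

@dataclass
class User:
    user_id: str          # the ID code slide 4 refers to
    clearance: int        # highest level this staff member may read
    password_set_on: date

@dataclass
class AccessGate:
    log: list = field(default_factory=list)  # accountability log, one entry per attempt

    def request(self, user, patient_id, category, today):
        """Allow the read only if the password is current and the clearance covers the
        category; record every attempt, allowed or denied, with the reason."""
        needed = LEVELS[category]
        if (today - user.password_set_on).days > PASSWORD_MAX_AGE_DAYS:
            allowed, reason = False, "password older than 90 days; change required"
        elif user.clearance < needed:
            allowed, reason = False, f"clearance {user.clearance} below level {needed}"
        else:
            allowed, reason = True, "ok"
        self.log.append({"date": today.isoformat(), "user": user.user_id, "patient": patient_id,
                         "category": category, "allowed": allowed, "reason": reason})
        return allowed

def curiosity_reads(gate, user_id, limit=3):
    """Days on which a user read more than `limit` distinct patients' records: the
    'out of curiosity' pattern slide 4 warns about (the threshold is illustrative)."""
    by_day = {}
    for e in gate.log:
        if e["user"] == user_id and e["allowed"]:
            by_day.setdefault(e["date"], set()).add(e["patient"])
    return [d for d, patients in by_day.items() if len(patients) > limit]

def demo():
    gate, today = AccessGate(), date(2014, 3, 30)   # constructed users and dates
    clerk = User("clerk01", 2, date(2014, 1, 1))      # password 88 days old: still current
    stale = User("clerk02", 2, date(2013, 12, 1))     # password 119 days old: must change
    nurse = User("rn07", 3, date(2014, 3, 15))
    results = [gate.request(clerk, "P-1001", "billing", today),     # True
               gate.request(clerk, "P-1001", "diagnosis", today),   # False: clearance
               gate.request(stale, "P-1001", "billing", today)]     # False: password age
    for p in ("P-1001", "P-1002", "P-1003", "P-1004"):
        gate.request(nurse, p, "diagnosis", today)                  # 4 distinct patients
    return results, curiosity_reads(gate, "rn07"), len(gate.log)
```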
26. WHO’S LOOKING OVER YOUR SHOULDER?
• Be sure no one else can view the computer screen as you work.
• Only share the necessary patient information to complete the job.
• Discuss patient information in private and not in hallways.
• Keep papers with patient information secure.
• Do not disclose patient information without proper authorization.
27. SYSTEM SECURITY CONSIDERATIONS
• Work with a reputable Information Technology Company.
• Update Security Systems frequently.
• Backup electronic health records on a regular basis.
• Store regular backups in a secure place.
28. REFERENCES
• US Department of Health and Human Services: Health Information Privacy (2014). Summary of the HIPAA security rule. Retrieved March 30, 2014 from http://hhs.gov/ocr/privacy/hippa/understanding/srsummary.html
• Gardner, L. A., & Sparnon, E. M. (2014). Work-arounds slow electronic health record use: a slow transition to electronic records creates a safety hazard. American Journal of Nursing, 114(4), 64-67.
• Filipova, A. A. (2013). Electronic health records use and barriers and benefits to use in skilled nursing facilities. CIN: Computers, Informatics, Nursing, 31(7), 305-318.
30. HIPAA AND INFORMATION TECHNOLOGY
HIPAA of 1996
• States that after leaving an employer, health insurance coverage will continue.
• Provides guidelines related to health information being sent electronically.
www.cdc.gov/mmwr/preview/mmwrhtml/m2e411.htm
31. HIPAA AND INFORMATION TECHNOLOGY
Who is covered?
• Healthcare providers
• Health plans
• Healthcare clearinghouse
www.hhs.gov/ocr/privacy/
32. HIPAA AND INFORMATION TECHNOLOGY
Important Dates
April 14, 2001: HIPAA became effective
August 14, 2002: HIPAA was modified
April 14, 2003: Healthcare entities must be in compliance with regulations
www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm
33. HIPAA AND INFORMATION TECHNOLOGY
HIPAA Privacy Rule
• “Protects the privacy of individually identifiable health information”
• Enforced by the Office for Civil Rights
www.hhs.gov/ocr/privacy/
34. HIPAA AND INFORMATION TECHNOLOGY
Three Parts
• Privacy Rule
  Federal protection
  Health information is protected.
  Health information can be shared to assist in providing care or for insurance benefits.
www.hhs.gov/ocr/privacy/
35. HIPAA AND INFORMATION TECHNOLOGY
Three Parts
• Security Rule
  Administrative, physical, and technical safeguards
www.hhs.gov/ocr/privacy/
36. HIPAA AND INFORMATION TECHNOLOGY
Three Parts
• Breach Notification Rule
  To assure confidentiality, integrity, and availability of health information
www.hhs.gov/ocr/privacy/
37. HIPAA AND INFORMATION TECHNOLOGY
References
Centers for Disease Control and Prevention. (2003). HIPAA privacy rule and public health. Retrieved March 30, 2014 from www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm
US Dept of Health & Human Services. Health information privacy. Retrieved March 30, 2014 from www.hhs.gov/ocr/privacy/