HIPAA Compliance Overview
HIPAA
• Health Insurance Portability and Accountability Act
• Federal law, enacted 1996
• National standards for the security of health data
• Administrative guidelines for:
o Privacy
o Security
o Standard Transactions
HITECH
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Included in the American Recovery and Reinvestment Act (ARRA) of 2009
– Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records
– Meaningful Use
– Added “teeth” to HIPAA
• Wall of Shame: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Always Changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
– Must be given to all clients
• Business Associate (BA) Agreements
– BAs now just as responsible and accountable
• Policies and Procedures
• Training Requirements
• Audits
Additional Mandates
• Mandated Breach Notification
• Expanded Privacy and Patient Rights
• Expanded and Mandated Security
• Enforcement and enhanced monetary penalties
• Office of Civil Rights (OCR) enforcement authority
• State Attorneys General enforcement
Important Definitions
Covered Entity
A Covered Entity is a healthcare delivery organization, including doctors, clinics, hospitals, dentists, nursing homes and pharmacies that transmit data, as well as health plans and healthcare clearinghouses.
Business Associate
A Business Associate is any person or organization that performs functions on behalf of a covered entity that involve the use or disclosure of identifiable health information. Examples include billing and coding vendors.
Security Roles
• Security roles are established to provide governance of the HIPAA program
– Security Compliance Officer
– Privacy Officer
– Workforce Security Manager
– IT Security Manager
– Incident/Breach Manager
– Physical Security Manager
• CIBHS Compliance Officers are:
– Robin Texeira – Security Compliance Officer, Privacy Officer, Incident/Breach and Physical/IT Security Manager
– Hope Alvidrez – Workforce Security Manager
What is Protected Health Information (PHI)?
• Name
• Address
• Dates directly related to patient
• Telephone number
• Fax Number
• Email addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certification/License Number
• Any vehicle license number
• Any device serial number
• Web URL, IP address
• Finger or voice prints
• Photographic images
• Any other unique number, characteristic or code
• Age greater than 89
PHI Details
What is Protected?
All medical records and other individually identifiable health information (PHI) used or disclosed by a Covered Entity in any form: electronic, on paper or oral.
What is Included?
Individually identifiable information that was provided by the client, created by you, or created by another and forwarded to you for payment, treatment or healthcare operations.
Covered Entities Permitted Uses and Disclosures
• A CE is permitted, but not required, to use and disclose PHI without an authorization, for the following purposes:
– To the individual
– Treatment, Payment and Health Care Operations (TPO)
– Opportunity to Agree (having someone in the room during the session)
– Incident to an otherwise permitted use
– Limited Data Set for purposes of research, public health or health care operations
Patient Rights under HIPAA
• To see their medical record
• Obtain a copy of their medical record
• Request amendments to their medical record
• Request disclosure restrictions
– Private Pay
– Certain other disclosures, including research and marketing
Patient Rights under HIPAA
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures (not TPO)
• To authorize disclosures
• Timely notification of any breaches
• Secure Communications
• Confidential communications when requested
California Specific Regulations
California laws that protect medical information:
• The Confidentiality of Medical Information Act (CMIA)
• The Information Practices Act (IPA)
• The Patient Access to Health Records Act (PAHRA)
• The Insurance Information and Privacy Protection Act (IPPA)
Now, the Rules
Security and Privacy Rules
• According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic PHI (ePHI)
• The HIPAA Privacy Rule sets a national standard for the protection of certain health information; it addresses the use and disclosure of PHI and sets standards for privacy rights so that patients can understand and control how their health information is used
Security Rules
• In May 2005, the Security Rule was implemented. Some of what it covers:
– Access control: who can access PHI
– Computer protections against viruses and malware
– Strong passwords
– Remote access
– Technical security
– Backup and recovery
Physical Security
• Environment
– Physical security: locks on doors and file cabinets
– Is there a networked printer or fax machine that is out in the open?
– Awareness of who is allowed into the area with PHI
– How is your computer monitor positioned?
• Can others see the data on the screen?
– What paper charts/forms are left out on your desk?
– Stay alert, stay safe
Computer Security
• Your devices
– Do you have a smart phone, tablet or laptop that accesses your email or your Electronic Health Record?
– Is your desktop computer secure and safe from someone removing it from your office?
• Passwords
– Make sure your passwords are complex, using letters, numbers and special characters
– Be sure to change them often (every 90 days or per your agency policy) and after an incident
– Never write your password down or give it to others
What Can I Do?
• Follow your agency’s P&Ps
• Computers
– Make sure your monitor is not visible to others
– Lock your workstation when you leave your desk
• Mobile Devices
– Password protect your devices
– Don’t save PHI to your mobile device
– Lock up your devices to reduce theft
• Passwords
– Change every 90 days or after an incident
– Don’t write down or share with others
• Be Careful with emails
– Phishing attempts
– Don’t click on links or Download now buttons
– Be suspicious and think before you take any actions
– Confirm that the email was sent from your friend/co-worker if there are links included
• Stop, Think and Don’t click the Link!
• Report anything suspicious to your security compliance officer
Communicating with Clients
• Communications with clients must be secure
• Includes emails and texting
– Yahoo and Gmail are insecure
– Texting is insecure unless you have a technology that securely sends your texts
• 3 issues with texting
• Have to manage the requests from clients that may put you at risk of a breach
– Portals
– Request a release of information to allow insecure communications if there is no other option
• Discuss using secure emails and texting solutions with your IT group
– TigerText
– OhMD
– DocHalo
– Cortext by Imprivata
Security Incidents
• A security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
– Includes access to the client’s record beyond the minimum necessary
– Includes loss of a device that has access to PHI
– You must report anything you do yourself, you observe or that you are concerned about
– IT will initiate monitoring tools to assist
• You should report anything suspicious to your Security Compliance Officer
Privacy Rules
The goal of the HIPAA Privacy Rule is to properly protect individuals’ health information and to use PHI appropriately while protecting the privacy of people who seek care and healing.
What’s covered in Privacy?
• Privacy covers paper, oral communication and electronic data
• When PHI is used and/or disclosed and when you need an authorization
• Notice of Privacy Practices
• Administrative requirements
The Office of Civil Rights enforces HIPAA. This is an example of a YouTube video that instructs patients on their rights:
https://www.youtube.com/watch?v=3-wV23_E4eQ&sns=em
Breaches
Breach Definition
An impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.
Breaches of more than 500 patient records must be reported to the news media and are posted on the Wall of Shame.
Breaches
Recent Breaches
Kern County Mental Health reported a breach of PHI that occurred during relocation of its administrative department in April 2016. A limited amount of PHI of patients who received services from KCMH from 9/1-30/2006 was exposed. A single document was left in offices and potentially viewed by construction workers. It contained patient names, internal record numbers, service codes and the unit where service was provided. They have notified the media and patients and updated P&Ps to avoid a similar breach in the future. This isn’t listed on the Wall of Shame as it is unclear how many patients were affected.
Breaches
Recent Breaches
In May, San Juan County, NM, announced a hacker had gained access to its computer system and potentially viewed PHI of patients enrolled in its drug and alcohol abuse programs. Patients’ names, health assessments, treatment methods and details of medications were potentially revealed. San Juan County was alerted to the intrusion within 30 minutes of access being gained. They hired a cybersecurity firm to conduct an investigation. Patients were offered a year of credit monitoring services free. The county is protected by a $50,000 data breach insurance policy that will likely cover costs associated with the breach.
Largest data breach settlements/fines
• New York-Presbyterian Hospital and Columbia University (New York City), May 2014
Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online.
$4.8 million HIPAA fine
• Alaska HHS (Anchorage), June 2012
A portable storage device containing electronic patient data was stolen from an HHS employee.
$1.7 million HIPAA fine
• Concentra Health Services (Addison, Texas), April 2014
An unencrypted laptop containing patient data was stolen.
$1.7 million HIPAA fine
• UCLA Health (Los Angeles), July 2011
Complaints were filed against UCLA Health that from 2005-2008, unauthorized employees repeatedly accessed the protected health information of patients.
$865,000 HIPAA fine
Reporting Requirements
• Following a breach of unsecured PHI, Covered Entities must provide notification of the breach to the affected individual, the Secretary, and in certain circumstances, to the media
• Business Associates must notify the Covered Entity of a breach
• Provided without unreasonable delay, no later than 60 days following the discovery of the breach.
– CA requires a 15 day maximum
• You will follow your agency policy and procedures for incident/breach reporting
Penalties
• Criminal penalties: Covered Entities and specified individuals that “knowingly” obtain or disclose PHI can face up to a $50,000 fine, as well as up to one year in prison.
• Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine and up to five years in prison
• Offenses committed with the intent to sell, transfer or use info for personal gain carry fines up to $250,000 and up to 10 years in prison
Penalty Descriptions
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: the maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
42 CFR Part 2
• 42 CFR Part 2 is the set of federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records
• Privacy protections afforded to alcohol and drug abuse patient records
• Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment
Who is Covered?
• 42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)
Regulations
• Restrict the disclosure and use of alcohol and drug client records
• Cover any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser” (42 CFR § 2.12(a)(1))
• With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO. Consent must be in writing
US Government Publishing Office
• Includes the electronic codes of federal regulations
• Introduction, General Provisions, Disclosures with Patient Consent, Disclosures without Patient Consent, Court Orders Authorizing Disclosure and Use
• http://www.ecfr.gov/cgi-bin/text-idx?rgn=div5;node=42%3A1.0.1.1.2
• 42 CFR changes coming
• https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records
Written Consent
The primary way in which patient substance abuse information may be disclosed is with a patient’s written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances when the patient’s information may be disclosed without his/her consent.
Consent Forms
For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain specific elements (see the list that follows):
• Patient name
• Agency making the disclosure
• Name of the person or agency to which the disclosure is made
• Nature and amount of information to be disclosed (minimum necessary)
• Purpose of the disclosure (as specific as possible)
• Effective and expiration dates, and the event or condition upon which the consent expires
• Language explaining the consent process, which may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations
• Signatures of the client and authorized representative, and a description of the authority to sign on the client’s behalf
Exceptions – Always work with the Privacy Officer
• Program communications
• To communicate with Qualified Service Organizations (QSO)
– Similar to other covered entities or business associates
• Medical emergencies
• Response to a crime against program personnel or on program premises
• Research activities (approved by IRB)
• Audit and evaluation
• Report suspected child abuse or neglect
• Circumstances involving certain minors or incompetent patients
• Response to a valid court order
• Cause of death
HIPAA and 42 CFR Part 2
• Substance use programs must comply with both HIPAA 45 CFR and 42 CFR Part 2
• If there is a conflict, the more stringent rule applies
• You begin to see that addiction treatment providers fall under the more stringent laws of 42 CFR Part 2 in most cases.
• However, there are requirements of HIPAA that must be put into place on specific forms that previous laws didn’t address or mandate.
SAMHSA
• The Substance Abuse and Mental Health Services Administration (SAMHSA) provides great information and support on 42 CFR Part 2
• Spearheading efforts to change 42 CFR Part 2 to accommodate sharing info in EHRs/HIEs
• http://www.samhsa.gov/about-us/who-we-are/laws/confidentiality-regulations-faqs
Policies and Procedures
• Must be current and reference 45 CFR for both privacy and security
• The agency must have an interconnected set of policies, plans, procedures and assigned security roles so that the end result is a secure, compliant and auditable environment
Agency Policies
• CIBHS has approved policies that include HIPAA regulations
• You can find the policies and procedures on the Public Drive
2024: The FAR, Federal Acquisition Regulations - Part 27
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.
 
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28
 
Panet vs.Plastics - Earth Day 2024 - 22 APRIL
Panet vs.Plastics - Earth Day 2024 - 22 APRILPanet vs.Plastics - Earth Day 2024 - 22 APRIL
Panet vs.Plastics - Earth Day 2024 - 22 APRIL
 
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
 
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
 
13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt
 
Start Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnoolStart Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnool
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.
 
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfYHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
 
Club of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological CivilizationClub of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological Civilization
 

Hipaa overview 073118

2. HIPAA
• Health Insurance Portability and Accountability Act
• Federal Law, enacted 1996
• National standards for security of health data
• Administrative Guidelines for:
  o Privacy
  o Security
  o Standard Transactions

3. HITECH
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Included in the American Recovery and Reinvestment Act (ARRA) of 2009
  – Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records
  – Meaningful Use
  – Added "teeth" to HIPAA
• Wall of Shame: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

4. HIPAA Always Changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
  – Must be given to all clients
• Business Associate (BA) Agreements
  – BAs now just as responsible and accountable
• Policies and Procedures
• Training Requirements
• Audits

5. Additional Mandates
• Mandated Breach Notification
• Expanded Privacy and Patient Rights
• Expanded and Mandated Security
• Enforcement and enhanced monetary penalties
• Office for Civil Rights (OCR) enforcement authority
• State Attorneys General enforcement

6. Important Definitions
Covered Entity
A Covered Entity is a health care provider (doctors, clinics, hospitals, dentists, nursing homes and pharmacies) that transmits health information electronically, a health plan, or a healthcare clearinghouse.
Business Associate
A Business Associate is any person or organization that performs a function on behalf of a covered entity that involves the use or disclosure of identifiable health information. Examples include billing and coding vendors.

7. Security Roles
• Security Roles are established to provide governance of the HIPAA program
  – Security Compliance Officer
  – Privacy Officer
  – Workforce Security Manager
  – IT Security Manager
  – Incident/Breach Manager
  – Physical Security Manager
• CIBHS Compliance Officers are:
  – Robin Texeira – Security Compliance Officer, Privacy Officer, Incident/Breach and Physical/IT Security Manager
  – Hope Alvidrez – Workforce Security Manager
8. What is Protected Health Information (PHI)?
• Name
• Address
• Dates directly related to the patient
• Telephone number
• Fax number
• Email addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certification/License Number
• Any vehicle license number
• Any device serial number
• Web URL, IP address
• Finger or voice prints
• Photographic images
• Any other unique number, characteristic or code
• Age greater than 89

9. PHI Details
What is Protected? All medical records and other individually identifiable health information (PHI) used or disclosed by a Covered Entity in any form: electronic, on paper or oral.
What is Included? Individually identifiable information that was provided by the client, created by you, or created by another and forwarded to you for payment, treatment or healthcare operations.
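As an added example (not part of the deck or CIBHS materials), the scanner below flags which of the identifier categories on the PHI slide appear in a block of free text, including the "age greater than 89" rule that the 99-year-old example in the notes illustrates. Only identifiers with a recognisable shape (SSN, phone/fax, email, IP address, URL, full dates, stated ages) can be caught by patterns; the regexes and the sample clinical note are constructed here, and names, addresses, record numbers and images have no fixed pattern, so a clean result is a necessary check, not proof of de-identification.

```python
"""Pattern-based scan for HIPAA Safe Harbor identifiers in free text.

Added example, not code from the original deck. The patterns and the
sample note are constructed for illustration.
"""
import re
from typing import Dict, List

# Identifier categories from the PHI slide that have a recognisable format.
# Names, street addresses, MRNs, account numbers, device serials and images
# have no fixed shape and are deliberately NOT covered by this scanner.
PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone or fax number in (NNN) NNN-NNNN, NNN-NNN-NNNN or NNN.NNN.NNNN form.
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Full month/day/year dates are identifiers; a bare year is not.
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# "Age greater than 89": any stated age of 90 or more is itself an identifier.
AGE_RE = re.compile(r"\b(\d{1,3})\s*(?:y/o|yo|years?[- ]old)\b", re.IGNORECASE)


def scan_phi(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for every scannable identifier found."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    # Ages are matched first, then filtered by the >89 rule so 85 is not flagged.
    ages = [m.group(1) for m in AGE_RE.finditer(text) if int(m.group(1)) > 89]
    if ages:
        hits["age_over_89"] = ages
    return hits


def is_safe_harbor_clean(text: str) -> bool:
    """True only if none of the scannable categories fire (see caveat above)."""
    return not scan_phi(text)


# Constructed, fictional progress note used to exercise the scanner.
SAMPLE_NOTE = (
    "Client seen 9/14/2016. Contact (555) 867-5309, email jdoe@example.org. "
    "SSN on file 123-45-6789. 99 y/o client enjoys attending sessions. "
    "Portal login from 192.0.2.10."
)

if __name__ == "__main__":
    for category, matches in scan_phi(SAMPLE_NOTE).items():
        print(f"{category}: {matches}")
```

Running the module prints one line per category found in the sample note (date, phone, email, SSN, IP address and the over-89 age). A practical use is to run `scan_phi` over outbound email bodies or documents before they leave the agency and route anything that fires to the Privacy Officer, remembering that the categories it cannot see still need a human review.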
10. Covered Entities Permitted Uses and Disclosures
• A CE is permitted, but not required, to use and disclose PHI without an authorization, for the following purposes:
  – To the individual
  – Treatment, Payment and Health Care Operations (TPO)
  – Opportunity to Agree or Object (e.g., having someone in the room during the session)
  – Incident to an otherwise permitted use
  – Limited Data Set for purposes of research, public health or health care operations

11. Patient Rights under HIPAA
• To see their medical record
• Obtain a copy of their medical record
• Request amendments to their medical record
• Request disclosure restrictions
  – Private Pay
  – Certain other disclosures, including research and marketing

12. Patient Rights under HIPAA
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures (not TPO)
• To authorize disclosures
• Timely notification of any breaches
• Secure communications
• Confidential communications when requested

13. California Specific Regulations
California laws that protect medical information:
• The Confidentiality of Medical Information Act (CMIA)
• The Information Practices Act (IPA)
• The Patient Access to Health Records Act (PAHRA)
• The Insurance Information and Privacy Protection Act (IPPA)
15. Security and Privacy Rules
• According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals' electronic PHI (ePHI)
• The HIPAA Privacy Rule set a national standard for the protection of certain health information that addresses the use and disclosure of PHI, and standards for privacy rights so patients can understand and control how their health information is used

16. Security Rules
• The Security Rule compliance date for most covered entities was April 2005. Some of what it covers:
  – Access Control – who can access PHI
  – Computer protections against viruses and malware
  – Strong Passwords
  – Remote Access
  – Technical Security
  – Backup and Recovery

17. Physical Security
• Environment
  – Physical security: locks on doors and file cabinets
  – Is there a networked printer or fax machine that is out in the open?
  – Awareness of who is allowed into the area with PHI
  – How is your computer monitor positioned? Can others see the data on the screen?
  – What paper charts/forms are left out on your desk?
  – Stay alert, stay safe

18. Computer Security
• Your devices
  – Do you have a smart phone, tablet or laptop that accesses your email or your Electronic Health Record?
  – Is your desktop computer secure and safe from someone removing it from your office?
• Passwords
  – Make sure your passwords are complex, using letters, numbers and special characters
  – Be sure to change them often (every 90 days or per your agency policy) and after an incident
  – Never write your password down or give it to others

19. What Can I Do?
• Follow your agency's P&Ps
• Computers
  – Make sure your monitor is not visible to others
  – Lock your workstation when you leave your desk
• Mobile Devices
  – Password protect your devices
  – Don't save PHI to your mobile device
  – Lock up your devices to reduce theft
• Passwords
  – Change every 90 days or after an incident
  – Don't write them down or share them with others
• Be careful with emails
  – Phishing attempts
  – Don't click on links or "Download now" buttons
  – Be suspicious and think before you take any action
  – Confirm that the email was sent by your friend/co-worker if it includes links
  – Stop, Think and Don't Click the Link!
• Report anything suspicious to your security compliance officer
20. Communicating with Clients
• Communications with clients must be secure
• This includes emails and texting
  – Consumer email services such as Yahoo and Gmail are not secure for PHI
  – Texting is insecure unless you have a technology that securely sends your texts
    • 3 issues with texting
• You have to manage requests from clients that may put you at risk of a breach
  – Portals
  – Request a release of information to allow insecure communications if there is no other option
• Discuss secure email and texting solutions with your IT group
  – TigerText
  – OhMD
  – DocHalo
  – Cortext by Imprivata

21. Security Incidents
• A security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system.
  – Includes access to a client's record beyond the minimum necessary
  – Includes loss of a device that has access to PHI
  – You must report anything you do yourself, anything you observe, or anything you are concerned about
  – IT will initiate monitoring tools to assist
• You should report anything suspicious to your Security Compliance Officer

22. Privacy Rules
The goal of the HIPAA Privacy Rule is to properly protect individuals' health information and to use PHI appropriately while protecting the privacy of people who seek care and healing.

23. What's covered in Privacy?
• Privacy covers paper, oral communication and electronic data
• When PHI is used and/or disclosed, and when you need an authorization
• Notice of Privacy Practices
• Administrative requirements

24. The Office for Civil Rights enforces HIPAA. This is an example of a YouTube video that instructs patients on their rights: https://www.youtube.com/watch?v=3-wV23_E4eQ&sns=em

25. Breaches
Breach Definition: An impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.
Breaches affecting 500 or more individuals must be reported to the news media and are posted on the Wall of Shame.
26. Breaches: Recent Breaches
Kern County Mental Health reported a breach of PHI that occurred during relocation of its admin department in April 2016. A limited amount of PHI of patients who received services from KCMH from 9/1 through 9/30/2006 was exposed. A single document was left in offices and potentially viewed by construction workers. It contained patient names, internal record numbers, service codes and the unit where service was provided. They have notified the media and patients and updated P&Ps to avoid a similar breach in the future. This isn't listed on the Wall of Shame as it is unclear how many patients were affected.

27. Breaches: Recent Breaches
In May, San Juan County, NM, announced a hacker had gained access to its computer system and potentially viewed PHI of patients enrolled in its drug and alcohol abuse programs. Patients' names, health assessments, treatment methods and details of medications were potentially revealed. San Juan County was alerted to the intrusion within 30 minutes of access being gained. They hired a cybersecurity firm to conduct an investigation. Patients were offered a year of free credit monitoring services. The county is protected by a $50,000 data breach insurance policy that will likely cover costs associated with the breach.

28. Largest data breach settlements/fines
• New York-Presbyterian Hospital and Columbia University (New York City), May 2014: Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online. $4.8 million HIPAA fine
• Alaska HHS (Anchorage), June 2012: A portable storage device containing electronic patient data was stolen from an HHS employee. $1.7 million HIPAA fine
• Concentra Health Services (Addison, Texas), April 2014: An unencrypted laptop containing patient data was stolen. $1.7 million HIPAA fine
• UCLA Health (Los Angeles), July 2011: Complaints were filed against UCLA Health that from 2005-2008, unauthorized employees repeatedly accessed the protected health information of patients. $865,000 HIPAA fine

29. Reporting Requirements
• Following a breach of unsecured PHI, Covered Entities must provide notification of the breach to the affected individuals, the Secretary, and in certain circumstances, to the media
• Business Associates must notify the Covered Entity of a breach
• Notification must be provided without unreasonable delay, and no later than 60 days following the discovery of the breach
  – CA requires a 15 day maximum
• You will follow your agency's policies and procedures for incident/breach reporting

30. Penalties
• Criminal Penalties: Covered Entities and specified individuals that "knowingly" obtain or disclose PHI can face up to a $50,000 fine, as well as up to one year in prison
• Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine and up to five years in prison
• Offenses committed with the intent to sell, transfer or use the information for personal gain carry fines up to $250,000 and up to 10 years in prison

31. Penalty Descriptions
• Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  – Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is the maximum that can be imposed by State Attorneys General regardless of the type of violation)
  – Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation due to reasonable cause and not due to willful neglect
  – Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  – Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation due to willful neglect, but the violation is corrected within the required time period
  – Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  – Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation due to willful neglect and not corrected
  – Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
  – Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
33. 42 CFR Part 2
• 42 CFR Part 2 is the federal regulation governing the confidentiality of drug and alcohol abuse treatment and prevention records
• Privacy protections afforded to alcohol and drug abuse patient records
• Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment

34. Who is Covered?
• 42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)

35. Regulations
• Restrict the disclosure and use of alcohol and drug client records
• Cover any information disclosed by a covered program that "would identify a patient as an alcohol or drug abuser" (42 CFR § 2.12(a)(1))
• With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO. Consent must be in writing

36. US Government Publishing Office
• Includes the electronic Code of Federal Regulations
• Introduction, General Provisions, Disclosures with Patient Consent, Disclosures without Patient Consent, Court Orders Authorizing Disclosure and Use
• http://www.ecfr.gov/cgi-bin/text-idx?rgn=div5;node=42%3A1.0.1.1.2
• 42 CFR changes coming
• https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records

37. Written Consent
The primary way in which patient substance abuse information may be disclosed is with the patient's written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances under which the patient's information may be disclosed without his/her consent.

38. Consent Forms
For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain the following elements:
• Patient name
• Agency making the disclosure
• Name of the person or agency to which the disclosure is made
• Nature and amount of information to be disclosed (minimum necessary)
• Purpose of the disclosure (as specific as possible)
• Effective and expiration dates, and the event or condition upon which the consent expires
• Language explaining the consent process, which may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations
• Signatures of the client and authorized representative, and a description of the authority to sign on the client's behalf

39. Exceptions: Always work with the Privacy Officer
• Program communications
• To communicate with Qualified Service Organizations (QSO) – similar to other covered entities or business associates
• Medical emergencies
• Response to a crime against program personnel or on program premises
• Research activities (approved by an IRB)
• Audit and evaluation
• Report suspected child abuse or neglect
• Circumstances involving certain minors or incompetent patients
• Response to a valid court order
• Cause of death

40. HIPAA and 42 CFR Part 2
• Substance use programs must comply with both HIPAA (45 CFR) and 42 CFR Part 2
• If there is a conflict, the more stringent rule applies
• You begin to see that addiction treatment providers fall under the more stringent laws of 42 CFR Part 2 in most cases
• However, there are requirements of HIPAA that must be put into place on specific forms that previous laws didn't address or mandate

41. SAMHSA
• The Substance Abuse and Mental Health Services Administration (SAMHSA) provides great information and support on 42 CFR Part 2
• Spearheading efforts to change 42 CFR Part 2 to accommodate sharing information in EHRs/HIEs
• http://www.samhsa.gov/about-us/who-we-are/laws/confidentiality-regulations-faqs

42. Policies and Procedures
• Must be current and reference 45 CFR for both privacy and security
• The agency must have an interconnected set of policies, plans, procedures and assigned security roles so that the end result is a secure, compliant and auditable environment

43. Agency Policies
• CIBHS has approved policies that include HIPAA regulations
• You can find the policies and procedures on the Public Drive

Editor's Notes

  1. Welcome to the HIPAA Compliance Overview for CIBHS class. This class will cover, at a high level, the basics of the HIPAA 45 CFR regulations as of January 2016, what you will need to do to meet compliance and future planning needs.
  2. HIPAA was enacted in 1996 to address the different standards noted in the slide. This class will cover the security and privacy sections of the law. HIPAA set a national standard for accessing and handling medical information. It was signed into law by President Clinton on 8/21/96 and is also known as the Kennedy-Kassebaum Act. Click on the orange bubble for more info on HITECH. HIPAA includes a number of titles, but we are concerned with Title II, Administrative Simplification.
  3. The Health Information Technology for Economic and Clinical Health Act, or HITECH, was included in the American Recovery and Reinvestment Act of 2009. The focus here was the move to the electronic health record implementations, so much of HITECH is around healthcare technology, Meaningful Use and penalties for organizations that do not comply. HITECH added the teeth to HIPAA so healthcare providers are required to comply with the regulations or be forced to pay penalties and even be put on the Wall of Shame for all to see any reported breaches that affected 500 or more individuals. The Wall of Shame website is https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf if you would like to take a look sometime.
  4. The federal government reviews and addresses HIPAA and updates the regulations as required. The last change occurred in 2013 (Omnibus Rule) and included: 1. new regulations about providing the Notice of Privacy practices, or NPPs, to the clients so they understand their rights. 2. mandated Business Associates to follow the same rules as healthcare providers – 3. made changes to the P&Ps and staff training requirements. 4. Audits are now given more priority and additional funding has been made available to confirm healthcare agency’s HIPAA compliance. - If County audited, CIBHS would likely be audited. 5. Applied HIPAA to subcontractors (businesses that perform activities on behalf of BAs).
  5. Additional changes made to 45 CFR expanded the mandated breach notification rules and the patient privacy and patient rights requirements, and increased the penalties for breaches. The enforcement authorities are now the Office for Civil Rights (OCR) and the State Attorneys General. Bottom line, the federal government is stressing to all that HIPAA is required and that meeting the regulations is serious. Click on the orange bubble to find out more about definitions for some important HIPAA terms.
  6. We mentioned a Business Associate earlier in the class. That is one of the important definitions you will need to remember as you work on your compliance efforts. A Business Associate is a person or organization that functions on behalf of the covered entity. CIBHS is considered a Business Associate to our customers who are covered entities. A covered entity is a health care provider that transmits health information electronically, such as doctors, clinics, hospitals, nursing homes and pharmacies. The term also includes health plans and healthcare clearinghouses (billing services, medical reviewers). Show BAA example.
  7. Security Roles are part of the HIPAA regulations and were created to establish responsibility and accountability for security functions and activities. HIPAA requires overall responsibility reside in a single person. This way the organizational activities are monitored by the single person, but other responsibilities and roles can be given to others to share in the work. For example, the Security Compliance Officer is responsible for developing and implementing the security P&Ps. They are also responsible for establishing and maintaining an official repository of all security docs including P&Ps, plans, staff assignments, implementation data, test results and data required by regulation. The other roles assist across the functional areas. Privacy Officer is responsible for ensuring the organization’s compliance with the HIPAA privacy rule and other applicable privacy regulations. The Workforce Security Manager has overall responsibility for workforce security and training including Background checks, Security and access roles assignment, Security training and the Sanctions process. The IT Security Manager has overall responsibility for implementing and operating technical IT security. The Incident/Breach Manager is responsible for creating and implementing the security incident / privacy breach response plan. And, the physical security manager is responsible for ensuring that the facility is secured from unauthorized access to restricted areas, devices, files and sensitive information 24/7/365. It is permissible for one person to be assigned multiple roles if needed. Do you know who your security compliance and your privacy officers are? If not, ask and understand what they do at your agency and when you need to report concerns to them.
  8. There are 18 types of identifiers that if used alone or in combination are considered PHI. Review the list and see if you are surprised by any item. The last item, Age greater than 89, relates to a possible identification of someone just based on their age. For example, Mr. Jones is 99 and receiving services at the local MH agency. The agency has an article in the local paper talking about their services and mentions their 99 y/o client who loves coming in for services. Mr. Jones is the only 99 y/o in the town. He could be identified and his privacy breached by that remark. Mr. Jones should have signed a release of information to allow his information to be used.
  9. All medical records and other individually identifiable health information used or disclosed by a CE in any form (electronic, paper and oral) is protected. You have to consider all of the information you have on the client; information that was provided by the client, created by you, created by another, forwarded to you for any reason including TPO.
  10. There are some instances where a covered entity is permitted to disclose PHI without an authorization. You can use and disclose PHI to the individual, for Treatment, Payment and Healthcare Operations (TPO), and other areas noted here that may or may not come up at your agency. The government understands you have to treat your client, work together with others at your agency and receive payment for services delivered without undue hardship. Remember that any other use or disclosure falls under privacy rules.
  11-12. The latest 45 CFR* regulations expanded patient rights. Patients have the right to see their medical record, obtain a copy of their medical record and request amendments to their medical record. They also have the right to authorize disclosures, to request disclosure restrictions if they are private pay clients and for other types of disclosures, including research and marketing, and to have an accounting of non-TPO disclosures. Clients have a right to receive the Notice of Privacy Practices (NPP), timely notification of breaches, and secure and confidential communications when requested. *Code of Federal Regulations. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
  13. Each state has its own privacy laws, which may fall below, match or exceed HIPAA requirements; the more stringent rule applies. In California, there are other Acts that have regulations related to PHI privacy. Review this list and determine whether you are referencing these laws at your organization. The Confidentiality of Medical Information Act (CMIA) is in the California Civil Code and regulates the privacy of medical information (Cal. Civ. Code §§ 56-56.37). See the California Office of Health Information Integrity (CalOHII) website for a list of both who and what the CMIA covers. 1798. This chapter shall be known and may be cited as the Information Practices Act of 1977. 1798.1. The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution and that all individuals have a right of privacy in information pertaining to them. The Legislature further makes the following findings: (a) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies. (b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information. (c) In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits. California Health & Safety Code Section 123100 et seq. establishes a patient's right to see and receive copies of his or her medical records, under specific conditions and/or requirements.
The purpose of this article is to establish standards for the collection, use and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations; to maintain a balance between the need for information by those conducting the business of insurance and the public’s need for fairness in insurance information practices, including the need to minimize intrusiveness; to establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy; to limit the disclosure of information collected in connection with insurance transactions; and to enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.
14. Now is a good time to take a break; then we will move on to the Rules!
15. The HIPAA Security Rule outlines national standards designed to protect individuals' ePHI (PHI in electronic form). The Privacy Rule sets a national standard for the protection of certain health information and addresses the use and disclosure of PHI. It also gives patients standards for understanding and controlling how their health information is used. The Privacy Rule is the longest and most complex HIPAA rule. The intent is to provide a high level of PHI protection without impeding the delivery of care.
16. The Security Rule's compliance deadline was 2005, and it covers the more technical, IS-department standards and rules. It covers access control (who can access ePHI), protection from malicious software (your anti-virus and anti-malware procedures), password management (the rule requires procedures for creating, changing and safeguarding passwords; the specific standard of at least 8 characters with letters, numbers and special characters is your agency's policy rather than text of the rule), secure remote access, and physical safeguards such as locks on doors. Other standards address contingency planning, backups and recovery from those backups, and a risk analysis, which includes testing that networks and servers are secure.
17. How does physical security apply to you? Think about your office environment: are you in a locked area, or are the doors open? Is there a receptionist to greet visitors, or can people just walk in? Is there a secure space for file cabinets that contain PHI, and are the locks actually used? Now look at your desk space: is your computer monitor positioned to prevent others from viewing your screen, or can someone walk up or look around and see the data? Do you leave paper charts or forms that contain PHI out when you are not in your office? Your agency may have a facilities manager who governs your physical setup, but that doesn't prevent you from helping to identify issues that need to be resolved to reduce risk. Stay alert so that both you and your clients' PHI stay safe.
18. We also need to think about our electronic devices and how we access PHI. Do you have a smartphone, tablet or laptop that can access PHI? Is it encrypted? Is your desktop computer protected from being stolen? Passwords are covered by the Security Rule, which requires procedures for creating, changing and safeguarding them. Users must have strong passwords that are difficult to guess; length plus a mix of letters, numbers and special characters helps. Changing your password also helps protect your data. The standard used here is every 90 days or immediately after an incident; note that current NIST guidance (SP 800-63B) no longer recommends forced periodic changes on their own, so refer to your IT password policy and procedures rather than assuming a fixed interval. Never write your password down, put it under your keyboard or give it to others. Your identity is tied to your login and password, and anyone who uses that combination looks like you in the system. If you allow someone to use your login and password and something happens, you will be held responsible.
19. We are constantly challenged, at work and at home, by identity theft, and the risk is high that you will experience some kind of hardware or data vulnerability. Your Security Compliance Officer is doing what they can to protect your agency's data, and you need to help by understanding the risks and what you can do. First, make sure you understand and follow your agency's P&Ps regarding security. Ask if you don't understand something or need assistance.

Then think about your computer and your office or cubicle space. Turn your monitor so people walking by can't easily see your screen, and ask for a privacy screen if turning the monitor isn't possible. Lock your workstation when you leave; it is easy for someone else to sit down at your desk and do something that exposes your clients' PHI. If you use mobile devices that have work email or access to other systems, password-protect them and keep them safe. Always know where your mobile device is, and take the additional step of never saving PHI to it. Change your password at a regular interval and never write it down or share it with others, unless your IT support person requests it per policy.

Email is full of attempts to get your identity or your passwords, or to install malware or Trojans on your computer or your agency's servers; hackers know the tricks that get them what they want. We can stay alert and help reduce the risk. Phishing is any message, usually email, designed to trick you into handing over information or opening a malicious link or attachment, and it happens all the time. Be careful when you receive an email from someone you know that doesn't look right or includes a link to a great website they found. Be a detective before you click anything: are things misspelled? Does the link go to a website whose name differs from the one shown in the text? (Hovering over a link shows its real destination before you click.) Be very suspicious of a website with a "Download here" button (usually green!). You have to make sure you are dealing with the actual website and not a clone.

Say to yourself "Stop, Think and Don't Click the Link!" Bottom line: report anything suspicious to your Security Compliance Officer. It might be nothing, but it is better to know sooner than when it's too late.
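As an added example (not part of the original training material), here is a small Python script that automates the "be a detective" checks described above. It pulls every link out of an HTML email body, compares the website named in the visible link text with where the link really goes, flags a trusted agency name buried inside someone else's domain, and catches one- or two-character misspellings of a trusted domain. The trusted domain list (cibhs.org, hhs.gov) and the sample email are assumptions constructed for this example, not taken from any agency policy or real message.

```python
"""Flag suspicious links in an HTML email, the way a careful reader would.

Added example for the phishing guidance above; the trusted domain list and
the sample email are constructed for illustration, not taken from any real
agency policy or message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the agency actually uses (assumed for this example).
TRUSTED_DOMAINS = ("cibhs.org", "hhs.gov")

# Constructed sample email body with one legitimate link and three bad ones.
SAMPLE_EMAIL = """
<p>Hi, the records you asked for are here:
<a href="http://records.cibhs-login.net/portal">https://www.cibhs.org/records</a>.
Also see the notice at <a href="https://hhs.gov.secure-update.example">HHS breach portal</a>
and the real HIPAA page <a href="https://www.hhs.gov/hipaa">www.hhs.gov/hipaa</a>.
<a href="http://cibbhs.org/download">Download here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.hhs.gov/hipaa'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname: 'login.example.com' -> 'example.com'.
    Crude on purpose (no public-suffix list); good enough for a first look."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for every link a reader should not click blindly."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        real_domain = registered_domain(real_host)

        # 1. The text shows one website but the link goes to another.
        looks_like_address = "." in text and " " not in text
        shown_domain = registered_domain(host_of(text)) if looks_like_address else ""
        if shown_domain and shown_domain != real_domain:
            findings.append((href, f"text shows {host_of(text)} but link goes to {real_host}"))
            continue

        # 2. A trusted name hidden inside someone else's domain (hhs.gov.evil.example).
        hidden = [t for t in trusted if t in real_host and real_domain != t]
        if hidden:
            findings.append((href, f"'{hidden[0]}' appears inside untrusted domain {real_host}"))
            continue

        # 3. A near-miss spelling of a trusted domain (cibbhs.org for cibhs.org).
        near = [t for t in trusted if 0 < levenshtein(real_domain, t) <= 2]
        if near:
            findings.append((href, f"{real_domain} looks like a misspelling of {near[0]}"))
    return findings


if __name__ == "__main__":
    for link, why in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {link}\n    {why}")
```

Run against the constructed email it reports three of the four links; the genuine www.hhs.gov link passes all three checks. The registered-domain logic is deliberately simple (it has no public-suffix list, so a host under co.uk would be handled poorly), which is acceptable for a first look but not for a production mail filter.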
20. Communication is our job, and new technologies raise new questions about emailing and texting with our customers. This slide has a clinical focus, but the content applies to everyone. Communications with your customers or with CIBHS staff that include PHI need to be secure. Many people prefer email to the telephone for scheduling appointments, requesting copies of their records and getting test results, and email does provide a documented record of the communication. Unfortunately, email is not secure by default: unless your agency provides an encrypted email service, there is no assurance of privacy or security anywhere along the chain of communication. Texting is fast and can be more discreet and private than a phone call, but it is insecure. Three issues with texting: the risk to privacy, the lack of medical-record documentation of the communication, and safety issues if a client texts during off hours or to the wrong person.
21. There are standards that cover how we respond to a security incident. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. Note that attempts count: a phishing email you did not click or a failed login you did not make is still an incident worth reporting. Areas addressed here include your access rights in the EHR, the loss of any device that accesses or contains PHI, and anything you do or observe that isn't appropriate. IT has monitoring tools to help with access issues, but you are also responsible for reporting anything suspicious you see to Robin, your Security Compliance Officer.
22. Privacy rules focus on the individual's health information and how we protect it. The goal of the Privacy Rule is to properly protect the client's health information and use PHI appropriately while protecting the privacy of people who seek care and healing. The following article (June 13, 2016) is an example of how the rules flex in an emergency:

"Obama Administration Temporarily Waives HIPAA: But Did It Have To Be?"

In the aftermath of the shootings in Orlando late Saturday night, President Obama applied a unique waiver to HIPAA, allowing family and friends of the victims to gain quicker access to information about their loved ones. In most situations, information about an individual's condition would not be released to anyone but a spouse or next of kin absent a consent from the patient. In normal circumstances this is a valuable protection on an individual's privacy. However, the situation this weekend was anything but normal. Family and friends were unable to obtain any information on the condition of their loved ones, and a consent was simply not possible in many circumstances. Section 1135 of the Social Security Act, which was invoked, allows healthcare providers flexibility in sharing protected health information ("PHI") with loved ones in emergency situations. The only other time this provision had been enacted was in the aftermath of Hurricane Katrina. For this waiver to be applied, the president must declare a national emergency and the secretary of the Department of Health and Human Services must declare a public health emergency. Both were declared for Orlando on Sunday. The waiver applying during an "emergency period" may be no more than 72 hours, which is how long this waiver is in effect. This is also not a complete waiver of HIPAA, but only a temporary suspension of the requirement for patient consent before releasing PHI to loved ones who are not a spouse or next of kin. There is a question whether Section 1135 had to be invoked.

The Office of Civil Rights has published opinions stating that health care providers can release PHI to loved ones if a person is incapacitated "if, in their professional judgment, doing so is in the patient's best interest." Arguably that would be the end of the discussion. However, invoking Section 1135 unequivocally insulated health care providers from even the potential of fines or sanctions for non-compliance. Absolutely necessary or not, temporarily waiving limited portions of HIPAA allowed providers to focus on the important tasks at hand rather than worrying about potential HIPAA violations.
23. The Privacy Rule covers paper, oral communication and electronic data. There are regulations about when you can use your client's PHI without an authorization (treatment, payment and healthcare operations), when you need to track disclosures, and when you need an authorization to use or release information. The Notice of Privacy Practices explains what privacy is, where the client can report a complaint (at your agency, at the state level and at the federal level), and their rights to view their records, to amend their records and to get a copy of their records. The regulation also requires you to document that the client received the NPP and signed an acknowledgment. Other administrative requirements can be referenced in 45 CFR Parts 160 and 164.
24. An impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and within 60 days of discovery, and they are added to the Wall of Shame; when 500 or more residents of a state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Breaches at CIBHS: CPS packages arriving ripped. We have taken steps to correct the problem. In the case of the ripped CPS data we notified the county, conducted a risk assessment, and changed procedures for receiving packages at the front desk. Breach examples: Rite Aid disposed of empty labeled pill bottles in a dumpster, $1 million settlement; WellPoint left an online database unprotected and accessible from the Internet, $1.7 million settlement; employees at UCLA Health System looked at the patient records of celebrities, $865,500 settlement.
25. Same notes as slide 24.
26. Same breach presumption and notification rule as slide 24. Wall of Shame, for San Juan County: sort by state, go to page 10, about halfway down the page, first NM listing.
27. Same notes as slide 26.
  28. Criminal penalties apply to Covered Entities, Business Associates and individuals.
29. These are the most current penalties. The important takeaway is that violations carry monetary penalties and possible jail time. They can be imposed on the agency as well as on the person responsible for the violation. Civil fines are discretionary: HHS decides whether and how much to fine. Example: surveys left in a parking lot. Each of 100 surveys could be fined separately, at $100 per survey.
30. Now we'll discuss 42 CFR Part 2. You are aware of these regulations if you work in a substance abuse program. They were developed to reduce the stigma of receiving substance abuse treatment and to address the privacy concerns clients may have.
  31. Read slide
  32. Read slide
  33. Read slide. Ask if they remember what TPO is.
  34. For your information, here is the link to the 42 CFR regulation.
35. A written consent must be obtained. Read slide.
  36. Lots of content on this slide, but the consent form is very prescribed and MUST include these data elements.
  37. Read slide
38. Both HIPAA (45 CFR Parts 160 and 164) and 42 CFR Part 2 are about client privacy. The most stringent rule applies. Here is a reference to a comparison between HIPAA and 42 CFR Part 2. In most cases, 42 CFR Part 2 will be followed, but some HIPAA requirements for form language must also be met.
39. Click on the SAMHSA logo to go to their site.
  40. Let’s talk about Policies and Procedures.
41. CIBHS has developed policies that include our HIPAA requirements; they are on the public drive. Those policies cover privacy and security items. There are two additional webinar classes to take that go over "How to report a breach" and workforce security items. Please take these classes and exams in the next two weeks so the material is fresh in your mind.