Transcript Document

UBMD Information & Privacy Program
HIPAA/HITECH Training
The Health Insurance Portability and Accountability Act (HIPAA) requires that UBMD train all workforce members of “Covered Entities” on the HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for UBMD and/or the University at Buffalo.
Aim of the Information Privacy & Security Program
The aim of this program is to help you understand:
• What the HIPAA Privacy and Security Rules and the HITECH Act are about
• Who has to follow these laws
• How HIPAA/HITECH affects you and your job
• Why HIPAA/HITECH is important
• Where you can get answers to your questions about HIPAA/HITECH
What is HIPAA (Information Privacy & Security)?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a Federal law!
• HIPAA is a response by Congress to reform healthcare.
• HIPAA affects the health care industry.
• HIPAA is mandatory.
HIPAA Privacy and Security
• Protects the privacy and security of a patient’s health information
• Provides for electronic and physical security of a patient’s health information
• Prevents health care fraud and abuse
• Simplifies billing and other transactions, reducing health care administrative costs
The HITECH Act Updated HIPAA in 2009
As part of the American Recovery and Reinvestment Act of 2009,
the Health Information Technology for Economic and Clinical
Health (HITECH) Act updated federal HIPAA privacy and security
standards.
The updates include:
• Breach notification requirements
• Fine and penalty increases for privacy violations
• Right to request copies of the electronic health care record
in electronic format
• Mandates that Business Associates are civilly and
criminally liable for privacy and security violations
WHO MUST FOLLOW THE HIPAA LAW?
UBMD Covered Entity
The Covered Health Care Component (Entity) consists
of the UBMD Physicians Group, its participating
physicians and clinicians, and all employees and
departments that provide management, administrative,
financial, legal and operational support services to or
on behalf of UBMD to the extent that such employees
and departments use and disclose individually
identifiable health information in order to provide these
services to the UBMD, and would constitute a
“business associate” of UBMD if separately
incorporated.
What is a Business Associate?
• A person or entity which performs certain functions,
activities, or services for or to the UBMD Medical Group
involving the use and/or disclosure of PHI, but the
person or entity is not a part of UBMD or its workforce.
(Examples: transcription services, temporary staffing
services, record copying company etc.)
• The UBMD Medical Group is required to have
agreements with business associates that protect a
patient’s PHI.
Covered Entity…Always
Once you are part of a covered entity, you are a covered entity with respect to all Protected Health Information (PHI), whether it is transmitted electronically, on paper, or orally.
The Key to being a Covered Entity
The key to being a covered entity is whether any of the Covered Transactions are performed electronically.
Examples of Covered Entities
• Providers
• Health Plans
• Electronic Billing Clearing Houses
• Business Associates (via Contracts)
Examples of Covered Transactions
• Enrollment and dis-enrollment
• Premium payments
• Eligibility
• Referral certification and authorization
• Health claims
• Health care payment and remittance advice
What is PHI?
Protected Health Information (PHI) is health information that:
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for care provided to an individual
• Is transmitted or maintained in any form (electronic, paper, or oral)
• Identifies, or can be used to identify, the individual
Examples of PHI
PHI = Health Information with Identifiers
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic
Applies to Written and Electronic
Information
The UBMD Covered Entity may not use or
disclose an individual’s protected health
information, except as otherwise permitted, or
required, by law.
However…
The UBMD Covered Entity may use and share a patient’s PHI for:
• Treatment
• Payment
• Healthcare Operations
Treatment-Payment-Healthcare Operations (TPO)
Treatment
• Direct patient care
• Coordination of care
• Consultations
• Referrals to other health care providers
Payment
• Includes any activities required to bill and collect for health care services provided to patients
Healthcare Operations
• Includes business management and administrative activities
• Quality improvement
• Compliance
• Competency, and training.
UBMD’s Covered Entities must
• Use or share only the minimum amount of PHI necessary, except for requests made:
  • For treatment of the patient
  • By the patient, or as requested by the patient to others
  • To complete standardized electronic transactions, as required by HIPAA
  • By the Secretary of the Department of Health & Human Services (DHHS)
  • As required by law
Examples of TPO
• The patient’s referring physician calls and asks for a
copy of the patient’s recent exam at UBMD
(Treatment)
• A patient’s insurance company calls and requests a
copy of the patient’s medical record for a specific
service date (Payment)
• The Quality Improvement office calls and asks for a
copy of an operative report (Health Care
Operations)
• For these TPO purposes, patient information may be
provided
For Purposes other than TPO
• Unless required or permitted by law, UBMD entities must obtain written authorization from the patient to use, disclose, or access patient information.
• Patient Authorization allows UBMD entities to disclose information for purposes not related to treatment, payment, or operations.
  – For human subjects research, additional rules and training apply (see the UB HIPAA IRB website for guidance at: http://www.hpitp.buffalo.edu/hipaa/Research/UB_HIPAA_ResearchHomePage.htm)
  – PHI may not be accessed for human subjects research unless the UB Institutional Review Board (IRB) has approved the research, and
  – BOTH Informed Consent and HIPAA Authorization have been obtained from the subject, OR the UB IRB has approved a Waiver of Informed Consent and HIPAA Authorization.
NOTE: if you obtain or use PHI for research purposes with only an Informed Consent but without a HIPAA Authorization, it is considered an unauthorized disclosure under HIPAA.
Use and Disclosures of PHI for
Research
PHI may be used in research if appropriate authorization from research
participants is obtained, or if the PHI is obtained through one of the following
alternatives:
• Certified De-identified data sets;
• Limited data sets (when accompanied by an appropriate Data Use Agreement);
• Waiver or alteration of the authorization requirement by an Institutional Review
Board (IRB) or Privacy Board;
• Research involving decedents’ PHI (when appropriate representations are
made by the researcher to UBMD that the PHI is necessary and sought solely
for research on decedents); or
• Reviews preparatory to research when UBMD receives representations from
the researcher that access to the PHI is necessary and will not be removed
from UBMD.
• PHI may be used in research only by those individuals authorized to access the
information by the person(s) responsible for the project (principal investigator,
project director, project coordinator) or the department head. The person(s)
responsible must protect the information from unauthorized access and must
maintain and regularly update a list of staff that is authorized to have access to
the PHI.
For Other Uses and Disclosures
For other disclosures, the UBMD Covered Entity must get a signed authorization from the patient (e.g., to disclose PHI to a marketing or pharmaceutical company).
Uses and Disclosures of PHI for Marketing
• A UBMD Medical Group health care provider may use PHI to communicate to the patient about a health-related product or service that UBMD provides.
• A UBMD health care provider may use PHI to communicate to the patient about general health issues: disease prevention, wellness classes, etc.
• For all other marketing, a patient authorization must be obtained, unless the communication is in the form of:
  • A face-to-face communication made by UBMD to an individual
  • A promotional gift of nominal value provided by UBMD
Scenario 1
A physician, while having a new-product orientation meeting with a drug
company rep., learns about a new Asthma Inhaler being developed by the
pharmaceutical company. The physician provides the rep with the names
and phone numbers of a few of his patients with asthma, because he
believes that they could benefit from the new treatment. A week later,
patients call the doctor’s office complaining about being solicited by the
drug company to take part in a clinical trial.
A. Since the physician had good intentions, this situation should not be avoided, and the doctor has not violated HIPAA
B. Physicians should stop meeting with drug company reps, as there are many circumstances that could result in violations of federal law, including HIPAA
C. Since PHI was disclosed for purposes other than what state and federal law allows without a patient’s authorization, an authorization from the patients should have been obtained before the PHI was released
Scenario 1 Answer
The correct answer is C. PHI was disclosed without patient authorization. Never provide information to a friend, colleague, or business representative UNLESS it is required as part of your job and permitted under HIPAA and/or other state and federal laws. Always keep your patient’s information confidential to maintain your rapport and the patient’s trust. Providing an unauthorized release of information to a drug rep for marketing or research purposes violates state and federal law.
The Patient Authorization must
• Describe the PHI to be used or released
• Identify who may use or release the PHI
• Identify who may receive the PHI
• Describe the purposes of the use or disclosure
• Identify when the authorization expires
• Be signed by the patient or someone making health care decisions (e.g., personal representative) for the patient
Requirements by HIPAA
The UBMD Covered Entity is required
to:
• Give each patient a Notice of Privacy
Practices that describes a patient’s
privacy rights and how the UBMD Medical
Practice can use and share his or her
Protected Health Information (PHI)
• Request each patient to sign a written
acknowledgement that he/she has
received the Notice of Privacy Practices.
Notice and Acknowledgement
• Notice of Privacy Practices:
– A statement given to each patient
describing how the practice will use and
disclose health information and outlining
the patient’s rights under HIPAA
• Acknowledgment:
– Written documentation that the notice was
provided to a patient, either signed by the
patient or completed by a staff member
explaining why the patient did not sign it
Our Patients’ Rights
• The right to request restriction of PHI uses &
disclosures
• The right to request alternative forms of
communications (mail to P.O. Box, not street
address; no message on answering machine, etc.)
• The right to access and copy patient’s PHI
• The right to an accounting of the disclosures of
PHI
• The right to request amendments to information
How Does HIPAA Affect my Job
HIPAA requires that UBMD train all workforce
members about the organization’s HIPAA
policies and specific procedures which may
affect the work you do. These rules apply to you
when you look at, use, or share Protected
Health Information (PHI).
Who uses PHI at UBMD?
• Anyone who works with or may view health, financial, or confidential information with HIPAA protected health identifiers
• Everyone who uses a computer or electronic device which stores and/or transmits UBMD Patient information
• The following constitute workforce members:
  • Faculty Group Practice staff
  • Schools of Medicine, Nursing, Dentistry: staff and faculty
  • UBMD/University staff who work in clinical areas
  • Administrative staff with access to PHI
  • Volunteers
  • Students who work with patients
  • Researchers and staff investigators
  • Accounting and payroll staff
  • Contractors/Temporary Workers
  • Almost EVERYONE, at one time or another
When can you use PHI?
Only to do your job!
Treat Patients’ Information as if it were your own information
• Look at a patient’s PHI only if you need it to perform your job.
• Use a patient’s PHI only if you need it to perform your job.
• Give a patient’s PHI to others only when it’s necessary for them to perform their jobs.
• Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly.
Scenario 2
I do not work with patients or have access to medical records,
however I see patients pass by my desk in the clinic. Can I talk
about the patients with my coworkers, family and friends even if it
has nothing to do with my job?
A. You may not discuss any patient information with anyone unless required for your job
B. You may only talk about the patient with your coworkers
C. You may only talk about the patient with your family and friends
Scenario 2 Answer
The correct answer is A. Information can only be used
as needed for your job.
Scenario 3
I work in Radiology on the 4th Floor and my friend, who works at the Front
Desk, told me that she just saw a famous athlete get on the elevator. My
friend read in the paper that the star athlete has some sports injuries and
asked me to find out what clinic that star is being seen at. Can I give my
friend the information?
A. It is okay as I am only looking up his location, not his medical condition
B. I already have approval to access patient clinical systems, so no one will know that I accessed it
C. It is not necessary for my job, so I would be violating the patient’s privacy by checking on his location and by sharing this information with my friend
Scenario 3 Answer
The correct answer is C. It is not part of your or your friend’s job, even if you are a system user. Your access to the record will automatically be recorded and can be tracked. Neither you nor your friend is protecting the privacy of this patient. There could be serious consequences to your employment.
Scenario 4
As a file clerk, it is my job to see PHI, but while opening lab reports, I saw
my manager’s pregnancy test results. Her pregnancy test was positive! I
congratulated her, but found out that I was the first person to tell her. Did I
do the right thing?
A. It is okay as it was part of my job to see PHI
B. I should not have used the information as it was not my job to discuss lab results, to provide a diagnosis, or to use her information outside of my job duties
C. She is an employee at UBMD, so it is okay to look at other UBMD employee records
Scenario 4 Answer
The correct answer is B. There was impermissible
disclosure of her information. UBMD employees can
also be patients; they have all the same rights to
privacy of their information as does any other patient.
This was also a violation of UBMD policy, which could
impact your employment.
Scenario 5
Because I have access to confidential patient information as part
of my job, I can look up anybody’s record, even if they are not my
patient, as long as I keep the information to myself.
A. True, as long as I do not share this information
B. I can only look at records when it is required by my job
C. I can access hard copy medical charts, but not electronic records, anytime I want
Scenario 5 Answer
The correct Answer is B. It is acceptable only when it is
necessary for your job and only the minimum
information necessary to do your job. Idle curiosity can
jeopardize the patient’s privacy and your employment.
Protecting Patient Privacy Requires
us to Secure Patient Information
Downloading/Copying/Removal
• Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs.
• Upon termination of employment, or upon termination of authorization to access PHI, the employee must return to UBMD all copies of PHI in his or her possession.
Dealing with PHI on paper
• Shred or destroy PHI before throwing it away
• Dispose of paper and other records with PHI
in secured shredding bins. Recycling and
Trash bins are NOT secure.
• Shredding bins work best when papers are
put inside the bins. When papers are left
outside the bin, they are not secured from:
– Daily gossip
– Daily trash
– The public
Know where you left your
paperwork
• Check printers, faxes, copier machines when
you are done using them
• Ensure paper charts are returned to
applicable areas in nursing stations, medical
records, or designated file rooms
• Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day
• Seal envelopes well when mailing
Faxing
• Faxing is permitted. Always include, with the faxed information, a UBMD cover sheet containing a Confidentiality Statement.
• Limit manual faxing to urgent transmittals. In an emergency, faxing PHI is appropriate when the information is needed immediately for patient care.
• Other situations considered urgent (e.g., results from lab to physician)
• Place the fax machine in a secure area
Information that should not be faxed except in an emergency:
– Drug dependency
– Alcohol dependency
– Mental illness or psychological information
– Sexually-transmitted disease (STD) information
– HIV status
Locations of Fax Machines/Printers
• Location should be secure whenever possible
• In an area that is not accessible to the public, and
• Whenever possible, in an area that requires security keys or badges for entry.
If information is inadvertently faxed to a patient-restricted party or a recipient where there is a risk of release of the PHI (e.g., newspaper), the Privacy Official should be notified @ NNNNNN-NNNN, and legal counsel should become involved.
Public Viewing/Hearing
• PHI should not be left in conference rooms, out on desks, or on counters where the information may be accessible to the public, or to other employees or individuals who do not have a need to know the protected health information.
Public Viewing/Hearing
• Patients may see normal
clinical operations as
violating their privacy
• Be aware of your
surroundings when talking
• Do not leave PHI on
answering machines
• Ask yourself, “What if it was
my information being
discussed like this?”
Scenario 6
Susan, who works at the front desk, called a patient’s phone
number and left a voice mail for Mrs. Becky Jones to contact the
office regarding her scheduled lap band procedure. Was this a
privacy breach?
A. No, the patient provided this phone number
B. Yes, I stated her name and medical procedure
C. No, I did not state the medical reason for the surgery
Scenario 6 Answer
The correct answer is B. Patient name in conjunction with any
medical information constitutes PHI. You do not know who will
hear the message; the patient may not have told her family, friend
or roommate. It is best practice to leave the minimum amount of
information needed: your name, phone number, and that you are
from the UBMD office. Never leave PHI on an answering machine.
HIPAA Security
• HIPAA Security is focused on e-PHI.
– e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by UBMD using any type of electronic information resource.
– Examples: information in an electronic medical record, patient billing information transmitted to a payer, digital images and printouts, and information being sent by UBMD to another provider, a payer or a researcher.
HIPAA Security Rule Provisions
Administrative Safeguards
• Administrative Safeguards require written documentation of the security measures.
• Policies and procedures must ensure prevention, detection, containment and correction of security violations. Policies and procedures must also ensure that all workforce members have appropriate access to electronic PHI in order to perform their jobs.
Physical Safeguards
• Physical safeguards protect UBMD’s electronic information system hardware and related buildings and equipment.
• Security measures include protections from natural or environmental hazards and unauthorized access.
Technical Safeguards
• Technical Safeguards involve the use of computer technology solutions to protect the integrity, confidentiality and availability of electronic PHI:
  • Access Controls
  • Audit controls
  • Integrity
  • Person/entity Authentication
  • Transmission Security
Protecting e-PHI
• Ensure the confidentiality, integrity, and
availability of information through safeguards
(Information Security)
– Confidentiality - Ensure that the information will
not be disclosed to unauthorized individuals or
processes
– Integrity - Ensure that the condition of information
has not been altered or destroyed in an
unauthorized manner, and data is accurately
transferred from one system to another
– Availability - Ensure that information is accessible
and useable upon demand by an authorized
person
Good Computing Practices
Safeguards for Users
Safeguard #1: Access Controls
(Unique User Identification)
• Users are assigned a unique “User ID” for
log-in purposes (UBIT), which limits access
to the minimum information needed to do
your job. Never use anyone else’s log-in,
or a computer someone else is logged on
to. Log them out before you use it.
• Use of information systems is audited for
inappropriate access or use.
• Access is cancelled for terminated
employees.
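Added example (not part of the UBMD training and not UBMD’s own code): how the audit controls behind Safeguard #1 are actually put to use. Because every lookup in a clinical system is recorded under an individual’s unique user ID, a privacy officer can re-read that trail and ask, for each access, whether the user had a treatment, payment or operations reason to open the chart. The log layout, department names, MRNs and the lists of flagged and employee patients below are constructed for this example; a real deployment would feed them from the EHR and HR systems.

```python
"""Reviewing a clinical-system audit trail for need-to-know problems.

Added example for the access-control and audit points above; not UBMD's
code.  Every lookup is recorded under an individual login, so the trail
can be checked against whether the user had a job reason (TPO) to open
that chart.  Log layout, departments, MRNs and flag lists are constructed.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed audit trail, one row per chart access (not real data).
AUDIT_LOG = """\
ts,user_id,user_dept,patient_mrn,action,patient_dept
2024-03-04T09:02:11,jsmith,Radiology,MRN1001,view_report,Radiology
2024-03-04T09:05:40,jsmith,Radiology,MRN2002,view_demographics,Orthopedics
2024-03-04T09:05:58,jsmith,Radiology,MRN2002,view_encounter_location,Orthopedics
2024-03-04T10:15:03,fclerk,Lab,MRN3003,view_result,Lab
2024-03-04T10:16:30,fclerk,Lab,MRN3003,view_result,Lab
2024-03-04T11:40:00,drgordon,Cardiology,MRN4004,view_report,Cardiology
2024-03-04T11:41:10,drgordon,Cardiology,MRN4005,view_report,Cardiology
2024-03-04T11:42:12,rwhite,Billing,MRN4004,view_claim,Cardiology
"""

# Constructed reference data (in practice fed from HR and the EHR):
# roles whose TPO function (Payment) spans every clinical department,
# charts of patients who are also workforce members (Scenario 4), and
# charts flagged as high-profile (Scenario 3).
CROSS_DEPT_ROLES = {"Billing"}
EMPLOYEE_PATIENTS = {"MRN3003"}
FLAGGED_PATIENTS = {"MRN2002"}


@dataclass(frozen=True)
class Access:
    ts: str
    user_id: str
    user_dept: str
    patient_mrn: str
    action: str
    patient_dept: str


@dataclass(frozen=True)
class Finding:
    user_id: str
    patient_mrn: str
    reason: str


def parse_log(text: str) -> list:
    """Parse the CSV audit export into Access records."""
    return [Access(**row) for row in csv.DictReader(io.StringIO(text))]


def review(accesses: list) -> list:
    """Return de-duplicated findings a privacy officer should examine.

    None of these prove a violation on their own; an access may turn out
    to be a consult or referral.  They are the accesses that need a
    documented job-related reason.
    """
    findings = set()
    for a in accesses:
        # Need-to-know: same department as the patient's care, or a role
        # such as Billing whose TPO function spans departments.
        if a.user_dept != a.patient_dept and a.user_dept not in CROSS_DEPT_ROLES:
            findings.add(Finding(a.user_id, a.patient_mrn,
                                 "no treatment relationship with patient's department"))
        # Curiosity lookups of well-known patients are a classic audit hit.
        if a.patient_mrn in FLAGGED_PATIENTS:
            findings.add(Finding(a.user_id, a.patient_mrn,
                                 "access to flagged high-profile chart"))
        # Staff are patients too; their charts are reviewed on every access.
        if a.patient_mrn in EMPLOYEE_PATIENTS:
            findings.add(Finding(a.user_id, a.patient_mrn,
                                 "access to a workforce member's chart"))
    return sorted(findings, key=lambda f: (f.user_id, f.patient_mrn, f.reason))


def users_to_follow_up(findings: list) -> dict:
    """Count distinct findings per login so the review can be prioritised."""
    return dict(Counter(f.user_id for f in findings))


if __name__ == "__main__":
    results = review(parse_log(AUDIT_LOG))
    for f in results:
        print(f"{f.user_id:10} {f.patient_mrn:8} {f.reason}")
    print(users_to_follow_up(results))
```

Nothing here proves a violation by itself; a cross-department access may be a consult or a referral. What the review gives the Privacy Official is the short list of logins that need a documented job-related reason, which is exactly the question Scenarios 3, 4 and 5 put to the reader, and it only works because nobody shares a login.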
Safeguard #2: Password Protection
UBMD requires that:
• All passwords be changed at least once every 90 days, or
immediately if a breach of a password is suspected
• User accounts that have system-level privileges granted
through group memberships or programs have a unique
password from all other accounts held by that user;
• Passwords not be inserted into email messages or other forms
of electronic communication;
• Personal Computers and other portable devices such as
Laptops and PDAs which may contain e-PHI must be password
protected, and when possible, encrypt the e-PHI;
• Default vendor passwords be changed immediately upon
installation of hardware or software;
If you think somebody knows your password…
• Notify the Support Desk or your computer support person, and
• Change your password IMMEDIATELY (if you need assistance, ask the Help Desk)
Remember: You are responsible for everything that occurs under your UBMD login.
Safeguard #3: E-mail Considerations
• Practice Safe Emailing
– Do not open, forward, or reply to suspicious emails
– Do not forward UBMD email to personal accounts
– Do not open suspicious email attachments or click on
unknown website addresses
– NEVER provide your username and password to an email
request
– Delete spam and empty the “Deleted Items” folder
– Use a secure email solution whenever sending email
outside UBMD (Use Encryption if available)
– Use all the tools and methods available to you to encrypt
your email.
Check with your UBMD IT personnel for details
Safeguard #4: Workstation Security
Workstations
• Electronic computing devices
• Laptops, desktop computers, or other devices that perform
similar functions (Tablets, Smartphones)
• Electronic media stored in or near them
Physical Security Measures
• Disaster Controls
• Physical Access Controls
• Device and Media Controls
Malware Controls
• Measures taken to protect against any software that causes
unintended results
Workstation Security Contd.
• Disaster Controls
– Protect workstations from natural and environmental hazards
– Locate equipment above ground level to protect it against flood damage
– Use electrical surge protectors
– Move workstations away from overhead sprinklers
Workstation Security Contd.
• Access Controls
– Create a strong password and do not share your
username or password with anyone
– Lock/Log-off before leaving a workstation
unattended. This will prevent other individuals
from accessing e-PHI under your User-ID, and
limit access by unauthorized users.
Workstation Security Contd.
Device Controls
• Ensure information on computer screens is not visible to
passersby
– Auto Log-Off - Where possible and appropriate, devices
must be set to “lock” or “log-off” and require a user to sign in
again after 5 minutes
– Automatic Screen Savers - Password protect, and set to
activate in 5 minutes
– Use a privacy screen
– Manually lock your PC by using the keyboard command
(Press the Ctrl + Alt + Delete keys simultaneously and
select appropriate action)
– Use a password to start up or wake-up your computer
Malware
• Malicious software designed to harm or secretly access computers without the user’s knowledge
– Viruses
– Worms
– Spyware
– Keystroke Loggers
– Remote access Trojans
Malware Contd.
Viruses
• Malicious programs that attempt to spread throughout your computer system and the entire network
• They can be prevented by installing antivirus software on your computer, and updating it frequently
Worms
• Malicious software that spreads without any user action. They take advantage of security holes in the
operating system or software package
• They can be prevented by making sure that your system has all security updates installed
Spyware
• A class of malicious programs that monitors your computer usage habits and reports them for storage in a
marketing database
• They are installed without you knowing while installing another program or browsing the Internet
• They can open advertising windows (popups)
• They can be prevented by installing and running an updated spyware scanner
Keystroke Loggers
• They can be software programs or hardware (devices installed between your keyboard and computer) that
log every keystroke typed.
• They can be detected by most antivirus programs and spyware scanners
• They can be spotted if you check your hardware for anything unfamiliar (do it often)
Remote Access Trojans
• They allow remote users to connect to your computer without your permission, letting them take
screenshots of your desktop, take control of your mouse and keyboard and access your programs at will.
• Most regularly updated antivirus programs can detect and remove them
Symptoms of Malware Infection
• Reduced performance
(your computer slows or
“freezes”)
• Windows opening by
themselves
• Missing data
• Slow network
performance
• Unusual toolbars added
to your web browser
Contact the UBMD Support Desk @ 716-842-2112
if you suspect that your computer has been
infected with malware.
Be aware of Suspicious Email
• Any unsolicited email you receive with an
attachment
• Any email from someone whose name you
don’t recognize
• Phishing
– Emails that ask you to provide personal or
sensitive information. Verify by calling on the
phone before providing any information.
Indications of a Tampered Account
• Your account is locked
when you try to open it
• Your password isn’t
accepted
• You are missing data
• Your computer settings
have mysteriously
changed
If you suspect someone has tampered with your account,
contact the UBMD Support Desk @ 716-842-2112
Portable Device Security Tips
• Always encrypt portable devices and media with
confidential information on them (laptops, flash
drives, memory sticks, external drives, CDs, etc.)
• Encryption must be an approved UBMD data
encryption solution. A UBMD or UB campus owned
device may have already been encrypted for you.
Check with the IT department.
• Purchase only electronic devices and media which
can be encrypted.
Best Practice: Do not keep confidential data on portable devices
unless absolutely necessary and if necessary, the information
must be encrypted.
Scenario 7
Dr. Gordon is very busy and asks you to log into the clinical
information system using his User ID and password to retrieve
some patient reports. What should you do?
A. It is a physician, so it is okay to do this
B. Ignore the request and hope he forgets
C. Decline the request and refer him to the UBMD Information Security Policies
D. None of the above
Scenario 7 Answer
The correct answer is C. Always login under your own
user ID and password. If you do not have system
owner permission to access the system, then do not
access the system. This would have been a violation of
privacy and security policies.
Scenario 8
In your role as a Resident, you need to use a laptop as you work at
various UBMD Practices. You have patient emails, addresses, and
medical information files on the laptop. What is the best way to protect this
device?
A. It is secured as I use a complex password and when unattended, I always lock it up in the trunk of my car
B. I only need a complex password to secure the laptop
C. The information on my portable device is encrypted, I use a complex password, and I physically secure the device when leaving it unattended
D. None of the above
Scenario 8 Answer
The correct answer is C. Your laptop must be encrypted if it contains UBMD patient information or other sensitive confidential information. Password protection by itself is not enough (and a locked car trunk is not a substitute for encryption), but you do need to use complex passwords for the device and physically secure it when unattended. Under federal and state privacy laws, an unencrypted device is considered unsecured in the event of loss or theft, and the loss is therefore reportable to federal and state agencies!
Safeguard #5: Workstation Security
Check List
Always use the physical security measures listed in Safeguard #4, including this “Check List”:
– Use an Internet firewall, if applicable
– Always use anti-virus software, and keep it up to date
– Routinely install computer software updates, such as Microsoft patches
– Encrypt and password-protect portable devices (PDAs, laptops, etc.)
– Lock it up! Lock office or file cabinets, lock up laptops
– Use automatic log-off from programs
– Use password-protected screen savers
– Use physical privacy screens
– Back up critical data and software programs
Safeguard #5: Workstation Security
- when you take it with you…
Security for USB Memory Sticks and Storage Devices
• Don’t store e-PHI on flash drives/memory cards
• If you must store it, de-identify it and/or encrypt it
• Delete the e-PHI when no longer needed
• Protect the devices from loss and damage
Safeguard #5: Workstation Security
PDAs/Tablets/Smartphones
• Don’t store e-PHI on mobile devices
• If you must store it, de-identify it and/or encrypt it and password-protect it
• Back up original files
• Synchronize with computers as often as practical
• Delete e-PHI files from all portable media when no longer needed
• Protect your device from loss or theft. Report any incident immediately.
Safeguard #6: Data Management
and Security
Data Management and Security
Storage – Portable Devices
• Permanent copies of e-PHI should not be stored on portable equipment, such as laptop computers, PDAs, Smartphones and storage media like memory sticks/flash drives
• If necessary, temporary copies can be used on portable computers only while using the data, and only if encrypted, to safeguard the data if the device is lost or stolen
Data Management and Security Disposal
Destroy e-PHI data that is no longer needed:
• Know where to take hard drives, CDs, flash drives, or any backup devices for appropriate safe disposal or recycling (check with your IT professional)
Security Incidents and e-PHI
A “Security Incident” is:
“The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [45 CFR 164.304]
What is your role?
Security Reminders!
A good Security Standard to follow is the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on YOU to adhere to good computing practices
– Example: The lock on the door is the 10%. Your responsibility is the 90%:
• Remembering to lock it
• Checking to see if it is closed
• Ensuring others do not prop the door open
• Keeping control of the keys
10% security is worthless without YOU!
Privacy Breach from Lost, Stolen,
or Misdirected Information
A privacy breach can occur when information
is:
• Physically lost or stolen
– Paper copies, films, tapes, electronic devices
– Anytime, anywhere - even while on public transportation, crossing the
street, in the building, in your office
• Misdirected to others outside of UBMD
– Verbal messages sent to or left on the wrong voicemail or sent to or left for
the wrong person
– Mislabeled mail, misdirected email
– Wrong fax number, wrong phone number
– Placed on UBMD intranet, internet, websites, Facebook, Twitter
What constitutes a Breach?
Definition of “Breach”
• An impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule
• Examples include:
– Laptop containing PHI is stolen
– Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
– Nurse gives discharge papers to the wrong individual
– Billing statements containing PHI mailed or faxed to the wrong individual/entity
Examples of Privacy Breach
• Talking in public areas, talking too loudly, talking to the wrong
person
• Lost/stolen or improperly disposed of paper, mail, films,
notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video
and audio recordings)
• Lost/stolen media like CDs, flash drives, memory cards
• Hacking of unprotected computer systems
• Email or faxes sent to the wrong address, wrong person, or
wrong number
• User not logging off of computer systems, allowing others to
access their computer or system
Exceptions to Breach
• Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which the covered entity participates
• If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information
Breach Notification Obligations
• If a breach has occurred, UBMD will be responsible for providing notice to:
– The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes its analysis of whether the facts constitute a Breach)
– The Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
– The media (only required if 500 or more individuals of any one state are affected)
Breach Notification Decision Tree
What if there is a Breach of
Confidentiality?
• Breaches of the policies and
procedures or a patient’s
confidentiality must be
reported to the UBMD
Privacy Official at NNN-NNNNNNN.
• UBMD’s Breach Mitigation
Policy states:
“Anyone who knows or has reason
to believe that another person has
violated this policy should report
the matter promptly to his or her
supervisor and the UBMD’s
Information Privacy and Security
Office.”
…if a breach is reported?
• The incident will be
thoroughly
investigated.
• The UBMD Covered
Entity is required to
attempt to fix the
harmful effects of
any breach
Disciplinary Actions (Sanctions)
• Internal Disciplinary Actions
• Individuals who breach the policies
will be subject to appropriate
discipline under UBMD Sanction
Policy.
• Civil/Criminal Penalties
• An employee who does not protect a
patient’s privacy and follow all
required UBMD policies and
procedures could lose his or her job
and also (See below)
• Covered entities and individuals who
violate these standards will be
subject to civil and/or criminal liability.
Minimum Privacy Violation
(Level & Definition of Violation / Example / Possible Actions may include:)

Level: Accidental and/or due to lack of proper education.
Examples:
• Improper disposal of PHI.
• Improper protection of PHI (leaving records on counters, leaving documents in inappropriate areas).
• Not properly verifying individuals.
Possible actions may include:
• Re-training and re-evaluation.
• Oral warning with documented discussions of policy, procedures, and requirements.

Level: Purposeful violation of privacy or an unacceptable number of previous violations.
Examples:
• Accessing or using PHI without having a legitimate need.
• Not forwarding appropriate information or requests to the privacy official for processing.
Possible actions may include:
• Re-training and re-evaluation.
• Written warning with discussion of policy, procedures, and requirements, or termination.

Level: Purposeful violation of privacy policy with associated potential for patient harm.
Examples:
• Disclosure of PHI to an unauthorized individual or company.
• Sale of PHI to any source.
• Any uses or disclosures that could invoke harm to a patient.
Possible actions may include:
• Termination.
Civil Penalties
• Covered entities and individuals who violate these
standards will be subject to civil liability
Tiered Civil Penalties
(HIPAA Violation / Minimum Penalty / Maximum Penalty)

• Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
– Minimum: $100 per violation, with an annual maximum of $25,000 for repeat violations
– Maximum: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation due to reasonable cause and not due to willful neglect
– Minimum: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
– Maximum: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation due to willful neglect but violation is corrected within the required time period
– Minimum: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
– Maximum: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation is due to willful neglect and is not corrected
– Minimum: $50,000 per violation, with an annual maximum of $1.5 million
– Maximum: $50,000 per violation, with an annual maximum of $1.5 million
UBMD is SERIOUS about
protecting our Patients’ Privacy
HIPAA Criminal Penalties
(HIPAA Violation / Criminal Penalty)

• An individual who knowingly obtains or discloses individually identifiable health information in violation of HIPAA regulations
– Up to $50,000 and up to one year imprisonment

• If the wrongful conduct involves false pretenses
– Criminal penalties increase to $100,000 and up to five years imprisonment

• If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm
– $250,000 and up to 10 years imprisonment
Reporting Security Incidents
You are required to:
• Respond to security incidents and report
them first to your practice Information Privacy
and Security personnel and/or to the Practice
Administrator as well as to the:
UBMD Information Privacy and Security Officer
First Name Last Name
NNN-NNN-NNNN
[email protected]
How to Report Privacy Breaches
Immediately report any known or suspected privacy breaches (involving paper, conversations, or suspected unauthorized or inappropriate access to or use of PHI), first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the UBMD’s Information Privacy and Security Office at (NNN) NNN-NNN
Remember…
From the patients’ point of view, ALL
information is private
• This includes a patient’s:
– Personal information
– Financial information
– Medical information
– Protected Health Information
– Information in any format: spoken, written, or
electronic
Resources for Privacy and Security
• Your Immediate Supervisor/Manager
• The UBMD HIPAA SharePoint site:
https://prvsharepoint.pn.buffalo.edu/VPHS/UBMD/HIPAA/default.aspx
• Your Practice’s designated Information
Privacy and Security person
• UBMD Information Privacy and Security
Program Office
– Contact Number: (NNN) NNN-NNNN
• UBMD Chief Privacy and Security Officer:
First Name Last Name
Telephone #: (NNN) NNN-NNNN
Summary Question 1
Which workstation security safeguards are you
responsible for using and/or protecting?
A. Your User ID
B. Your Password
C. Logging out of programs that access PHI when not in use
D. All of the safeguards listed
Summary Question 1 Answer
The correct answer is D. Always log off
programs and always protect your user ID and
password. Never share these with anyone.
Summary Question 2
You can protect patient information by:
A. Protecting verbal, written, and electronic information
B. Utilizing safe computing skills
C. Reporting suspected privacy and security incidents
D. Following UBMD policies
E. All of the above methods
Summary Question 2 Answer
The correct answer is E. All of these actions help to protect the privacy and security of patient information.
Thank you for taking the time to review this important Training Presentation. If you have any questions or comments, please refer them to the UBMD Information Privacy and Security Program office.
Proceed to the following section to acknowledge the attestation statement and then complete the Competency Assessment.
END