HIPAA Security Training

HIPAA Privacy and Security
Cindy Cummings, RHIT

Authorization – STILL NEED IT

Facilities must obtain authorization from patients before using or sharing their PHI for reasons other than treatment, payment, or health care operations.

What is Confidential?

• Medical Record #
• Name
• Address
• Telephone Number
• Age
• Social Security #
• E-mail address
• Medical History
• Diagnosis
• Medications
• Observations
• And More

Breach Notification Requirements – This is New 2010

• Individual Notices
• Media Notices
• Notice to the Secretary
• Notification by a Business Associate

Individual Notice

Covered entities… that’s HOB.

• Must notify affected individuals once we discover a breach of unsecured protected health information.
• Must provide this individual notice in writing by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive notice that way.
• If HOB has insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice:
  – Post the notice on the home page of the HOB web site,
  – or provide the notice in major print or broadcast media where the affected individuals likely reside.
  – The substitute notice must include a toll-free number for individuals to contact HOB to determine if their protected health information was involved in the breach.
  – If fewer than 10 individuals are affected, HOB may provide substitute notice by an alternative form of written, telephone, or other means.

Individual Notice

• The individual notifications must be provided without unreasonable delay:
  – no later than 60 days following the discovery of a breach.
  – They must include, to the extent possible:
    • a description of the breach,
    • a description of the types of information that were involved in the breach,
    • the steps affected individuals should take to protect themselves from potential harm,
    • a brief description of what HOB is doing to investigate the breach, mitigate the harm, and prevent further breaches,
    • contact information for HOB.

Media Notice

If HOB has a breach affecting more than 500 residents of a State, jurisdiction or area…
  – Besides notifying the affected individuals, HOB is required to provide notice to prominent media outlets serving the State or jurisdiction.
  – HOB would likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.

Like individual notice, this media notification must be provided without unreasonable delay:
  – in no case later than 60 days following the discovery of a breach.
  – It must include the same information required for the individual notice.

Notify the Secretary

Notice to the Secretary (HHS)

In addition to notifying affected individuals and the media (where appropriate), HOB must notify the Secretary of breaches of unsecured protected health information.

HOB notifies the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.

If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.

If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify HOB following the discovery of the breach.

A business associate must provide notice to HOB without unreasonable delay and no later than 60 days from the discovery of the breach.

To the extent possible, the business associate should provide HOB with the identification of each individual affected by the breach as well as any information required to be provided by HOB in its notification to affected individuals.

No Big Deal, Right?

Wrong!!!!!

Kentucky Hospital

• The Bowling Green Medical Center had a hard drive stolen that contained information on 5,418 patients.
• Information contained on the hard drive:
  – Patient’s name
  – Birthdate
  – Address
  – MR #
  – SS #
  – Weight
  – Height
  – Menopause age

Massachusetts General Hospital

• The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train; they were never recovered.

The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations.

Federal Penalties for not Complying

For the misuse of personally identifiable health information:
  Fines up to $50,000 and/or imprisonment for a term up to 1 year

For the misuse under false pretenses:
  Fines up to $100,000 and/or imprisonment for a term up to 5 years

For the misuse with the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm:
  Fines up to $250,000 and/or imprisonment for a term up to 10 years

First Person Goes to Jail for HIPAA Violation

• Researcher from UCLA School of Medicine sentenced to 4 months in federal prison.
• Accessed confidential medical records without a valid reason.

2010 Breach Notifications – So how did HOB do in 2010?

• 137 breaches occurred for Hospice of the Bluegrass.
• 19 of those breaches required the patient as well as the Secretary of the Dept. of Health and Human Services to be notified.

137 breaches… the breakdown

Patient Variances
• 110 variances were e-mail related
• 3 variances involved other patient names included within a mailing
• 6 variances involved medications sent to the wrong patient
• 12 variances involved a lost pager
• 2 variances involved staff members allowing non-staff members to ride along on patient visits
• 1 variance involved a page sent to an entire site location rather than the supervisor

How to Protect Patient Privacy

What is Information Security?

All the protections put into place to ensure ePHI is:
  – kept confidential,
  – not improperly altered or destroyed,
  – and readily available to those who are authorized.

Protect Patients’ Privacy

• Do not discuss patients in public areas such as elevators and cafeteria lines.
• Do not leave information about a patient’s health on an answering machine.
• Always close curtains and speak softly when discussing treatments in semi-private rooms.
• Always log off the computer when you’re finished.
• Always dispose of patient information only in locked containers.

Protecting Patient Information

Keep your computer login and passwords a secret.

Rules for Using Computers
• Do not log into the system using someone else’s password.
• Only access patient information that you need to do your job.
• Keep computer screens pointed away from the public.
• Do not copy PHI onto a removable device such as a thumb drive, disc, etc.

E-mail

• Hospice of the Bluegrass DOES NOT have the encryption software that is needed to e-mail PHI outside of the HOB network.
• If the e-mail address does not end with “hospicebg.org” you CANNOT include PHI.
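The e-mail rule above is the kind of check a mail gateway or data-loss-prevention filter can enforce before a message leaves the network. The following is an added illustration, not HOB's own software: it takes the recipient list of an outbound message and decides whether the message may carry PHI. The domain hospicebg.org comes from the slide; the function names and the sample addresses are assumptions constructed for the example. It also shows why a plain "ends with hospicebg.org" string test is not enough: a look-alike domain such as nothospicebg.org would pass that test, so the check compares the whole domain (or a real subdomain of it) instead.

```python
"""Recipient-domain check for the PHI e-mail rule (illustrative, not HOB code)."""
from email.utils import parseaddr

# Internal domain named on the slide. PHI may only go to addresses in it.
INTERNAL_DOMAIN = "hospicebg.org"


def recipient_domain(address):
    """Return the lower-cased domain of one address, or None if it is malformed.

    Accepts both bare addresses and display-name forms such as
    'Jane Doe <jane@hospicebg.org>'.
    """
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_internal(address):
    """True only for the internal domain itself or a genuine subdomain of it.

    Comparing whole labels (exact match or '.' + domain suffix) rejects
    look-alikes such as 'nothospicebg.org' and 'hospicebg.org.example',
    both of which a naive substring/endswith test would let through.
    """
    domain = recipient_domain(address)
    if domain is None:
        return False
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def may_send_phi(recipients):
    """Apply the slide's rule to a whole recipient list (To/Cc/Bcc).

    Returns (allowed, offenders): allowed is True only when every recipient
    is internal; offenders lists the addresses that block the send so the
    sender can be told exactly which ones to remove.
    """
    offenders = [r for r in recipients if not is_internal(r)]
    return (len(offenders) == 0, offenders)


if __name__ == "__main__":
    # Constructed sample recipient lists (assumed, not real addresses).
    samples = [
        ["nurse@hospicebg.org", "Jane Doe <jane@mail.hospicebg.org>"],
        ["nurse@hospicebg.org", "family@mailbox.example"],
        ["nurse@nothospicebg.org"],
        ["nurse@hospicebg.org.example"],
    ]
    for recipients in samples:
        allowed, offenders = may_send_phi(recipients)
        verdict = "PHI allowed" if allowed else "PHI blocked"
        print(f"{verdict}: {recipients} offenders={offenders}")
```

Run the block directly to see each sample list classified; the two look-alike domains are blocked even though the string "hospicebg.org" appears in them.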

Physical Security

Practice Common Sense Security
• Keep laptops and other portable devices locked when not in use.
• Keep cell phones and pagers on your person at all times.
• Make sure doors and desks are locked as appropriate.

The most frequent risk to using PDAs and laptops is theft.
• When transporting laptops (or any patient information), they should be stored in the floorboard area or in the trunk.
• Keep your car locked at all times.

Sanctions

• Hospice of the Bluegrass takes seriously the responsibility of privacy/security of all PHI in its care.
• Failure to adequately ensure the privacy/security of PHI can result in disciplinary action against you, up to and including:
  – Dismissal
  – Termination of Business Contract
  – Reporting the violation to licensing agencies and law enforcement officials.

Scenarios

• You’re at the grocery store…
• You’re at church…
• You’re at the gas station…
• Your cell phone rings at home…