Privacy or Security - County of Santa Barbara



HIPAA
Updates and Reminders
February 2014
Training Objectives
• What is the Omnibus Rule and what does
it mean for you and PHD?
• What are the changes to HIPAA?
• What is the HIPAA Security Rule?
• How do I report Compliance and HIPAA
issues?
• Resources for more information
Review
Safeguarding PHI…
• Pay attention to detail when entering names and numbers to ensure
that it matches the right patient.
• Be mindful of your surroundings when discussing PHI in public or
areas in which conversations may be overheard.
• Protect the PHI that you are handling. Keep it safe and secure at all
times.
• If you don’t require access in order to perform the functions of your
job, then DO NOT access the information.
• Place PHI in designated shred bins to ensure that the information is
not mistaken for trash.
• Turn over/cover PHI when you leave your desk or cubicle so others
cannot read it.
Protecting PHI is up to YOU
Protection of PHI is Covered By…
• HIPAA Laws as enforced by the Federal Government.
– Civil penalties up to $25,000 for failure to comply.
– Criminal penalties:
  · $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information.
  · $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses.
  · $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
• The Public Health’s Notice of Privacy Practices (NPP)
• You as an employee by following the PHD’s policies and
procedures.
Omnibus Rule
This rule enhances patients’ ability to access and
manage their health information, along with
providing expanded privacy rights and protection
of personal health data.
• Effective date: March 23, 2013
• Compliance date: September 23, 2013
What are some of the Key Elements
of the Omnibus Rule:
• Requires health care providers to supply electronic
copies of patient electronic health records when
requested.
• Patients are afforded the right to request that their
doctor not share treatment information with their health
plan when they pay out of pocket, up front and in full for
a specific service.
• Provides a more specific standard for the Breach Notification
Rule’s “harm” threshold.
• The rule also makes business associates (BAs) of
covered entities directly liable for compliance with HIPAA
requirements.
• The rule holds business associates to the same standard
in protecting patient information and notifying patients in
the event of a breach.
Other Key Highlights of the
Omnibus Rule:
• Prohibits the sale of personal health information without
authorization.
• Limits how health information is used and disclosed for
fundraising and marketing purposes.
• Access allowed to health information 50 years after the
patient is deceased.
• Covered entities can disclose proof of immunization to a
school under state law and agreement whether written or
oral.
• The Notice of Privacy Practices must be revised and
distributed. PHD’s NPP can be found on the Internet.
PHD Notice of Privacy Practices
What is a Breach?
• A breach is the release of protected health
information without authorization.
Reporting & Notification
• Breaches occurring on or after September
23, 2009 must be reported to DHHS.
• The patient is notified of the breach without
unreasonable delay (within 60 days).
Breach Assessments
• The Public Health Department’s Privacy and
Security representatives need to do an
assessment on every potential reportable breach.
• Timely reporting is essential to ensure
compliance.
• If you suspect you might have a breach or are
unsure, report it.
There are 3 Exceptions to Breach
Reporting & Notification
• Mistaken access by an employee, i.e. the
wrong record was reviewed.
• Mistaken disclosure by one employee to
another employee in the same facility.
• Close call. The error was caught before it
turned into a breach.
HIPAA Security
HIPAA Security…What does it have
to do with me?
• The HIPAA Security Rule outlines how we
protect ePHI.
• Everyone is responsible for applying
County policies on the HIPAA Security
Rule to protect PHI in hardcopy AND our
computer systems.
Applying the Security Rule
Administrative Safeguards
Policies and procedures of the Public Health Dept and County are
required and must be followed by employees to maintain security.
Technical Safeguards
Many technical devices are needed to maintain security: computer
passwords, screen savers, ID badges, data backups, media disposal,
encryption and auditing. Computer and system processes are set up to
protect, control and monitor information access.
Applying the Security Rule
Physical Safeguards: Many physical barriers and devices are needed
to maintain security: installing locks on doors, securing the buildings
and rooms, identifying visitors, locking file cabinets to protect PHD’s
property and health information.
Personal Security. PHD’s policies and procedures manage the
assignment of access authority to employees and other workforce
members. Procedures address employee transfers, role
changes and terminations. Security and privacy training must
be conducted.
How do we control access to electronic protected
health information (ePHI) in our computer systems?
• By requiring all users to utilize individually unique
Usernames and Passwords.
– Follow County policies to establish strong passwords
(minimum of 8 characters, mixed case, include numbers,
etc.)
– Usernames and passwords control what users are able to
access and help identify what information users accessed
in our systems.
– Protect your login information and do not share it. If you
think your login information is not secure, report this to
your supervisor and change your password immediately.
– When leaving a computer, ALWAYS:
  · Log off, OR
  · Lock before you walk (press Ctrl-Alt-Del and select Lock).
Employee Access
• It is your responsibility as an employee of the
PHD to protect our department’s
systems, equipment and computers at all times.
• Do not disable anti-virus software, malware
protection, encryption or any security related
programs as per PHD’s computer investigation
policy.
• If you have access from offsite and/or a PC,
pager, or phone, this is for your use only.
Do Not Allow Family and Friends Access to County
Property
• Report the loss or theft of any device immediately
Email Security
• Immediately report any suspicious and/or
threatening emails to PHD IT Help desk
(x4000)
• Do not open suspicious email. Delete it.
• Emails containing PHI must be approved
by your supervisor and will only be sent
using a PHD IT approved secure method.
(see how to send [secure] email on PHD
Intranet)
Security Violations:
Downloading Onto PCs
NO. We DO NOT download anything onto
our computers, laptops, notebooks, smartphones,
tablets, etc. without the permission from PHD IT.
• This includes not downloading from the internet,
CD, flash drive, DVD, disc, software, etc.
• Why not? PHD IT verifies we have the
appropriate licenses and virus protection in
place and that downloaded content/programs
will not compromise your laptop or County PC.
Other types of Security Issues and
Incidents…
• Theft (or loss) of a computer, laptop, PDA.
• Inappropriate use of PHD computers
• A technology-related situation which results in a
significant adverse effect on people, process,
technology, facilities, etc., such as:
– Excessive use of streaming radio or video
which results in network congestion.
– A virus that prevents users from being able to
access systems.
Auditing and Monitoring
How does this impact me?
Audit Trails: Accessing More Than
the “Minimum Necessary”
• We may only access the minimum
necessary to complete our assigned job
responsibilities. This means we may not
access information out of curiosity, or when
we have no job-related reason to do so.
Audit Trails of What I Access
The Security Regulations require this
• The PHD conducts random audits of employee and
contractor access to determine:
– Appropriateness of access, and
– If access is based on PHD’s Access policies.
• Audit trails show what patient records have been
accessed, the date and time of the access, what
was accessed, etc.
– If access appears to be inappropriate, the Privacy
Officer, along with the Security Officer, initiates an
investigation to determine if a breach has occurred.
Audit trails:
Securing Systems (Examples)
• When leaving his/her computer, an employee
didn’t log off the EMR; another employee then
used it to look up her family member’s medical
information.
Important Note: In this situation, both employees
failed to follow PHD P&Ps, which require:
– Logging off/securing all applications when
unattended.
– Using the password-protected screensaver when
leaving a computer unattended.
– Not using another person’s login.
Audit Trails:
Accessing More Than the “Minimum Necessary”
• A clinical staff employee is assigned to routinely
view and update medications, blood pressure,
pulse, and weight for each patient seen by the
provider she works with. She was curious about
the outcomes of another provider’s patient and
decided to view that patient’s record for similar
updates.
Note: This was determined to be a breach of
confidentiality, as she had not been asked by her
provider and/or supervisor to access the other
provider’s records.
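The audit-trail slides above describe what the PHD’s random audits look at: which patient records an account opened, when, and whether that access fits the employee’s assigned duties. The following is an added example, not code from this training deck or from any County system, of that review run over constructed EMR audit lines. The log format, user names, provider panels, role-to-action table and patient IDs are all assumed sample data. It flags the two situations on the slides: a view of a patient on another provider’s panel, and an action beyond what the employee’s role needs even for a patient on their own panel. Each access is attributed to the account that was logged in, which is why an employee who walks away without locking is answerable for what is done under that login.

```python
"""Minimum-necessary access review over EMR audit-trail lines.

Added example, not code from the County of Santa Barbara PHD deck.
All names, patient IDs, the log format and the role table are
constructed sample data (assumptions), not real County records.
"""
from collections import namedtuple
from datetime import datetime

# Constructed staff directory: user -> (assigned provider, role).
STAFF = {
    "mwells": ("dr_alvarez", "clinical_support"),
    "rkhan": ("dr_alvarez", "clinical_support"),
    "tlee": ("dr_chen", "clinical_support"),
    "dr_chen": ("dr_chen", "provider"),
}

# Constructed provider panels: which patients each provider is seeing.
PROVIDER_PANEL = {
    "dr_alvarez": {"P1001", "P1002", "P1003"},
    "dr_chen": {"P2001", "P2002"},
}

# Constructed "minimum necessary" table: the actions each role needs for
# its duties. Clinical support staff update vitals and medications; only
# providers open the full chart or write notes.
ROLE_ACTIONS = {
    "clinical_support": {"VIEW_VITALS", "UPDATE_VITALS", "UPDATE_MEDS"},
    "provider": {"VIEW_VITALS", "UPDATE_VITALS", "UPDATE_MEDS",
                 "VIEW_FULL_RECORD", "UPDATE_NOTES"},
}

# Constructed audit-trail lines in an assumed format:
#   timestamp|user|action|patient_id|workstation
SAMPLE_LOG = """\
2014-02-10T09:12:04|mwells|VIEW_VITALS|P1001|WS-17
2014-02-10T09:15:31|mwells|UPDATE_MEDS|P1002|WS-17
2014-02-10T11:47:02|mwells|VIEW_VITALS|P2001|WS-17
2014-02-10T12:03:45|dr_chen|VIEW_FULL_RECORD|P2002|WS-03
2014-02-10T13:20:10|tlee|VIEW_FULL_RECORD|P2001|WS-17
2014-02-10T18:41:09|rkhan|VIEW_VITALS|P1001|WS-22
"""

AccessEvent = namedtuple("AccessEvent", "ts user action patient workstation")
Finding = namedtuple("Finding", "ts user action patient reason")


def parse_log(text):
    """Parse pipe-delimited audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, ws = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, patient, ws))
    return events


def review_access(events, staff=STAFF, panels=PROVIDER_PANEL, role_actions=ROLE_ACTIONS):
    """Return a Finding for each access that exceeds the minimum necessary.

    Two checks, matching the slide scenarios: the patient must be on the
    assigned provider's panel, and the action must be one the user's role
    needs. An unknown account is itself a finding, since every access
    must be attributable to a named workforce member.
    """
    findings = []
    for ev in events:
        if ev.user not in staff:
            findings.append(Finding(ev.ts, ev.user, ev.action, ev.patient,
                                    "account not in staff directory"))
            continue
        provider, role = staff[ev.user]
        if ev.patient not in panels.get(provider, set()):
            findings.append(Finding(ev.ts, ev.user, ev.action, ev.patient,
                                    f"patient not on {provider}'s panel"))
        if ev.action not in role_actions.get(role, set()):
            findings.append(Finding(ev.ts, ev.user, ev.action, ev.patient,
                                    f"action {ev.action} not needed for role {role}"))
    return findings


def findings_by_user(findings):
    """Group findings per account: the view an investigation starts from."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.user, []).append(f)
    return grouped


if __name__ == "__main__":
    for user, items in findings_by_user(review_access(parse_log(SAMPLE_LOG))).items():
        print(f"{user}: {len(items)} access(es) to review")
        for f in items:
            print(f"  {f.ts.isoformat()} {f.action} {f.patient}: {f.reason}")
```

Run against the sample log, the review flags mwells for viewing vitals of a patient on dr_chen’s panel and tlee for opening the full record of a patient who is on her own provider’s panel but whose chart her role does not need. A real audit would join the EMR log to the HR system for the assignment and role data; the inline tables stand in for that here.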
Types of HIPAA Violations
HIPAA Violations
There are three types of violations:
1. Incidental
2. Accidental
3. Intentional
The following slides will describe the
differences.
Incidental Violations
• If reasonable steps are taken to safeguard
a patient’s information and a visitor
happens to overhear or see PHI that you
are using, you will not be liable for that
disclosure.
• An incidental disclosure is not a
privacy incident. This type of
disclosure is not required to be
documented.
Accidental Violations
• Mistakes can happen. Don’t compound the mistake
by keeping it to yourself. If you mistakenly disclose
PHI or breach the security of confidential data:
– Immediately acknowledge the mistake and notify your supervisor
and the Privacy Officer.
– Learn from the error and help revise procedures (when
necessary) to prevent it from happening again.
– Assist in correcting the error under the direction of your
supervisor and/or the Privacy Officer. Don’t try to cover up the
mistake.
Intentional Violations
• If you ignore PHD/County policies and procedures and
carelessly or deliberately use or disclose protected
health or confidential information, you can expect:
– Disciplinary action, up to and including termination.
– Civil and/or criminal charges.
• Examples include:
– Accessing PHI for purposes other than assigned job
responsibilities.
– Attempting to learn or use another person’s access
information.
– Using someone else’s login to access ePHI.
If you’re not sure about a use or disclosure, check
with your Supervisor or PHD Privacy Officer.
It’s Important to Report HIPAA
Violations Immediately
• So they can be investigated, managed, and
documented.
• So they can be prevented from happening again in the
future.
• So damages can be kept to a minimum.
• To minimize your personal risk.
• In some instances, affected parties of lost, stolen or
compromised PHI will need to be notified as required by
law.
If you are unsure whether an incidental disclosure needs to
be reported, report it to your Supervisor or
Privacy Officer anyway.
How do I report a Privacy or
Security Violation?
• Report to your Supervisor, who will then report to the
Privacy and/or Security Officer
• Complete a Health Information Privacy Complaint form
(HCS-535) located on the PHD Intranet.
• Fax completed form to the confidential fax number
located on the form or send the scanned form to
[email protected].
• Notify the Privacy Officer and/or Security Officer once
you have sent the document.
• If you wish to report information
anonymously, you may use the
compliance reporting form on the PHD
Website at www.countyofsb.org/PHD
Final Reminders
• Access to online medical records is audited.
• You will be held responsible for any inappropriate access done using
your accounts.
• Do not share passwords.
• Log off or lock your workstation when you step away.
• Do not look up any information that is not required for your job,
which means your co-workers’ records, your own or your family’s
records, or any other patient, even a VIP individual.
• Dispose of confidential information in secure shred bins.
• Our patients have entrusted their care to us and need the assurance
that all information, both personal and medical, will be confidential
and not used for personal curiosity or gain.
Thank you for Protecting Our Patient Information!
Privacy and Security Contacts
for the PHD
Privacy and Compliance Officer: Dan Reid
Email: [email protected] Phone: 805-681-5173
Security Officer: Janine Neal
Email: [email protected] Phone: 805-681-5295
HIPAA REFRESHER AND OMNIBUS RULE 2014
ACKNOWLEDGEMENT OF TRAINING
As an employee, contractor, volunteer or agent of the County of Santa Barbara Public
Health Department, I am committed to upholding the highest standard of individual ethical and legal
business practices. I will follow the Public Health Department’s policies and procedures to adhere to the
requirements of the Health Information Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health Act (known as the HITECH Act) to ensure the
security and privacy of protected health information (PHI) for PHD patients. I will be vigilant to prevent
the disclosure (breach) of PHI and will report any instances of violations of these policies or other
issues of non-compliance as specified in this training.
I acknowledge that I have received training on HIPAA, the HITECH Act and the HIPAA
Omnibus Rule, and that I have been made aware of the Public Health Department’s policies and procedures
as they relate to these Acts. I agree to adhere to these policies.
“I certify that I have received training on HIPAA and the HIPAA Omnibus Rule as it applies to me
and my position with the Public Health Department.”
Please print this slide, sign, scan and send via email to [email protected]
Print Full Name (first, middle initial, last):
Signature:
Title:
Date Signed: