Transcript Compliance Education

Compliance Education
Tulane University
( For Staff assigned to TUMG HIPAA Clinics ONLY )
HIPAA & HITECH
HIPAA – The Health Insurance Portability & Accountability Act was passed by the U.S.
Congress in 1996. Its provisions were phased in over several years.
HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) was effective
April 14, 2003. It set the standards for how covered entities and business associates are to
maintain the privacy of PHI. It states that a covered entity is not allowed to use or disclose
PHI without permission from the individual, except as the law allows. The Privacy rule
applies to PHI in all formats. The Administration Simplification provision of HIPAA
(standardization of electronic data interchange in health care transactions) was effective
October, 2003.
HIPAA Security – Protection for the security of electronic Protected Health Information (ePHI)
was effective April 20, 2005. It defines the standards which require covered entities to
implement basic safeguards to protect ePHI that is created, received, used or maintained
by a covered entity.
HITECH is part of the “American Recovery and Reinvestment Act” of 2009. It allocated $20
billion to health information technology projects expanding the reach of HIPAA by
extending certain obligations to business associates and imposed a nationwide security
breach notification law and increased penalties and enforcement. Like HIPAA, the various
procedures will be phased in over several years.
HITECH-Breach Notification Provisions

The law requires covered entities and business associates to
notify individuals, the Secretary of Health and Human Services
and, in some cases, the media in the event of a breach of
unsecured protected health information
–
–
The law applies to the Tulane Health Care Component, which
consists of the Tulane University Medical Group (“TUMG”), its
participating physicians and clinicians, and all Tulane University
employees and departments that provide management,
administrative, financial, legal and operational support services to or
on behalf of TUMG to the extent that such employees and
departments use and disclose individually identifiable health
information in order to provide these services to TUMG, and would
constitute a “business associate” of TUMG if separately incorporated.
A business associate is a person or entity that performs certain
functions or services for or to TUMG involving the use and/or
disclosure of PHI, but the person or entity is not part of TUMG or its
workforce (examples include law firms, transcription services and
record copying companies).
HITECH-Breach Notification Provisions

Law applies to breaches of “unsecured protected
health information”
–
Protected Health Information (PHI)




Relates to past, present, or future physical or mental condition
of an individual; provisions of healthcare to an individual; or for
payment of care provided to an individual.
Is transmitted or maintained in any form (electronic, paper, or
oral representation).
Identifies, or can be used to identify the individual.
Examples of PHI include
–
Health information with identifiers, such as name, address, name
of employer, telephone number, or SSN
– Medical Records including medical record number, x-rays, lab or
test results, prescriptions or charts
–
Unsecured
 Information must be encrypted or destroyed in order to be
considered “secured”
HITECH-Breach Notification
Obligations

If a breach has occurred, Tulane will be responsible for
providing notice to
–
–
–
The affected individuals (without unreasonable delay and in no
event later than 60 days from the date of discovery—a breach
is considered discovered when the incident becomes known
not when the covered entity or Business Associate concludes
the analysis of whether the facts constitute a Breach)
Secretary of Health & Human Services-HHS- (timing will
depend on number of individuals affected by the breach)
Media (only required if 500 or more individuals of any one
state are affected)
No Notification;
Determine if Red
Flag Rules or state
breach notification
laws apply
No Notification;
Determine if
accounting and
mitigation obligations
under HIPAA
No Notification
No
Is the information PHI?
Yes
No
Decision Tree for
Breach Notification
Is the PHI unsecured?
Yes
No
Is there an
impermissible
acquisition, access, use
or disclosure of PHI?
Yes
No Notification;
Determine if
accounting and
mitigation obligations
under HIPAA
No
Does the impermissible
acquisition, access, use or
disclosure compromise
the security or privacy of
PHI?
Yes
No Notification;
Determine if
accounting and
mitigation obligations
under HIPAA
Yes
Does an exception
apply?
No
Notification Required;
Determine methods for
notification for affected
individuals, the Secretary of
HHS and, if necessary,
media
HITECH-Reporting Breaches




Breaches of unsecured PHI (can include information in any form or
medium, including electronic, paper, or oral form) or of any of
Tulane’s HIPAA policies and procedures must be reported to the
Privacy Official at 504-988-7739 or the Office of the General
Counsel immediately.
Tulane’s policy (GC-026) states,
– “Any member of the Health Care Component who knows,
believes, or suspects that a breach of protected health
information has occurred, must report the breach to the Privacy
Official or the Office of the General Counsel immediately.”
If a breach is reported, the incident will be thoroughly investigated.
The Tulane University Covered Entity is required to attempt to
remedy the harmful effects of a breach, including providing
notification to affected individuals
Disciplinary Actions

Internal Disciplinary Actions
–
Individuals who breach the policies will be subject
to appropriate discipline under policy GC-009
Minimum
Privacy Violation Action
Level & Definition of
Violation
Example
Action
Accidental and/or due to lack of
proper education.
•Improper disposal of PHI.
•Improper protection of PHI
(leaving records on counters,
leaving documents in
inappropriate areas).
•Not properly verifying
individuals.
•Re-training and re-evaluation.
•Oral warning with documented
discussions of policy, procedures,
and requirements.
Purposeful violation of privacy
or an unacceptable number of
previous violations
•Accessing or using PHI without
have a legitimate need.
•Not forwarding appropriate
information or requests to the
privacy official for processing.
•Re-training and re-evaluation.
•Written warning with discussion of
policy, procedures, and
requirements.
Purposeful violation of privacy
policy with associated potential
for patient harm.
•Disclosure of PHI to
unauthorized individual or
company.
•Sale of PHI to any source.
•Any uses or disclosures that
could invoke harm to a patient.
Termination.
Disciplinary Actions

Civil Penalties
–
Covered entities and individuals who violate these
standards will be subject to civil liability.
Tiered Civil Penalties
Circumstance of
Violation
Minimum Penalty
Maximum Penalty
Entity did not know
(even with reasonable
diligence)
$100 per violation
($25,000 per year for
violating same
requirement)
$50,000 per violation
($1.5 million annually)
Reasonable cause, not
willful neglect
$1,000
($100,000)
$50,000
($1.5 million)
Willful neglect, but
corrected within 30
days
$10,000
($250,000)
$50,000
($1.5 million)
Willful neglect, not
corrected
$50,000
($1.5 million)
None
Disciplinary Actions

An employee who does not report a
breach in accordance with the policies and
procedures could lose his or her job.
Employee Obligations



Do not disclose PHI without patient authorization. If
you have questions about whether a disclosure is
permitted, ask your supervisor.
If you think there has been an unauthorized
disclosure of PHI, contact the Security or Privacy
Official or the Office of the General Counsel
immediately.
When removing PHI from Tulane (i.e., by physician
removal of medical records or through the use of a
laptop), act in accordance with Tulane’s security
measures.
Review
Review of HIPAA Policies & Procedures that
were revised 2010
Patient Access to Protected Health
Information Fees – GC-008
Policy Revised November 2010




Copies – 0.25¢ per page and a handling fee
of $10.00
A fee of $25.00 will be charged for an
expedited request.
A fee of $25.00 will be charged to prepare a
summary of the information.
A fee of $25.00 will be charged to prepare an
explanation of the information.
Patient Access to Protected Health
Information – GC-008 continued

If a patient requesting copies of the record is
unable to pay because the cost would
constitute a hardship, the TUMG Financial
Hardship form must be completed and
become part of the patient’s record.

If any of the TUMG clinics have a third party
vendor handling the copying of records then
this policy is not applicable for the vendor.
Authorization for Release of Protected
Health Information – GC-010
Policy revised August 2010

An additional authorization was added to
this policy.

Form is specific “to use / disclose
protected health information for marketing,
public relations, and external
communications.”
HIPAA Security Policies
Protecting Data in Copiers &
Multifunction Devices

Copiers, faxes, and/or scanners
1. Purchasing / leasing: If you are in the process
of purchasing, leasing or renting a copier, fax,
and/or scanner, please ask your supplier or
vendor about security options now available by
most manufactures that regularly clear the
memory of these devices and also encrypt the
hard drives so that privacy breaches can be
prevented.
Protecting Data in Copiers &
Multifunction Devices continued

Copiers, faxes, and/or scanners
2. Existing Equipment: If you are currently in the
middle of a product’s life, TS recommends you
carefully follow the following guide.
– Determine if it has a hard disk drive



–
Consult the device manual, if available
Contact your service rep
It may be possible to look up online by model on the
vendor web site
If it does have a hard disk drive, you must ensure
the data stored on the device does not leave our
control
Protecting Data in Copiers &
Multifunction Devices continued
3. Disposing of, transferring, or retiring old equipment:
• Since it has become public knowledge that copiers/multifunction
office devices may contain sensitive personal information, their
disposal must be handled carefully. The university already has the
following existing resources related to the disposal of hard drives
and the secure removal of data, which should be applied to this type
of equipment:
• HIPAA Disposal Policy
– http://www.tulane.edu/~hipaa/TS30Disposal_Policy.pdf
• Computer Recycling
– http://recycle.tulane.edu/recycle-news.html
Protecting Data in Copiers &
Multifunction Devices continued

Each link below contains documentation for how to wipe the hard drive of a printing
device by the particular manufacture. Some manufactures provide a feature
whereby the printer will continuously or periodically wipe its hard drive. You should
enable this feature where available.
–
Xerox Devices:
http://www.xerox.com/information-security/product-security/enus.html
–
Ricoh Devices:
http://www.ricoh.com/about/security/product/index.html
–
HP Devices:
http://www.hp.com/large/solutions/hp-disk-erase-white-paper.pdf
–
Lexmark Multi-function Printer security features:
http://www1.lexmark.com/documents/en_us/CIP_Piece_POD.pdf
–
Cannon Image RUNNER Devices:
http://www.usa.canon.com/CUSA/assets/app/pdf/ISG_Security/brochure__ir_hard_disk_dri
ve_security_kit_061009.pdf
For more information on best practices, see:
–
http://www.prlog.org/10640424-how-to-protect-your-photocopier-hard-drive
–
http://www.dataerasure.com/printer_hard_drive.php
HIPAA Security Phishing

WARNING: Be always vigilant for email scams that could result
in theft of Protected Health Information (PHI).

A common, recent variation on the scam is an email that:
1. Requires you to verify a user name and/or password, or
2. Links you to a site pretending to be one you know and requires you
to enter your user name and/or password.

Tulane is particularly concerned with a current scam that tries
to trick you into revealing your Tulane email user name and
password, so that the sender can read all of your emails and
either steal PHI that is contained in your email or use your
codes to enter other password-protected accounts that you
maintain for PHI.
HIPAA Security Phishing continued
What you should do:



First, be careful following links in emails – you may be able to
verify if the link’s true identity from a careful reading of the web
address. If you are uncertain, you should instead check out of
email and enter the desired web site using Google or another
search engine to find the true home page of the desired web
site.
Second, never provide confidential information to someone who
initiates a contact with you. In this case, never respond to an
email that directly or indirectly requires you to provide, verify or
enter your Tulane email user name and password.
Finally, if you think you may have been compromised in this
way, take immediate steps to change your Tulane password;
then contact the University’s 24/7 Technology Help Desk and
send an email to [email protected]
SOM Vendor Policy
( http://tulane.edu/compliance/upload/IndustryPolicy-2.pdf )
1.
2.
Covers all interactions between Tulane
employees and Industry Representatives
relating with any purchases related to patient
care.
Covers interaction between vendors and
Tulane employees related to meals, gifts, and
entertainment.
SOM Vendor Policy Continued
3.
4.
5.
Sets forth vendor registration process for all
vendors visiting Tulane University
downtown campus (not hospital).
Sets forth guidelines related to handling
sample medications and vouchers.
Sets forth guidelines related to ghost
writing.
TUMG Healthcare Compliance Manual
( http://tulane.edu/compliance/upload/Compliance-Manual.pdf )

Resource for policies related to:
-
-
Coding, billing, and claims issues
Record keeping and retention
Patient referrals / payments for gifts
Conflict of interest
Response to investigations
Secure Computing Practices
Safeguards for Users
E-mail Encryption
1.
2.
3.
Email Encryption to HCA Healthcare
Email Encryption to the outside world
Email Encryption within Tulane
Email Encryption to HCA Healthcare

Email messages between tulane.edu and
hcahealthcare.com are encrypted
automatically by servers policy.
Email Encryption to the outside world



Type the word Secure: at the subject line
It can be lowercase, uppercase or mix case
It can be anywhere in the subject line
–
–
–
–
Secure:
secure:
SECURE:
The Colon “ : ” is important.
Email Encryption within Tulane
By default, email within Tulane for other clients such as Mac
Mail, Entourage or iPhone are automatically encrypted
with SSL.
Resources
HIPAA Security Official
Hunter Ely (504) 988-8566
HIPAA Privacy Official
Glenda Folse (504) 988-7739
Legal Issues
Sarah Hunter (504) 988-5297
Associate General Counsel