C. Gibbs MHA 690 week 1 discussion 2

General Hospital: Protecting Patient Privacy and Confidentiality Cassandra Gibbs MHA: 690 Week 1 Discussion 2 1/7/2015

Transcript of C. Gibbs MHA 690 week 1 discussion 2

Page 1: C. Gibbs MHA 690 week 1 discussion 2

General Hospital: Protecting Patient Privacy and Confidentiality

Cassandra Gibbs
MHA 690

Week 1 Discussion 2
1/7/2015

Page 2:

Defining the Issues

• Patient Privacy – Keeping all personal health information [as defined in federal law] safe in conversation, health information exchange (HIE), messaging, and the security of electronic health records (EHRs)

• Confidentiality – Limiting when and how private information is disclosed, and never disclosing it without the patient's prior permission unless the law specifically permits the disclosure

• Breach – Any acquisition, access, use, or disclosure of protected health information (PHI) that is not permitted and that compromises its security or privacy [intentional or not]

Page 3:

Who it Involves

• Health care management
• All staff employed by the facility
• Employers
• Insurers and other third parties
• Patients
• Providers
• Medical researchers

Page 4:

Positive Promotions

• Compliance with federal laws
• Patient trust and satisfaction
• Accountability
• Patient safety
• Enhanced reputation
• Due diligence
• Reduction in medical error

Page 5:

Federal Laws

• Privacy Act of 1974 – governs individuals' access to, and limits disclosure of, personal records held by federal agencies

• Health Insurance Portability and Accountability Act of 1996 (HIPAA); Privacy Rule of 2000 – national standards for patients' privacy rights, permitted uses and disclosures of PHI, and the consequences of violating them

• HIPAA Security Rule – administrative, physical, and technical safeguards required for electronic PHI

• Federal Trade Commission: Health Breach Notification Rule – prompt notification to affected individuals when a vendor of personal health records that is not covered by HIPAA suffers a breach

• HITECH Act of 2009 – incentives for meaningful-use adoption of health IT; it also raised HIPAA civil penalties, extended the rules to business associates, and introduced breach notification for HIPAA-covered entities

Page 6:

Current Violations/Penalties [per incident]

Civil (four tiers set by HITECH; amounts are per violation, with an annual cap for repeat violations of the same provision)

• Did not know (unintentional): $100 minimum per violation; $25,000 statutory annual cap for repeats; up to $50,000 per violation and $1.5 million per year under HHS enforcement

• Reasonable cause: $1,000 minimum per violation; $100,000 statutory annual cap for repeats; up to $50,000 per violation and $1.5 million per year

• Willful neglect [corrected within 30 days]: $10,000 minimum per violation; $250,000 statutory annual cap for repeats; up to $50,000 per violation and $1.5 million per year

• Willful neglect [uncorrected]: $50,000 minimum per violation; $1.5 million annual cap

Criminal (knowingly obtaining or disclosing PHI)

• Up to $50,000 and 1 year of imprisonment for a knowing violation

• Up to $100,000 and 5 years if committed under false pretenses

• Up to $250,000 and 10 years if committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

Page 7:

Quick Facts

• Employees commit the majority of data breaches

• Up to 37% search for medical information on fellow employees

• More than 25% research PHI of family members or friends without authorization

• Malware infections and outdated, unpatched software account for most of the remaining breaches

Page 8:

What We Can Do: Confidentiality/Privacy

• Keep usernames and passwords secure; never share them

• Protect other network-accessible devices (laptops, tablets, phones) with the same care as workstations

• Log out of all systems and sessions when finished

• Encrypt all files, and mask or remove personal identifiers before sharing

• Never send more than the minimum necessary for the purpose of the disclosure

Page 9:

What We Can Do: Security

• Shred and destroy all unused or outdated documents

• Make sure antivirus software and definitions are up to date

• Do not expose computer screens to the public

• Store hardware not in use in a secure location

• Ask for identification from unfamiliar personnel

• Report! Report! Report! (any suspicious activity)

Page 10:

What We Can Do: Electronic Information

• Do not alter or delete information in PHI unless authorized

• Never share passwords, write them down, or store them in plain text for any reason

• Do not give work computer access to non employees

• Do not open unknown emails or attachments

• Only use approved servers for email and other communications containing PHI

Page 11:

Monitoring

• Should be continuous

• Abide by the Security Management Process standard (HIPAA Security Rule, strengthened by HITECH): risk analysis, risk management, a sanction policy, and regular review of information system activity such as audit logs and access reports

• Continue education and training of staff to remain current

• Create internal policies and provisions for disciplinary action if needed
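Information system activity review, the audit-log part of continuous monitoring, is the control that catches the insider snooping described in the Quick Facts (staff looking up coworkers or relatives). The script below is an added example written for this page; it is not part of the presentation and not any hospital's EHR software. The employee roster, the list of employees who are also patients, the patient registry with care-team assignments, and the audit log lines are all constructed, and the CSV column names (timestamp, user, mrn, action, reason) are an assumption about what an EHR's access-log export looks like. It flags an access when the user is not on the patient's care team and the record belongs to a fellow employee, the user shares the patient's surname, or no break-the-glass reason was recorded.

```python
import csv
import io
from collections import Counter

# Constructed employee roster: user id -> (surname, department). Not real data.
EMPLOYEES = {
    "asmith": ("Smith", "Billing"),
    "bjones": ("Jones", "Nursing"),
    "clee": ("Lee", "Nursing"),
    "dkhan": ("Khan", "IT"),
}

# Constructed list of employees who are also patients: user id -> medical record number.
EMPLOYEE_MRNS = {"clee": "MRN-2002"}

# Constructed patient registry: MRN -> (surname, set of user ids on the care team).
PATIENTS = {
    "MRN-2001": ("Garcia", {"bjones", "clee"}),
    "MRN-2002": ("Lee", {"bjones"}),
    "MRN-2003": ("Jones", {"clee"}),
}

# Constructed EHR access audit log. Column names are an assumed export format.
AUDIT_LOG = """timestamp,user,mrn,action,reason
2015-01-07T08:01:00,bjones,MRN-2001,view,
2015-01-07T08:05:00,asmith,MRN-2002,view,
2015-01-07T08:09:00,bjones,MRN-2003,view,
2015-01-07T08:12:00,dkhan,MRN-2001,view,
2015-01-07T08:15:00,clee,MRN-2001,view,
2015-01-07T08:20:00,asmith,MRN-2003,view,break-the-glass: ED triage
"""


def review_access_log(log_text, employees, employee_mrns, patients):
    """Return [(user, mrn, [reasons])] for every access that needs human review.

    Accesses by a member of the patient's care team are treated as a documented
    treatment relationship and are not flagged.
    """
    findings = []
    mrn_owner = {mrn: uid for uid, mrn in employee_mrns.items()}
    for row in csv.DictReader(io.StringIO(log_text)):
        user, mrn = row["user"], row["mrn"]
        if user not in employees or mrn not in patients:
            # An id the registry does not know is itself worth a look.
            findings.append((user, mrn, ["unknown user or patient id"]))
            continue
        surname, _department = employees[user]
        patient_surname, care_team = patients[mrn]
        if user in care_team:
            continue
        reasons = []
        owner = mrn_owner.get(mrn)
        if owner == user:
            reasons.append("employee viewed their own record")
        elif owner is not None:
            reasons.append(f"record belongs to fellow employee {owner}")
        if surname == patient_surname:
            reasons.append("same surname as patient (possible family member)")
        if not row["reason"].strip():
            reasons.append("no care-team relationship and no documented reason")
        if reasons:
            findings.append((user, mrn, reasons))
    return findings


def flagged_accesses_per_user(findings):
    """Count flagged accesses per user so repeat offenders can be escalated."""
    return dict(Counter(user for user, _mrn, _reasons in findings))


if __name__ == "__main__":
    for user, mrn, reasons in review_access_log(AUDIT_LOG, EMPLOYEES, EMPLOYEE_MRNS, PATIENTS):
        print(f"{user} -> {mrn}: {'; '.join(reasons)}")
```

In the constructed log, the billing clerk viewing a nurse's record, the nurse viewing a patient who shares her surname, and the IT user with no documented reason are each flagged; the same clerk's later access with a break-the-glass reason recorded is left for the normal reason-audit rather than flagged here. In a real deployment the roster and care-team data would come from the HR and scheduling systems, and the flagged rows would feed the sanction policy rather than being printed.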
