HIPAA - GT Independence
Provider Training HIPAA: Privacy & Security
2018
Created by: Deb Trombly Operations Manager, LTC Programs
Privacy Rule – Effective April 14, 2003
Standards for using, disclosing, storing, and safeguarding Protected Health Information (PHI) in any form (paper, electronic, or spoken)
Security Rule – Effective April 20, 2005
Standards and basic safeguards for the storage, security, transmission, and access of electronic Protected Health Information (e-PHI)
HIPAA Training
HIPAA requires that UPCAP train Business Associates on HIPAA policies and procedures
State contracts require UPCAP to verify that provider staff are trained
What HIPAA is and Why it is important
Who must follow the HIPAA law
Define Protected Health Information (PHI)
PHI Use, Access, & Sharing
Security Measures: Organizations & Individuals
Prevent & Report Breaches
Congressional response to healthcare reform
Prevents health care fraud and abuse
Simplifies billing and other transactions, reducing health care administrative costs
Covered Entities: Health Care Providers, Health Plans, Electronic Billing Clearinghouses
& Business Associates (contracts & sub-contracts)
…responsible for all Protected Health Information (PHI & e-PHI), whether it is stored or transmitted electronically, in paper format, or communicated verbally
i.e. … EVERYONE!!!
Relates to the past, present, or future physical or mental condition of an individual, the provision of health care to an individual, or payment for care provided to an individual
Is transmitted or maintained in any form (electronic, paper, or verbal)
Identifies, or can be used to identify, the individual
Name, relatives' names
Address (including street, city, county or parish, zip code and equivalent geo-codes)
Name of employer
Any date (birth, admit date, discharge date)
Telephone & fax numbers
Electronic (email) addresses
Social Security Number
Medical record & client numbers
Treatment: direct or coordinated care, consultation, or referrals
Payment: billing and collection for provided services
Operations: business and management activities; quality, compliance, and training; public health and other government reporting
Secure & Restricted Access: only those directly involved in care (locked files, computer access)
Sharing: Business Associate Agreement in place; consent from the Program Participant; only what is "minimum necessary"
Know approved methods of sharing!!!
In the Office: be mindful of who can overhear case discussions and phone calls
Phone Calls: be sure you are talking with those directly involved with the case, and be aware of who can overhear cell phone calls
Outside of Work: NEVER!!!!
Approved and minimum necessary PHI can be faxed only if:
the cover sheet includes your agency's Confidentiality Statement
you have assurances that the receiving party's fax machine is in a secure area
DO NOT FAX PHI containing:
drug or alcohol dependency
mental illness or psychological information
sexually-transmitted infections (STI)
HIV status
genetic information
EMAIL IS NOT SECURE!!!!! There are four basic places where email can be compromised:
On your devices
On the networks it crosses
On the servers that relay and store it, internally and externally
On your recipient's devices
Communications via email over the Internet are not secure. Unless both mail servers negotiate encryption for a hop, anyone with access to that part of the path can read the whole message, and even when they do, every relaying server and every device along the way holds a readable copy. Information included in an email can be intercepted and read by parties other than the person for whom it is intended. Recipient auto-fill is another common cause of exposure: one wrong autocompleted address sends the PHI to a stranger!!!
UPCAP sends email to: [email protected]
Outgoing mail server via Simple Mail Transfer Protocol (SMTP)
Domain Name System (DNS) lookup of the recipient domain's mail exchange (MX) record
michigan.gov server
Mail exchange server
Mail Transfer Agent (MTA); every server that relays the message holds a readable copy of it
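The path above can be read back out of a delivered message: every MTA prepends a Received: header, newest on top, and the "with" token records the protocol it saw (RFC 3848: ESMTPS or ESMTPSA means TLS was negotiated for that hop, plain ESMTP means clear text on the wire). The script below is an added example, not part of the training deck; the message, hostnames and addresses in it are constructed documentation values, not UPCAP or michigan.gov systems.

```python
"""List every server that handled a message and whether each hop used TLS.

Added example for the training deck (not the deck's own material).  Reading the
Received: headers bottom-up reconstructs the path the message took.  Whether or
not a hop used TLS, the "by" host had a complete, readable copy while relaying.
"""
import email
import re
from typing import Dict, List

# Constructed message: hostnames and IPs are documentation values, not real servers.
SAMPLE = """\
Received: from mx.michigan.example (mx.michigan.example [192.0.2.20])
\tby mailstore.michigan.example with ESMTPS id 7Qx1;
\tMon, 5 Mar 2018 09:14:07 -0500
Received: from smtp.upcap.example (smtp.upcap.example [203.0.113.5])
\tby mx.michigan.example with ESMTP id 4Kd9;
\tMon, 5 Mar 2018 09:14:05 -0500
Received: from staff-laptop.upcap.example ([198.51.100.77])
\tby smtp.upcap.example with ESMTPSA id 2Ab3;
\tMon, 5 Mar 2018 09:14:02 -0500
From: casemanager@upcap.example
To: program.office@michigan.example
Subject: participant update

Body text goes here.
"""

# RFC 3848 "with" protocols that imply TLS: SMTPS/ESMTPS (optionally UTF8..., optionally ...A).
_TLS_PROTOCOLS = re.compile(r"(UTF8)?E?SMTPSA?", re.IGNORECASE)


def _field(keyword: str, text: str) -> str:
    """Pull the token after a Received: clause keyword (from / by / with)."""
    match = re.search(r"(?:^|\s)%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return match.group(1).rstrip(";") if match else "?"


def trace_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return hops in delivery order: sending host, receiving host, protocol, TLS yes/no."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    for header in reversed(received):              # newest header is on top, so reverse
        text = re.sub(r"\s+", " ", header)          # unfold continuation lines
        protocol = _field("with", text)
        hops.append({
            "from": _field("from", text),
            "by": _field("by", text),
            "protocol": protocol,
            "tls": bool(_TLS_PROTOCOLS.fullmatch(protocol)),
        })
    return hops


def cleartext_links(raw_message: str) -> List[str]:
    """Links on which the message travelled unencrypted, as 'sender -> receiver'."""
    return [f"{h['from']} -> {h['by']}" for h in trace_hops(raw_message) if not h["tls"]]


def custodians(raw_message: str) -> List[str]:
    """Every server that held a complete, readable copy of the message."""
    return [h["by"] for h in trace_hops(raw_message)]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(f"{hop['from']:30} -> {hop['by']:30} {hop['protocol']:8} tls={hop['tls']}")
    print("clear text on:", cleartext_links(SAMPLE))
    print("readable copies held by:", custodians(SAMPLE))
```

Only the Received: headers added by your own organisation's servers and those of parties you trust are reliable; anything below them was written by the sender and can be forged. The check is useful for seeing how far PHI travelled in the clear after the fact, not as a substitute for encrypting the file before it is sent.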
De-identifying Email Communications
… not a good idea! Staff members who start an email conversation about a participant using only a first name or initials just open the door for someone later adding one more identifying detail that would allow an outsider to "connect the dots."
Emails to participants may have even more consequences if they use a free email service like Yahoo, Hotmail, etc. – see the next example:
Patient Gary sends an email to his Dr. Lee about something he feels may be a sexually transmitted infection and includes a picture from his smartphone. Neither Patient Gary nor Dr. Lee mentions the words "genital herpes."
Wherever Patient Gary goes online now, he sees advertisements for Valtrex, as does his wife, who uses a shared tablet device. She now sees herpes treatment ads when she's on Kohls.com shopping for shoes.
Because advertising matching algorithms (sometimes called "retargeting") have become so accurate, scanning of medical emails by a free email service can expose their content with alarming frequency, to the great embarrassment of those involved. A covered entity or business associate that sends PHI through such a service without a Business Associate Agreement is the party in violation of HIPAA.
Manually encrypt transmitted files
Office 2007 and later can encrypt and password protect documents.
PeaZip and WinZip are common ways to encrypt & password protect files.
Websites may have a secure file exchange feature.
The recipient must have software that can open the same format; check with your IT staff. Send the password by a different channel (for example, by phone), never in the same email as the file.
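Not every "password protected" zip is protected the same way. The zip format marks an entry as encrypted with bit 0 of its general-purpose flags, but the scheme behind that bit is either the legacy ZipCrypto stream cipher, which is weak and not acceptable for PHI, or WinZip-style AES (compression method 99 with a 0x9901 extra field that records the key size). PeaZip and WinZip can produce either, so the check below is worth running on what you are about to send or what you were handed. It is an added example, not part of the training deck; the archives are built in memory for the example, and the encryption flags on the two "encrypted" samples are labels only (no real encryption is performed), since the point is to read the headers.

```python
"""Audit what kind of encryption a "password protected" zip actually uses.

Added example for the training deck (not the deck's own material).  The sample
archives are constructed; file names and contents are placeholders.
"""
import io
import struct
import zipfile
import zlib
from typing import Dict, Optional

AES_METHOD = 99          # WinZip AE-x marker in the compression-method field
AES_EXTRA_ID = 0x9901    # extra-field header id carrying the AES parameters
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0


def _aes_key_bits(extra: bytes) -> Optional[int]:
    """Walk the extra-field blocks and return the AES key size, if present."""
    while len(extra) >= 4:
        header_id, length = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + length]
        if header_id == AES_EXTRA_ID and length >= 7 and body[2:4] == b"AE":
            return {1: 128, 2: 192, 3: 256}.get(body[4])   # strength byte
        extra = extra[4 + length:]
    return None


def audit_zip(data: bytes) -> Dict[str, str]:
    """Map each entry name to a verdict about how (or whether) it is encrypted."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                verdicts[info.filename] = "NOT ENCRYPTED"
            elif info.compress_type == AES_METHOD:
                bits = _aes_key_bits(info.extra)
                verdicts[info.filename] = f"AES-{bits}" if bits else "AES (unknown strength)"
            else:
                verdicts[info.filename] = "ZipCrypto (legacy, weak)"
    return verdicts


def build_sample_zip(name: str, payload: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Hand-build a single-entry archive so the header fields can be set freely.

    Constructed for the example: the payload is stored as-is, so a flag that
    claims encryption is only a label here, exactly the thing the audit reads.
    """
    fname = name.encode("ascii")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, 0, 0,
                        crc, len(payload), len(payload), len(fname), len(extra))
    local += fname + extra + payload
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          0, 0, crc, len(payload), len(payload), len(fname), len(extra),
                          0, 0, 0, 0, 0)
    central += fname + extra
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


# Constructed archives covering the three outcomes.
_plain_buf = io.BytesIO()
with zipfile.ZipFile(_plain_buf, "w") as _zf:
    _zf.writestr("participants.csv", "id,name\n1,example\n")
PLAIN_ZIP = _plain_buf.getvalue()

ZIPCRYPTO_ZIP = build_sample_zip("participants.csv", b"...", FLAG_ENCRYPTED, 8)

# AE-2 record: vendor version 2, vendor id "AE", strength 3 (256-bit), real method 8 (deflate)
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
AES_ZIP = build_sample_zip("participants.csv", b"...", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_ZIP), ("zipcrypto", ZIPCRYPTO_ZIP), ("aes", AES_ZIP)):
        print(label, audit_zip(blob))
```

Even with AES-256 the central directory is in the clear, so file names and sizes in the archive are readable by anyone who intercepts it; name the files so the listing itself does not disclose PHI.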
Unique “User ID” for log-in purposes, limits access to the minimum information needed to do your job
i.e. UPCAP issues User ID and Pass Codes to Provider staff to utilize VenderView and NAPIS data systems.
Password Protection
• Do not use anyone else's User ID, log-on, password, or a computer someone else is logged on to
• Do not share your User ID, log-on, or password
• Do not post written User IDs or passwords at your workstation or laptop
• Do not insert them into an email or electronic communication
Workstation Protection
• Be sure equipment with access to PHI/e-PHI is logged off and locked when not in use
YOU are responsible for everything that occurs under your log-in
Workstations are desktop or laptop computers, or other devices that perform similar data storage and communication functions
Physical Security Measures include Disaster Controls Physical Access Controls Device and Media Controls
Malware Controls are measures taken to protect against any software that causes unintended results
Access & Device Controls
Log off when leaving a workstation
Automatic screen savers that require the password to return
Locked office
Locked and out of sight in a vehicle or hotel room
Security for USB Memory Sticks and Other Portable Storage Devices:
Don't store e-PHI on memory sticks
If you must store it, use encryption & passwords
Delete the e-PHI when no longer needed
Protect the devices from loss, damage, and theft
Hackers and Worms and Spyware … Oh My!
Hacker: a cybercriminal who uses a range of techniques to gain unauthorized access to computers and/or accounts
Phishing Emails: messages that appear to come from a trusted source in order to collect confidential information (passwords, account numbers, Social Security numbers, etc.)
Viruses, Worms, Trojan Horses: malicious programs usually acquired by opening an infected email attachment, visiting a compromised website, or downloading infected software; viruses and worms self-replicate into other programs, documents, or across networks, while a Trojan Horse poses as legitimate software
Keystroke Logging: a tool that records ("logs") every keystroke on an affected machine for later retrieval, capturing log-ins and passwords
Scareware: a pop-up or email alert that leads you to believe you must download a program to protect your system; you get malware instead
Malvertising & Watering Holes: malicious ads, and legitimate websites compromised because your group is known to visit them, both used to deliver malware
Ransomware: encrypts or locks up data or the PC until a payment is sent. This is HUGE. It usually arrives through a user action (opening an attachment, enabling macros, following a link), though some strains spread on their own across unpatched networks
Be suspicious of …
any email you receive with an attachment
an email from someone you do not recognize
reduced performance (your computer slows or "freezes")
windows opening by themselves
missing data
slow network performance
unusual toolbars added to your web browser
When in doubt, ask IT !!
YOU are the First Line of Defense!!!
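The signs of a phishing email listed above can be checked mechanically before anyone clicks. The routine below is an added example, not part of the training deck: it looks at whether the sender only appears to be a trusted source (a display name that claims a trusted domain, or a lookalike domain built from character swaps or by burying the real name inside a longer one), whether replies are steered to a different domain, whether an attachment can execute, and whether the subject line applies pressure. The trusted domains (upcap.example, michigan.example), the indicator lists and both sample messages are constructed for the example.

```python
"""Triage an incoming message for the phishing indicators the training lists.

Added example for the training deck (not the deck's own material).  Domains,
word lists and sample messages are constructed; substitute your own.
"""
import email
import os
from email.utils import parseaddr
from typing import List, Tuple

TRUSTED_DOMAINS = ("upcap.example", "michigan.example")          # assumed, constructed

# Character swaps commonly used to build lookalike domains.
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".html"}
LURE_WORDS = ("urgent", "verify", "password", "suspended", "expire")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _normalize(domain: str) -> str:
    """Collapse visually confusable sequences so upcap.exarnple == upcap.example."""
    for src, dst in _CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def _is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _imitates(domain: str) -> str:
    """Trusted domain this one imitates, or '' if it is genuine or unrelated."""
    if _is_trusted(domain):
        return ""
    for trusted in TRUSTED_DOMAINS:
        if _normalize(domain) == _normalize(trusted):    # upcap.exarnple
            return trusted
        if trusted in domain:                             # upcap.example.login-portal.test
            return trusted
    return ""


def triage(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)

    # 1. Display name claims a trusted domain while the real address is elsewhere.
    if not _is_trusted(sender_domain) and any(t in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(("display-name-spoof", f"display name claims a trusted domain, real sender is {sender}"))

    # 2. Sender domain is a lookalike of a trusted domain.
    imitated = _imitates(sender_domain)
    if imitated:
        findings.append(("lookalike-domain", f"{sender_domain} imitates {imitated}"))

    # 3. Replies are redirected to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}"))

    # 4. Attachments whose type can run code or macros.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", filename))

    # 5. Pressure language in the subject.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append(("urgency-lure", ", ".join(hits)))
    return findings


# Constructed samples: one phish, one ordinary notice.
PHISH = """\
From: "security.officer@upcap.example" <alerts@upcap.exarnple>
Reply-To: inbox@mail-relay.test
To: provider@agency.example
Subject: URGENT: verify your VenderView password today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your access will be suspended unless you confirm your password.
--b1
Content-Type: application/octet-stream; name="Participant_List.pdf.exe"
Content-Disposition: attachment; filename="Participant_List.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1--
"""

LEGIT = """\
From: UPCAP Help Desk <helpdesk@upcap.example>
To: provider@agency.example
Subject: VenderView maintenance window
MIME-Version: 1.0
Content-Type: text/plain

VenderView will be unavailable Saturday from 02:00 to 04:00.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or "no indicators")
```

None of these checks proves a message is malicious on its own; a hit means stop and ask IT before opening anything, which is exactly the training's rule. Real deployments add the authentication results (SPF, DKIM, DMARC) that the receiving mail server records, which the constructed samples omit.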
HITECH Act: the Health Information Technology for Economic & Clinical Health Act (2009) created a nationwide security breach notification law. The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media, in the event of a breach of unsecured protected health information, without unreasonable delay and no later than 60 calendar days after the breach is discovered.
HITECH Act: All Covered Entity and Business Associate staff must be trained on the importance of timely reporting of privacy and security incidents, and the consequences of failing to do so.
A “Security Incident” is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’’ [45 CFR 164.304]
Examples include:
A laptop containing PHI is stolen
An unauthorized staff member looks through participant files to gain information "not needed" to perform their job
Billing statements containing PHI are mailed or faxed to the wrong individual/entity
You are required to immediately report incidents or security breaches, to your director and to UPCAP Security Officer, Mark Bomberg.
Breaches or violations may result in:
disciplinary action up to and including removal, demotion, suspension, or termination
criminal prosecution
civil litigation
referral to appropriate law enforcement authorities
referral to regulatory or licensure authorities
other remedies as deemed appropriate by your organization
Circumstance of violation | Minimum penalty | Maximum penalty
Entity did not know (even with reasonable diligence) | $100 per violation ($25,000 per year for violating the same requirement) | $50,000 per violation ($1.5 million per year); jail: up to 1 year
Reasonable cause, not willful neglect | $1,000 per violation ($100,000 per year) | $50,000 per violation ($1.5 million per year); jail: up to 5 years
Willful neglect, but corrected within 30 days | $10,000 per violation ($250,000 per year) | $50,000 per violation ($1.5 million per year); jail: up to 10 years
Willful neglect, not corrected | $50,000 per violation ($1.5 million per year) | None; jail: up to 10 years
Note: the dollar figures are the civil penalty tiers under 45 CFR 160.404. The jail terms are the separate criminal penalties under 42 U.S.C. 1320d-6, which depend on the offender's intent (knowing misuse, false pretenses, or intent to sell or to use the information for commercial advantage, personal gain, or malicious harm) rather than on these civil tiers.
Violations of Privacy, Confidentiality, Security, and IT Policies may result in disciplinary action, up to, and including possible termination, and civil and criminal liability
The final Omnibus Rule (2013) strengthens the ability of HHS's Office for Civil Rights (OCR) to vigorously enforce the HIPAA Privacy and Security Rules regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.
Recent HIPAA Settlements:
Corporate Example:
Memorial Healthcare System: the largest HIPAA settlement of 2017 thus far, $5.5 million, for employees inappropriately accessing patient information, including names, dates of birth, and Social Security numbers.
Presence Health: $475,000 payment after paper operating room schedules containing PHI went missing from the Surgery Center, mainly because of delayed notification … "clear policies & procedures must be in place to respond to the Breach Notification Rule's timeline requirements"
2017 HealthITSecurity.com
Recent HIPAA Settlements: Non-Healthcare Provider - Example
Life Insurance Company: $2.2 million settlement after reporting that a USB drive containing e-PHI was stolen from the IT office. OCR's investigation found that the company had not performed risk assessments and had not encrypted its laptops and removable media.
Jan’17 HealthITSecurity.com
Individual Example
A licensed practical nurse who pled guilty to wrongfully disclosing a patient’s health information for personal gain faces up to 10 years in prison, and/or $250,000 fine. She gained access to a patient’s private medical file then shared that information with her husband, who on that same day, called the patient stating he intended to use the information against the patient in an upcoming legal proceeding. Mar’14 NurseZone.com
Access and share only the PHI needed for your job
Use only approved software to store and transmit your e-PHI
Protect your User ID and password
Keep equipment locked and logged off when not in use
Collect signed consents from participants
Report suspected breaches to your agency's director & UPCAP's Security Officer, Mark Bomberg (if applicable)