HIPAA Understanding the Privacy and Security Regulations Michelle Caryl Created 11.13.12.

Transcript of the 46-page presentation.

Page 1

HIPAA Understanding the Privacy and Security Regulations

Michelle Caryl Created 11.13.12

Page 2

THE BASICS BEHIND HIPAA

• Health Insurance Portability & Accountability Act

• It is a federal law established to give patients basic privacy protections to which all patients are entitled.

• Its original goal, in 1996 (under the Clinton administration), was to make it easier for people to move from one health insurance plan to another as they change jobs or become unemployed.

Page 3

THE BASICS BEHIND HIPAA

• The law also required that common electronic transactions, such as insurance claims, be in a standard format for healthcare organizations and payers.

• Many states during this time did not have privacy laws, so this was the first time that patients’ privacy rights became more than ethical obligations: they were now a federal law with civil and criminal penalties for violations.

Page 4

THE BASICS BEHIND HIPAA

• HIPAA includes 3 regulations:

1. Transactions and Code Sets: National standards for electronic healthcare transactions (coding and billing). These are the standards set on how we get our electronic claims “talking” the same language between provider, clearinghouse, and payer.

2. Privacy: Establishes federal protections for the privacy of health information and an individual’s rights to their health information.

3. Security: Ensures confidentiality of health information and protects against anticipated hazards or unauthorized uses or disclosures.

Page 5

THEN CAME THE HITECH ACT

• With the enactment of The American Recovery and Reinvestment Act of 2009, came the subset act called the HITECH Act.

• This act was created to enforce stricter privacy and security protections for patient data as the federal government made the transition to an electronic health record a priority.

• The HITECH Act also:

Increased patient rights, giving them more control over their information.

Limited the uses of patient information for marketing purposes.

Mandated the Breach Notification Rule.

Made business associates directly accountable for protecting patient information.

Page 6

COMMON HIPAA DEFINITIONS

• Covered Entity (CE): Individual or organization that must comply with HIPAA. This includes health plans, healthcare clearinghouses, and most provider organizations, such as physician practices, therapists, dentists, hospitals, nursing homes, home health agencies, and pharmacies.

• Business Associate (BA): An individual or organization (other than a member of the CE’s work force) that performs a function for the CE that requires access to protected health information. A CE must have a contract with a BA, called a Business Associate Agreement, protecting the information used during these functions. A few examples of these kinds of functions or activities include: collections, IT services, legal services, and transcription.

Page 7

COMMON HIPAA DEFINITIONS

• Protected Health Information (PHI): PHI includes any information that can be linked to a specific patient and can take any form, including electronic, written, spoken or heard. It includes demographic information (e.g. patient name), financial information (e.g. insurance number), and health information (e.g. diagnosis codes).

• Minimum Necessary: Only those individuals with an authorized “need to know” to perform their job may have access to PHI. HIPAA requires these individuals to only use or share the minimum necessary to perform their job.

Page 8

PRIVACY & SECURITY – DOs AND DON’Ts

DO:

Avoid discussions about patients in elevators, cafeteria lines, nurses’ stations, and other public places, both inside and outside the facility.

Return patient information to its appropriate location or destroy it properly.

If you notice someone without identification viewing or handling PHI, ask them for identification. It is not appropriate for visitors to view PHI without valid permission.

Discard patient information by shredding it or storing it in a locked container for future destruction.

Keep papers containing patient information facedown as you carry them, or transport them in a closed, and perhaps locked, container depending on where you are transporting them.

Use the same precautions with electronic devices at home as you do at work. Log off when not using them, and be mindful that devices at home may be used by others.

DON’T:

Don’t discuss patients other than when necessary for work-related purposes.

Don’t leave health records unattended; this includes computers and computer monitors.

Don’t leave messages for patients pertaining to their condition or test results on answering machines or with anyone other than the patient, unless you have the patient’s written authorization.

Don’t share information that you overhear or see at work with anyone who doesn’t need to know.

Don’t leave medical records or patient information on printers, copiers, fax machines or other public places.

Don’t remove patient information from the facility unless you have specific permission to do so from your Manager/Supervisor or Privacy Officer.

Page 9

WHAT WE DO TO PROTECT PRIVACY AND SECURITY

• Keep records locked up and allow access only to those individuals who need information for either treatment, payment or healthcare operations.

• Require employees to log off computers when away from their desks.

• Turn computer screens away from public view or use privacy screens to ensure information is not accidentally accessed.

• Shred paper that includes PHI and keep shred bins away from public areas.

• Educate staff on privacy and security policies.

• Keep low voices in nurse stations where PHI is frequently discussed.

• Keep doors closed while having discussions with patients about their care.

• Wear name badges so patients know that you are a CFH employee and you are responsible for protecting their privacy.

• Never email information with PHI in it.

• Never look up friends’, relatives’, or neighbors’ information unless you have written authorization to have access to it. In that case, follow proper procedures and go to Health Information for this information rather than looking it up yourself.

• Do not put PHI on CD-ROMs, DVDs or thumb drives unless you have been given instruction to do so by your Manager/Supervisor.

• Keep passwords protected and never share them with others or post them where others may see them.

• Don’t attempt to disable or change password-protected screensavers or software used for security purposes.

Page 10

FAXING

• HIPAA does not address faxing patient information specifically, but faxed information is still PHI that is protected under HIPAA.

• Faxing information can easily fall into the wrong hands, which is a privacy violation.

• It is a risky way to transmit PHI, so unless it is an emergency we do not fax patient records.

• When we do need to fax, these are the steps to follow:

Always use our CFH designated cover page with the confidentiality message. Every department at CFH has its own cover sheet for this purpose. See your Manager/Supervisor if you cannot locate them.

Verify the fax number to which you are faxing.

Ensure the recipient is authorized to receive the information.

Call to confirm that the person received the fax, or that a confirmation sheet prints out to confirm it went through correctly.

Link: A CFH Fax Cover Sheet

Page 11

INCIDENTAL DISCLOSURES

• Sometimes you may have incidental access to confidential information, defined as “secondary use(s) or disclosures(s) that cannot reasonably be prevented, are limited in nature, and that occur as a byproduct of an otherwise permitted use or disclosure.”

• An example of this would be when a patient walking by the nurse station overhears a nurse talking on the phone to another patient.

• HIPAA requires that all covered entities make a reasonable effort to minimize and limit incidental disclosures without compromising patient care.

Page 12

WHAT WE CAN DO TO AVOID INCIDENTAL DISCLOSURES

• Turn papers on desks and elsewhere facedown so that passersby don’t see information accidentally.

• Keep printers and fax machines in areas that are not accessible to passersby, and ensure information is promptly removed from these areas rather than left sitting around.

• Arrange workstations so that information on computer screens is not visible to those who don’t need to know.

• Don’t use patient names in meetings or in other places where those present do not need this information.

• Keep patient exam rooms closed while patients wait to see the provider.

Page 13

HIPAA PATIENT RIGHTS

• In order to use or release PHI for reasons other than those used for treatment, payment, healthcare operations, or a limited number of other specific instances required by law, the patient or legal representative must sign an authorization form agreeing to let us use or release the information for a particular request or need.

• We cannot refuse to treat patients who won’t sign Authorization to Release or Disclose Confidential Information forms.

Link: Authorization to Release or Disclose Confidential Information Form

Page 14

HIPAA PATIENT RIGHTS: NOTICE OF PRIVACY PRACTICES (NPP)

• The HIPAA Privacy Rule requires covered entities to distribute and post a privacy notice at the facility and on a website, if applicable.

• Where can you find CFH’s Notice of Privacy Practices?

In a black binder in all patient lobbies.

On the internet at www.centerforfamilyhealth.org

On the intranet under the Health Information Management policy: Communicating the HIPAA Notice of Privacy Practice

Hard copies are located at all front desk workstations.

• The purpose of this notice is to inform patients about:

All the ways we can use or release patient information to another organization or to the government.

Their right to view their records and obtain copies.

Their right to request amendments, restrict use and disclosure, and request confidential communications.

How to file a complaint with us or with the U.S. Department of Health and Human Services (HHS) if they feel their privacy has been violated.

Link: Notice of Privacy Practices

Page 15

HIPAA PATIENT RIGHTS: ACCESS TO OWN RECORD

• Patients may have access to their own PHI, except in rare circumstances where the information that they access may endanger the life or safety of the patient or another individual.

• PHI includes the medical records, dental records, pharmacy records, billing records, and any other patient-specific information used to make decisions about the patient.

• Although not a requirement of HIPAA, CFH requires that patients or personal representatives complete an Authorization to Release Confidential Information form and provide identification before records will be disclosed.

• Covered entities may not impose a fee on patients who wish to view their own records; only a fee for costs associated with copying records can be imposed.

• Many states impose their own fee schedule for these fees. HIPAA does not set a fee schedule and allows individual states to set the law. HIPAA’s only concern is that the fee does not impose a barrier to the patient getting the access.

Page 16

HIPAA PATIENT RIGHTS: ACCESS TO OWN RECORD

• A patient may request a copy of all or any part of their record and have it provided to them in either paper or electronic format within 30 days of his or her request.

• Applicable charges for providing these records do apply for those patients who are not medically indigent.

• Patients who are considered medically indigent are entitled to one free copy of their record. The following program benefits meet the medically indigent criteria:

Medicaid and/or applying

HealthPay A or B and/or applying

Jackson Health Plan and/or applying

Social Security Disability and/or applying

Project Access

FIP (Family Independence Program) Benefits – patients need to provide a copy of Bridge card.

• Please send patients to Health Information to determine the costs associated with providing patient records.

Page 17

DECEASED PATIENTS

• When a patient is deceased, only the patient’s personal representative (if designated after death), the patient’s heir at law, or the beneficiary of the patient’s life insurance policy is deemed an authorized representative able to access the deceased patient’s record.

Personal Representative – designated by Probate Court. Legal paperwork with this designation must be present for information to be given.

Heir at Law – includes surviving spouse and all adult children 18 years of age or older (excluding step children). A notarized Affidavit of Heir at Law Form must be completed in order to confirm designation of the Heir at Law for information to be given.

Beneficiary – this person must provide a copy of the life insurance policy designating this person as the beneficiary for information to be given.

Link: Affidavit of Heir or Life Insurance Beneficiary Requesting Records Form

Page 18

MINORS’ RECORDS

• Minors generally need an adult to consent for care until age 18.

• In some cases, parental consent is not needed and minors may consent to care based on the following circumstances in accordance with state and federal law:

Family Planning

Prenatal/Pregnancy related counseling and/or care

Reproductive Health Care

Outpatient Mental Health Services at or over the age of 14

Sexually Transmitted Infection Treatment

HIV Treatment

Drug and Alcohol Treatment

Page 19

MINORS’ RECORDS

• In the following circumstances, minors may consent to general health care if the minor is:

Married

Active duty in Armed Forces

Emancipated by court

Law enforcement custody

Incarcerated

• If a minor consents for care, state and federal laws apply:

Minor controls access to those designated records.

Provider has discretion to share with parent or guardian if there is substantial probability of harm to the minor or to another.

Information will be shared without consent for reasons of child abuse reporting.

• Review proper documentation guidelines for making encounters and medications confidential in the patient record.

Page 20

DISCLOSURE EXCEPTIONS TO PATIENT AUTHORIZATIONS

• We may be required by law to release PHI without asking for the patient’s permission.

• Some of these scenarios include:

Reporting certain communicable diseases and other conditions to state or federal health agencies.

Reporting suspected child or elderly abuse and/or neglect to the state Department of Human Services.

Responding to police requests for certain information about patients to determine whether they are suspects in a criminal investigation.

Responding to court orders.

Reporting cases of suspicious deaths or certain suspected crime victims, such as individuals with gunshot wounds or burns that may be due to arson.

Providing information to coroners and funeral directors when patients die.

• Whenever in doubt about whether PHI can or can’t be disclosed, contact the Privacy Officer or your Manager/Supervisor before proceeding.

Page 21

HIPAA PATIENT RIGHTS: REQUESTING AN AMENDMENT

• If a patient feels something has been documented or reflected incorrectly in their health record, they have a right to request that the provider review their record for accuracy and/or correction and respond to his or her request within 60 days.

• The patient or personal representative must submit this request in writing, to the Privacy Officer, using our Request for Amendment to Protected Health Information Form.

Link: Request for Amendment to Protected Health Information Form

Page 22

HIPAA PATIENT RIGHTS: ACCOUNTING OF DISCLOSURES

• The patient has a right to receive an accounting of all non-routine disclosures of his or her PHI within 60 days of his or her request.

• The patient or personal representative must submit this request in writing, to the Privacy Officer, using our Request for Accounting of Disclosures of Protected Health Information.

• These non-routine disclosures exclude:

Those used for treatment, payment, or health care operations.

Those made to the patient or personal representative.

Those made more than six years before the request.

Those pursuant to an authorization.

Those made to federal officials to conduct national security activities.

Those made to a correctional facility or law enforcement officials under limited circumstances.

Link: Request for Accounting of Disclosures of Protected Health Information

Page 23

HIPAA PATIENT RIGHTS: ACCOUNTING OF DISCLOSURES

• Disclosures to include in an accounting:

Disclosures required by law (such as reporting communicable diseases or child abuse).

Court Orders

Subpoenas (unless the individual or his or her personal representative signed an authorization)

Research (unless the individual or his or her personal representative signed an authorization)

Adult abuse or neglect

Adverse drug reactions (if the individual was identified in the report)

Adverse vaccine reactions

Animal bites (if reporting is required)

Child abuse or neglect

Coroner or medical examiner

Court Order

Immunization Registry

Research, unless authorization was obtained or the study used a limited data set or de-identified information

Subpoena (without authorization)

Page 24

HIPAA PATIENT RIGHTS: RESTRICTING PHI USE AND DISCLOSURE

• A patient may request restrictions on the center’s use and disclosure of his or her PHI for purposes of treatment, payment, or health care operations, or on disclosures of PHI to family members, friends, or other persons identified by the patient for purposes of notification or assistance with care. The patient can expect a response to this request within 30 days.

• The patient or personal representative must submit this request in writing, to the Privacy Officer, using our Request for Restriction or Confidential Communication of Protected Health Information Form.

Link: Request for Restriction or Confidential Communication of Protected Health Information Form

Page 25

HIPAA PATIENT RIGHTS: RESTRICTING PHI USE AND DISCLOSURE

• A guardian, particularly for use with children in foster care, can use a password restriction. This password restriction can only be used in cases that do not limit a legal guardian from being granted health information, but can, for example, restrict demographic information pertaining to the child. In cases of joint custody both parents must agree to a password restriction and know the password.

• Effective February 18, 2010, the American Recovery and Reinvestment Act (ARRA) gives a patient the right to require that a healthcare provider comply with the patient’s request to restrict disclosure to a health plan when the patient health information pertains to a service for which the healthcare provider has been paid in full by the patient “out of pocket.”

Page 26

HIPAA PATIENT RIGHTS: REQUEST FOR CONFIDENTIAL COMMUNICATION

• A patient or personal representative may request that they be contacted through alternative means, such as a different address or telephone number, so that the communication is more confidential.

• The patient or personal representative must submit this request in writing, to the Privacy Officer, using our Request for Restriction or Confidential Communication of Protected Health Information Form.

• Any reasonable request for confidential communications must be accommodated and a response given to the patient within 30 days.

• When appropriate, we may also require the patient to supply information on how payment will be handled when communication is limited.

• Once this accommodation has been made, we need to comply and follow the request to avoid a breach of the patient’s confidentiality and a HIPAA violation.

Page 27

HIPAA SECURITY REGULATION

• Privacy and security are directly related. Many of the security measures are mechanisms used to protect privacy and confidentiality.

• The security regulations are designed to safeguard electronic PHI, although the privacy regulations require you to secure and protect all forms of PHI.

• Security requirements cover data stored on hard drives, removable or portable memory devices (laptops, thumb and USB drives) as well as data sent via the internet or contained in e-mail.

Page 28

SECURITY REGULATION: WHAT WE MUST DO

• We must have certain security measures in place to protect patient information. These include:

Monitoring logon attempts.

Responding to information security incidents.

Employing appropriate measures to protect computers from viruses and malicious software.

Protecting patient information that is removed from the facility or accessed from home.

Educating staff members about security practices.

Conducting random security audits to ensure that only staff members who need to know are accessing PHI and that they are accessing only the minimum records necessary to perform their jobs.

Using appropriate physical security measures, such as locked doors.

Implementing data recovery plans and downtime procedures.

Implementing role-based access so that staff members access only the information they need to perform their jobs.
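The logon monitoring, random access audits, minimum necessary and role-based access items above, as an added example that is not part of the presentation or of CFH’s systems: a small Python audit script that applies a role-based access matrix and a minimum-necessary caseload check to constructed access-log lines, and flags users with repeated failed logons. The roles, record types, caseloads, log format and failure threshold are assumptions chosen for illustration.

```python
# Added example (not from the presentation): audit constructed access-log
# records against role-based access rules, a minimum-necessary caseload check,
# and a failed-logon threshold. Roles, record types, caseloads, log format and
# threshold are assumptions for illustration, not CFH's actual configuration.
from collections import Counter
from dataclasses import dataclass

# Role-based access matrix (assumed): which PHI record types each role may open.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "medication", "billing"},
    "nurse": {"clinical", "medication"},
    "billing_clerk": {"billing", "demographics"},
    "front_desk": {"demographics"},
}

# Minimum necessary (assumed): a user listed here may only open records of
# patients on his or her assigned caseload.
CASELOAD = {
    "dr.jones": {"P001", "P002"},
    "nurse.lee": {"P001"},
    "clerk.kim": {"P001", "P002", "P003"},
}

FAILED_LOGON_THRESHOLD = 3  # assumed: report a user with this many failures


@dataclass
class Finding:
    user: str
    reason: str   # "rbac", "minimum_necessary" or "failed_logons"
    detail: str


def parse_line(line):
    """Parse one constructed log line:
    '<timestamp> <user> <role> LOGON_OK|LOGON_FAIL' or
    '<timestamp> <user> <role> ACCESS <record_type> <patient_id>'."""
    parts = line.split()
    if len(parts) == 4 and parts[3] in ("LOGON_OK", "LOGON_FAIL"):
        return {"ts": parts[0], "user": parts[1], "role": parts[2], "action": parts[3]}
    if len(parts) == 6 and parts[3] == "ACCESS":
        return {"ts": parts[0], "user": parts[1], "role": parts[2], "action": "ACCESS",
                "record_type": parts[4], "patient": parts[5]}
    raise ValueError(f"unrecognised log line: {line!r}")


def audit(lines):
    """Return Findings for role violations, minimum-necessary violations and
    users whose failed logons reach the threshold, in that order of detection."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev["action"] == "LOGON_FAIL":
            failures[ev["user"]] += 1
            continue
        if ev["action"] != "ACCESS":
            continue
        # Role-based access: the record type must be permitted for the role.
        if ev["record_type"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            findings.append(Finding(ev["user"], "rbac",
                f"role {ev['role']} opened {ev['record_type']} record of {ev['patient']}"))
        # Minimum necessary: the patient must be on the user's caseload.
        caseload = CASELOAD.get(ev["user"])
        if caseload is not None and ev["patient"] not in caseload:
            findings.append(Finding(ev["user"], "minimum_necessary",
                f"opened record of {ev['patient']}, who is not on the assigned caseload"))
    for user, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(Finding(user, "failed_logons", f"{n} failed logon attempts"))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2012-11-13T08:01 dr.jones physician LOGON_OK",
    "2012-11-13T08:02 dr.jones physician ACCESS clinical P001",
    "2012-11-13T08:05 nurse.lee nurse LOGON_OK",
    "2012-11-13T08:06 nurse.lee nurse ACCESS billing P001",   # outside the nurse role
    "2012-11-13T08:07 nurse.lee nurse ACCESS clinical P002",  # not on nurse.lee's caseload
    "2012-11-13T08:10 clerk.kim billing_clerk ACCESS billing P003",
    "2012-11-13T08:11 guest front_desk LOGON_FAIL",
    "2012-11-13T08:12 guest front_desk LOGON_FAIL",
    "2012-11-13T08:13 guest front_desk LOGON_FAIL",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user}: {f.reason}: {f.detail}")
```

Run against the sample log, the script reports one role violation and one minimum-necessary violation for nurse.lee and a failed-logon finding for guest; the physician and billing clerk accesses pass both checks. In a real deployment the matrix and caseloads would come from the access-control system rather than literals, and the findings would feed the random audits the slide describes.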

Page 29

SECURITY: PASSWORDS

• One essential step in securing information is to pick good passwords.

Pick a password that is easy for you to remember, but hard for someone else to guess. Using family member names, pet names, and/or birthdays is not advised.

Use one that includes letters and numbers, consists of six characters that incorporate upper and lower case letters, and, if the system permits use of a special character, use those too.

Passwords should be changed regularly, at least every 90 days.

Do not share your password. If someone else asks you for it to get into a system, refer them to their Supervisor/Manager to get appropriate access. Sharing a password, even if you think it is for a good reason, is still a violation of the security policy.

Do not post passwords on or near computers or in workstations. Your passwords should be kept in a secure place at all times.

Page 30

SECURITY: PROTECTING AGAINST COMPUTER VIRUSES

• A computer virus or other malicious software can destroy information stored on your computer. It can also copy your passwords or PHI that you store or send.

• Viruses are often transmitted via e-mail attachments or by visiting certain websites.

• What you can do to help eliminate the threat of viruses:

Don’t open suspicious e-mail or attachments from unknown senders. Contact IT immediately.

Pay attention to emails sent by IT warning of viruses going around.

Do not uninstall the anti-virus software that was preinstalled on your computer. Also, do not install any additional anti-virus software.

Use your work e-mail account in a manner appropriate for work-related items.

Do not access any unapproved personal email accounts or websites at work.

Page 31

SECURITY: UNAUTHORIZED SOFTWARE OR HARDWARE

• Music-sharing and remote-access software, games, and other programs that you may want to install can disable your computer and threaten the network, possibly allowing someone to access your computer.

• Do not install any software on your computer without permission from IT.

• Watch for files that you work with that end with .exe as these are executable files or software programs that can often contain malicious programs or viruses. Do not open these files without permission from IT.

• You should never connect devices to your computer (i.e. through the USB port) without permission from IT.

Page 32

SECURITY: E-MAIL AND ENCRYPTION

• Information that is sent by e-mail is usually not secure.

• CFH does not currently have an e-mail program that allows e-mail to be encrypted before sending, so you may not send any PHI through our e-mail system.

• Encryption means that the information is coded or scrambled so that it cannot be read by anyone who doesn’t have the key to read it.

Page 33

SECURITY: HANDHELD DEVICES AND LAPTOP COMPUTERS

• A frequent risk with using handheld devices and/or laptop computers is loss or theft. This could mean a potential loss of data confidentiality.

• Keep devices locked up when not in use and if lost or stolen report this immediately to the Security Officer.

• Tips when using portable devices:

Do not save PHI on them unless protected by a secure password.

Do not store passwords and access codes on portable devices.

Pay special attention to portable media (disks, CDs, thumb drives) that you take off-site.

Secure portable devices in a locked area when not in use.

Page 34

PRIVACY & SECURITY COMPLAINTS

Link: Privacy Complaint Form

• A patient or personal representative has a right to file a complaint regarding the center’s privacy policies, procedures or actions and expect a response to his or her complaint within 30 days.

• Patients are notified of their right to submit complaints regarding the privacy of their health information in the center’s Notice of Privacy Practices.

• The center’s Notice of Privacy Practices contains a statement informing patients that they have the right to complain to the center and/or the Secretary of Health and Human Services (HHS), if they believe that their privacy rights have been violated.

• The notice also contains a statement that patients will not be retaliated against for filing a complaint.

• The patient or personal representative must submit their complaint in writing, to the Privacy Officer, using our Privacy Complaint Form.

Page 35

PRIVACY & SECURITY COMPLAINTS

• CFH has the responsibility of monitoring compliance and investigating any breaches in privacy and security.

• Patients and employees are expected to report violations and/or suspected violations to the Privacy Officer and/or Security Officer:

Privacy Officer: Michelle Caryl, Health Information Manager

[email protected] 505 N. Jackson St. ~ 748-5500 ext. 1132

Security Officer: Kim Hinkle, Quality Improvement Director

[email protected] N. Jackson St. ~ 748-5500 ext. 1526

• Reporting suspected violations is part of your job, and you should feel comfortable reporting, as any kind of retaliation for doing so is prohibited by law.

Page 36

VIOLATION PENALTIES

• Violation of the HIPAA privacy or security rules can result in civil or criminal penalties.

• With the enactment of the HITECH Act, individual employees can now be fined these penalties as well as organizations.

• Criminal penalties can include not only large fines, but also incarceration. These penalties can be as high as $250,000 or a prison sentence of 10 years.

• Criminal penalties increase as the severity of the offense increases.

• Civil penalties for a HIPAA violation are based on a tier system.

Page 37

Civil Penalty Tier System

• Tier A: The offender did not know he or she violated the law. The fine is $100 for each violation, with a maximum fine of $25,000 for multiple violations of the same requirement or prohibition in one calendar year.

• Tier B: Violation due to reasonable cause, but not willful neglect. The fine is $1,000 for each violation, with a maximum fine of $100,000 for multiple violations of the same requirement or prohibition in one calendar year.

• Tier C: Violation due to willful neglect, but corrected within a required time period. The fine is $10,000 for each violation, with a maximum fine of $250,000 for multiple violations of the same requirement or prohibition in one calendar year.

• Tier D: Violation due to willful neglect and the organization did not correct it. The fine is $50,000 for each violation, with a maximum fine of $1,500,000 for multiple violations of the same requirement or prohibition in one calendar year.

Page 38

Breach Notification Rule

• When a breach of unsecured PHI happens, it is important that it be reported to the Privacy Officer and/or your Supervisor/Manager immediately.

• We are required to perform a risk assessment on each breach in order to determine if the breach poses a significant risk of financial, reputational or other harm to the affected patient.

• If the risk assessment does show a significant risk, we must inform the patient in writing within 60 days of the breach. This allows the patient to be informed and take necessary steps to ensure their protection.

• If a breach occurs and it pertains to more than 500 patients, a notice must be made immediately to the Secretary of Health and Human Services and we must send a notice using prominent media outlets serving the state and regional areas so that patients are informed and can take the necessary steps to ensure their protection.

• Once a year, all breaches of unsecured PHI must be reported to the Secretary of Health and Human Services no matter how many patients were affected.

Page 39

Forms and Documents:

CFH Fax Cover Sheet

Page 40

Forms and Documents:

Authorization to Release or Disclose Confidential Information Form

Page 41

Forms and Documents:

Notice of Privacy Practices (this is only page 1 of 6)

Page 42

Forms and Documents:

Affidavit of Heir or Life Insurance Beneficiary Requesting Records Form

Page 43

Forms and Documents:

Request for Amendment to Protected Health Information Form

Page 44

Forms and Documents:

Request for Accounting of Disclosures on Protected Health Information

Page 45

Forms and Documents:

Request for Restriction of Confidential Communication of Protected Health Information Form

Page 46

Forms and Documents:

Privacy Complaint Form
