UBMD Information & Privacy Program
HIPAA/HITECH Training
The Health Insurance Portability and Accountability Act (HIPAA) requires that UBMD train all workforce members of “Covered Entities” on the HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for UBMD and/or the University at Buffalo.
The aim of this program is to help you understand:
• What are the HIPAA Privacy, Security and HITECH laws about?
• Who has to follow these laws?
• How does HIPAA/HITECH affect you and your job?
• Why is HIPAA/HITECH important?
• Where can you get answers to your questions about HIPAA/HITECH?
Aim of the Information Privacy & Security Program
• HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a Federal law!
• HIPAA is a response, by Congress, to reform healthcare.
• HIPAA affects the health care industry.
• HIPAA is mandatory.
What is HIPAA (Information Privacy & Security)?
HIPAA Privacy and Security
Protects the privacy and security of a patient’s health information.
Provides for electronic and physical security of a patient’s health information
Prevents health care fraud and abuse
Simplifies billing and other transactions, reducing health care administrative costs.
The HITECH Act Updated HIPAA in 2009
As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.
The updates include:
• Breach notification requirements
• Fine and penalty increases for privacy violations
• Right to request copies of the electronic health care record in electronic format
• Mandates that Business Associates are civilly and criminally liable for privacy and security violations
WHO MUST FOLLOW THE HIPAA LAW?
The Covered Health Care Component (Entity) consists of the UBMD Physicians Group, its participating physicians and clinicians, and all employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of UBMD to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to the UBMD, and would constitute a “business associate” of UBMD if separately incorporated.
UBMD Covered Entity
• A person or entity which performs certain functions, activities, or services for or to the UBMD Medical Group involving the use and/or disclosure of PHI, but the person or entity is not a part of UBMD or its workforce. (Examples: transcription services, temporary staffing services, record copying company etc.)
• The UBMD Medical Group is required to have agreements with business associates that protect a patient’s PHI.
What is a Business Associate?
Once you are part of a covered entity, you are a covered entity with respect to all Protected Health Information (PHI), whether it is transmitted electronically, in paper format, or transmitted orally.
Covered Entity…Always
The key to being a covered entity is whether any of the Covered Transactions are performed electronically
The Key to being a Covered Entity
• Providers
• Health Plans
• Electronic Billing Clearing Houses
• Business Associates (via Contracts)
Examples of Covered Entities
• Enrollment and dis-enrollment
• Premium payments
• Eligibility
• Referral certification and authorization
• Health claims
• Health care payment and remittance advice
Examples of Covered Transactions
• Protected Health Information (PHI) is information that relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
• It is transmitted or maintained in any form (electronic, paper, or oral representation).
• It identifies, or can be used to identify, an individual.
What is PHI?
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic
Examples of PHI: PHI = Health Information with Identifiers
Applies to Written and Electronic Information
The UBMD Covered Entity may not use or disclose an individual’s protected health information, except as otherwise permitted, or required, by law.
However…
The UBMD Covered Entity may use and share a patient’s PHI for Treatment, Payment, and Healthcare Operations:
• Treatment: direct patient care, coordination of care, consultations, referrals to other health care providers
• Payment: includes any activities required to bill and collect for health care services provided to patients
• Healthcare Operations: includes business management and administrative activities such as quality improvement, compliance, competency, and training
Treatment-Payment-Healthcare Operations (TPO)
UBMD’s Covered Entities must use or share only the minimum amount of PHI necessary, except for requests made:
• For treatment of the patient
• By the patient, or as requested by the patient to others
• To complete standardized electronic transactions, as required by HIPAA
• By the Secretary of the Department of Health & Human Services (DHHS)
• As required by law
• The patient’s referring physician calls and asks for a copy of the patient’s recent exam at UBMD (Treatment)
• A patient’s insurance company calls and requests a copy of the patient’s medical record for a specific service date (Payment)
• The Quality Improvement office calls and asks for a copy of an operative report (Health Care Operations)
• For these TPO purposes, patient information may be provided
Examples of TPO
• Unless required or permitted by law, UBMD entities must obtain written authorization from the patient to use, disclose, or access patient information.
• Patient Authorization allows UBMD entities to disclose information for purposes not related to treatment, payment, or operations.
– For human subjects research, additional rules and training apply (see the UB HIPAA IRB website for guidance at http://www.hpitp.buffalo.edu/hipaa/Research/UB_HIPAA_ResearchHomePage.htm).
– PHI may not be accessed for human subjects research unless the UB Institutional Review Board (IRB) has approved the research and BOTH Informed Consent and HIPAA Authorization have been obtained from the subject, OR the UB IRB has approved a Waiver of Informed Consent and HIPAA Authorization.
For Purposes other than TPO
NOTE: if you obtain or use PHI for research purposes with only an Informed Consent but without a HIPAA Authorization, it is considered an unauthorized disclosure under HIPAA.
PHI may be used in research if appropriate authorization from research participants is obtained, or if the PHI is obtained through one of the following alternatives:
• Certified De-identified data sets;
• Limited data sets (when accompanied by an appropriate Data Use Agreement);
• Waiver or alteration of the authorization requirement by an Institutional Review Board (IRB) or Privacy Board;
• Research involving decedents’ PHI (when appropriate representations are made by the researcher to UBMD that the PHI is necessary and sought solely for research on decedents); or
• Reviews preparatory to research when UBMD receives representations from the researcher that access to the PHI is necessary and will not be removed from UBMD.
• PHI may be used in research only by those individuals authorized to access the information by the person(s) responsible for the project (principal investigator, project director, project coordinator) or the department head. The person(s) responsible must protect the information from unauthorized access and must maintain and regularly update a list of staff that is authorized to have access to the PHI.
Use and Disclosures of PHI for Research
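As an added example that is not part of the UBMD training material, the following Python sketch applies the identifier list from the “Examples of PHI” slide to produce the kind of de-identified data set the research slide above permits: it drops the direct identifiers, keeps only the year of any date, and then rescans the remaining free text for identifier-shaped values (phone numbers, full dates, e-mail addresses and so on) that would otherwise slip through inside a clinical note. The field names, the sample record and the regular expressions are constructed assumptions for this example; producing a certified de-identified data set involves more review than this single pass.

```python
import re
from datetime import date

# Field names are constructed for this example; they map onto the identifier
# categories the training lists (name, address, dates, phone, fax, e-mail, URL,
# IP, SSN, account/license/medical record numbers, device and vehicle
# identifiers, biometrics, photos, any other unique code).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_id",
    "biometric_id", "photo_ref", "other_unique_id",
}

# "All elements of dates except year": these fields are reduced to a year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "service_date"}

# Identifier-shaped values that can survive inside free text (constructed patterns).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def to_year(value):
    """Keep only the year of a date given as a date object or an ISO string."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def deidentify(record):
    """Drop direct identifiers and reduce date fields to the year."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # dropped entirely
        if field in DATE_FIELDS:
            out[field + "_year"] = to_year(value)
            continue
        out[field] = value                # clinical content is retained
    return out


def find_leaks(record):
    """Return (field, category) pairs for string values that still look like identifiers."""
    leaks = []
    for field, value in record.items():
        if isinstance(value, str):
            for category, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    leaks.append((field, category))
    return leaks


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "medical_record_number": "MRN-000123",
    "ssn": "123-45-6789",
    "date_of_birth": date(1970, 3, 4),
    "service_date": "2023-05-02",
    "diagnosis": "asthma",
    "clinical_note": "Follow-up call from 716-555-0100; lab drawn 2023-05-02.",
}


def run_example():
    """De-identify the sample and report what the rescan still finds."""
    cleaned = deidentify(SAMPLE_RECORD)
    return cleaned, find_leaks(cleaned)


if __name__ == "__main__":
    cleaned, leaks = run_example()
    print(cleaned)
    print("fields needing manual review:", leaks)
```

The rescan is the part worth noticing: dropping named fields is easy, but the clinical note still carries a phone number and a full service date, which is exactly why a field-level strip alone does not make a data set de-identified.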
For other disclosures, the UBMD Covered Entity must get a signed authorization from the patient (E.g., to disclose PHI to a marketing or pharmaceutical company.)
For Other Uses and Disclosures
• A UBMD Medical Group health care provider may use PHI to communicate to the patient about a health-related product or service that UBMD provides.
• A UBMD health care provider may use PHI to communicate to the patient about general health issues: disease prevention, wellness classes, etc.
• For all other marketing, a patient authorization must be obtained, unless the communication is in the form of:
– A face-to-face communication made by UBMD to an individual
– A promotional gift of nominal value provided by UBMD
Uses and Disclosures of PHI for Marketing
A physician, while having a new-product orientation meeting with a drug company rep., learns about a new Asthma Inhaler being developed by the pharmaceutical company. The physician provides the rep with the names and phone numbers of a few of his patients with asthma, because he believes that they could benefit from the new treatment. A week later, patients call the doctor’s office complaining about being solicited by the drug company to take part in a clinical trial.
Scenario 1
A. Since the physician had good intentions, this situation should not be avoided, and the doctor has not violated HIPAA.
B. Physicians should stop meeting with drug company reps, as there are many circumstances that could result in violations of federal law, including HIPAA.
C. Since PHI was disclosed for purposes other than what state and federal law allows without a patient’s authorization, an authorization from the patients should have been obtained before the PHI was released.
Scenario 1 Answer
The correct answer is C. PHI was disclosed without patient authorization. Never provide information to a friend, colleague, or business representative UNLESS it is required as part of your job and permitted under HIPAA and/or other state and federal laws. Always keep your patient’s information confidential to maintain your rapport and the patient’s trust. Providing an unauthorized release of information to a drug rep for marketing or research purposes violates state and federal law.
The Patient Authorization must:
• Describe the PHI to be used or released
• Identify who may use or release the PHI
• Identify who may receive the PHI
• Describe the purposes of the use or disclosure
• Identify when the authorization expires
• Be signed by the patient or someone making health care decisions (e.g., personal representative) for the patient
The UBMD Covered Entity is required to:
• Give each patient a Notice of Privacy Practices that describes a patient’s privacy rights and how the UBMD Medical Practice can use and share his or her Protected Health Information (PHI)
• Request each patient to sign a written acknowledgement that he/she has received the Notice of Privacy Practices.
Requirements by HIPAA
• Notice of Privacy Practices:
– A statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
• Acknowledgment:
– Written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it
Notice and Acknowledgement
• The right to request restriction of PHI uses & disclosures
• The right to request alternative forms of communications (mail to P.O. Box, not street address; no message on answering machine, etc.)
• The right to access and copy patient’s PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to information
Our Patients’ Rights
How Does HIPAA Affect my Job?
HIPAA requires that UBMD train all workforce members about the organization’s HIPAA policies and specific procedures which may affect the work you do. These rules apply to you when you look at, use, or share Protected Health Information (PHI).
• Anyone who works with or may view health, financial, or confidential information with HIPAA protected health identifiers
• Everyone who uses a computer or electronic device which stores and/or transmits UBMD Patient information
• The following constitute workforce members:
– Faculty Group Practice staff
– Schools of Medicine, Nursing, Dentistry: staff and faculty
– UBMD/University staff who work in clinical areas
– Administrative staff with access to PHI
– Volunteers
– Students who work with patients
– Researchers and staff investigators
– Accounting and payroll staff
– Contractors/Temporary Workers
– Almost EVERYONE, at one time or another
Who uses PHI at UBMD?
When can you use PHI?
Only to do your job!
Treat Patients’ Information as if it were your own information
• Look at a patient’s PHI only if you need it to perform your job.
• Use a patient’s PHI only if you need it to perform your job.
• Give a patient’s PHI to others only when it’s necessary for them to perform their jobs.
• Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly.
I do not work with patients or have access to medical records, however I see patients pass by my desk in the clinic. Can I talk about the patients with my coworkers, family and friends even if it has nothing to do with my job?
Scenario 2
A. You may not discuss any patient information with anyone unless required for your job.
B. You may only talk about the patient with your coworkers.
C. You may only talk about the patient with your family and friends.
Scenario 2 Answer
The correct answer is A. Information can only be used as needed for your job.
I work in Radiology on the 4th Floor and my friend, who works at the Front Desk, told me that she just saw a famous athlete get on the elevator. My friend read in the paper that the star athlete has some sports injuries and asked me to find out what clinic that star is being seen at. Can I give my friend the information?
Scenario 3
A. It is okay as I am only looking up his location, not his medical condition.
B. I already have approval to access patient clinical systems, so no one will know that I accessed it.
C. It is not necessary for my job, so I would be violating the patient’s privacy by checking on his location and by sharing this information with my friend.
Scenario 3 Answer
The correct answer is C. It is not part of your or your friend’s job, even if you are a system user. Your access to the record will automatically be recorded and can be tracked. Both you and your friend are not protecting the privacy of this patient. There could be serious consequences to your employment.
As a file clerk, it is my job to see PHI, but while opening lab reports, I saw my manager’s pregnancy test results. Her pregnancy test was positive! I congratulated her, but found out that I was the first person to tell her. Did I do the right thing?
Scenario 4
A. It is okay as it was part of my job to see PHI.
B. I should not have used the information as it was not my job to discuss lab results, to provide a diagnosis, or to use her information outside of my job duties.
C. She is an employee at UBMD, so it is okay to look at other UBMD employee records.
Scenario 4 Answer
The correct answer is B. There was impermissible disclosure of her information. UBMD employees can also be patients; they have all the same rights to privacy of their information as does any other patient. This was also a violation of UBMD policy, which could impact your employment.
Because I have access to confidential patient information as part of my job, I can look up anybody’s record, even if they are not my patient, as long as I keep the information to myself.
Scenario 5
A. True, as long as I do not share this information.
B. I can only look at records when it is required by my job.
C. I can access hard copy medical charts, but not electronic records, anytime I want.
Scenario 5 Answer
The correct answer is B. It is acceptable only when it is necessary for your job and only the minimum information necessary to do your job. Idle curiosity can jeopardize the patient’s privacy and your employment.
Protecting Patient Privacy Requires us to Secure Patient Information
• Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs.
• Upon termination of employment, or upon termination of authorization to access PHI, the employee must return to UBMD all copies of PHI in his or her possession.
Downloading/Copying/Removal
• Shred or destroy PHI before throwing it away
• Dispose of paper and other records with PHI in secured shredding bins. Recycling and Trash bins are NOT secure.
• Shredding bins work best when papers are put inside the bins. When papers are left outside the bin, they are not secured from:
– Daily gossip
– Daily trash
– The public
Dealing with PHI on paper
• Check printers, faxes, copier machines when you are done using them
• Ensure paper charts are returned to applicable areas in nursing stations, medical records, or designated file rooms
• Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day
• Seal envelopes well when mailing
Know where you left your paperwork
• Faxing is permitted. Always include, with the faxed information, a UBMD cover sheet containing a Confidentiality Statement.
• Limit manual faxing to urgent transmittals. In an emergency, faxing PHI is appropriate when the information is needed immediately for patient care.
• Other situations considered urgent (e.g., results from lab to physician)
• Place the Fax machine in a secure area
Faxing
Information that should not be Faxed except in an emergency:
– Drug dependency
– Alcohol dependency
– Mental illness or psychological information
– Sexually-transmitted disease (STD) information
– HIV status
• Location should be secure whenever possible
• In an area that is not accessible to the public and
• Whenever possible, in an area that requires security keys or badges for entry.
Locations of Fax Machines/Printers
If information is inadvertently faxed to a patient-restricted party or a recipient where there is a risk of release of the PHI (e.g., newspaper), the Privacy Official should be notified @ NNN-NNN-NNNN, and legal counsel should become involved.
• PHI should not be left in conference rooms, out on desks, or on counters where the information may be accessible to the public, or to other employees or individuals who do not have a need to know the protected health information.
• Patients may see normal clinical operations as violating their privacy
• Be aware of your surroundings when talking
• Do not leave PHI on answering machines
• Ask yourself, “What if it was my information being discussed like this?”
Public Viewing/Hearing
Susan, who works at the front desk, called a patient’s phone number and left a voice mail for Mrs. Becky Jones to contact the office regarding her scheduled lap band procedure. Was this a privacy breach?
Scenario 6
A. No, the patient provided this phone number.
B. Yes, I stated her name and medical procedure.
C. No, I did not state the medical reason for the surgery.
Scenario 6 Answer
The correct answer is B. Patient name in conjunction with any medical information constitutes PHI. You do not know who will hear the message; the patient may not have told her family, friend or roommate. It is best practice to leave the minimum amount of information needed: your name, phone number, and that you are from the UBMD office. Never leave PHI on an answering machine.
• HIPAA Security is focused on e-PHI.
– e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by the UBMD using any type of electronic information resource.
– Information in an electronic medical record, patient billing information transmitted to a payer, digital images and print outs, information when it is being sent by UBMD to another provider, a payer or a researcher.
HIPAA Security
Administrative Safeguards
• Administrative Safeguards require written documentation of the security measures.
• Policies and procedures must ensure prevention, detection, containment and correction of security violations. Policies and procedures must also ensure that all workforce members have appropriate access to electronic PHI in order to perform their jobs.
Physical Safeguards
• Physical safeguards protect UBMD’s electronic information system hardware and related buildings and equipment.
• Security measures include protections from natural or environmental hazards and unauthorized access.
Technical Safeguards
• Technical Safeguards involve the use of computer technology solutions to protect the integrity, confidentiality and availability of electronic PHI:
– Access Controls
– Audit Controls
– Integrity
– Person/Entity Authentication
– Transmission Security
HIPAA Security Rule Provisions
• Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security)
– Confidentiality: ensure that the information will not be disclosed to unauthorized individuals or processes
– Integrity: ensure that the condition of information has not been altered or destroyed in an unauthorized manner, and data is accurately transferred from one system to another
– Availability: ensure that information is accessible and useable upon demand by an authorized person
Protecting e-PHI
Good Computing Practices: Safeguards for Users
• Users are assigned a unique “User ID” for log-in purposes (UBIT), which limits access to the minimum information needed to do your job. Never use anyone else’s log-in, or a computer someone else is logged on to. Log them out before you use it.
• Use of information systems is audited for inappropriate access or use.
• Access is cancelled for terminated employees.
Safeguard #1: Access Controls (Unique User Identification)
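Scenario 3 above notes that access to a record is automatically recorded and can be tracked, and this safeguard states that use of information systems is audited for inappropriate access or use. The following Python script is an added example, not anything from the UBMD program, showing what that audit looks like on the defender’s side: it reads a constructed access log and flags three patterns the training describes: viewing a record with no documented care relationship (Scenarios 3 and 5), access to a record that belongs to a workforce member (Scenario 4, queued for review rather than called a violation, since a file clerk does see such reports as part of the job), and one user ID active on two workstations within minutes, the footprint of a shared log-in (Scenario 7). The log format, the user, workstation and patient identifiers, and the care-relationship table are all constructed; in a real deployment the relationship data comes from scheduling or encounter systems, never from the log itself.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed access log (CSV): timestamp,user_id,workstation,patient_id,action.
# Every user, workstation and patient identifier here is fictional.
AUDIT_LOG = """\
timestamp,user_id,workstation,patient_id,action
2024-03-04T09:02:11,jsmith,WS-RAD-07,PT1001,view_chart
2024-03-04T09:05:40,jsmith,WS-RAD-07,PT1002,view_location
2024-03-04T09:06:02,mlee,WS-FD-02,PT1003,view_chart
2024-03-04T09:07:15,mlee,WS-RAD-11,PT1004,view_chart
2024-03-04T10:15:00,cfile,WS-HIM-01,PT2001,view_lab
"""

# Constructed reference data. In a real audit this comes from scheduling,
# encounter and HR systems, not from the access log being reviewed.
CARE_RELATIONSHIPS = {"jsmith": {"PT1001"}, "mlee": {"PT1003", "PT1004"}}
ROLE_BASED_ACCESS = {"cfile"}      # job role (file clerk) grants access without a per-patient assignment
EMPLOYEE_PATIENTS = {"PT2001"}     # patients who are also UBMD workforce members
SESSION_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def detect(events):
    """Apply the three review rules and return a list of findings."""
    findings = []
    by_user = {}
    for ev in events:
        user, patient = ev["user_id"], ev["patient_id"]
        # Rule 1: access with no documented care relationship (idle curiosity).
        if user not in ROLE_BASED_ACCESS and patient not in CARE_RELATIONSHIPS.get(user, set()):
            findings.append({"rule": "no_care_relationship", "user": user,
                             "detail": f"{ev['action']} on {patient} at {ev['timestamp']}"})
        # Rule 2: a workforce member's own record was accessed; route to review.
        if patient in EMPLOYEE_PATIENTS:
            findings.append({"rule": "employee_patient_review", "user": user,
                             "detail": f"{ev['action']} on workforce member record {patient}"})
        by_user.setdefault(user, []).append(ev)
    # Rule 3: one user ID active on two different workstations within minutes.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["timestamp"] - prev["timestamp"]
            if prev["workstation"] != cur["workstation"] and gap <= SESSION_WINDOW:
                findings.append({"rule": "concurrent_workstations", "user": user,
                                 "detail": f"{prev['workstation']} then {cur['workstation']} {gap} apart"})
    return findings


def summarize(findings):
    """Distinct (rule, user) pairs, sorted, for a quick review queue."""
    return sorted({(f["rule"], f["user"]) for f in findings})


if __name__ == "__main__":
    for f in detect(parse_log(AUDIT_LOG)):
        print(f"{f['rule']:<26} {f['user']:<8} {f['detail']}")
```

On the sample log this produces one finding per rule: jsmith viewing PT1002 with no relationship, cfile opening a workforce member’s lab result (review only), and mlee’s ID appearing on two workstations 73 seconds apart. The third rule is the one that catches Scenario 7 in practice: the physician’s credentials keep working, but the audit trail shows them in two places at once.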
UBMD requires that:
• All passwords be changed at least once every 90 days, or immediately if a breach of a password is suspected;
• User accounts that have system-level privileges granted through group memberships or programs have a unique password from all other accounts held by that user;
• Passwords not be inserted into email messages or other forms of electronic communication;
• Personal Computers and other portable devices such as Laptops and PDAs which may contain e-PHI must be password protected, and when possible, encrypt the e-PHI;
• Default vendor passwords be changed immediately upon installation of hardware or software.
Safeguard #2: Password Protection
If you think somebody knows your password…
• Notify the Support Desk or your computer support person, and
• Change your password IMMEDIATELY (if you need assistance, ask the Help Desk)
Remember: You are responsible for everything that occurs under your UBMD login.
• Practice Safe Emailing
– Do not open, forward, or reply to suspicious emails
– Do not forward UBMD email to personal accounts
– Do not open suspicious email attachments or click on unknown website addresses
– NEVER provide your username and password to an email request
– Delete spam and empty the “Deleted Items” folder
– Use a secure email solution whenever sending email outside UBMD (use encryption if available)
– Use all the tools and methods available to you to encrypt your email. Check with your UBMD IT personnel for details.
Safeguard #3: E-mail Considerations
Safeguard #4: Workstation Security
Workstations
• Electronic computing devices
• Laptops, desktop computers, or other devices that perform similar functions (Tablets, Smartphones)
• Electronic media stored in or near them
Physical Security Measures
• Disaster Controls
• Physical Access Controls
• Device and Media Controls
Malware Controls
• Measures taken to protect against any software that causes unintended results
Workstation Security Contd.
• Disaster Controls
– Protect workstations from natural and environmental hazards
– Locate equipment above ground level to protect it against flood damage
– Use electrical surge protectors
– Move workstations away from overhead sprinklers
Workstation Security Contd.
• Access Controls
– Create a strong password and do not share your username or password with anyone
– Lock/Log-off before leaving a workstation unattended. This will prevent other individuals from accessing e-PHI under your User-ID, and limit access by unauthorized users.
Workstation Security Contd.
• Device Controls
– Ensure information on computer screens is not visible to passersby
– Auto Log-Off: where possible and appropriate, devices must be set to “lock” or “log-off” and require a user to sign in again after 5 minutes
– Automatic Screen Savers: password protect, and set to activate in 5 minutes
– Use a privacy screen
– Manually lock your PC by using the keyboard command (press the Ctrl + Alt + Delete keys simultaneously and select the appropriate action)
– Use a password to start up or wake up your computer
Workstation Security Contd.
• Malicious software that is designed to harm or secretly access computers without the user’s knowledge:
– Viruses
– Worms
– Spyware
– Keystroke Loggers
– Remote Access Trojans
Malware
Viruses
• Malicious programs that attempt to spread throughout your computer system and the entire network
• They can be prevented by installing antivirus software on your computer, and updating it frequently
Worms
• Malicious software that spreads without any user action. They take advantage of security holes in the operating system or software package
• They can be prevented by making sure that your system has all security updates installed
Spyware
• A class of malicious programs that monitors your computer usage habits and reports them for storage in a marketing database
• They are installed without you knowing while installing another program or browsing the Internet
• They can open advertising windows (popups)
• They can be prevented by installing and running an updated spyware scanner
Keystroke Loggers
• They can be software programs or hardware (devices installed between your keyboard and computer) that log every keystroke typed.
• They can be detected by most antivirus programs and spyware scanners
• They can be spotted if you check your hardware for anything unfamiliar (do it often)
Remote Access Trojans
• They allow remote users to connect to your computer without your permission, letting them take screenshots of your desktop, take control of your mouse and keyboard and access your programs at will.
• Most regularly updated antivirus programs can detect and remove them
Malware Contd.
• Reduced performance (your computer slows or “freezes”)
• Windows opening by themselves
• Missing data
• Slow network performance
• Unusual toolbars added to your web browser
Symptoms of Malware Infection
Contact the UBMD Support Desk @ 716-842-2112 if you suspect that your computer has been infected with malware.
• Any unsolicited email you receive with an attachment
• Any email from someone whose name you don’t recognize
• Phishing
– Emails that ask you to provide personal or sensitive information. Verify by calling on the phone before providing any information.
Be aware of Suspicious Email
• Your account is locked when you try to open it
• Your password isn’t accepted
• You are missing data
• Your computer settings have mysteriously changed
Indications of a Tampered Account
If you suspect someone has tampered with your account, contact the UBMD Support Desk @ 716-842-2112
• Always encrypt portable devices and media with confidential information on them (laptops, flash drives, memory sticks, external drives, CDs, etc.)
• Encryption must be an approved UBMD data encryption solution. A UBMD or UB campus owned device may have already been encrypted for you. Check with the IT department.
• Purchase only electronic devices and media which can be encrypted.
Portable Device Security Tips
Best Practice: Do not keep confidential data on portable devices unless absolutely necessary and, if necessary, the information must be encrypted.
Dr. Gordon is very busy and asks you to log into the clinical information system using his User ID and password to retrieve some patient reports. What should you do?
Scenario 7
A. It is a physician, so it is okay to do this
B. Ignore the request and hope he forgets
C. Decline the request and refer him to the UBMD Information Security Policies
D. None of the above
Scenario 7 Answer
The correct answer is C. Always login under your own user ID and password. If you do not have system owner permission to access the system, then do not access the system. This would have been a violation of privacy and security policies.
In your role as a Resident, you need to use a laptop as you work at various UBMD Practices. You have patient emails, addresses, and medical information files on the laptop. What is the best way to protect this device?
Scenario 8
A. It is secured as I use a complex password and when unattended, I always lock it up in the trunk of my car
B. I only need a complex password to secure the laptop
C. The information on my portable device is encrypted, I use a complex password, and I physically secure the device when leaving it unattended
D. None of the above
Scenario 8 Answer
The correct answer is A. Your laptop must be encrypted if it contains UBMD patient information or other sensitive confidential information. Password protection by itself is not enough but you do need to use complex passwords for the device and physically secure it when unattended. Unencrypted devices are considered unsecured in the event of a loss or theft by federal and state privacy laws and therefore reportable to federal and state agencies!
Always use the physical security measures listed in Safeguard #4, including this “Check List”:
– Use an Internet Firewall, if applicable
– Always use Anti-virus software, and keep it up-to-date
– Always install computer software updates, such as Microsoft patches, routinely
– Encrypt and password-protect portable devices (PDAs, laptops, etc.)
– Lock it up! Lock office or file cabinets, lock up laptops
– Use automatic log-off from programs
– Use password-protected screen savers
– Use physical privacy screens
– Back up critical data and software programs
Safeguard #5: Workstation Security Check List
Security for USB Memory Sticks and Storage Devices
• Don’t store e-PHI on flash drives/memory cards
• If you must store it, either de-identify it and/or encrypt it
• Delete the e-PHI when no longer needed
• Protect the devices from loss and damage
Safeguard #5: Workstation Security - when you take it with you…
• Don’t store e-PHI on mobile devices
• If you must store it, de-identify it and/or encrypt it and password-protect it
• Back up original files
• Synchronize with computers as often as practical
• Delete e-PHI files from all portable media when no longer needed
• Protect your device from loss or theft; report any incident immediately.
Safeguard #5: Workstation Security PDAs/Tablets/Smartphones
Safeguard #6: Data Management and Security
Storage – Portable Devices
• Permanent copies of e-PHI should not be stored on portable equipment, such as laptop computers, PDAs, Smartphones and storage media like memory sticks/flash drives
• If necessary, temporary copies can be used on portable computers only while using the data, and only if encrypted to safeguard the data if the device is lost or stolen
Data Management and Security
Destroy e-PHI data which are no longer needed:
• Know where to take hard drives, CDs, flash drives, or any backup devices for appropriate safe disposal or recycling (Check with your IT professional)
Data Management and Security - Disposal
A “Security Incident” is:
“The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [45 CFR 164.304]
What is your role?
Security Incidents and e-PHI
A good Security Standard to follow is the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on YOU to adhere to good computing practices
– Example: The lock on the door is the 10%. Your responsibility is the 90%:
• Remembering to lock it
• Checking to see if it is closed
• Ensuring others do not prop the door open
• Keeping control of the keys
Security Reminders!
10% security is worthless without YOU!
A privacy breach can occur when information is:
• Physically lost or stolen
– Paper copies, films, tapes, electronic devices
– Anytime, anywhere - even while on public transportation, crossing the street, in the building, in your office
• Misdirected to others outside of UBMD
– Verbal messages sent to or left on the wrong voicemail, or sent to or left for the wrong person
– Mislabeled mail, misdirected email
– Wrong fax number, wrong phone number
– Placed on the UBMD intranet, internet, websites, Facebook, Twitter
Privacy Breach from Lost, Stolen, or Misdirected Information
Definition of “Breach”
• An impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule
• Examples include
– Laptop containing PHI is stolen
– Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
– Nurse gives discharge papers to the wrong individual
– Billing statements containing PHI mailed or faxed to the wrong individual/entity
What constitutes a Breach?
• Talking in public areas, talking too loudly, talking to the wrong person
• Lost/stolen or improperly disposed of paper, mail, films, notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
• Lost/stolen media like CDs, flash drives, memory cards
• Hacking of unprotected computer systems
• Email or faxes sent to the wrong address, wrong person, or wrong number
• User not logging off of computer systems, allowing others to access their computer or system
Examples of Privacy Breach
• Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which the covered entity participates
• If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information
Exceptions to Breach
• If a breach has occurred, UBMD will be responsible for providing notice to:
– The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)
– Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
– Media (only required if 500 or more individuals of any one state are affected)
Breach Notification Obligations
Breach Notification Decision Tree
• Breaches of the policies and procedures or a patient’s confidentiality must be reported to the UBMD Privacy Official at NNN-NNN-NNNN.
• UBMD’s Breach Mitigation Policy states:
“Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor and the UBMD’s Information Privacy and Security Office.”
What if there is a Breach of Confidentiality?
• The incident will be thoroughly investigated.
• The UBMD Covered Entity is required to attempt to fix the harmful effects of any breach.
…if a breach is reported?
• Internal Disciplinary Actions
– Individuals who breach the policies will be subject to appropriate discipline under the UBMD Sanction Policy.
• Civil/Criminal Penalties
– An employee who does not protect a patient’s privacy and follow all required UBMD policies and procedures could lose his or her job and also (see below)
– Covered entities and individuals who violate these standards will be subject to civil and/or criminal liability.
Disciplinary Actions (Sanctions)
Minimum Privacy Violation
Level & Definition of Violation: Accidental and/or due to lack of proper education.
Example:
• Improper disposal of PHI.
• Improper protection of PHI (leaving records on counters, leaving documents in inappropriate areas).
• Not properly verifying individuals.
Possible Actions may include:
• Re-training and re-evaluation.
• Oral warning with documented discussions of policy, procedures, and requirements.
Level & Definition of Violation: Purposeful violation of privacy or an unacceptable number of previous violations.
Example:
• Accessing or using PHI without having a legitimate need.
• Not forwarding appropriate information or requests to the privacy official for processing.
Possible Actions may include:
• Re-training and re-evaluation.
• Written warning with discussion of policy, procedures, and requirements, or Termination.
Level & Definition of Violation: Purposeful violation of privacy policy with associated potential for patient harm.
Example:
• Disclosure of PHI to an unauthorized individual or company.
• Sale of PHI to any source.
• Any uses or disclosures that could invoke harm to a patient.
Possible Actions may include:
• Termination.
• Covered entities and individuals who violate these standards will be subject to civil liability
Civil Penalties
Tiered Civil Penalties
HIPAA Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation: HIPAA violation due to reasonable cause and not due to willful neglect
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation: HIPAA violation is due to willful neglect and is not corrected
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation: An individual who knowingly obtains or discloses individually identifiable health information in violation of HIPAA regulations
Criminal Penalty: Up to $50,000 and up to one year imprisonment
HIPAA Violation: If wrongful conduct involves false pretenses
Criminal Penalty: Criminal penalties increase to $100,000 and up to five years imprisonment
HIPAA Violation: If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm
Criminal Penalty: $250,000 and up to 10 years imprisonment
UBMD is SERIOUS about protecting our Patients’ Privacy
HIPAA Criminal Penalties
You are required to:
• Respond to security incidents and report them first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the UBMD Information Privacy and Security Officer: First Name Last [email protected]
Reporting Security Incidents
Immediately report any known or suspected privacy breaches (such as paper, conversations, suspected unauthorized or inappropriate access or use of PHI), first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the UBMD’s Information Privacy and Security Office at (NNN) NNN-NNN
How to Report Privacy Breaches
From the patients’ point of view, ALL information is private
• This includes a patient’s:
– Personal information
– Financial information
– Medical information
– Protected Health Information
– Information in any format: spoken, written, or electronic
Remember…
• Your Immediate Supervisor/Manager
• The UBMD HIPAA SharePoint site: https://prv-sharepoint.pn.buffalo.edu/VPHS/UBMD/HIPAA/default.aspx
• Your Practice’s designated Information Privacy and Security person
• UBMD Information Privacy and Security Program Office
– Contact Number: (NNN) NNN-NNNN
• UBMD Chief Privacy and Security Officer: First Name Last Name
– Telephone #: (NNN) NNN-NNNN
Resources for Privacy and Security
Which workstation security safeguards are you responsible for using and/or protecting?
A. Your User ID
B. Your Password
C. Logging out of programs that access PHI when not in use
D. All of the safeguards listed
Summary Question 1
The correct answer is D. Always log off programs and always protect your User ID and password. Never share these with anyone.
Summary Question 1 Answer
You can protect patient information by:
A. Protecting verbal, written, and electronic information
B. Utilizing safe computing skills
C. Reporting suspected privacy and security incidents
D. Following UBMD policies
E. All of the above methods
Summary Question 2
The correct answer is E. All of these actions help to protect the privacy and security of patient information.
Summary Question 2 Answer
Thank you for taking the time to review this important Training Presentation. If you have any questions or comments, please contact the UBMD Information Privacy and Security Program office.
Proceed to the following section to acknowledge the attestation statement and then complete the Competency Assessment.
END