UBMD Information & Privacy Program HIPAA/HITECH Training

Transcript of UBMD Information & Privacy Program HIPAA/HITECH Training

Page 1: UBMD Information & Privacy Program HIPAA/HITECH Training

Page 2

The Health Insurance Portability and Accountability Act (HIPAA) requires that UBMD train all workforce members of “Covered Entities” on the HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for UBMD and/or the University at Buffalo.

Page 3: Aim of the Information Privacy & Security Program

The aim of this program is to help you understand:

• What the HIPAA Privacy, Security and HITECH laws are about
• Who has to follow these laws
• How HIPAA/HITECH affects you and your job
• Why HIPAA/HITECH is important
• Where you can get answers to your questions about HIPAA/HITECH

Page 4: What is HIPAA (Information Privacy & Security)

• HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a Federal law!
• HIPAA is a response, by Congress, to reform healthcare.
• HIPAA affects the health care industry.
• HIPAA is mandatory.

Page 5: HIPAA Privacy and Security

• Protects the privacy and security of a patient’s health information.
• Provides for electronic and physical security of a patient’s health information.
• Prevents health care fraud and abuse.
• Simplifies billing and other transactions, reducing health care administrative costs.

Page 6: The HITECH Act Updated HIPAA in 2009

As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.

The updates include:

• Breach notification requirements
• Fine and penalty increases for privacy violations
• Right to request copies of the electronic health care record in electronic format
• Mandates that Business Associates are civilly and criminally liable for privacy and security violations

Page 7: WHO MUST FOLLOW THE HIPAA LAW?

Page 8: UBMD Covered Entity

The Covered Health Care Component (Entity) consists of the UBMD Physicians Group, its participating physicians and clinicians, and all employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of UBMD, to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to UBMD, and would constitute a “business associate” of UBMD if separately incorporated.

Page 9: What is a Business Associate?

• A person or entity which performs certain functions, activities, or services for or to the UBMD Medical Group involving the use and/or disclosure of PHI, but the person or entity is not a part of UBMD or its workforce. (Examples: transcription services, temporary staffing services, record copying company, etc.)
• The UBMD Medical Group is required to have agreements with business associates that protect a patient’s PHI.

Page 10: Covered Entity…Always

Once you are part of a covered entity, you are a covered entity with respect to all Protected Health Information (PHI), whether it is transmitted electronically, in paper format, or transmitted orally.

Page 11: The Key to being a Covered Entity

The key to being a covered entity is whether any of the Covered Transactions are performed electronically.

Page 12: Examples of Covered Entities

• Providers
• Health Plans
• Clearing Houses
• Business Associates (via Contracts)

(Diagram label: Electronic Billing)

Page 13: Examples of Covered Transactions

• Enrollment and dis-enrollment
• Premium payments
• Eligibility
• Referral certification and authorization
• Health claims
• Health care payment and remittance advice

Page 14: What is PHI

Protected Health Information (PHI) is information that:

• Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
• Is transmitted or maintained in any form (electronic, paper, or oral representation).
• Identifies, or can be used to identify, an individual.

Page 15: Examples of PHI (PHI = Health Information with Identifiers)

• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic

Applies to Written and Electronic Information
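The identifier list above is also what a de-identification step has to strip before health data can be treated as a de-identified data set (page 22 names "Certified De-identified data sets" as one route to research use). The following Python is an added example, not code from the UBMD program: it applies the slide's categories to one record, removing the direct identifiers, reducing date fields to the year (the slide's "all elements of dates except year"), and redacting SSN, phone and email patterns that hide inside free-text notes. The field names, the ISO date layout and the sample record are constructed assumptions. The slide's final catch-all item ("any other unique identifying number, code, or characteristic") cannot be matched by a field list, which is why the check reports what it removed rather than certifying the result.

```python
import re
from typing import Any

# Identifier categories from the slide, keyed by assumed field names that a
# clinical data export might use. Every field in this set is removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_id",
    "biometric_id", "full_face_photo",
}

# "All elements of dates except year": these (assumed) fields keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

_ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")  # assumed yyyy-mm-dd layout

# Identifier patterns that can hide inside free text (notes, comments).
_FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # social security number
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),  # telephone / fax number
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), # email address
]
REDACTED = "[REDACTED]"


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date; a value that does not parse is dropped."""
    m = _ISO_DATE.match(value)
    return m.group(1) if m else ""


def scrub_free_text(text: str) -> str:
    """Replace SSN, phone and email patterns embedded in free text."""
    for pattern in _FREE_TEXT_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Apply the slide's identifier list to one record: drop direct identifiers,
    generalize dates to the year, scrub free-text string fields."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the identifier entirely
        if field in DATE_FIELDS:
            out[field] = generalize_date(str(value))
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


def remaining_identifiers(record: dict[str, Any]) -> list[str]:
    """Names any listed identifier field still present; an empty list means the
    record passed the field check. The slide's catch-all category still needs
    human review, because no field list can recognise it."""
    return sorted(f for f in record if f in DIRECT_IDENTIFIER_FIELDS)


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-0001",
    "name": "Jane Example",
    "date_of_birth": "1980-04-12",
    "admission_date": "2023-11-03",
    "telephone": "716-555-0100",
    "diagnosis": "asthma",
    "notes": "Patient can be reached at 716-555-0100 or jane@example.org.",
}

if __name__ == "__main__":
    print("before:", remaining_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after:", remaining_identifiers(cleaned))
    print(cleaned)
```

Dates are generalized rather than deleted because the year is the one date element the slide allows to remain; the free-text scrub runs on every string field, since notes and comments are where identifiers most often survive a column-based filter.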

Page 16

The UBMD Covered Entity may not use or disclose an individual’s protected health information, except as otherwise permitted, or required, by law.

Page 17: However…

The UBMD Covered Entity may use and share a patient’s PHI for:

• Treatment
• Payment
• Healthcare Operations

Page 18: Treatment-Payment-Healthcare Operations (TPO)

Treatment
• Direct patient care
• Coordination of care
• Consultations
• Referrals to other health care providers

Payment
• Includes any activities required to bill and collect for health care services provided to patients

Healthcare Operations
• Includes business management and administrative activities
• Quality improvement
• Compliance
• Competency, and training

Page 19: UBMD’s Covered Entities must

• Use or share only the minimum amount of PHI necessary, except for requests made:
– For treatment of the patient
– By the patient, or as requested by the patient to others
– To complete standardized electronic transactions, as required by HIPAA
– By the Secretary of the Department of Health & Human Services (DHHS)
– As required by law

Page 20: Examples of TPO

• The patient’s referring physician calls and asks for a copy of the patient’s recent exam at UBMD (Treatment)
• A patient’s insurance company calls and requests a copy of the patient’s medical record for a specific service date (Payment)
• The Quality Improvement office calls and asks for a copy of an operative report (Health Care Operations)
• For these TPO purposes, patient information may be provided.

Page 21: For Purposes other than TPO

• Unless required or permitted by law, UBMD entities must obtain written authorization from the patient to use, disclose, or access patient information.
• Patient Authorization allows UBMD entities to disclose information for purposes not related to treatment, payment, or operations.
– For human subjects research, additional rules and training apply (see the UB HIPAA IRB website for guidance at: http://www.hpitp.buffalo.edu/hipaa/Research/UB_HIPAA_ResearchHomePage.htm)
– PHI may not be accessed for human subjects research unless the UB Institutional Review Board (IRB) has approved the research and BOTH Informed Consent and HIPAA Authorization have been obtained from the subject, OR the UB IRB has approved a Waiver of Informed Consent and HIPAA Authorization.

NOTE: if you obtain or use PHI for research purposes with only an Informed Consent but without a HIPAA Authorization, it is considered an unauthorized disclosure under HIPAA.

Page 22: Use and Disclosures of PHI for Research

PHI may be used in research if appropriate authorization from research participants is obtained, or if the PHI is obtained through one of the following alternatives:

• Certified De-identified data sets;
• Limited data sets (when accompanied by an appropriate Data Use Agreement);
• Waiver or alteration of the authorization requirement by an Institutional Review Board (IRB) or Privacy Board;
• Research involving decedents’ PHI (when appropriate representations are made by the researcher to UBMD that the PHI is necessary and sought solely for research on decedents); or
• Reviews preparatory to research when UBMD receives representations from the researcher that access to the PHI is necessary and will not be removed from UBMD.

PHI may be used in research only by those individuals authorized to access the information by the person(s) responsible for the project (principal investigator, project director, project coordinator) or the department head. The person(s) responsible must protect the information from unauthorized access and must maintain and regularly update a list of staff that is authorized to have access to the PHI.

Page 23: For Other Uses and Disclosures

For other disclosures, the UBMD Covered Entity must get a signed authorization from the patient (e.g., to disclose PHI to a marketing or pharmaceutical company).

Page 24: Uses and Disclosures of PHI for Marketing

• A UBMD Medical Group health care provider may use PHI to communicate to the patient about a health-related product or service that UBMD provides.
• A UBMD health care provider may use PHI to communicate to the patient about general health issues: disease prevention, wellness classes, etc.
• For all other marketing, a patient authorization must be obtained, unless the communication is in the form of:
– A face-to-face communication made by UBMD to an individual
– A promotional gift of nominal value provided by UBMD

Page 25: Scenario 1

A physician, while having a new-product orientation meeting with a drug company rep., learns about a new Asthma Inhaler being developed by the pharmaceutical company. The physician provides the rep with the names and phone numbers of a few of his patients with asthma, because he believes that they could benefit from the new treatment. A week later, patients call the doctor’s office complaining about being solicited by the drug company to take part in a clinical trial.

A. Since the physician had good intentions, this situation should not be avoided, and the doctor has not violated HIPAA
B. Physicians should stop meeting with drug company reps, as there are many circumstances that could result in violations of federal law, including HIPAA
C. Since PHI was disclosed for purposes other than what state and federal law allows without a patient’s authorization, an authorization from the patients should have been obtained before the PHI was released

Page 26: That is not correct

Page 27: Scenario 1 Answer

The correct answer is C. PHI was disclosed without patient authorization. Never provide information to a friend, colleague, or business representative UNLESS it is required as part of your job and permitted under HIPAA and/or other state and federal laws. Always keep your patient’s information confidential to maintain your rapport and the patient’s trust. Providing an unauthorized release of information to a drug rep for marketing or research purposes violates state and federal law.

A. Since the physician had good intentions, this situation should not be avoided, and the doctor has not violated HIPAA.
B. Physicians should stop meeting with drug company reps, as there are many circumstances that could result in violations of federal law, including HIPAA.
C. Since PHI was disclosed for purposes other than what state and federal law allows without a patient’s authorization, an authorization from the patients should have been obtained before the PHI was released.

Page 28: The Patient Authorization must

• Describe the PHI to be used or released
• Identify who may use or release the PHI
• Identify who may receive the PHI
• Describe the purposes of the use or disclosure
• Identify when the authorization expires
• Be signed by the patient or someone making health care decisions (e.g., personal representative) for the patient

Page 29: Requirements by HIPAA

The UBMD Covered Entity is required to:

• Give each patient a Notice of Privacy Practices that describes a patient’s privacy rights and how the UBMD Medical Practice can use and share his or her Protected Health Information (PHI)
• Request each patient to sign a written acknowledgement that he/she has received the Notice of Privacy Practices.

Page 30: Notice and Acknowledgement

• Notice of Privacy Practices: a statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
• Acknowledgment: written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

Page 31: Our Patients’ Rights

• The right to request restriction of PHI uses & disclosures
• The right to request alternative forms of communications (mail to P.O. Box, not street address; no message on answering machine, etc.)
• The right to access and copy the patient’s PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to information

Page 32: How Does HIPAA Affect my Job

Page 33

HIPAA requires that UBMD train all workforce members about the organization’s HIPAA policies and specific procedures which may affect the work you do. These rules apply to you when you look at, use, or share Protected Health Information (PHI).

Page 34: Who uses PHI at UBMD?

• Anyone who works with or may view health, financial, or confidential information with HIPAA protected health identifiers
• Everyone who uses a computer or electronic device which stores and/or transmits UBMD patient information
• The following constitute workforce members:
– Faculty Group Practice staff
– Schools of Medicine, Nursing, Dentistry: staff and faculty
– UBMD/University staff who work in clinical areas
– Administrative staff with access to PHI
– Volunteers
– Students who work with patients
– Researchers and staff investigators
– Accounting and payroll staff
– Contractors/Temporary Workers
– Almost EVERYONE, at one time or another

Page 35: When can you use PHI?

Only to do your job!

Page 36: Treat Patients’ Information as if it were your own information

• Look at a patient’s PHI only if you need it to perform your job.
• Use a patient’s PHI only if you need it to perform your job.
• Give a patient’s PHI to others only when it’s necessary for them to perform their jobs.
• Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly.

Page 37: Scenario 2

I do not work with patients or have access to medical records; however, I see patients pass by my desk in the clinic. Can I talk about the patients with my coworkers, family and friends even if it has nothing to do with my job?

A. You may not discuss any patient information with anyone unless required for your job
B. You may only talk about the patient with your coworkers
C. You may only talk about the patient with your family and friends

Page 38: That is not correct

Page 39: Scenario 2 Answer

The correct answer is A. Information can only be used as needed for your job.

A. You may not discuss any patient information with anyone unless required for your job
B. You may only talk about the patient with your coworkers
C. You may only talk about the patient with your family and friends

Page 40: Scenario 3

I work in Radiology on the 4th Floor and my friend, who works at the Front Desk, told me that she just saw a famous athlete get on the elevator. My friend read in the paper that the star athlete has some sports injuries and asked me to find out what clinic that star is being seen at. Can I give my friend the information?

A. It is okay as I am only looking up his location, not his medical condition
B. I already have approval to access patient clinical systems, so no one will know that I accessed it
C. It is not necessary for my job, so I would be violating the patient’s privacy by checking on his location and by sharing this information with my friend

Page 41: That is not correct

Page 42: Scenario 3 Answer

The correct answer is C. It is not part of your or your friend’s job, even if you are a system user. Your access to the record will automatically be recorded and can be tracked. Both you and your friend are not protecting the privacy of this patient. There could be serious consequences to your employment.

A. It is okay as I am only looking up his location, not his medical condition
B. I already have approval to access patient clinical systems, so no one will know that I accessed it
C. It is not necessary for my job, so I would be violating the patient’s privacy by checking on his location and by sharing this information with my friend

Page 43: Scenario 4

As a file clerk, it is my job to see PHI, but while opening lab reports, I saw my manager’s pregnancy test results. Her pregnancy test was positive! I congratulated her, but found out that I was the first person to tell her. Did I do the right thing?

A. It is okay as it was part of my job to see PHI
B. I should not have used the information as it was not my job to discuss lab results, to provide a diagnosis, or to use her information outside of my job duties
C. She is an employee at UBMD, so it is okay to look at other UBMD employee records

Page 44: That is not correct

Page 45: Scenario 4 Answer

The correct answer is B. There was impermissible disclosure of her information. UBMD employees can also be patients; they have all the same rights to privacy of their information as does any other patient. This was also a violation of UBMD policy, which could impact your employment.

A. It is okay as it was part of my job to see PHI
B. I should not have used the information as it was not my job to discuss lab results, to provide a diagnosis, or to use her information outside of my job duties
C. She is an employee at UBMD, so it is okay to look at other UBMD employee records

Page 46: Scenario 5

Because I have access to confidential patient information as part of my job, I can look up anybody’s record, even if they are not my patient, as long as I keep the information to myself.

A. True, as long as I do not share this information
B. I can only look at records when it is required by my job
C. I can access hard copy medical charts, but not electronic records, anytime I want

Page 47: That is not correct

Page 48: Scenario 5 Answer

The correct answer is B. It is acceptable only when it is necessary for your job and only the minimum information necessary to do your job. Idle curiosity can jeopardize the patient’s privacy and your employment.

A. True, as long as I do not share this information
B. I can only look at records when it is required by my job
C. I can access hard copy medical charts, but not electronic records, anytime I want

Page 49: Protecting Patient Privacy Requires us to Secure Patient Information

Page 50: Downloading/Copying/Removal

• Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs.
• Upon termination of employment, or upon termination of authorization to access PHI, the employee must return to UBMD all copies of PHI in his or her possession.

Page 51: Dealing with PHI on paper

• Shred or destroy PHI before throwing it away
• Dispose of paper and other records with PHI in secured shredding bins. Recycling and Trash bins are NOT secure.
• Shredding bins work best when papers are put inside the bins. When papers are left outside the bin, they are not secured from:
– Daily gossip
– Daily trash
– The public

Page 52: Know where you left your paperwork

• Check printers, faxes and copier machines when you are done using them
• Ensure paper charts are returned to applicable areas in nursing stations, medical records, or designated file rooms
• Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day
• Seal envelopes well when mailing

Page 53: Faxing

• Faxing is permitted. Always include, with the faxed information, a UBMD cover sheet containing a Confidentiality Statement.
• Limit manual faxing to urgent transmittals:
– In an emergency, faxing PHI is appropriate when the information is needed immediately for patient care
– Other situations considered urgent (e.g., results from lab to physician)
• Place the fax machine in a secure area

Page 54: Information that should not be Faxed except… in an emergency

– Drug dependency
– Alcohol dependency
– Mental illness or psychological information
– Sexually-transmitted disease (STD) information
– HIV status

Page 55: Locations of Fax Machines/Printers

• Location should be secure whenever possible
• In an area that is not accessible to the public, and
• Whenever possible, in an area that requires security keys or badges for entry.

Page 56

If information is inadvertently faxed to a patient-restricted party or a recipient where there is a risk of release of the PHI (e.g., newspaper), the Privacy Official should be notified at NNN-NNN-NNNN, and legal counsel should become involved.

Page 57: Public Viewing/Hearing

• PHI should not be left in conference rooms, out on desks, or on counters where the information may be accessible to the public, or to other employees or individuals who do not have a need to know the protected health information.

Page 58: Public Viewing/Hearing

• Patients may see normal clinical operations as violating their privacy
• Be aware of your surroundings when talking
• Do not leave PHI on answering machines
• Ask yourself, “What if it was my information being discussed like this?”

Page 59: Scenario 6

Susan, who works at the front desk, called a patient’s phone number and left a voice mail for Mrs. Becky Jones to contact the office regarding her scheduled lap band procedure. Was this a privacy breach?

A. No, the patient provided this phone number
B. Yes, I stated her name and medical procedure
C. No, I did not state the medical reason for the surgery

Page 60: That is not correct

Page 61: Scenario 6 Answer

The correct answer is B. Patient name in conjunction with any medical information constitutes PHI. You do not know who will hear the message; the patient may not have told her family, friend or roommate. It is best practice to leave the minimum amount of information needed: your name, phone number, and that you are from the UBMD office. Never leave PHI on an answering machine.

A. No, the patient provided this phone number
B. Yes, I stated her name and medical procedure
C. No, I did not state the medical reason for the surgery

Page 62: HIPAA Security

• HIPAA Security is focused on e-PHI.
– e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by UBMD using any type of electronic information resource.
– Examples: information in an electronic medical record, patient billing information transmitted to a payer, digital images and print outs, and information being sent by UBMD to another provider, a payer or a researcher.

Page 63: HIPAA Security Rule Provisions

Administrative Safeguards
• Administrative Safeguards require written documentation of the security measures.
• Policies and procedures must ensure prevention, detection, containment and correction of security violations. Policies and procedures must also ensure that all workforce members have appropriate access to electronic PHI in order to perform their jobs.

Physical Safeguards
• Physical safeguards protect UBMD’s electronic information system hardware and related buildings and equipment.
• Security measures include protections from natural or environmental hazards and unauthorized access.

Technical Safeguards
• Technical Safeguards involve the use of computer technology solutions to protect the integrity, confidentiality and availability of electronic PHI
• Access Controls
• Audit controls
• Integrity
• Person/entity Authentication
• Transmission Security

Page 64: Protecting e-PHI

• Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security)
– Confidentiality - Ensure that the information will not be disclosed to unauthorized individuals or processes
– Integrity - Ensure that the condition of information has not been altered or destroyed in an unauthorized manner, and that data is accurately transferred from one system to another
– Availability - Ensure that information is accessible and usable upon demand by an authorized person

Page 65: Good Computing Practices: Safeguards for Users

Page 66: Safeguard #1: Access Controls (Unique User Identification)

• Users are assigned a unique “User ID” for log-in purposes (UBIT), which limits access to the minimum information needed to do your job. Never use anyone else’s log-in, or a computer someone else is logged on to. Log them out before you use it.
• Use of information systems is audited for inappropriate access or use.
• Access is cancelled for terminated employees.
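Unique user IDs make the second bullet possible: because every chart view is recorded under one person's ID, the audit controls named on page 63 can compare each access against that person's job need, which is what the Scenario 3 answer means by "your access to the record will automatically be recorded and can be tracked." The Python below is an added illustration of such a review, not UBMD's code or its audit system: it parses a constructed access log, treats a user's assigned worklist as the "need to know" roster, flags every access to a patient outside that roster, and adds one signal beyond the slide's text, namely several unrelated users opening the same record, the pattern behind the Scenario 3 and 4 situations. The log layout, the roster, the flagged-record set and all user and MRN values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log: timestamp, user id, patient MRN, action.
SAMPLE_ACCESS_LOG = """\
2024-03-04T09:02:11 rad_tech01 MRN-1001 view_chart
2024-03-04T09:05:40 rad_tech01 MRN-1002 view_chart
2024-03-04T10:17:03 rad_tech01 MRN-7777 lookup_location
2024-03-04T11:30:55 clerk02 MRN-2001 open_lab_report
2024-03-04T11:32:10 clerk02 MRN-3005 open_lab_report
2024-03-04T12:01:00 clerk02 MRN-7777 view_chart
"""

# Constructed "need to know" roster: which patients each user is assigned to
# (a radiology worklist, a clerk's filing queue). In practice this would be
# pulled from a scheduling or worklist system; here it is assumed.
SAMPLE_ROSTER = {
    "rad_tech01": {"MRN-1001", "MRN-1002"},
    "clerk02": {"MRN-2001", "MRN-3005"},
}

# Constructed set of records that warrant extra scrutiny (high-profile
# patients, employees who are also patients).
SAMPLE_SENSITIVE = {"MRN-7777"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    action: str
    reason: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the assumed four-column, space-separated log layout."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append(AccessEvent(ts, user, patient, action))
    return events


def find_suspicious_access(events, roster, sensitive) -> list[Finding]:
    """Flag every access to a patient who is not on the user's roster.
    A user with no roster entry at all has every access flagged."""
    findings = []
    for e in events:
        if e.patient in roster.get(e.user, set()):
            continue  # job-related: the patient is on this user's worklist
        reason = "no treatment/work relationship"
        if e.patient in sensitive:
            reason += "; flagged record"
        findings.append(Finding(e.user, e.patient, e.action, reason))
    return findings


def snooped_patients(findings, min_users: int = 2) -> list[str]:
    """Records opened without a work relationship by several distinct users:
    the signature of curiosity-driven lookups of one patient."""
    users_per_patient = defaultdict(set)
    for f in findings:
        users_per_patient[f.patient].add(f.user)
    return sorted(p for p, users in users_per_patient.items() if len(users) >= min_users)


def findings_by_user(findings) -> dict[str, list[Finding]]:
    """Group findings per user so a privacy officer reviews one person at a time."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.user].append(f)
    return dict(grouped)


if __name__ == "__main__":
    hits = find_suspicious_access(parse_log(SAMPLE_ACCESS_LOG), SAMPLE_ROSTER, SAMPLE_SENSITIVE)
    for user, items in findings_by_user(hits).items():
        for f in items:
            print(f"{user}: {f.action} on {f.patient} ({f.reason})")
    print("records opened by multiple unrelated users:", snooped_patients(hits))
```

A roster comparison of this kind only works when each access is tied to a unique ID, which is the first bullet's point: a shared or borrowed login makes the audit trail attribute one person's lookups to another.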

Page 67: Safeguard #2: Password Protection

UBMD requires that:

• All passwords be changed at least once every 90 days, or immediately if a breach of a password is suspected;
• User accounts that have system-level privileges granted through group memberships or programs have a unique password from all other accounts held by that user;
• Passwords not be inserted into email messages or other forms of electronic communication;
• Personal computers and other portable devices such as laptops and PDAs which may contain e-PHI be password protected and, when possible, the e-PHI encrypted;
• Default vendor passwords be changed immediately upon installation of hardware or software.

Page 68: If you think somebody knows your password…

• Notify the Support Desk or your computer support person, and
• Change your password IMMEDIATELY (if you need assistance, ask the Help Desk)

Remember: You are responsible for everything that occurs under your UBMD login.

Page 69: Safeguard #3: E-mail Considerations

• Practice Safe Emailing
– Do not open, forward, or reply to suspicious emails
– Do not forward UBMD email to personal accounts
– Do not open suspicious email attachments or click on unknown website addresses
– NEVER provide your username and password to an email request
– Delete spam and empty the “Deleted Items” folder
– Use a secure email solution whenever sending email outside UBMD (use encryption if available)
– Use all the tools and methods available to you to encrypt your email.

Check with your UBMD IT personnel for details.

Page 70: Safeguard #4: Workstation Security

Page 71: Workstation Security Contd.

Workstations
• Electronic computing devices
• Laptops, desktop computers, or other devices that perform similar functions (Tablets, Smartphones)
• Electronic media stored in or near them

Physical Security Measures
• Disaster Controls
• Physical Access Controls
• Device and Media Controls

Malware Controls
• Measures taken to protect against any software that causes unintended results

Page 72: Workstation Security Contd.

• Disaster Controls
  – Protect workstations from natural and environmental hazards
  – Locate equipment above ground level to protect it against flood damage
  – Use electrical surge protectors
  – Move workstations away from overhead sprinklers

Page 73: Workstation Security Contd.

• Access Controls
  – Create a strong password and do not share your username or password with anyone
  – Lock/Log-off before leaving a workstation unattended. This will prevent other individuals from accessing e-PHI under your User-ID, and limit access by unauthorized users.

[Slide image: “You have logged out successfully!”]

Page 74: Workstation Security Contd.

Device Controls
• Ensure information on computer screens is not visible to passersby
  – Auto Log-Off - Where possible and appropriate, devices must be set to “lock” or “log-off” and require a user to sign in again after 5 minutes
  – Automatic Screen Savers - Password protect, and set to activate in 5 minutes
  – Use a privacy screen
  – Manually lock your PC by using the keyboard command (Press the Ctrl + Alt + Delete keys simultaneously and select the appropriate action)
  – Use a password to start up or wake up your computer

Page 75: Malware

• Malicious software that is designed to harm or secretly access computers without the user’s knowledge
  – Viruses
  – Worms
  – Spyware
  – Keystroke Loggers
  – Remote Access Trojans

Page 76: Malware Contd.

Viruses
• Malicious programs that attempt to spread throughout your computer system and the entire network
• They can be prevented by installing antivirus software on your computer, and updating it frequently

Worms
• Malicious software that spreads without any user action. They take advantage of security holes in the operating system or software package
• They can be prevented by making sure that your system has all security updates installed

Spyware
• A class of malicious programs that monitors your computer usage habits and reports them for storage in a marketing database
• They are installed without you knowing while installing another program or browsing the Internet
• They can open advertising windows (popups)
• They can be prevented by installing and running an updated spyware scanner

Keystroke Loggers
• They can be software programs or hardware (devices installed between your keyboard and computer) that log every keystroke typed.
• They can be detected by most antivirus programs and spyware scanners
• They can be spotted if you check your hardware for anything unfamiliar (do it often)

Remote Access Trojans
• They allow remote users to connect to your computer without your permission, letting them take screenshots of your desktop, take control of your mouse and keyboard and access your programs at will.
• Most regularly updated antivirus programs can detect and remove them

Page 77: Symptoms of Malware Infection

• Reduced performance (your computer slows or “freezes”)
• Windows opening by themselves
• Missing data
• Slow network performance
• Unusual toolbars added to your web browser

Contact the UBMD Support Desk @ 716-842-2112 if you suspect that your computer has been infected with malware.

Page 78: Be aware of Suspicious Email

• Any unsolicited email you receive with an attachment
• Any email from someone whose name you don’t recognize
• Phishing
  – Emails that ask you to provide personal or sensitive information. Verify by calling on the phone before providing any information.

Page 79: Indications of a Tampered Account

• Your account is locked when you try to open it
• Your password isn’t accepted
• You are missing data
• Your computer settings have mysteriously changed

If you suspect someone has tampered with your account, contact the UBMD Support Desk @ 716-842-2112

Page 80: Portable Device Security Tips

• Always encrypt portable devices and media with confidential information on them (laptops, flash drives, memory sticks, external drives, CDs, etc.)
• Encryption must be an approved UBMD data encryption solution. A UBMD or UB campus owned device may have already been encrypted for you. Check with the IT department.
• Purchase only electronic devices and media which can be encrypted.

Best Practice: Do not keep confidential data on portable devices unless absolutely necessary, and if necessary, the information must be encrypted.

Page 81: Scenario 7

Dr. Gordon is very busy and asks you to log into the clinical information system using his User ID and password to retrieve some patient reports. What should you do?

A. It is a physician, so it is okay to do this
B. Ignore the request and hope he forgets
C. Decline the request and refer him to the UBMD information Security Policies
D. None of the above

Page 82

That is not correct

Page 83: Scenario 7 Answer

The correct answer is C. Always log in under your own user ID and password. If you do not have system owner permission to access the system, then do not access the system. This would have been a violation of privacy and security policies.

A. It is a physician, so it is okay to do this
B. Ignore the request and hope he forgets
C. Decline the request and refer him to the UBMD information Security Policies
D. None of the above

Page 84: Scenario 8

In your role as a Resident, you need to use a laptop as you work at various UBMD Practices. You have patient emails, addresses, and medical information files on the laptop. What is the best way to protect this device?

A. It is secured as I use a complex password and when unattended, I always lock it up in the trunk of my car
B. I only need a complex password to secure the laptop
C. The information on my portable device is encrypted, I use a complex password, and I physically secure the device when leaving it unattended
D. None of the above

Page 85

That is not correct

Page 86: Scenario 8 Answer

The correct answer is A. Your laptop must be encrypted if it contains UBMD patient information or other sensitive confidential information. Password protection by itself is not enough, but you do need to use complex passwords for the device and physically secure it when unattended. Unencrypted devices are considered unsecured in the event of a loss or theft by federal and state privacy laws and are therefore reportable to federal and state agencies!

A. It is secured as I use a complex password and when unattended, I always lock it up in the trunk of my car
B. I only need a complex password to secure the laptop
C. The information on my portable device is encrypted, I use a complex password, and I physically secure the device when leaving it unattended
D. None of the above

Page 87: Safeguard #5: Workstation Security Check List

Always use the physical security measures listed in Safeguard #4, including this “Check List”:
– Use an Internet Firewall, if applicable
– Always use Anti-virus software, and keep it up-to-date
– Always install computer software updates, such as Microsoft patches, routinely
– Encrypt and password-protect portable devices (PDAs, laptops, etc.)
– Lock-it-up! Lock office or file cabinets, lock up laptops
– Use automatic log-off from programs
– Use password-protected screen savers
– Use physical privacy screens
– Back up critical data and software programs

Page 88: Safeguard #5: Workstation Security - when you take it with you…

Security for USB Memory Sticks and Storage Devices
• Don’t store e-PHI on flash drives/memory cards
• If you must store it, either de-identify it, and/or encrypt it
• Delete the e-PHI when no longer needed
• Protect the devices from loss and damage

Page 89: Safeguard #5: Workstation Security PDAs/Tablets/Smartphones

• Don’t store e-PHI on mobile devices
• If you must store it, de-identify it and/or
• Encrypt it and password-protect it
• Back up original files
• Synchronize with computers as often as practical
• Delete e-PHI files from all portable media when no longer needed
• Protect your device from loss or theft - Report any incident immediately.

Page 90: Safeguard #6: Data Management and Security

Page 91: Data Management and Security

Storage – Portable Devices
• Permanent copies of e-PHI should not be stored on portable equipment, such as laptop computers, PDAs, Smartphones and storage media like memory sticks/flash drives
• If necessary, temporary copies can be used on portable computers only while using the data, and only if encrypted to safeguard the data if the device is lost or stolen

Page 92: Data Management and Security - Disposal

Destroy e-PHI data which are no longer needed:
• Know where to take hard drives, CDs, flash drives, or any backup devices for appropriate safe disposal or recycling (Check with your IT professional)

Page 93: Security Incidents and e-PHI

A “Security Incident” is:

“The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [45 CFR 164.304]

What is your role?

Page 94: Security Reminders!

A good Security Standard to follow is the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on YOU to adhere to good computing practices
  – Example: The lock on the door is the 10%. Your responsibility is the 90%:
    • Remembering to lock it
    • Checking to see if it is closed
    • Ensuring others do not prop the door open
    • Keeping control of the keys

10% security is worthless without YOU!

Page 95: Privacy Breach from Lost, Stolen, or Misdirected Information

A privacy breach can occur when information is:
• Physically lost or stolen
  – Paper copies, films, tapes, electronic devices
  – Anytime, anywhere - even while on public transportation, crossing the street, in the building, in your office
• Misdirected to others outside of UBMD
  – Verbal messages sent to or left on the wrong voicemail or sent to or left for the wrong person
  – Mislabeled mail, misdirected email
  – Wrong fax number, wrong phone number
  – Placed on UBMD intranet, internet, websites, Facebook, Twitter

Page 96: What constitutes a Breach?

Definition of “Breach”
• An impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule
• Examples include
  – Laptop containing PHI is stolen
  – Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
  – Nurse gives discharge papers to the wrong individual
  – Billing statements containing PHI mailed or faxed to the wrong individual/entity

Page 97: Examples of Privacy Breach

• Talking in public areas, talking too loudly, talking to the wrong person
• Lost/stolen or improperly disposed of paper, mail, films, notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
• Lost/stolen media like CDs, flash drives, memory cards
• Hacking of unprotected computer systems
• Email or faxes sent to the wrong address, wrong person, or wrong number
• User not logging off of computer systems, allowing others to access their computer or system

Page 98: Exceptions to Breach

• Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which the covered entity participates
• If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information

Page 99: Breach Notification Obligations

• If a breach has occurred, UBMD will be responsible for providing notice to:
  – The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)
  – Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
  – Media (only required if 500 or more individuals of any one state are affected)

Page 100: Breach Notification Decision Tree

Page 101: What if there is a Breach of Confidentiality?

• Breaches of the policies and procedures or a patient’s confidentiality must be reported to the UBMD Privacy Official at NNN-NNN-NNNN.
• UBMD’s Breach Mitigation Policy states:

“Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor and the UBMD’s Information Privacy and Security Office.”

Page 102: …if a breach is reported?

• The incident will be thoroughly investigated.
• The UBMD Covered Entity is required to attempt to fix the harmful effects of any breach.

Page 103: Disciplinary Actions (Sanctions)

• Internal Disciplinary Actions
  • Individuals who breach the policies will be subject to appropriate discipline under the UBMD Sanction Policy.
• Civil/Criminal Penalties
  • An employee who does not protect a patient’s privacy and follow all required UBMD policies and procedures could lose his or her job and also (See below)
  • Covered entities and individuals who violate these standards will be subject to civil and/or criminal liability.

Page 104: Minimum Privacy Violation

Level & Definition of Violation: Accidental and/or due to lack of proper education.
  Example:
  • Improper disposal of PHI.
  • Improper protection of PHI (leaving records on counters, leaving documents in inappropriate areas).
  • Not properly verifying individuals.
  Possible Actions may include:
  • Re-training and re-evaluation.
  • Oral warning with documented discussions of policy, procedures, and requirements.

Level & Definition of Violation: Purposeful violation of privacy or an unacceptable number of previous violations.
  Example:
  • Accessing or using PHI without having a legitimate need.
  • Not forwarding appropriate information or requests to the privacy official for processing.
  Possible Actions may include:
  • Re-training and re-evaluation.
  • Written warning with discussion of policy, procedures, and requirements, or Termination.

Level & Definition of Violation: Purposeful violation of privacy policy with associated potential for patient harm.
  Example:
  • Disclosure of PHI to unauthorized individual or company.
  • Sale of PHI to any source.
  • Any uses or disclosures that could invoke harm to a patient.
  Possible Actions may include:
  • Termination.

Page 105: Civil Penalties

• Covered entities and individuals who violate these standards will be subject to civil liability

Tiered Civil Penalties

HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Page 106: HIPAA Criminal Penalties

HIPAA Violation | Criminal Penalty
An individual who knowingly obtains or discloses individually identifiable health information in violation of HIPAA regulations | Up to $50,000 and up to one-year imprisonment
If wrongful conduct involves false pretenses | Criminal penalties increase to $100,000 and up to five years imprisonment
If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm | $250,000 and up to 10 years imprisonment

UBMD is SERIOUS about protecting our Patients’ Privacy

Page 107: Reporting Security Incidents

You are required to:
• Respond to security incidents and report them first to your practice Information Privacy and Security personnel and/or to the Practice Administrator as well as to the:

UBMD Information Privacy and Security Officer
First Name Last [email protected]

Page 108: How to Report Privacy Breaches

Immediately report any known or suspected privacy breaches (such as paper, conversations, suspected unauthorized or inappropriate access or use of PHI): report them first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the UBMD’s Information Privacy and Security Office at (NNN) NNN-NNN

Page 109: Remember…

From the patients’ point of view, ALL information is private
• This includes a patient’s:
  – Personal information
  – Financial information
  – Medical information
  – Protected Health Information
  – Information in any format: spoken, written, or electronic

Page 110: Resources for Privacy and Security

• Your Immediate Supervisor/Manager
• The UBMD HIPAA SharePoint site: https://prv-sharepoint.pn.buffalo.edu/VPHS/UBMD/HIPAA/default.aspx
• Your Practice’s designated Information Privacy and Security person
• UBMD Information Privacy and Security Program Office
  – Contact Number: (NNN) NNN-NNNN
• UBMD Chief Privacy and Security Officer: First Name Last Name
  Telephone #: (NNN) NNN-NNNN

Page 111: Summary Question 1

Which workstation security safeguards are you responsible for using and/or protecting?

A. Your User ID
B. Your Password
C. Logging out of programs that access PHI when not in use
D. All of the safeguards listed

Page 112

That is not correct

Page 113: Summary Question 1 Answer

The correct answer is D. Always log off programs and always protect your user ID and password. Never share these with anyone.

A. Your User ID
B. Your Password
C. Logging out of programs that access PHI when not in use
D. All of the above

Page 114: Summary Question 2

You can protect patient information by:

A. Protecting verbal, written, and electronic information
B. Utilizing safe computing skills
C. Reporting suspected privacy and security incidents
D. Following UBMD Policies
E. All of the above methods

Page 115

That is not correct

Page 116: Summary Question 2 Answer

The correct answer is E. All of these actions help to protect the privacy and security of patient information.

A. Protecting verbal, written, and electronic information
B. Utilizing safe computing skills
C. Reporting suspected privacy and security incidents
D. Following UBMD policies
E. All of the above

Page 117

Thank you for taking the time to review this important Training Presentation. If you have any questions or comments, please refer to the UBMD Information Privacy and Security Program office.

Proceed to the following section to acknowledge the attestation statement and then complete the Competency Assessment.

END