HIPAA: Managing HIPAA Violations in a World of Expanded Access
Vera Newkirk, MHA, CHC, CHPC, Compliance/Privacy Officer
August 30, 2016
Learning Objectives
• Discuss efforts to strengthen staff awareness of HIPAA and their obligation to prevent inappropriate access to, and inappropriate disclosure of, protected health information.
• Understand the challenges of managing access.
• Describe the anatomy of a HIPAA violation, including sources of concern and monitoring activities.
• Understand the importance of mitigation and notification requirements, as well as thorough documentation.
#NCHICA2016, @nhrmc
New Hanover Regional Medical Center – Who We Are
Two hospital campus locations (Wilmington):
• NHRMC
• NHRMC Orthopedic Hospital
• Rehab Hospital
• Women & Children's Hospital
• NHRMC Behavioral Health Hospital
Also:
• Several outpatient locations
• Four emergency departments & ASC
• Pender Memorial Hospital (CAH)
• Skilled Nursing Facility
• NHRMC Home Care
• NHRMC Physician Group Practices
29 locations in 6 counties
6,100 employees; 651 medical staff; 304 mid-level providers
Physician Quality Partners (ACO); joint ventures & affiliations
Corporate Compliance Organization Chart
NHRMC Board of Trustees
  NHRMC Board of Trustees Audit Committee
Jack Barto, CEO
Vera Newkirk, MHA, CHC, CHPC – Compliance/Privacy Officer
  • Vickie Futrell, RN, BS, RHIA, CHC, COC – Compliance Auditor
  • Robin Pearsall, RN, COC, CHPC – Compliance Auditor
  • Stephanie Snyder, BS – Compliance Auditor
  • Connie Keen, RN – Compliance/Regulatory Coordinator (.5 FTE)
Background
• HIPAA Privacy Rule – compliance date 4/14/2003
• HIPAA Security Rule – compliance date 4/20/2005
• HIPAA Breach Notification Rule (HITECH) – effective 9/23/2009
• Omnibus Final Rule (modifications to the HIPAA Rules) – effective 3/26/2013
NHRMC Hospital & Outpatient Departments – Interface Diagram
NHRMC Physician Group – Interface Diagram
Provision of Security Access
• Role-based access
• Minimum necessary
• HIPAA Core Team review
"Expanded Access" includes:
• Access to "all" patients versus a limited list
• Remote access
• Access to the full Social Security Number
• Access to specific reports
Proactive Measures to Prevent Violations
Staff education:
• New hire orientation
• Annual compliance training
• Compliance and Privacy newsletters, including the number of violations (quarterly)
• Huddle board discussions (at the discretion of the leader)
• Live department education following a HIPAA violation
Monitoring:
• Privacy monitoring activities (quarterly)
• HIPAA Core Team review of expanded access requests
• Compliance and Privacy tracers (quarterly)
Violations of Inappropriate Access
A HIPAA access violation has occurred when a user opens a medical record without a job-related "need to know."

Calendar Year   Number of Violations
2011            3
2012            2
2013            3
2014            16
2015            12
2016 YTD        26
Anatomy of a HIPAA Violation
5 Major Steps for Compliance with HIPAA

1. Detection – sources:
• Patient or representative
• Privacy monitoring
• Co-workers
• Internal suspicions
• Process failure or human error

2. Investigation:
• Review access audits
• Review medical records
• Consult with manager
• Conduct interview(s)

3. Documentation:
• Initial complaint
• Audit findings
• Interviews
• Staff education
• Conclusion
• Sanctions
• Notifications

4. Sanction:
• Disciplinary actions – Written Warning, Final Written, or Termination
• No merit increase
• Re-education, if applicable

5. Mitigation:
• Patient notification
• OCR notification
• Medical record disclosure
Why Do HIPAA Access Violations Occur?
Reasons Provided By Violators
"I needed to verify my co-worker's address because the department was sending a get well card."
"I wasn't sure what she looked like so I looked her up."
"My co-worker asked me to look up her test results."
"I didn't do that. Someone must have used my computer."
Other Discoveries During Investigations
• A user's relative was involved in a car accident; the user accessed the other patient's account to find out lab results.
• A user accessed the EMRs of high-profile patients and patients of media interest out of curiosity.
• A user accessed the EMR of a former spouse.
• A user accessed the EMR of co-worker(s) or relative(s) out of concern and/or curiosity.
• A user accessed the EMR of a co-worker at the co-worker's request, because the co-worker knew it was against policy to access their own record.
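The access patterns above (own record, co-worker's record, a relative's or high-profile patient's chart, and "someone must have used my computer") are exactly what a quarterly privacy-monitoring pass over the EMR access audit log should surface before a complaint arrives. The script below is an added example and is not NHRMC's tooling or audit format: it runs over constructed audit events, an employee roster and an encounter list, and flags self-access, co-worker access, access with no treatment relationship between the user's department and the patient, access to a flagged (high-profile) chart, and one account active on two workstations minutes apart. The field names, the 30-day relationship window and the 5-minute shared-session gap are assumptions to be set per local policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    mrn: str            # chart that was opened
    workstation: str


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    own_mrn: Optional[str] = None   # set when the employee is also a patient here


@dataclass(frozen=True)
class Encounter:
    mrn: str
    department: str
    start: datetime
    end: datetime


# Assumed policy windows (hypothetical values; set per local policy)
RELATIONSHIP_WINDOW = timedelta(days=30)   # access near an encounter in the user's department is expected
SHARED_SESSION_GAP = timedelta(minutes=5)  # same account on two workstations this close together


def has_treatment_relationship(emp, ev, encounters):
    """True if the user's department had an encounter with this patient near the access time."""
    for enc in encounters:
        if enc.mrn == ev.mrn and enc.department == emp.department \
                and enc.start - RELATIONSHIP_WINDOW <= ev.ts <= enc.end + RELATIONSHIP_WINDOW:
            return True
    return False


def review_access(events, employees, encounters, vip_mrns):
    """Return [(event, [reasons])] for accesses that need privacy-officer review."""
    by_user = {e.user_id: e for e in employees}
    roster = {e.own_mrn: e.user_id for e in employees if e.own_mrn}   # charts belonging to co-workers
    findings = []
    for ev in events:
        reasons = []
        emp = by_user.get(ev.user_id)
        if emp is None:
            reasons.append("user id not on roster")            # orphaned or terminated account
        else:
            if emp.own_mrn == ev.mrn:
                reasons.append("self-access")
            elif ev.mrn in roster:
                reasons.append(f"co-worker record ({roster[ev.mrn]})")
            if not has_treatment_relationship(emp, ev, encounters):
                reasons.append("no treatment relationship for user's department")
        if ev.mrn in vip_mrns:
            reasons.append("flagged (high-profile) patient")   # always reviewed, even when legitimate
        if reasons:
            findings.append((ev, reasons))
    return findings


def shared_session_users(events):
    """Users whose account was active on two workstations within SHARED_SESSION_GAP,
    the pattern behind 'someone must have used my computer' (unattended or shared session)."""
    flagged = set()
    ordered = sorted(events, key=lambda e: (e.user_id, e.ts))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.user_id == cur.user_id and prev.workstation != cur.workstation \
                and cur.ts - prev.ts <= SHARED_SESSION_GAP:
            flagged.add(cur.user_id)
    return flagged


# Constructed sample data (not real records or real NHRMC identifiers)
EMPLOYEES = [
    Employee("u_rn01", "ED", own_mrn="MRN-1001"),
    Employee("u_rn02", "ED", own_mrn="MRN-1002"),
    Employee("u_bill1", "Billing"),
]
ENCOUNTERS = [
    Encounter("MRN-2001", "ED", datetime(2016, 8, 1, 10, 0), datetime(2016, 8, 1, 16, 0)),
    Encounter("MRN-2001", "Billing", datetime(2016, 8, 2, 9, 0), datetime(2016, 8, 2, 17, 0)),
    Encounter("MRN-1002", "Ortho", datetime(2016, 7, 20, 8, 0), datetime(2016, 7, 21, 12, 0)),
    Encounter("MRN-3001", "ED", datetime(2016, 8, 5, 9, 0), datetime(2016, 8, 5, 12, 0)),
]
VIP_MRNS = {"MRN-3001"}
EVENTS = [
    AccessEvent(datetime(2016, 8, 1, 11, 0), "u_rn01", "MRN-2001", "WS-ED-3"),   # legitimate ED access
    AccessEvent(datetime(2016, 8, 1, 11, 2), "u_rn01", "MRN-2001", "WS-ED-7"),   # same account, other workstation
    AccessEvent(datetime(2016, 8, 1, 12, 0), "u_rn01", "MRN-1002", "WS-ED-3"),   # co-worker's chart
    AccessEvent(datetime(2016, 8, 3, 14, 0), "u_rn02", "MRN-1002", "WS-ED-5"),   # own chart
    AccessEvent(datetime(2016, 8, 5, 10, 0), "u_rn01", "MRN-3001", "WS-ED-3"),   # VIP, but ED encounter exists
    AccessEvent(datetime(2016, 8, 10, 9, 0), "u_bill1", "MRN-3001", "WS-BIL-1"), # VIP, no Billing encounter
    AccessEvent(datetime(2016, 8, 3, 9, 0), "u_bill1", "MRN-2001", "WS-BIL-1"),  # legitimate Billing access
]


def run_sample():
    return review_access(EVENTS, EMPLOYEES, ENCOUNTERS, VIP_MRNS)


if __name__ == "__main__":
    for ev, reasons in run_sample():
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.user_id} opened {ev.mrn} on {ev.workstation}: {'; '.join(reasons)}")
    print("possible shared sessions:", sorted(shared_session_users(EVENTS)))
```

Each finding is a lead, not a conclusion: the investigation step (audit review, record review, manager consult, interviews) still decides whether a "need to know" existed, which is why a flagged high-profile access with a valid encounter is still reported for review rather than suppressed.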
What More Can We Do?
• Random security screensavers
• Provide real, de-identified HIPAA scenarios to leaders for huddle board discussions
• Strengthen the Progressive Discipline Policy
Questions/Discussion