Confidentiality, Privacy and Security Awareness
McAlester Regional Health Center
Lou Ann Wiedemann, MS, RHIA, CHDA, CDIP, FAHIMA, Director HIS/Privacy Officer

  • Slides: 25

Objectives
• Understand patient confidentiality
• Distinguish indicators for patient privacy
• Provide security awareness
• Recognize breach reporting responsibilities

Health Insurance Portability and Accountability Act (HIPAA)
• Public Law 104-191; implementing regulations at 45 CFR Parts 160-164.
• Establishes a set of national standards for the protection of certain health information.
• Privacy Rule (45 CFR Part 164, Subpart E): addresses the uses and disclosures of individuals' health information, individuals' right of access, and their control over how their health information is used.
• Security Rule (45 CFR Part 164, Subpart C): addresses protection of certain health information that is held or transferred in electronic form.
• Coverage: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a HIPAA transaction. Business associates that create, receive, maintain or transmit PHI on a covered entity's behalf are also directly liable for the Security Rule and for their contractual Privacy Rule obligations.

MRHC
• Everyone is responsible for confidentiality, privacy and security:
  • Executive Leadership
  • Clinical staff
  • Employees
  • Business Associates
  • Students/Interns
  • Volunteers

Confidentiality
• Every employer, clinic, hospital and employee is required to ensure the confidentiality of a patient's health information. Public Law 104-191; 45 CFR Parts 160-164.
• The Privacy Rule's "safe harbor" de-identification standard lists 18 specific identifiers, such as name, SSN, address (any geographic subdivision smaller than a state), dates directly related to the individual such as birth date, telephone number, medical record number, and any other unique identifying number, characteristic or code. Information that carries any of them is PHI; it counts as de-identified only once all 18 are removed and the covered entity has no actual knowledge that what remains could identify the patient. 45 CFR 164.514(b).
• Note that a diagnosis is not one of the 18 identifiers: it is PHI because it is tied to an identified patient, and on its own it may remain in a de-identified data set.
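The 18-identifier list is mechanical enough to check in code, which is the point of the safe harbor method. The following Python helper is an added example written for this edit, not code from the McAlester Regional deck or from HHS; the record layout, the field names, the regular expressions and the sample patient record are constructed assumptions. It drops direct-identifier fields, reduces dates to the year, buckets ages over 89, truncates ZIP codes to three digits, scans free-text fields for leaked identifiers, and reports every change so a reviewer can see why the input was not de-identified as supplied.

```python
"""Safe Harbor de-identification check (45 CFR 164.514(b)(2)).

Added example for this page, not code from the McAlester Regional deck or
from HHS. Record layout, field names, regexes and the sample record are
constructed assumptions for illustration.
"""
import re
from datetime import date

# Fields that are direct identifiers under Safe Harbor (names, phone/fax,
# email, SSN, MRN, plan/account/license numbers, vehicle and device IDs,
# URLs, IP addresses, biometrics, full-face photos). Assumed field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Patterns that catch identifiers leaking through free-text fields.
TEXT_PATTERNS = (
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("full date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
)


def generalize_date(d):
    """Dates directly related to an individual keep only the year."""
    return str(d.year)


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def generalize_zip(zip_code, restricted_prefixes=frozenset()):
    """Keep the first three ZIP digits unless that 3-digit area has 20,000
    or fewer residents, in which case it becomes 000. The caller supplies
    the restricted prefixes from Census data; none are hardcoded here."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in restricted_prefixes else prefix


def safe_harbor(record, restricted_zip_prefixes=frozenset()):
    """Return (released_record, findings).

    released_record has the 18 identifier categories removed or
    generalized; findings lists every change that was needed."""
    released, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"dropped direct identifier '{key}'")
            continue
        if key == "dob" and isinstance(value, date):
            findings.append("reduced 'dob' to year")
            released["birth_year"] = generalize_date(value)
            continue
        if key == "age":
            released["age"] = generalize_age(int(value))
            continue
        if key == "zip":
            released["zip3"] = generalize_zip(value, restricted_zip_prefixes)
            continue
        if isinstance(value, str):
            for label, rx in TEXT_PATTERNS:
                if rx.search(value):
                    findings.append(f"removed {label} from free text '{key}'")
                    value = rx.sub(f"[{label} removed]", value)
        released[key] = value
    return released, findings


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "mrn": "MRN-0042",
    "dob": date(1931, 5, 14),
    "age": 93,
    "zip": "74501",
    "diagnosis": "Type 2 diabetes",   # a diagnosis is not one of the 18 identifiers
    "note": "Pt called from 918-555-0123; follow-up 06/02/2024.",
}

if __name__ == "__main__":
    released, findings = safe_harbor(SAMPLE_RECORD)
    print(released)
    for f in findings:
        print("-", f)
```

The restricted three-digit ZIP prefixes are passed in rather than hardcoded because that list comes from Census data and changes between censuses. In production the regex scan over free text would be replaced by a clinical de-identification tool, and the output still has to pass the "no actual knowledge" test in 164.514(b)(2)(ii): a scrubbed record that is unique in a small town is not de-identified just because the 18 fields are gone.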

Confidentiality
• Ensuring confidentiality:
  • Protects patient privacy
  • Builds loyalty and trust
  • Provides exceptional customer service

Privacy
• The Privacy Rule defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed. 45 CFR 164.502

Privacy
• What is PHI? Protected Health Information is individually identifiable health information that:
  • Is created or received by a covered entity (or its business associate)
  • Relates to the individual's past, present, or future physical or mental health or condition, or to the provision of health care to the individual
  • Describes the past, present or future payment for that health care
• Where is PHI found?
  • Medical records
  • EHR
  • Billing information
  • Test results
  • Labels
  • Patient menus

Privacy
• Access to PHI must be based on Need to Know. This is the Privacy Rule's "minimum necessary" standard, 45 CFR 164.502(b) and 164.514(d): each workforce member's access is limited to the PHI their role requires, and the Security Rule's audit-control standard (45 CFR 164.312(b)) requires that access to electronic records be logged and reviewed.
• All requests for medical records must be answered through the HIS Department (Medical Records)
• DO NOT leave PHI unattended
• Report suspicious activities to the Privacy Officer (Lou Ann Wiedemann, ext. 8658)

Privacy
• Patient Rights
  • Right to Access, 45 CFR 164.524
  • Right to Amend, 45 CFR 164.526
  • Right to an Accounting of Disclosures, 45 CFR 164.528
  • Right to Request Confidential Communications, 45 CFR 164.522(b)
  • Right to Request Restrictions, 45 CFR 164.522(a)
  • Right to Receive a Notice of Privacy Practices, 45 CFR 164.520
  • Right to File a Complaint, with HHS under 45 CFR 160.306 or with the covered entity under 45 CFR 164.530(d)

Security
• The Security Rule (45 CFR Part 164, Subpart C) requires protection of electronic PHI (e-PHI), defined at 45 CFR 160.103, through administrative, physical and technical safeguards.
• Encrypt any email containing PHI sent outside of the facility; unencrypted mail can be read in transit and in every mailbox and relay it passes through.
• Log off (or lock) computers when you step away; an unattended open session is unauthorized access waiting to happen.
• DO NOT share your password; every access is attributed to the account that made it, so a shared credential puts someone else's violation on your record and destroys the audit trail.

Breach Awareness
• The Breach Notification Rule requires covered entities to provide notification following a breach of unsecured PHI. 45 CFR 164.400-414
• A breach is an acquisition, access, use or disclosure of PHI (written, oral, or electronic) that is not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. An impermissible use or disclosure is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised.

Breach Awareness
• Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, whatever the size of the breach.
• Breaches affecting fewer than 500 individuals are logged and reported to HHS once a year (within 60 days after the end of the calendar year in which they were discovered).
• Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must be notified as well.
• All enforcement is carried out through the HHS Office for Civil Rights (OCR).

Breach Examples
• Loss of a laptop, thumb drive or hospital-issued phone
• Misdirected fax
• Hacking of a network server
• Paper/electronic records reviewed by an inappropriate person

True or False?
• A former cardiothoracic surgeon and researcher at the UCLA School of Medicine was fired from his job. After his dismissal, he illegally accessed the UCLA medical records system over 300 times, viewing the health records of his immediate supervisor, his coworkers, and several celebrities. He was fined $2,000.00 for his HIPAA violation.

True or False?
• A physician, president-elect of the National Center for Privacy, has his office staff routinely send patients with past-due accounts to an outside collections firm. The information sent includes CPT diagnostic codes. OCR attempted to revoke his medical license.

True or False?
• In 2014, a Walgreen Co. pharmacist violated HIPAA when she shared confidential information about a customer who had once dated her husband. The employee was fired and Walgreens settled out of court.

True or False?
• A respiratory therapist accessed 596 medical records in a 10-month period. She was authorized to view records as part of her job, but only for the patients she was treating. Allegedly, she viewed files for unrelated patients. Sentencing is set for October and the RT could face up to a year in jail if convicted.

True or False?
• A staff member talked with a patient about procedures for HIV testing, thereby disclosing Protected Health Information (PHI) to others in the waiting room. The waiting room's setup also allowed patients to see PHI displayed on employee computer screens. After an OCR investigation, staff were required to take regular HIPAA training, and computer monitors were repositioned.

True or False?
• A hospital received new, state-of-the-art surgical equipment. Staff and surgeons were so excited to be using the new equipment that they took a picture of themselves in the operating suite with the equipment and posted it to Facebook.

True or False?
• A nurse at a hospital-based clinic received a call from the school that her child had been hurt and immediate pick-up was needed. She brought the child to the clinic and proceeded to check him in. The child was to be transferred to a pediatric hospital, and a co-worker asked the nurse to give report to the receiving hospital, so she accessed the child's record in the EHR.

True or False?
• A hospital received a subpoena for the PHI of one of its patients. Because the patient was still on the unit, the unit clerk printed the requested information and provided it to the requestor. This resulted in a HIPAA violation because subpoenas are not legal documents unless accompanied by a court order, and in addition the hospital's policy is that incomplete records are not to be disclosed.

True or False?
• A hospital laboratory employee presented for his annual physical. His doctor ordered lab tests, an EKG, and a chest x-ray. The physician told him he could look at the results online in a couple of days. The employee used his workforce access (not the patient portal) to review the results, resulting in a violation.

True or False?
• A nurse practitioner who has privileges at a multihospital health care system, and who is part of the system's organized health care arrangement, impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR's satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner's access to its electronic records system; reported the nurse practitioner's conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training.
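Each of the snooping cases in this deck (the fired surgeon viewing co-workers and celebrities, the respiratory therapist's 596 records, the lab employee reading his own results with workforce access, the nurse practitioner and her ex-husband) is the kind of event an EHR access-log review is built to surface: reconcile who viewed which record against who was assigned to treat that patient, which is how the Need to Know principle on the earlier Privacy slide is actually enforced. The following Python check is an added example written for this edit, not code from the deck or from any EHR vendor; the audit-log format, account names, MRNs, care-team assignments, watchlist and thresholds are all constructed assumptions.

```python
"""EHR access-log review for need-to-know violations.

Added example for this page, not code from the McAlester Regional deck or
from any EHR vendor. The audit-log format, account names, MRNs, care-team
assignments, watchlist and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str        # ISO-8601 timestamp
    user: str      # workforce account that performed the action
    patient: str   # MRN acted on, or "-" for non-patient actions
    action: str    # VIEW, LOGIN, ...


# Constructed audit-log sample, one event per line: ts user mrn action.
LOG = """\
2024-03-01T08:00:00 rt_smith - LOGIN
2024-03-01T08:02:11 rt_smith MRN1001 VIEW
2024-03-01T08:05:40 rt_smith MRN1002 VIEW
2024-03-01T09:12:03 rt_smith MRN2201 VIEW
2024-03-01T09:12:30 rt_smith MRN2202 VIEW
2024-03-01T09:13:01 rt_smith MRN2203 VIEW
2024-03-01T10:30:00 lab_jones MRN3300 VIEW
2024-03-01T11:00:00 np_lee MRN4400 VIEW
2024-03-01T11:01:00 np_lee MRN4401 VIEW
2024-03-01T12:00:00 np_lee MRN3300 VIEW
"""

# Constructed care-team assignments: the patients each account is treating.
ASSIGNMENTS = {
    "rt_smith": {"MRN1001", "MRN1002"},
    "np_lee": {"MRN4400"},
    "lab_jones": set(),   # lab staff have no direct treatment relationship here
}
# Workforce members who are also patients: account -> own MRN (constructed).
OWN_MRN = {"lab_jones": "MRN3300"}
# Records that are always reviewed when opened (employees, VIPs); constructed.
WATCHLIST = {"MRN3300"}


def parse_log(text):
    """Parse the constructed whitespace-separated audit format."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split()
        entries.append(Access(ts, user, patient, action))
    return entries


def review(entries, assignments, own_mrn, watchlist, burst_threshold=3):
    """Return (user, patient, reason) findings for VIEW events that fail
    the need-to-know test. A user who opens burst_threshold or more
    unrelated records also gets a summary finding."""
    findings = []
    unrelated = defaultdict(int)
    for e in entries:
        if e.action != "VIEW":
            continue
        is_own = own_mrn.get(e.user) == e.patient
        if is_own:
            # The lab-employee case: own results belong in the patient portal.
            findings.append((e.user, e.patient, "self-access with workforce credentials"))
        elif e.patient not in assignments.get(e.user, set()):
            # The respiratory-therapist, ex-husband and fired-surgeon cases.
            findings.append((e.user, e.patient, "no treatment relationship on record"))
            unrelated[e.user] += 1
        if e.patient in watchlist and not is_own:
            findings.append((e.user, e.patient, "watchlisted record viewed (employee/VIP)"))
    for user, n in unrelated.items():
        if n >= burst_threshold:
            findings.append((user, "*", f"{n} unrelated records viewed (possible snooping pattern)"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review(parse_log(LOG), ASSIGNMENTS, OWN_MRN, WATCHLIST):
        print(f"{user:10} {patient:8} {reason}")
```

The review is only as good as the assignment table, which in practice is fed from admissions, orders and scheduling; legitimate access that is not yet reflected there (a consult called in minutes ago, an emergency) is handled by a break-the-glass workflow that records a reason and routes the event to the Privacy Officer instead of silently allowing it.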

True or False?
• After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient's authorization, copies of the patient's skull x-ray as well as a description of the complainant's medical condition. The local newspaper then featured on its front page the individual's x-ray and an article that included the date of the accident, the location of the accident, the patient's gender, a description of the patient's medical condition, and numerous quotes from the hospital about such unusual sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. The investigation also indicated that the disclosures did not meet the Rule's de-identification standard and therefore were not permissible without the individual's authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.