OFFICE OF INFORMATION PRIVACY & SECURITY
HIPAA Privacy & Security, HITECH & NYS Confidentiality Laws Orientation
Stephanie Musso, SBM Chief Information Privacy & Security Officer

HIPAA
H = Health
I = Insurance
P = Portability: created to ensure access to health coverage; allows for continuity in health coverage; prevents denial due to a pre-existing condition(s)
A = Accountability: healthcare fraud is a federal crime; fines and/or jail time may apply; individuals and organizations could face sanctions
A = Act: Privacy and Security Rules

HIPAA Privacy Rule
What is PHI? Any form of information that can identify, relate to or be associated with an individual obtaining health care services.
What is IIHI? Individually Identifiable Health Information: the data elements that make up PHI, such as name, address, SSN, phone number, medical record number, diagnosis, test results, photographs, doctor's notes, health plan information, etc.

Why is there a need for this added protection?
With advances in technology comes the potential for misuse and abuse. Electronic storage of data, e-mail and the World Wide Web all easily allow information to travel outside the organization.

What is Protected?
All manners of communication containing PHI, including: spoken, written and electronic.

When are we permitted to share PHI?
• To provide care
• To obtain payment
• For health care operations

What are our Privacy Goals?
• Maintain our patients' trust (increased patient safety & satisfaction)
• Safeguard our patients' PHI
• Educate our patients as to their rights

PATIENT'S RIGHTS
> request restricted use and disclosure of PHI*
> request to receive communications via an alternate mechanism
> inspect and copy their health information*
> request to amend their medical record
> request an accounting of disclosures*
> file a complaint*

Notice of Privacy Practices
Stony Brook Organized Health Care Arrangement (SBOHCA) NOTICE OF PRIVACY PRACTICES

HIPAA Security Rule
Sets the standards for ensuring that only those who should have access to e-PHI will actually have access, and that the integrity of patient information in electronic systems is maintained.
e-PHI = Electronic Protected Health Information

Information Security
Information Security is the process of protecting data from accidental or intentional misuse by persons inside or outside of Stony Brook Hospital.

HIPAA Information Security Requirements
• Administrative Safeguards (policies, training, audits, etc.)
• Physical Safeguards (locks, privacy screens, etc.)
• Technical Controls (firewalls, encryption, virus protection, etc.)
Note: The Federal HIPAA Security Regulation requirements are in alignment with the NYS Cyber & Information Security Law, TJC standards & the NYS DOH Regs.

How to create a Password?
• Use a combination of alphanumeric characters and symbols consisting of at least 8 letters, numbers, and symbols.
• Passwords are usually case sensitive, so capitalizing random letters makes them even harder to guess.
• Alphabetic: A to Z and a to z
• Numeric: 0 to 9
• Special Characters: ~ ! @ # $ % ^ & * ( ) + = [ ] { } / ? < > , ; : | ` ' " .
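As an added example (not part of the Stony Brook deck), a small Python checker that applies exactly the rule stated above, using the slide's own special-character list. Treating characters outside the three listed classes as disallowed, and treating mixed case as advice rather than a requirement, are this example's assumptions.

```python
import string

# Added example, not from the Stony Brook deck: a checker for the rule the
# slide states. Constraints: at least 8 characters made up of letters,
# numbers and symbols; passwords are case sensitive.
MIN_LENGTH = 8
# Exactly the special characters the slide lists (it omits e.g. '-', '_', '\\').
SPECIALS = frozenset("~!@#$%^&*()+=[]{}/?<>,;:|`'\".")


def check_password(password: str) -> dict:
    """Evaluate a candidate password against the slide's stated rule.

    Returns {"ok": bool, "failures": [...], "warnings": [...]}.  A failure
    violates the stated rule; a warning is the slide's advice (mixed case)
    that the rule itself does not strictly require.
    """
    failures, warnings = [], []
    letters = [c for c in password if c in string.ascii_letters]
    digits = [c for c in password if c in string.digits]
    specials = [c for c in password if c in SPECIALS]
    # Anything outside the three listed classes (space, unicode, '-', ...) is
    # treated as disallowed; that strictness is this example's assumption.
    other = sorted({c for c in password if c not in string.ascii_letters
                    and c not in string.digits and c not in SPECIALS})

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not letters:
        failures.append("no alphabetic character (A to Z, a to z)")
    if not digits:
        failures.append("no numeric character (0 to 9)")
    if not specials:
        failures.append("no special character from the listed set")
    if other:
        failures.append("characters outside the listed classes: " + "".join(other))
    # "Capitalizing random letters makes it even harder to guess."
    if letters and (all(c.isupper() for c in letters) or all(c.islower() for c in letters)):
        warnings.append("letters are all one case; mix upper and lower case")
    return {"ok": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample candidates, including a space (not in any listed class).
    for candidate in ("password", "p@ssw0rd", "Tr0ub4dor&", "Pa$s w0rd"):
        print(candidate, check_password(candidate))
```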

Health Information Technology for Economic & Clinical Health (HITECH)
On February 17, 2009 the Federal Stimulus Bill, or American Recovery and Reinvestment Act (ARRA), was signed into law and included provisions to address the Health Information Technology for Economic and Clinical Health Act (HITECH). Its purpose is to create a national health information infrastructure and widespread adoption of electronic health records through monetary incentives, and to provide enhanced Privacy & Security protections under HIPAA, including increased legal liability for noncompliance and greater enforcement.

What changes should we expect?
• Breach Notification: report misdirected faxes, mail, email, lost portable devices, etc.
• Electronic Copies: patient health information from the EHR
• Individually Directed Privacy Restrictions: for insurance billing
• Vendors/Business Associates: subject to penalties
• Accounting for Disclosures: proposed access logs
• Increased Enforcement and New Penalties: individuals & organizations are subject to the criminal provisions; State AGs can bring civil suit in Federal Courts on behalf of state residents; harmed individuals can receive a % of CMPs or settlement

NYS Confidentiality Laws
HIPAA provides for basic privacy protections. If state law is more restrictive than HIPAA, then state law prevails. In NYS those laws include:
• Article 27-F NYS PHL: Confidentiality of HIV-related information
• NYS MHL: Confidentiality of mental health information, applicable to OMH certified providers & locations
• GINA (Fed & NYS): Genetic Information Non-Disclosure

As an employee what is expected of me?
• Use, access and disclose the minimum necessary to perform your assigned responsibilities (provide treatment to a patient; obtain payment for the services rendered; or perform a healthcare-related function or operation as assigned, e.g. QA/QI, audit, care management/utilization review, teaching, etc.; definitions can be found in Admin P&P LD:0075)
• Do Not Snoop, even if they ask/beg (neighbors, friends, relatives, immediate family members, colleagues)
• Dispose of PHI properly and ensure PHI that is sent electronically is sent to the proper recipient
• When in doubt, ask the HIPAA Privacy Officer (phone 4-5796 or e-mail "HIPAA")

As an employee what is expected of me when using electronic information?
• Remember your username and password are your signature
• Do Not Share usernames/passwords
• Do Not use a generic sign-on/log-on
• Log-Off before walking away from a workstation
• Do not place or post patient information on MOBILE DEVICES (laptops, cellphones, USB/thumb drives) or SOCIAL NETWORK sites
• Be on the lookout for, and report immediately, all unusual or unfamiliar phishing attempts to the HELP-Desk (email Helpdesk or call 4-4357). Do not open or click on any links in these attempts.
• Do Not take pictures of patients with non-approved devices or without patient consent
• Do Not install/download on a SBUH computer without IT approval
• When sending patient information via e-mail, use only SBUH Outlook and send only to another SBUH Outlook user. Remember to send the minimum necessary amount of information needed, ensure you have the correct recipient, and when in doubt contact the HELP-DESK or email "Information Security"

How is HIPAA Enforced?
Civil monetary penalty: civil penalty for inadvertent violation. Fines of $100-$1000 per incident.
EXAMPLE: A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to Starbucks. The hospital & the employee may have to pay a $10,000-$100,000 fine.

OFFICE OF COMPLIANCE & AUDIT SERVICES & INFORMATION SECURITY
Worst Case Scenario...
Criminal Penalties: criminal penalties = large fines + jail time, and increase with the degree of the offense.
Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $250,000 to $1.5 million and/or 10 years in jail.

But are they really taking this seriously?
• CALIFORNIA SURGEON SENTENCED TO JAIL FOLLOWING HIPAA VIOLATION: Former UCLA cardiothoracic surgeon caught snooping in celebrities' medical records and the medical records of his colleagues. Sentence reduced to 4 months in jail and a $2000 fine.
• TUCSON UNIVERSITY MEDICAL CENTER: On January 13, 2011, three clinical support staff and a contracted nurse were fired for "inappropriately accessing the medical records" of the Saturday supermarket shooting victims.
• EMPLOYEES FIRED AT LAS VEGAS-BASED SUNRISE HOSPITAL: Fired after allegedly snooping on basketball star Lamar Odom's medical records and attempting to take photos while he was recovering from a drug overdose.
• LONG ISLAND HEALTH CARE PROVIDER SENTENCED TO 12 YEARS IN PRISON FOR $10 MILLION MEDICARE FRAUD AND HIPAA IDENTITY THEFT: Operated a medical equipment company in Hicksville and used her position to enter nursing homes in order to access/steal patient records. Also falsely assumed the roles of doctor, NP, etc. and accompanied doctors on patient evaluation rounds. Spent stolen Medicare funds on a LI multi-million dollar home, a half-million dollar pension account and luxury items. Was ordered to forfeit $1.3 million seized by the government at indictment.

Really?
• The Most Expensive Subway Ride: Massachusetts General Hospital recently entered into a $1 million Resolution Agreement & Corrective Action Plan with the DHHS Office of Civil Rights. The settlement stemmed from an incident on March 9, 2009, when an employee commuting on the subway removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals, including HIV information.
• CVS/CAREMARK PAYS $2.25M TO SETTLE HIPAA VIOLATION: CVS/Caremark employees were found to be improperly disposing of pill bottles with labels containing patient information into dumpsters, along with medication instruction sheets. (Rite Aid and Walgreens were fined for the same violation.)
• Cignet Health slapped with a $4.3M fine: In February 2011, Maryland-based Cignet Health was fined $4.3 million for its refusal to provide patients with copies of their health records, and for willfully failing to cooperate with the federal government's attempts to resolve the complaint.


File a HIPAA Concern

HIPAA Resources

Questions? Call 4-5796 or Email: HIPAA@stonybrookmedicine.edu
BEST WISHES ON YOUR STONY BROOK CAREER
REVISED 1/11/2016