Health Insurance Portability and Accountability Act

HIPAA:
• Protects health insurance coverage and improves access to care
• Ensures the privacy of healthcare information
• Restricts the use and disclosure of healthcare information

ARRA – American Recovery and Reinvestment Act of 2009:
• HITECH – Health Information Technology for Economic and Clinical Health Act
• New Breach Notification Rules
• Applies to covered entities and business associates
• Intent is to promote health information technology with increased privacy and security
• Increases penalties for violations
• “HIPAA on Steroids”
PHI is Protected Health Information:
• Health information is any information, whether oral, written or electronic, regarding a patient
• Information can be related to past, present, or future physical or mental health conditions

Identifiers:
● Names
● All dates (birth, death, admission, discharge)
● Numbers: Social Security No., Medical Record No., Account No., Encounter No., Phone/Fax Numbers, Health Plan No., Vehicle Identification No./License Plate No.
● Email address
● Biometric identifiers
● Full face photo
● Any other unique identifying number, characteristic or code


A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the privacy, security, or integrity of the PHI.

PHI is unsecured if it is NOT encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals.

• Students/faculty accessing medical records for information on friends or family members out of curiosity/without a business-related purpose
• Student/faculty access to the medical record of a celebrity who is treated at any facility
• Stolen/lost laptop or PDA containing unsecured PHI
• Posting of patient’s PHI on a social media site by student/faculty
• Misdirected e-mail containing PHI sent to an external group list
• Lost flash drive containing a database of patients participating in a clinical study
Some HIPAA-sensitive student service areas might include:
• Lobby information desks
• Family waiting rooms
• Patient care areas
• Clerical/office support

Passwords are like bubblegum:
◦ Strongest when fresh
◦ Should not be shared
◦ Should not be kept under keyboards
◦ If left lying around, can create a sticky mess!
HIPAA rules apply to PHI:
• When you use it
• When you disclose it
• When you store it
• When you see it on your computer
• When you share it with another provider
• When it is lying on your desk
• When you are talking about it in any public area
• When you are talking about it over the phone
Covered entities may use or disclose protected health information for their own TPO:
• Treatment
• Payment
• Health care Operations activities

Incidental Use and Disclosure covers communication needed to provide effective patient care, such as:
• Whiteboards at nurses’ stations
• Doctors conferring with patients’ families
• Waiting room sign-in sheets
• Patient charts at bedside

The following are not incidental use and are not permitted:
• Printed or electronic information left in public view
• Patient charts left on counters
• PHI in regular trash
• Records accessed without a “need to know”
• Unauthorized individuals hearing sensitive patient information such as diagnosis or treatment
• Incorrect phone number when sending a fax
• Laptop or PDA unattended/lost/stolen
• Sending PHI outside of the hospital system without encryption
• Not signing off, sharing passwords
Access to confidential patient information is allowed if you follow the simple “NEED TO KNOW” rule:
• If you need to see patient information to perform your job, access to this information is OK
• If you do not “need to know” confidential information to perform your job, you are NOT permitted to access it
• If you access confidential patient information without a need to know, even your own or that of a family member, you can be subject to corrective action, including termination or dismissal from an educational program
Written notice provided to all patients:
• Describes patient rights
• Details PHI uses and disclosures
• States how PHI is maintained
Posted in prominent locations

If a patient is asked for by their first and last name:
• At Seton, the patient’s location in the facility and general condition may be shared
• At St. David’s HealthCare, the caller will be transferred to the patient’s location; the patient’s general condition may be provided by Clinical Staff only if the patient is unable to communicate
• At Central Texas Medical Center, we release directory information only.
*NOTE: Unless the patient has opted out of the directory

A patient may “opt out” of the patient directory, also known as “Not for Publication” (NFP) status at Seton and “Confidential Patient” at St. David’s HealthCare.
• At Seton, if a patient opts out, the letters NFP will appear under the NFP status column on the patient screen
• At St. David’s HealthCare, if a patient opts out, the letter “c” should appear next to the patient’s name. In addition, a notification will appear on the computer screen indicating you are attempting to access a confidential patient and that your activities will be monitored and action taken if inappropriate
• At Central Texas Medical Center, if a patient opts out, “Release No Information” appears in the Visitor Status column next to the patient’s name on the patient list screen.
These patients will not receive mail, phone calls, flowers, or visitors, as we cannot confirm or deny that the patient is in the facility.
Because social media sites, such as Facebook and Twitter, enable people to easily and instantly share information with friends, family and others around the world, we all must remember to protect patient information.
Even the smallest amount of information that could possibly identify a patient may not be shared.
Wisconsin – a patient was brought into the ER where two RNs, independently, took cell phone photos of the patient’s body part. One of the RNs posted it on her Facebook page. Both RNs were fired. The FBI is investigating this case for HIPAA violations.
Washington – two certified nursing assistants and an LVN were fired from their positions for taking cell phone photos of nude nursing home residents, most of whom had dementia. These individuals have also put the nursing facility in jeopardy of losing its Medicare/Medicaid funding.

Cell phone use can represent a security and privacy risk:
• Most cell phones have cameras, and there is a privacy concern that pictures will be taken of patients or patient information
• Text messaging is not secure and represents a security risk if the text message includes PHI

Protecting the confidential health information of patients is the responsibility of everyone involved:
• Be sensitive to confidential information
• Think before you talk about patient-specific information
• Keep information to yourself if you see or overhear PHI
• Elevators, hallways, cafeterias, gift shops or other common areas are not appropriate places to share PHI
Hospitals must protect the information we collect on patients and their care.
Assure proper disposal of PHI by placing it in secure containers for future shredding.
Examples:
• Surgery Schedules
• Daily Patient Census
NOTE: Students are not allowed to print PHI at any of the hospitals
Safeguard Workstations:
• ALWAYS log off or lock your computer whenever you leave your workstation
• Use a password-protected screensaver as an additional safeguard
• Lock office doors when you’re going to be away from your workstation for long periods of time
User Identification and Passwords:
• You are responsible for any activity done with your Logon User ID
• You are responsible for keeping your password secure
• NEVER share your Logon ID or password
• Protect your computer access


Civil and criminal penalties (hospital and individual)
Exclusion from participation in Medicare programs
Damaged reputation
Place accreditation at risk
Lawsuit for breach of confidentiality
Violation Category | Each Violation | All such violations of an identical provision in a calendar year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000

For health plans, providers, clearinghouses and business associates that:
• Knowingly and improperly disclose information
• Obtain information under false pretenses

Penalties can apply to any ‘person’.
Penalties are higher for actions designed to generate monetary gain.
Action | Fine | Prison
Obtaining/disclosing PHI | Up to $50,000 | Up to 1 year
Obtaining PHI under ‘false pretenses’ | Up to $100,000 | Up to 5 years
Obtaining/disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm | Up to $250,000 | Up to 10 years

Former UCLA Health System employee, the first person to be sentenced to prison (4/2010):
• China-licensed cardiothoracic surgeon performing research at UCLA School of Medicine
• Received notice of intent to terminate
• Accessed supervisor’s, co-workers’ and celebrities’ medical records – no legitimate reason
• No attempt to improperly use or sell any information
• Incarcerated on misdemeanor counts; fined $2,000

Individuals committing HIPAA violations can:
• Lose opportunities to participate in educational programs
• Lose professional licenses
• Be subject to criminal conviction
• Be fined
• Be subject to civil suit

HIPAA violations can ruin careers.
HIPAA and IS Intranet sites
Policies and Procedures
Hotlines:
• Seton Values Line: 1-800-707-2198
• St. David’s Corporate Ethics Hot Line: 1-800-455-1996
• Central Texas Medical Center Ethics Hotline: 1-888-924-8433
Seton Family of Hospitals
• Seton’s Privacy Officer, Vickie Saucedo 512-324-3280
• Seton’s IS Security Officer, Patricia Perry-Williams 512-324-3393
St. David’s HealthCare
• Margie Novak, St. David’s Round Rock Medical Center 512-942-4212 and St. David’s Medical Center / Georgetown Campus 512-341-6441, Margie.novak@stdavids.com
• Chelsea Martel, St. David’s South Austin Medical Center 512-816-7138, Chelsea.Martel@stdavids.com
• Cynthia Colovas, St. David’s Medical Center 512-544-4288 and St. David’s North Austin Medical Center 512-901-1607, Cynthia.Colovas@stdavids.com
Central Texas Medical Center
• Director of Performance Improvement, Angie Loftin 512-753-3690
Reviewed and approved by all parties as of January 10, 2011