Health Insurance Portability and Accountability Act HIPAA: • Protects health insurance coverage, improve access to care • Ensures the privacy of healthcare information • Restricts the use and disclosure of healthcare information ARRA – American Recovery and Reinvestment Act of 2009: • HITECH – Health Information Technology for Economic and Clinical Health Act • New Breach Notification Rules • Applies to covered entities and business associates • Intent is to promote health information technology with increased privacy and security • Increases penalties for violations • “HIPAA on Steroids” 4 PHI is Protected Health Information: • Health information is any information whether oral, written or electronic, regarding a patient • Information can be related to past, present, or future physical or mental health conditions ● ● ● ● Email Address Biometric Identifiers Full Face Photo Any other Unique Identifying No., Characteristic or Code ● ● ● Names All Dates (birth, death, admission, discharge) Numbers: Social Security No. Medical Record No. Account No. Encounter No. Phone/Fax Numbers Health Plan No. Vehicle Identification No./License Plate No. A breach is an unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the privacy, security, or integrity of the PHI PHI is unsecured if it is NOT encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals 7 Students/faculty accessing medical records for information on friends or family members out of curiosity/without a businessrelated purpose Student/faculty access to the medical record of a celebrity who is treated at any facility Stolen/lost laptop or PDA containing unsecured PHI Posting of patient’s PHI on social media site by student/faculty Misdirected e-mail containing PHI to an external group list Lost flashdrive containing database of patients participating in a clinical study 8 Some HIPAA sensitive student service areas might include: • Lobby information desks • Family waiting rooms • Patient care areas • Clerical/office support Passwords are like bubblegum: ◦ ◦ ◦ ◦ Strongest when fresh Should not be shared Should not be kept under keyboards If left lying around, can create a sticky mess! HIPAA rules apply to PHI: • When you use it • When you disclose it • When you store it • When you see it on your computer • When you share it with another provider • When it is lying on your desk • When you are talking about it in any public area • When you are talking about it over the phone Covered entities may use or disclose protected health information for their own TPO: • Treatment • Payment or health care • Operations activities Incidental Use and Disclosure covers communication needed to provide effective patient care, such as: • Whiteboards at nurses stations • Doctors conferring with patients’ families • Waiting room sign-in sheets • Patient charts at bedside Printed or electronic information left in public view Patient charts left on counters PHI in regular trash Records accessed without a “need to know” Unauthorized individuals hearing sensitive patient information such as diagnosis or treatment Incorrect phone number when sending a fax Laptop or PDA unattended/lost/stolen Sending PHI outside of hospital system without encryption Not signing off, sharing passwords Access to confidential patient information is allowed if you follow the simple “NEED TO KNOW” rule: • If you need to see patient information to perform your job, access to this information is OK • If you do not “need to know” confidential information to perform your job, you are NOT permitted to access it • If you access confidential patient information, even your own or that of a family member, you can be subject to corrective action, including termination or dismissal from an educational program Written notice provided to all patients: • Describes patient rights • Details PHI uses and disclosures • States how PHI is maintained Posted in prominent locations If a patient is asked for by their first and last name: • At Seton, the patient’s location in the facility and general condition may be shared • At St. David’s HealthCare the caller will be transferred to the patient’s location and the patient’s general condition may only be provided by Clinical Staff only if the patient is unable to communicate • At Central Texas Medical Center, we release directory information only. *NOTE : Unless the patient has opted out of the directory A patient may “opt out” of the patient directory, also known as “Not for Publication” (NFP) status at Seton and “Confidential Patient” at St. David’s HealthCare At Seton, if a patient opts out, the letters NFP will appear under the NFP status column on the patient screen At St. David’s HealthCare, if a patient opts out, the letter “c” should appear next to the patient’s name. In addition, a notification will appear on the computer screen indicating you are attempting to access a confidential patient and your activities will be monitored and actions taken if inappropriate At Central Texas Medical Center, if a patient opts out, “Release No Information” appears in the Visitor Status Column next to the patient’s name on the patient list screen. These patients will not receive mail, phone calls, flowers, or visitors as we cannot confirm or deny the patient is in the facility Because social media sites, such as Facebook and Twitter, enable people to easily and instantly share information with friends, family and others around the world, we all must remember to protect patient information Even the smallest amount of information that could possibly identify a patient may not be shared Wisconsin – a patient was brought into the ER where 2 RN’s, independently, took cell phone photos of the patient’s body part. One of the RN’s posted it on her Facebook page. Both RN’s were fired. The FBI is investigating this case for HIPAA violations. Washington – Two certified nurses assistants and an LVN were fired from their positions for taking cell phone photos of nude nursing home residents, most of whom had dementia. These individuals have also put the nursing facility in jeopardy of losing their Medicare/Medicaid funding. Cell phone use can represent a security and privacy risk: • Most cell phones have cameras and there is a privacy concern that pictures will be taken of patients or patient information • Text messaging is not secure and represents a security risk if the text message includes PHI Protecting the confidential health information of patients is the responsibility of everyone involved Be sensitive to confidential information Think before you talk about patient-specific information Keep information to yourself if you see or overhear PHI Elevators, hallways, cafeterias, gift shops or other common areas are not appropriate places to share PHI Hospitals must protect the information we collect on patients and their care Assure proper disposal of PHI by placing in secure containers for future shredding: Examples: • Surgery Schedules • Daily Patient Census NOTE: Students are not allowed to print PHI at any of the hospitals Safeguard Workstations ALWAYS log off or lock your computer whenever you leave your workstation Use a password protected screensaver as an additional safeguard Lock office doors when you’re going to be away from your workstation for long periods of time User Identification and Passwords: • You are responsible for any activity done with your Logon User ID • You are responsible for keeping your password secure • NEVER share your Logon ID or password • Protect your computer access Civil and criminal penalties (hospital and individual) Exclusion from participation in Medicare programs Damaged reputation Place accreditation at risk Lawsuit for breach of confidentiality Violation Category Each Violation All such violation of an identical provision in a calendar year Did Not Know $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect – $10,000 - $50,000 $1,500,000 Willful Neglect – Not $50,000 $1,500,000 Corrected Corrected For health plans, providers, clearinghouses and business associates that: • Knowingly and improperly disclose information • Obtain information under false pretenses Penalties can apply to any ‘person’ Penalties are higher for actions designed to generate monetary gain Action Fine Prison Obtaining/disclosing PHI Up to $50,000 Up to 1 year Obtaining PHI under ‘false pretenses’ Up to $100,000 Up to 5 years Obtaining/disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm Up to $250,000 Up to 10 years Former UCLA Health System employee first person to be sentenced to prison 4/2010: • China-licensed cardiothoracic surgeon performing research at UCLA School of Medicine • Received notice of intent to terminate • Accessed supervisor’s, co-workers’ and celebrities’ medical records – no legitimate reason • No attempt to improperly use or sell any information • Incarcerated on misdemeanor counts; fined $2,000 Individuals committing HIPAA violations can: • Lose opportunities to participate in educational programs • Lose professional licenses • Be subject to criminal conviction • Be fined • Be subject to civil suit HIPAA violations can ruin careers HIPAA and IS Intranet sites Policies and Procedures Hotline: • Seton Values Line: 1-800-707-2198 • St. David’s Corporate Ethics Hot Line: 1-800-455-1996 • Central Texas Medical Center Ethics Hotline: 1-888-924-8433 Seton Family of Hospitals • • • • • Seton’s Privacy Officer, Vickie Saucedo 512-324-3280 Seton’s IS Security Officer, Patricia Perry-Williams 512-324-3393 St. David’s HealthCare Margie Novak, St. David’s Round Rock Medical Center 512-942-4212 and St. David’s Medical Center / Georgetown Campus 512-341-6441 Margie.novak@stdavids.com Chelsea Martel, St. David’s South Austin Medical Center 512-816-7138 Chelsea.Martel@stdavids.com Cynthia Colovas, St. Davids Medical Center 512-544-4288 and St. David’s North Austin Medical Center 512-901-1607 Cynthia.Colovas@stdavids.com Central Texas Medical Center • Director of Performance Improvement, Angie Loftin 512-753-3690 Reviewed and approved by all parties as of January 10, 2011