hipaa - GSBS

HIPAA 101:
The Whos, Whats & Whys of
Protecting Patient Privacy
Krista Barnes, Senior Compliance Attorney
Institutional Compliance Office at MD Anderson Cancer Center
GSBS New Student Orientation
August 14, 2013
Privacy Compliance contacts (name, title, areas of expertise, phone, email):

Krista Barnes, J.D.
Senior Compliance Attorney
Responsible for providing legal guidance for and oversight of Privacy Compliance and general compliance matters.
Phone: 713-792-2511
Email: kmbarnes@mdanderson.org

Matthew Bourgeouis, J.D., C.H.P.C.
Associate Legal Officer
Assists in Privacy Compliance matters and provides legal and regulatory guidance/training.
Phone: 713-745-0635
Email: mobourgeois@mdanderson.org

Regina Jackson, M.Ed., R.T.R., C.I.R.C.C., C.H.P.C., C.P.C.
Project Manager
Responsible for managing Privacy Compliance Program activities.
Phone: 713-745-6042
Email: ryjackso@mdanderson.org

Kendra Moriarty, M.H.A.
Senior Compliance Analyst
Conducts projects and investigations involving Privacy Compliance issues.
Phone: 713-792-6841
Email: kcmoriarty@mdanderson.org

Joe Conley Jr., M.B.A.
Senior Compliance Analyst
Conducts projects and investigations involving Privacy Compliance issues.
Phone: 713-745-9789
Email: JLConley@mdanderson.org

Fadi Brian K. Badaoui
Compliance Analyst
Conducts projects and investigations involving Privacy Compliance issues.
Phone: 713-745-6305
Email: fadi.badaoui@mdanderson.org
HI…what?
• Health Insurance Portability & Accountability Act
(HIPAA)
– Defines “protected health information” (PHI) and how we
need to protect it
– Gives patients certain rights with respect to PHI (see our
Notice of Privacy Practices)
– Only applies to “covered entities” (health care providers,
insurers, and healthcare clearinghouses)
• Health Information Technology for Economic and
Clinical Health (HITECH) Act
– Imposes breach reporting obligations on covered entities
– Gave HIPAA “teeth”
What is PHI?
• Protected Health Information
– Health information + Identifying Information
• Health Information: diagnosis, treatment, lab results,
imaging studies, arguably even the fact that someone is
a patient here because our name suggests a cancer
diagnosis
• Identifying Information: 18 types of identifying
information (see next slide).
What are the 18 HIPAA Identifiers?
Identifying information includes the following EIGHTEEN items for an individual and
the individual’s relatives, employers, or household members:
• Names (including initials);
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits;
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a “90 and over” category);
• Phone numbers;
• Fax numbers;
• E-mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by the person who holds the key).
POP QUIZ
You’re working on a research study. The protocol calls for blood
samples to be sent to the study’s sponsor for banking. The samples
are labeled with date and medical record number (no names). The
informed consent promises that all samples will be “de-identified.”
Can you send the samples out like this?
– NO.
– Dates and MRNs are “identifiers”
– You aren’t authorized to send any identifiers
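As an added example (not part of the slides), the Safe Harbor rules from the identifier list applied in code: direct identifiers such as the MRN are dropped, dates are cut to the year, ages over 89 are bucketed, ZIP codes are reduced to three digits, and free text that still carries a phone number or date is flagged for review. Column names, the restricted-ZIP set and the sample label are assumptions constructed for the example; run against the quiz's date-plus-MRN label it reports that the label is not releasable.

```python
import re

# Assumed column names for this example (not from the slides); map your schema onto them.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "fax", "email", "account",
                      "license", "plate", "device_serial", "url", "ip", "photo"}
DATE_FIELDS = {"dob", "admitted", "discharged", "collected", "treated", "died"}
# Patterns that betray an identifier hiding inside a free-text field.
EMBEDDED = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def safe_harbor(record, restricted_zip3=frozenset()):
    """Return (cleaned, findings). restricted_zip3 holds 3-digit ZIP areas with
    20,000 or fewer people (caller-supplied); an empty findings list means no change was needed."""
    cleaned, findings = {}, []
    for key, value in record.items():
        text = str(value)
        if key in DIRECT_IDENTIFIERS:
            findings.append(f"{key}: direct identifier removed")
        elif key in DATE_FIELDS:
            if len(text) > 4:
                findings.append(f"{key}: date reduced to year")
            cleaned[key] = text[:4]                      # keep the year only
        elif key == "age":
            if isinstance(value, int) and value > 89:
                findings.append("age: over 89 bucketed as 90+")
                value = "90+"
            cleaned[key] = value
        elif key == "zip":
            zip3 = "000" if text[:3] in restricted_zip3 else text[:3]
            if zip3 != text:
                findings.append(f"zip: {text} reduced to {zip3}")
            cleaned[key] = zip3
        else:
            hits = [n for n, p in EMBEDDED.items() if isinstance(value, str) and p.search(value)]
            if hits:
                findings.append(f"{key}: free text still contains {', '.join(hits)}; needs review")
            cleaned[key] = value                         # kept, but flagged for a human
    return cleaned, findings

def releasable(record, restricted_zip3=frozenset()):
    """True only if the record, as given, carries nothing the Safe Harbor rules would touch."""
    return not safe_harbor(record, restricted_zip3)[1]

# Constructed sample label (made-up values) like the one in the blood-sample quiz.
SAMPLE_LABEL = {"mrn": "0048211", "collected": "2013-08-14", "zip": "77030", "age": 92,
                "diagnosis": "Stage II breast cancer",
                "notes": "Family contact 713-555-0142 after 8/1/2013 visit"}
```

Note that a cleaned record whose free text was flagged is still not releasable: the function generalizes structured fields but leaves prose for a person to redact.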
What does HIPAA say?
• HIPAA General Rule: You may not use or disclose PHI
without the patient’s Authorization, unless the use or disclosure falls
under one of the regulatory exceptions, which include:
– Treatment (e.g., nurse talking to a doctor, talking to another physician
about a common patient)
– Payment (e.g., billing insurance)
– Healthcare Operations (e.g., for formal internal training programs,
quality improvement)
– Certain research purposes (IRB waiver, preparatory to research)
– De-identified data
• Research uses and disclosures of PHI are governed by the
protocol, informed consent and authorization document, and/or
an IRB waiver
Who can look at PHI?
You may only access PHI if you have a legitimate work-related
reason for doing so.
• Six Fired for Keeping up with the Kardashian
http://www.healthcareitnews.com/news/kardashian-hipaa-breach-catastrophe
• Harris Hospital District Fires 16 Over Privacy
http://www.chron.com/news/houston-texas/article/Harris-hospital-district-fires-16-over-privacy-1736905.php
POP QUIZ
You are entering data for a study into a spreadsheet. You notice that the mom of
your best friend from Junior High is one of the subjects. You didn’t even know
she had cancer! You feel awful and want to help your friend’s family, maybe by
sending flowers or taking dinner over. You log into ClinicStation to see when her
last appointment was and how she is doing. You’re very sad to learn that she
passed away last month. You post on your friend’s Facebook page, “I just heard
about your mom passing away, I’m so sorry.”
Have you violated HIPAA?
A. No. There’s no way anyone would know that you learned about her death
from looking in her medical record.
B. No. HIPAA doesn’t apply after death.
C. Yes. People who work at covered entities can’t use social media.
D. Yes. You accessed the mom’s record without authorization, and then
disclosed her PHI on Facebook.
Answer: D.
What’s the big deal?
• Use or disclosure of protected health information
(“PHI”) in a manner that doesn’t comply with HIPAA is
a violation of federal (and probably state) law
• An unauthorized use or disclosure that compromises
the patient’s privacy may be a “breach” of PHI
– Breaches are reported to the patient, the government, and if
big enough, the media
– Breaches compromise patient privacy; patients’ trust in the
hospital/institution; the hospital’s reputation; can cost big
$$, and may cost you your career
– Fines for HIPAA violations: $100 to $50,000 per day, up to
a maximum of $1.5 million for the same violation in any
one year
What is at stake?
• Alaska Medicaid
– Unencrypted USB hard drive stolen from employee’s car
– $1.7 million settlement
• Massachusetts hospital
– Theft of unencrypted laptop containing prescription & clinical
information
– $1.5 million settlement
• UCLA
– Researcher accessed coworkers’ and celebrities’ medical records
without authorization
– Prosecuted and sentenced to 4 months in prison
• MD Anderson examples
http://www.chron.com/news/houston-texas/article/M-D-Andersonloses-device-with-patient-data-3796918.php
What happened here?
• 2012: laptop stolen from researcher’s home contained
30,000 patients’ data
• 2012: lost jump drive contained 2200 research subjects’ data
• 2013: lost jump drive contained 3600 research subjects’ data
http://www.chron.com/news/houston-texas/article/M-DAnderson-loses-device-with-patient-data-3796918.php
Pop Quiz: What would have prevented all 3 of these breaches?
Answer: ENCRYPTION
What you can do to protect PHI
• Accessing PHI
– Access PHI on encrypted devices only (laptops, jump drives, BlackBerry).
– Never access the medical record of a celebrity, friend, family member, or
coworker (unless it is your job to do so).
• Storing PHI
– Do not store PHI in the cloud unless sanctioned by the institution (e.g.,
MDACC box.com account)
– Limit physical access to PHI (lock cabinets, use folders).
– Shred (do not recycle!) paper and wipe devices when finished.
• Transporting PHI
– Do not leave devices or paper files in your car.
– ENCRYPTED DEVICES ONLY!
• Email
– Encrypt emails in transit.
– Don’t email PHI to your personal email account.
• Social Media
– Never post about a patient/subject on social media
ONE LAST POP QUIZ
You’re helping an MD Anderson PI and a collaborator from UT Health Science Center
on a research study. The data relates to live human subjects, and is stored in a
spreadsheet that you saved to the MD Anderson server. It contains medical record
numbers, study ID numbers, treatment dates, diagnoses, and drugs administered.
• The collaborator wants you to send him the data on a CD. Should you?
– First, is it PHI?
• Yes (treatment dates, maybe study ID numbers, maybe genomic sequencing data = identifiers)
– Second, is the data allowed to leave MD Anderson?
• Check the protocol and informed consent document to see if PHI can leave MD Anderson and be shared with an outside collaborator.
– Is the CD a permissible way to send PHI?
• Send on an encrypted CD and send the password separately, or ask InfoSec for more options.
• The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you?
– No. Dropbox is not necessarily secure, your consent probably doesn’t say that you’ll be storing data on that site, and we do not have a Business Associate Agreement with Dropbox. Box.com is the only option right now (through MD Anderson’s institutional box.com account).
Reporting Privacy Incidents
• What to do if a privacy incident occurs:
– Report incidents quickly to:
• Institutional Compliance Office at 713-745-6636 or Privacy
Hotline at 1-888-337-7497
– Document everything
– Report to IRB as unanticipated problem (if research)
– Report lost or stolen computers, BlackBerrys, jump drives
to:
• UTPD: 713-792-5890
• 4-INFO: 713-794-4636
• Departmental asset manager
Compliance Concerns
• It is every Workforce Member’s responsibility to report a violation or a
potential violation
• Failure to report a violation or potential violation may subject you to
disciplinary action
• To report compliance concerns:
- Call the Institutional Compliance Office (713-745-6636)
- Page the Chief Compliance Officer (713-792-7090)
- Call the Fraud and Abuse Hotline (1-800-789-4448)
- Call the Privacy Hotline (1-888-337-7497)
IMPORTANT: All discussions and reports are treated confidentially and may be
made anonymously
Suspected fraud, waste, and abuse involving state resources
• State Auditor’s Office Hotline (1-800-892-8348).
Non-Retaliation
• Workforce Members should not hesitate to report any suspected
violations out of fear of retaliation
• Non-Retaliation Policy
(UTMDACC Institutional Policy #ADM0254)
Questions?
Krista Barnes
Senior Compliance Attorney,
Privacy Compliance
kmbarnes@mdanderson.org
713-792-2511