HIPAA (Health Insurance Portability & Accountability Act)

COLUMBIA UNIVERSITY MEDICAL CENTER
Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
Privacy & Information Security Training
2010
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)

- Insurance Reform [Portability]
- Fraud and Abuse [Accountability]
- Administrative Simplification
  o Transactions, Code Sets, & Identifiers - Compliance Date: 10/16/2002 and 10/16/03
  o Privacy - Compliance Date: 4/14/2003
  o Security - Compliance Date: 4/20/2005
  o HITECH (Health Information Technology for Economic and Clinical Health) - 9/18/2009
Who Needs HIPAA Training?
All staff working at CUMC should receive HIPAA Privacy and Security training:

- Clinical – Patient Care requirements
- Research – HIPAA research requirements
- Administration – Billing, Fundraising, Marketing, Public Relations & other Business functions
Privacy & Security Concerns

- Theft of Patient Data – Identity Theft
- Loss of Patient Data – Stolen laptop, Incorrect disposal, USB Drives
- Misuse of Patient Data – Privacy Breach
In the News

THEFT
An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients.

LOSS
CVS Caremark Corp. paid $2.25 million to settle allegations that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.

MISUSE
27 employees were disciplined for a privacy breach related to the Octomom. Two were fired, nine were disciplined, and 16 resigned. The LA Hospital was also fined $250,000.
HIPAA Guidance – Top 5
Privacy Guidance

1. Provide patient with the Notice of Privacy Practices
2. Shred patient information – disposal
3. Telephone Guidance – Messages & requests for patient information
4. Use and Disclose Medical Information Correctly
   o Release of medical information
   o Minimum necessary
5. Fax patient information utilizing a cover sheet
New Requirements for Patients

- Notice of Privacy Practices must be offered to the patient at the time of their first visit. On first visit only, not every visit.
- Tells patients their specific rights regarding their health information.
- A signed acknowledgement must be placed in the patient's medical record and documented in IDX.
Notice of Privacy Practices

Patients have the right to:

- Request restrictions on release of their PHI
- Receive confidential communications
- Inspect and copy medical records (access)
- Request amendment to medical records
- Make a complaint
- Receive an accounting of any external releases
- Obtain a paper copy of the Notice of Privacy Practices on request
Use or Disclosure of Medical Information

- Written Authorization required to release medical information
- Physician may share information with referring physician ("patient in common") without an authorization
- Emergency request for medical information should be documented in the medical record.
HIPAA Guidance – Top 5
Information Security

1. Never share your password
2. Ensure that you sign off of an application after use
3. Secure (encrypt) portable electronic devices with patient information
4. Social Security numbers should not be used (e.g., in databases) when not required
5. Promptly report loss or theft of electronic devices with protected health information and inform the Privacy Officer of improper use / privacy breach
Electronic Access is Recorded

- Your access to Crown, WebCIS, Eclipsys, and other clinical electronic systems is recorded and subject to audit
- Periodic audits are done and access is monitored
- If you access medical information without a legitimate business purpose you will be disciplined
- Do not access the medical records of friends, family members, coworkers or anyone else.
Privacy/Security Breaches
Ponemon Study on Data Breaches (Nov 2007) – breach causes by share of incidents:

  Lost laptop/Device ........ 48%
  Third Party/Outsourcer .... 16%
  Malicious insider ......... 9%
  Paper records ............. 9%
  Electronic backup ......... 7%
  Hacked system ............. 5%
  Malicious code ............ 4%
  Undisclosed ............... 2%
E-Mail Security
E-Mail is like a "postcard." It may pass through several post offices and is readable at each of them.

- Use secure, encrypted E-Mail software, if available
- If you send an attachment with ePHI: encrypt the file or do not send the attachment via e-mail!
- Avoid using individual names, medical record numbers or account numbers in unencrypted e-mails
- Do not forward E-Mails with ePHI/PII from secure addresses (CUMC/NYP) to non-secure accounts, e.g., Google, Hotmail, AOL.
HITECH Act (ARRA)
Health Information Technology for Economic and Clinical Health

New Federal Breach Notification Law – Effective Sept 2009

- Applies to all electronic "unsecured PHI"
- Requires immediate notification to the Federal Government if more than 500 individuals affected
- Annual notification if fewer than 500 individuals affected
- Requires notification to a major media outlet
- Breach will be listed on a public website
- Requires individual notification to patients
- Criminal penalties apply to an individual or employee of a covered entity
- Increased Enforcement & Fines for Breaches
New York State SSN/PII Laws
Information Security Breach and Notification Act

- Effective December 2005
- IF… a breach of Personally Identifiable Information occurs:
  o SSN
  o Credit Card
  o Driver's License
- THEN… Must notify:
  o patients / customers / employees
  o NY State Attorney General
  o Consumer reporting agencies

http://www.cumc.columbia.edu/hipaa
HIPAA Research Training
All researchers are required to complete HIPAA Research online training in addition to the HIPAA general training.

Researcher Training: Register on RASCAL: www.rascal.columbia.edu
Information Security Reminders

- ENCRYPT!
- Password protect computer/data
- Keep office secured
- Dispose of Information Correctly
- Use institutional E-mail
- Run Anti-virus, Anti-spam & Anti-spyware software
Questions & Answers

Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
212-305-7315
kpagliaro@columbia.edu
HIPAA@columbia.edu

Irina Mera
Administrative Assistant
Columbia University Medical Center
212-342-0059
im2119@columbia.edu