COLUMBIA UNIVERSITY MEDICAL CENTER
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Privacy & Information Security Training 2010

HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)
- Insurance Reform [Portability]
- Fraud and Abuse [Accountability]
- Administrative Simplification
  - Transactions, Code Sets & Identifiers – Compliance Date: 10/16/2002 and 10/16/03
  - Privacy – Compliance Date: 4/14/2003
  - Security – Compliance Date: 4/20/2005
  - HITECH (Health Information Technology for Economic and Clinical Health) – 9/18/2009

Who Needs HIPAA Training?
All staff working at CUMC should receive HIPAA Privacy and Security training:
- Clinical – Research – Administration – Patient Care requirements
- HIPAA research requirements
- Billing, Fundraising, Marketing, Public Relations & other business functions

Privacy & Security Concerns
- Theft of Patient Data
  - Identity Theft
- Loss of Patient Data
  - Stolen laptop
  - Incorrect disposal
  - USB drives
- Misuse of Patient Data
  - Privacy Breach

In the News……
- THEFT: An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients.
- LOSS: CVS Caremark Corp. paid $2.25 million to settle allegations that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.
- MISUSE: 27 employees were disciplined for a privacy breach related to the Octomom. Two were fired, nine were disciplined, and 16 resigned. The LA hospital was also fined $250,000.

HIPAA Guidance – Top 5 Privacy Guidance
1. Provide patients with the Notice of Privacy Practices
2. Shred patient information – disposal
3. Telephone Guidance – messages & requests for patient information
4. Use and Disclose Medical Information Correctly
   - Release of medical information
   - Minimum necessary
5. Fax patient information utilizing a cover sheet

New Requirements for Patients
- The Notice of Privacy Practices must be offered to the patient at the time of their first visit (on the first visit only, not every visit).
- It tells patients their specific rights regarding their health information.
- A signed acknowledgement must be placed in the patient’s medical record and documented in IDX.

Notice of Privacy Practices
Patients have the right to:
- Request restrictions on release of their PHI
- Receive confidential communications
- Inspect and copy medical records (access)
- Request amendment to medical records
- Make a complaint
- Receive an accounting of any external releases
- Obtain a paper copy of the Notice of Privacy Practices on request

Use or Disclosure of Medical Information
- Written authorization is required to release medical information.
- A physician may share information with a referring physician (“patient in common”) without an authorization.
- An emergency request for medical information should be documented in the medical record.

HIPAA Guidance – Top 5 Information Security
1. Never share your password
2. Ensure that you sign off of an application after use
3. Secure (encrypt) portable electronic devices with patient information
4. SSNs should not be used (e.g., in databases) when not required
5. Promptly report loss or theft of electronic devices with protected health information, and inform the Privacy Officer of improper use / privacy breach

Electronic Access is Recorded
- Your access to Crown, WebCIS, Eclipsys, and other clinical electronic systems is recorded and subject to audit.
- Periodic audits are done and access is monitored.
- If you access medical information without a legitimate business purpose, you will be disciplined.
- Do not access the medical records of friends, family members, coworkers or anyone else.

Privacy/Security Breaches
Ponemon Study on Data Breaches (Nov 2007) – breach causes by share:
- Lost laptop/device: 48%
- Third party/outsourcer: 16%
- Malicious insider: 9%
- Paper records: 9%
- Electronic backup: 7%
- Hacked system: 5%
- Malicious code: 4%
- Undisclosed: 2%

E-Mail Security
- E-mail is like a “postcard”: it may pass through several post offices and is readable at each of them.
- Use secure, encrypted e-mail software, if available.
- If you send an attachment with ePHI: encrypt the file or do not send the attachment via e-mail!
- Avoid using individual names, medical record numbers or account numbers in unencrypted e-mails.
- Do not forward e-mails with ePHI/PII from secure addresses (CUMC/NYP) to non-secure accounts, e.g., Google, Hotmail, AOL.

HITECH Act (ARRA)
Health Information Technology for Economic and Clinical Health
New Federal Breach Notification Law – Effective Sept 2009
- Applies to all electronic “unsecured PHI”
- Requires immediate notification to the Federal Government if more than 500 individuals are affected
- Annual notification if fewer than 500 individuals are affected
- Requires notification to a major media outlet
- Breach will be listed on a public website
- Requires individual notification to patients
- Criminal penalties apply to an individual or employee of a covered entity
- Increased enforcement & fines for breaches

New York State SSN/PII Laws
Information Security Breach and Notification Act – Effective December 2005
IF… a breach of Personally Identifiable Information occurs:
- SSN
- Credit card
- Driver’s license
THEN… must notify:
- Patients / customers / employees
- NY State Attorney General
- Consumer reporting agencies

http://www.cumc.columbia.edu/hipaa

HIPAA Research Training
- All researchers are required to complete HIPAA Research online training in addition to the HIPAA general training.
- Researcher Training: register on RASCAL: www.rascal.columbia.edu

Information Security Reminders
- ENCRYPT!
- Password protect computer/data
- Keep office secured
- Dispose of information correctly
- Use institutional e-mail
- Run anti-virus, anti-spam and anti-spyware software

Questions & Answers
Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
212-305-7315
kpagliaro@columbia.edu
HIPAA@columbia.edu

Irina Mera
Administrative Assistant
Columbia University Medical Center
212-342-0059
im2119@columbia.edu