Information Privacy and Security - Community Medicine and Health

HIPAA/HITECH
Privacy and Security
Student Training
Academic Year 2014-2015
Introduction
Welcome to HIPAA/HITECH Privacy and Security training.
As you may know, all health care organizations are required to comply
with HIPAA/HITECH Privacy and Security Regulations. These
regulations have undergone several updates, the latest of which were
enacted in 2013. As UConn Health School of Medicine, School of
Dental Medicine, and graduate students you most likely will have
access to patients’ confidential health information and, therefore, are
required to complete HIPAA/HITECH education.
Thank you for completing this important training. Continuation in your
educational program is contingent upon completion of this training.
When it comes to privacy and accountability, people
always demand the former for themselves and the
latter for everyone else.
David Brinkley
UConn Health’s Confidentiality Policy
- “All individuals are expected to be professional and maintain confidentiality at all times, whether dealing with actual records, projects, or conversations…”
- “All individuals having access to confidential information are bound by strict ethical and legal restrictions…”
Refer to UCHC policy # 2002-43 Confidentiality
What types of information must UCHC protect?
- Medical/Dental/Behavioral Health-related patient information.
- Research data requiring protections (clinical trials, patient survey responses, etc.) as required by the NIH.
- Student information.
- Employee human resources and financial information.
- Any information about employees, students, patients, Board Members, etc. which includes Social Security numbers.
- Financial information.
- IDs and/or Passwords for access to UConn Health computing resources.
- Other confidential or sensitive UConn Health information not in the public domain.
HIPAA/HITECH
Privacy and Security
HIPAA at a Glance
- HIPAA stands for: Health Insurance Portability and Accountability Act
- The “Health Insurance Portability” (HIP) part of HIPAA was intended to ensure the continuity of health insurance coverage for workers changing jobs.
  - To facilitate this goal, Congress mandated national standards for transmitting and protecting health information.
- The “Accountability” part of HIPAA was designed to ensure the security and confidentiality of patient information/data and requires uniform standards for electronic transmission of data relating to patient health information.
HIPAA Privacy
- The HIPAA Privacy Rule was enacted to:
  - establish national privacy protection standards for all forms of health information created by “covered entities”, including health care providers.
  - set limits on the uses and disclosures of such information.
  - give patients rights over their health records.
HIPAA Security
- The HIPAA Security Rule was enacted to:
  - establish national standards for the security of electronic health information (ePHI).
  - protect individuals’ ePHI that is created, received, used or maintained by covered entities.
  - outline administrative, technical and physical procedures to ensure the confidentiality, integrity and availability of ePHI.
What is HITECH?
- HITECH stands for: Health Information Technology for Economic and Clinical Health Act
- It is part of the American Recovery and Reinvestment Act (ARRA).
  - Interim rule enacted in 2009.
- Widened the scope of privacy and security protections under HIPAA.
- Included health care information technology incentives such as:
  - creating a national health care infrastructure.
  - adopting an electronic health record (EHR) system.
- The HITECH final rule was enacted in January 2013.
  - Made a significant number of changes to HIPAA Privacy and Security.
We’ve Come a Long Way… Maybe
- Electronic data transmission is a double-edged sword.
- More technology = increased vulnerability of personal information.
- As technology changes we have to do more to protect that information.
- The confidential information we come in contact with every day is only as safe as our weakest link.
What is Protected Health Information (PHI)?
- Any type of individually identifiable health information in any format including:
  - Paper or other media
  - Verbal
  - Photographed or duplicated
  - Electronically maintained and/or transmitted
What makes PHI identifiable?
Any unique number, code or characteristic that links information to a specific individual such as:
- Name
- Address
- Zip Code
- Telephone number
- Fax number
- Photographs
- Fingerprints
- Email address
- Internet address
- Dates
- Social Security Number
- Medical Record Number
- Patient Account Number
- Insurance Plan Numbers
- Vehicle Information
- License Numbers
- Medical Equipment Numbers
What is “de-identified” information?
- Information in which specific pieces (identifiers) have been removed so that it cannot be linked to any individual or be re-identified.
- If patient information is de-identified it is not considered PHI and is not protected under the HIPAA privacy regulations.
Refer to UCHC Policy # 2003-29:
Creation, Use and Disclosure of De-identified PHI
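As an added illustration written for this page (not part of the training and not UConn Health’s own tooling), the following Python sketch applies the identifier list above to a constructed patient record: it drops the structured identifier fields, redacts identifier patterns that survive inside free-text notes, and then audits the result so that anything left over is still treated as PHI. The field names, the sample record and the regular expressions are assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Structured fields that map to the identifier categories listed on this slide.
# The field names are assumptions for this example, not a UConn Health schema.
IDENTIFIER_FIELDS = {
    "name", "address", "zip_code", "telephone", "fax", "email", "ip_address",
    "date_of_birth", "admission_date", "ssn", "medical_record_number",
    "account_number", "insurance_plan_number", "vehicle_id", "license_number",
    "device_serial", "photo_url", "fingerprint_template",
}

# Identifier patterns that often survive inside free-text notes. Order matters:
# MRNs, dates and phone numbers are redacted before the 5-digit zip pattern so
# the zip rule does not fire on digits that belong to another identifier.
FREE_TEXT_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def redact_free_text(text: str) -> Tuple[str, List[str]]:
    """Replace identifier patterns in a note; return the note and the categories hit."""
    hits: List[str] = []
    for category, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED-{category}]", text)
        if count:
            hits.append(category)
    return text, hits


def deidentify(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Drop identifier fields, redact free text, and list what was removed."""
    removed: List[str] = []
    clean: Dict[str, str] = {}
    for name, value in record.items():
        if name in IDENTIFIER_FIELDS:
            removed.append(name)
            continue
        value, hits = redact_free_text(value)
        removed.extend(hits)
        clean[name] = value
    return clean, sorted(set(removed))


def residual_identifiers(record: Dict[str, str]) -> List[str]:
    """Audit a record that is claimed to be de-identified. Anything reported
    here means the data is still PHI and must not be handled as de-identified."""
    found = {name for name in record if name in IDENTIFIER_FIELDS}
    for value in record.values():
        for category, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                found.add(category)
    return sorted(found)


# Constructed sample record for this example; every value is made up.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Doe",
    "medical_record_number": "48213",
    "date_of_birth": "1979-03-14",
    "zip_code": "06030",
    "diagnosis": "Type 2 diabetes",
    "note": ("Seen 04/02/2014, MRN 48213. Call back at 860-555-0142 or "
             "jane.doe@example.com. Lives in 06030."),
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD)
    print("identifiers present before:", residual_identifiers(SAMPLE_RECORD))
    print("removed:", removed)
    print("after:", clean, "residual:", residual_identifiers(clean))
```

The audit step is the part that matters in practice: a record is only de-identified when the check finds nothing, not when someone believes the identifiers were removed.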
Knowledge Check
Which of the following is not considered Protected Health Information
(PHI) under HIPAA:
A. An EKG report for a participant in a human subject research study.
B. A discharge summary for a John Dempsey Hospital patient.
C. A photo used for medical student education showing only a wound
on the hand of an unidentified patient.
D. A patient invoice that includes a listing of diagnostic lab tests
completed.
Genetic Information
- Genetic information, including family history, is considered PHI under HIPAA.
- Includes:
  - genetic tests, requests for genetic services, or participation in clinical research that includes genetic services by an individual or his/her family member.
  - any manifestation of a disease in the individual’s family member.
- Genetic information may not be used for underwriting purposes.
Protecting PHI
- All health information that can be linked in any way to an individual must be protected under HIPAA.
- As an institution, UConn Health has an obligation to protect the privacy of patient information and maintain the security of that information on our electronic systems.
- Everyone must be vigilant in their efforts to handle confidential information in a way that prevents improper exposure.
- HIPAA is ultimately about patients and their right to expect protection of their health information.
Patient Rights under HIPAA
Patient Rights
- Patients have the right to:
  - Receive an accounting of certain disclosures of PHI.
  - View and obtain copies of their records.
  - Request an amendment to their medical records.
  - Request that any communication related to PHI be directed to a specific location.
  - Request restrictions on the use or sharing of their information.
  - Receive the UConn Health “Notice of Privacy Practices” (NPP) outlining these rights.
Patient Right to an Accounting of Disclosures
- Upon request, patients must be provided a list of all PHI disclosures made outside of the institution including:
  - disclosures of which the patient may not otherwise be aware.
  - improper disclosures resulting in a breach.
- An accounting of such disclosures is maintained in the patient’s medical record on the “Protected Health Information Disclosure Tracking Log”.
Patient Right to an Accounting of Disclosures (continued)
- Disclosures exempt from the accounting requirement include:
  - those for treatment, payment or healthcare operations (TPO).
  - those directed to the patient or in response to the patient’s authorization.
Refer to UCHC policy # 2003-18:
Accounting of Disclosures of Protected Health Information to Patients and to the Protected Health Information Disclosure Tracking Log
Knowledge Check
Any access, use or disclosure of a patient’s PHI that is determined to
be a breach must be logged on the “Protected Health Information
Disclosure Tracking Log”.
True
False
Patient Right to View His/Her Record
- Patients have a right to view their records upon request.
- Only written requests using the UCHC “Request to View Record/Notification of Approval or Denial to View” form are accepted.
- Requests are reviewed with the patient’s attending of record to determine whether the request will be honored.
- UConn Health and the physician will provide a written response to the patient regarding any request denial.
- Original records are the property of UConn Health and may not be removed from the facility except by court order.
Refer to UCHC policy # 2003-17-A:
Patient Right to View His/Her Medical and/or Billing Record
Patient Right to Obtain a Copy of His/Her Medical/Dental or Billing Records
- Patients also have the right to request copies of their PHI in any form they choose or is mutually agreed upon, provided PHI is readily producible in that format.
- If PHI is maintained electronically, UConn Health is required to provide an electronic copy at the patient’s request.
- However, UConn Health is not required to provide unlimited format choices.
Refer to UCHC policy # 2003-17-B:
Patient Right to Copy His/Her Medical and/or Billing Record
Patient Right to Send Record Copies to Others
- Patients may also request that copies of their medical records be sent to other designated individuals.
- Requests must be made in writing, clearly identifying the designated recipient and where to send the copy.
- Records may be provided in an unencrypted form if the patient understands the risk and agrees in writing.
- It is recommended that records not be sent via email.
Patient Requests for Record Copies
- Patient requests for record copies must be addressed (granted or denied) within 30 days.
- A one-time 30-day extension is allowed with patient notification.
- A reasonable, cost-based fee may be charged.
- Requests for record copies may be denied under certain circumstances.
- Patients have a right to appeal a denial.
Patient Right to Amend His/Her Medical Record
- Patients can request corrections be made to any inaccurate or incomplete information in their medical, research, or billing records.
- Only written requests are accepted.
- A request to amend may be denied.
- The patient may write a disagreement, to which UConn Health may write a rebuttal.
- Copies of all such documentation are maintained in the patient’s record.
Refer to UCHC policy # 2003-17-C:
Patient Right to Amend Their Medical and/or Billing Record and Request for Amendment of Health Information form.
Patient Right to Confidential Communications
- UConn Health must honor all patient requests to receive communications of PHI from UConn Health by alternative means or at alternative locations.
- Follow the steps outlined in UCHC policy # 2003-15: Patient Right to Request Confidential Communications
Patient Right to Restrict Disclosures to Health Care Plans
- UConn Health must honor patient requests to restrict certain disclosures of PHI to health plans if:
  - the disclosure is to carry out payment or healthcare operations.
  - the disclosure is not required by law.
  - the PHI pertains solely to a health care item or service for which the patient or other person has paid out of pocket and in full.
Notice of Privacy Practices (NPP)
- The Notice of Privacy Practices is UConn Health’s pledge to patients to keep their medical, dental and billing information private.
- The NPP describes to patients:
  - How their PHI is used and disclosed.
  - Their rights regarding health information.
  - How to exercise those rights.
Notice of Privacy Practices (NPP)
- The NPP must be:
  - provided to all patients (excluding inmate/patients).
  - acknowledged by anyone receiving the notice.
  - posted in a prominent location.
  - available on UConn Health’s website.
Refer to UCHC policy # 2003-13:
Permission to Treat/Assignment of Benefits/Authorization to Release Medical/Dental Records/Acknowledgment of Receipt: Notice of Privacy Practices (Privacy and Security of Protected Health Information (PHI))
Patient Authorizations Regarding Their PHI
Sharing PHI Without Authorization: Remember “TPO”
- In order to access, use or share PHI without a signed patient authorization the purpose must be related to:
  - Treatment within and between healthcare providers across UCHC or in the community.
  - Payment for treatment.
  - Operations, i.e. normal UConn Health business activities:
    - Quality improvement
    - Training
    - Audit/legal/compliance reviews
    - Evaluating caregiver performance
Sharing PHI without Authorization
- Other than TPO, Protected Health Information (PHI) may be shared without a signed authorization for the following reasons:
  - Public Health Activities
    - Preventing or controlling disease
    - Reporting abuse, neglect or domestic violence
    - FDA-regulated product safety
  - To provide information to coroners, medical examiners, or funeral directors.
Refer to UCHC policy # 2003-27:
Use and Disclosure of PHI Where Authorization or Opportunity for Patient to Agree or Object is NOT Required
Sharing PHI without Authorization
- Reasons other than TPO (continued):
  - Organ donation.
  - Health oversight activities:
    - Audits
    - Civil, administrative, or criminal investigations
    - Inspections
  - Court order or subpoena.
  - For law enforcement purposes related to crimes, provided certain criteria are met.
Disclosure of Patient Information to the Public and Community Clergy Members
- Unless a patient objects, UConn Health may disclose that patient’s location (hospital room and telephone number) to persons that inquire about that patient by name.
- Members of the clergy will also be provided with a patient’s religious affiliation unless the patient objects.
Refer to UCHC policy # 2003-26:
Directory Information: Disclosure of a Patient’s Information
Communicating with a Patient’s Family and Friends
- PHI should never be shared with a patient’s family member, friend or others involved in a patient’s care unless the patient has given permission to do so.
- A patient can indicate during a discussion with caregivers that a particular person may be included in that discussion of medical and/or financial information.
- If a patient is unable to communicate his/her wishes for any reason, UConn Health may determine whether a particular disclosure is in the best interest of the patient.
Refer to policy # 2003-25:
Use and Disclosure Involving Family and Friends
Knowledge Check
Maria is a dental student and has assisted with a procedure in the dental
surgery center. The patient’s neighbor has arrived to give the patient a ride
home after the procedure and is waiting with the patient. Maria needs to
review some information with the patient related to the procedure and
follow-up recommendations but she isn’t sure if the patient has given
permission to communicate with her neighbor. What should she do?
A. Review the information privately with the neighbor first since she is
taking the patient home.
B. Review the information with the patient and neighbor together since
the patient must approve if the neighbor is in the room.
C. Ask the patient’s permission to review the information in front of her
neighbor.
D. Discharge the patient and plan to review the information during her
next clinic appointment.
Disclosures Regarding Decedents
- Care providers may disclose PHI to a family member or person who was involved in the care of a deceased patient unless otherwise expressed by the decedent while he or she was alive.
- Use your knowledge or best judgment regarding disclosure.
- HIPAA no longer applies to individuals who have been deceased for more than 50 years.
When is a patient authorization required?
- In general, if the reason for access, use, or disclosure of information is not related to “TPO” you must have a signed patient authorization.
- Never access, use or disclose PHI without a patient’s consent, if indicated.
Refer to UCHC policy # 2003-16:
Authorization for Release of Information and associated authorization form.
Patient Authorizations
- A valid authorization includes specific requirements:
  - PHI to be released
  - Who may release the information
  - Who may receive the information
  - Purpose of the disclosure
  - Expiration date
  - Signature of patient or patient representative
- Use only UConn Health HIPAA-compliant authorization forms.
- A patient may withdraw authorization at any time except to the extent that UConn Health has already used or released information under a valid authorization.
Refer to policy # 2003-16: Authorization for Release of Information.
Knowledge Check
A signed patient authorization gives UCHC permission
to disclose any and all parts of a patient record.
True
False
Protecting Confidential Patient Information
Minimum Necessary Rule
- Except for treatment purposes, limit access, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose.
- Access, use or disclose:
  - Only PHI needed to complete an assigned task in your student role, and
  - Only when the specific PHI is necessary to perform that task.
- Unless you need certain patient information to carry out your student responsibilities, do not access that information.
Refer to policy # 2003-21: Minimum Necessary Data
Students’ friends and family: Access and Disclosure
- Unless required for a specific treatment-related task, students may not:
  - Access family’s or friends’ information, even if they ask you to do so.
  - Access supervisors’ or other residents’/students’ information, even if they ask you to do so.
- Students may not disclose patient information to anyone that is not authorized to have the PHI, including:
  - Family
  - Friends/neighbors
  - Fellow students
- UConn Health policy prohibits students who are also patients from accessing their own medical information for personal reasons.
Verifying Information Requests
- Before sharing any PHI, UConn Health must verify:
  - The identity of the individual requesting the information.
  - That this individual has the right to obtain the information requested.
- If a patient calls to obtain information about him/herself, UConn Health will verify the individual’s identity using information available in the Patient Registration system.
- In the event that an individual’s identity and/or legal authority cannot be verified, UConn Health staff members will not disclose the PHI and will report the request to their immediate supervisor.
Refer to policy # 2003-20:
Verification of Individuals or Entities Requesting Disclosure of Protected Health Information
Verbal Exchanges Involving PHI
- Discuss PHI only with those that have a “need to know” for specific assigned job functions.
- Be aware of your surroundings when discussing patient information.
- Move to a private area if needed.
- Avoid discussions involving PHI in areas where you may be overheard such as cafeterias, hallways, elevators, patient waiting rooms, etc.
Knowledge Check
While eating lunch in the cafeteria, you overhear a group of students and residents
discussing a patient they saw on rounds that morning. You hear them reviewing
the patient’s diagnosis, prognosis and treatment plan. You notice other employees
as well as visitors at nearby tables.
What should you do?
A. Move to another table so you won’t hear the discussion.
B. Stare at the group in hopes that they get the message to end their
conversation.
C. Politely remind them that they should not discuss patients in a public area.
D. Sit down and join them since the discussion sounds really interesting.
Telephone/Voicemail/Answering Machine Disclosure of PHI
- Never leave information containing PHI over the phone with someone other than the patient.
- Leave only generic information on voicemail or answering machines.
- Never leave any PHI, including indication of the services being performed or the service provider.
Refer to UCHC policy # 2003-24:
Telephone/Voicemail/Answering Machine Disclosure of PHI
Knowledge Check
Sarah works in the Cancer Center. At the request of her patient, she calls
the patient to report her recent lab results. The patient has indicated on
the UConn Health “Permission to Communicate” form that information
may be shared with her husband, who she has identified by name. When
Sarah calls the patient’s home, she reaches the patient’s sister who tells
her that the patient is not at home. What should Sarah do?
a. Hang up and call back at another time.
b. Tell the patient’s sister that she is calling from UConn Health and ask
that the patient return her call.
c. Tell the patient’s sister that she is calling from the UConn Health
Cancer Center with lab results and ask that the patient call her back.
d. Ask the sister to get a pen and paper to write down the results to give
to the patient.
Managing Written PHI
- Documents containing PHI must be:
  - Turned face down when not in use.
  - Kept locked in an office, file cabinet or other storage location.
- Check printers, fax machines and copiers after use to ensure that no papers are left behind.
- Never remove paper documents containing PHI from any facility.
Mailing PHI
- If it is necessary to mail PHI outside of UConn Health, before doing so you must:
  - Confirm that you are mailing documents to the intended recipient and that the PHI may be permissibly disclosed to that individual or entity.
  - Ensure that the recipient’s name and address are accurate and that the address on the envelope matches the address of the intended recipient.
  - Check all documents to see that no other patients’ PHI is included by mistake.
  - Be sure that no PHI is visible outside of the envelope or in an address window.
Faxing PHI
- Faxing patient information outside of UConn Health is allowed in situations when health information is needed immediately or when mail or courier delivery will not meet a necessary timeframe.
- Employees authorized to fax PHI must confirm the accuracy of the fax numbers and security of recipient machines.
- Any fax that is sent to a location outside of UConn Health must be accompanied by a UConn Health-approved fax cover sheet.
Faxing PHI
- Fax machines used to receive or transmit health information must be located in a secure area to protect the information from unauthorized users.
- Receiving faxes:
  - Schedule with the sender whenever possible so that the faxed documents can be promptly removed from the fax machine.
  - Notify the sender if you receive a misdirected fax so the fax can be sent to the correct party.
Refer to UCHC policy # 2003-23:
Faxing of Protected Health Information and fax cover sheet.
Disposal of Paper Containing PHI
- Dispose of documents with PHI (faxes, printed emails, informal notes or copies of patient notes) either by tearing them up or placing them in secured shredder bins.
- Never dispose of documents containing PHI in a trash or recycle receptacle or in a publicly accessible area.
- Copies of PHI used for case presentations or other academic requirements must be destroyed in a confidential manner.
Refer to policy # 2008-01:
Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information.
Managing Electronic Information
You can't hold firewalls and intrusion detection systems
accountable. You can only hold people accountable.
Daryl White
Acceptable Use of UConn Health’s Information Technology Resources
- UConn Health workforce members are responsible for the appropriate use and security of ePHI when using any IT resource.
- Using IT resources that are unauthorized or that could disrupt operations or compromise security is prohibited.
Refer to policy # 2011-02:
UCHC Information Security: Acceptable Use
Data Authentication and Physical Safeguards
- To protect from unauthorized access, IT resources must be physically secured.
- Never leave computers or laptops unattended or unsecured in public areas.
- Where feasible, authentication to systems or devices containing ePHI must:
  - Include a unique logon or password.
  - Be encrypted.
Refer to policy # 2011-01:
UCHC Information Security: Data Authentication, Physical Safeguards
Access Control to Facilities
- UConn Health limits physical access to all confidential information, including to the facilities in which it is housed.
- Lock all file cabinets and rooms that contain confidential information.
- Always wear your UConn Health identification badge for proper access.
Refer to policy # 2005-04:
UCHC HIPAA Security Facility Access Control
Virus Protection
- All computer equipment connected to the UConn Health network must:
  - have UConn Health approved, updated anti-virus protection software installed.
  - remain current with the manufacturer’s operating system security software updates.
Refer to policy # 2005-10:
UCHC HIPAA Security Virus Protection Policy
Mobile Computing Devices (MCD)
- MCDs include:
  - UConn Health laptop computers
  - Smartphones
  - Tablet devices
  - USB storage devices
- Confidential data may not be stored on UConn Health or non-UConn Health MCDs unless:
  - Only information needed for a particular function is stored.
  - Information is stored only for the time period needed to perform that function.
  - The device is encrypted by UConn Health IT.
  - Data is protected from unauthorized access and disclosure.
Bring Your Own Device (BYOD)
- Users will be granted the authority to configure their personally-owned MCDs to access UConn Health’s electronic information.
- Personally-owned MCDs must be registered and secured at UConn Health’s BYOD website.
Additional information about BYOD can be found at http://its.uchc.edu/Help/BYOD.aspx
Refer to policy # 2008-03:
Mobile Computing Device (MCD) Security
Disposing of Electronic Confidential Information
- Secure methods must be used to dispose of electronic data and output.
- Prior to the removal or sale of any electronic storage media/devices, contact the UConn Health Materials Management Department to remove all UConn Health information, including PHI, residing on the devices.
- Never leave computers/laptops or other devices unattended when planning disposal.
Refer to policy # 2008-01:
Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information.
Electronic Systems Access Control
- Access to UConn Health’s information systems is granted only to appropriately identified, validated and authorized individuals.
- Users must each have a unique login and password.
- Memorize your password and do not share your account information (username/password), password creation or password changes.
- Do not log in to your computer to allow a fellow student to work under your username, or request that another student do the same for you.
Knowledge Check
Bert and Ernie are medical students and friends that are each completing a
rotation in the Internal Medicine Clinic. Ernie runs into a problem with his
username and password and finds that he cannot log onto the computer to
write his patient note. To save time, he asks to borrow Bert’s username and
password until he has a moment to contact the IT Helpdesk.
What should Bert do?
A. Give Ernie his username and password to log on.
B. Offer to log on himself to allow Ernie to write his note.
C. Explain to Ernie that UConn Health policy does not allow him to share
his username and password.
D. Get another student to log on and let Ernie complete his note.
Electronic Systems Access Control
- Ensure that all laptops are encrypted as required by UConn Health policy.
- Always log off your computer or use a screen saver after using a shared computer or when your computer is left unattended.
- You may be held responsible for improper access by another individual under your username and password.
Refer to policy # 2011-03:
UCHC Information Security: Systems Access Control
Electronic PHI (ePHI)
- ePHI is Protected Health Information stored on electronic systems or transmitted through electronic means.
- Includes personal information stored on:
  - Personal Computers with internal hard drives.
  - Removable storage devices such as:
    - USB memory sticks/keys
    - CDs/DVDs
    - Disks
    - Back-up tapes
    - External hard drives
    - Mobile Devices
- Electronic transmission is data exchanged via the network, including wireless and DSL/cable home network connections.
Electronic PHI (ePHI)
- ePHI also includes patient information located on any UConn Health electronic information management system including:
  - IDX
  - LCR
  - eHIMS
  - NextGen
  - IBEX
  - Others
Monitoring of Electronic Patient Information Systems
- Access to patient records is logged by each UConn Health system.
- Audit logs are reviewed to ensure information is accessed only on a “need to know” basis.
- If you do not have a legitimate educational purpose for accessing a patient’s PHI you are not allowed to view that information.
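An added example of the kind of audit-log review described above, written for this page rather than taken from the systems UConn Health uses: it runs a constructed access log against a constructed rotation roster and flags accesses with no documented assignment, a student opening their own record, or a fellow student’s record (the rules from the “Students’ friends and family” slide). The log layout, the roster, the user names and the patient IDs are all assumptions.

```python
import csv
from dataclasses import dataclass, field
from io import StringIO
from typing import Dict, List, Set

# Constructed audit log in an assumed CSV layout; real systems log more fields.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2014-09-08T08:15:00,jack,P1001,view
2014-09-08T08:20:00,jack,P2045,view
2014-09-08T09:02:00,bert,P1001,view
2014-09-08T09:10:00,bert,P3000,view
2014-09-08T11:30:00,ernie,P1001,view
"""

# Constructed rotation roster: the patients each student is assigned to for a
# legitimate educational or treatment purpose.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "jack": {"P1001"},
    "bert": {"P1001", "P3000"},
    "ernie": {"P1001"},
}

# Constructed mapping of workforce members/students who are also patients to
# their own patient id (in this example Jill is P2045 and Bert is P3000).
WORKFORCE_PATIENT_IDS: Dict[str, str] = {"jill": "P2045", "bert": "P3000"}


@dataclass
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reasons: List[str] = field(default_factory=list)


def review_access_log(log_text: str, assignments: Dict[str, Set[str]],
                      workforce_patients: Dict[str, str]) -> List[Finding]:
    """Flag accesses that lack a documented need to know.

    The rules mirror the training text: no assignment for that patient
    (minimum necessary), a student opening their own record, or a record that
    belongs to a fellow student/workforce member. A flag is a prompt for a
    reviewer to ask why the record was opened, not proof of a breach."""
    colleague_records = set(workforce_patients.values())
    findings: List[Finding] = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        reasons: List[str] = []
        if pid not in assignments.get(user, set()):
            reasons.append("no documented assignment for this patient")
        if workforce_patients.get(user) == pid:
            reasons.append("student accessed own record")
        elif pid in colleague_records:
            reasons.append("record belongs to a fellow student/workforce member")
        if reasons:
            findings.append(Finding(row["timestamp"], user, pid, reasons))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged events per user as a starting point for follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ASSIGNMENTS, WORKFORCE_PATIENT_IDS):
        print(f.timestamp, f.user, f.patient_id, "; ".join(f.reasons))
```

On the constructed log the review flags Jack’s look-up of Jill’s record (no assignment, and a fellow student’s record) and Bert opening his own record even though it is on his roster, which is the situation the student policy above prohibits.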
Think before you click…
- “Minimum necessary” also applies to electronic PHI.
- Access/use PHI stored in electronic systems only when it is necessary to perform your assigned job functions.
- Access/use only the minimum necessary PHI to complete your assigned task.
Knowledge Check
Jack, a medical student, is searching in an electronic system for the record of a
patient. The patient happens to have the same last name as a fellow student, Jill.
During his search he sees Jill’s name on the list of patients and notes that she has a
medical record in the system. Jack is curious about Jill’s medical information so he
looks and finds that she recently had surgery.
Did Jack do the right thing?
A. Since Jack “inadvertently” discovered that Jill is a patient, it’s OK to view her record.
B. Jack may view Jill’s medical record, but he shouldn’t tell her that he knows she had surgery.
C. Because Jill is a student, she cannot expect her information to be kept private. Anyone with access to a patient information system is allowed to access her record.
D. Jack may not access any patient’s record, unless the reason is specifically related to his student responsibilities.
Patient Portals
- Several patient portals are in use or under development across UConn Health, including John Dempsey Hospital, University Medical Group and School of Dental Medicine clinics.
- The primary purpose of a patient portal is to:
  - Allow patients to view, download or print certain parts of their medical records such as lab results and medications.
  - Increase communication between patients and providers.
  - Enable patients to be more involved in their treatment.
  - Improve patient/provider partnerships in the delivery of care.
Emailing PHI
- Hand deliver or mail PHI whenever possible.
- When necessary for treatment, payment or operations, email PHI only to individuals that are authorized to receive the information.
- E-mail only from and to secure addresses within the UConn Health network (i.e. addresses ending in uchc.edu).
- Verify the recipient’s address as secure before sending PHI via e-mail.
- Email encryption must be used to send any confidential information outside of the UConn Health network.
Refer to policies:
# 2012-01 E-mail Communication with Patients/Research Participants
# 2011-04 Electronic Communication of UCHC Confidential Data: Use of Email Encryption
Using Email Encryption
- To send a secure email:
  - Click the icon in the upper left hand corner of the email message screen, OR
  - Include [secure] (brackets and the word) in the email subject line.
Knowledge Check
An outside practitioner will be treating a UConn Health patient.
The practitioner sends you an email asking for a summary of the
patient’s condition and treatment.
Which of the following should you do?
A. Simply reply with the details.
B. Reply with the details clicking the “Secure” button prior to
sending the email.
C. Reply with the details typing [secure] in the message.
D. Either B or C.
Texting PHI
- Texting confidential information, including PHI, is not permitted unless a secure text application, approved by UConn Health, is installed and active.
- Without appropriate software, text messages are not encrypted and, therefore, are never secure.
- Sending any text message containing confidential information, including PHI, without using an approved secure text application, is a violation of UConn Health policy, state and federal laws and must be reported immediately.
Social Media
 PHI or other confidential information should never be
shared on social media sites.
 Any medical/dental information that is posted must be
completely de-identified.
 Although you may think information has been de-
identified, it may be possible to identify an individual,
even with minimal information.
Knowledge Check
Dennis is a medical student who recently assisted in treating a patient
in the UConn Health Emergency Department (ED) that had been
involved in a serious car accident. The accident was reported on the
local news and on the front page of several newspapers. Dennis can’t
wait to tell his friends about his ED experience so he posts details about
the accident, the patient’s injuries and a picture he took with his cell
phone on his Facebook page. He is careful not to disclose the patient’s
name or to expose the patient’s face but assumes it is OK to share other
information including the patient’s age, sex and town he lives in.
Did Dennis breach this patient’s confidentiality?
Yes
No
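The Social Media slide warns that data which looks de-identified may still single out one person. The scenario above shows why: the news story already fixes the town, and each further "harmless" detail (sex, age) is one more filter on a small population. The block below is an added illustration, not UConn Health's material; the population is constructed for the example and the attribute names follow the Dennis scenario.

```python
"""Added illustration, not UConn Health's material: how little it takes to
re-identify a 'de-identified' post. The population below is constructed for
the example; the attribute names follow the Dennis scenario (age, sex, town)."""
from collections import Counter

FIELDS = ("age", "sex", "town")
# Constructed toy population: a handful of people in three nearby towns.
POPULATION = [dict(zip(FIELDS, row)) for row in [
    (34, "M", "Farmington"), (34, "F", "Farmington"), (52, "M", "Farmington"),
    (29, "M", "Farmington"), (34, "M", "Avon"), (41, "M", "Avon"),
    (34, "F", "Avon"), (34, "M", "Canton"), (34, "M", "Canton"),
    (67, "F", "Canton"),
]]


def candidates(records, **known):
    """Everyone consistent with what the reader already knows. Each extra
    'harmless' detail is an equality filter that shrinks this set."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def min_group_size(records, keys):
    """k-anonymity of a release with respect to the quasi-identifiers in keys:
    the smallest number of people sharing one combination. k == 1 means at
    least one person is singled out by those fields alone."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


def unique_fraction(records, keys):
    """Share of people whose combination of keys belongs to them alone."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    singletons = sum(1 for r in records if counts[tuple(r[k] for k in keys)] == 1)
    return singletons / len(records)


if __name__ == "__main__":
    # The news story already gives away the town; the post adds sex and age.
    known = {}
    for k, v in (("town", "Farmington"), ("sex", "M"), ("age", 34)):
        known[k] = v
        print(f"{known}: {len(candidates(POPULATION, **known))} candidate(s)")
    for keys in (("sex",), ("sex", "town"), FIELDS):
        print(f"k={min_group_size(POPULATION, keys)} "
              f"unique={unique_fraction(POPULATION, keys):.0%} for {keys}")
```

On the constructed population, town alone leaves four candidates, town plus sex three, and town plus sex plus age exactly one, and 80% of the population is unique under those three fields. The same narrowing works with any attribute visible in a post (a timestamp, a landmark in a photo), which is why the policy requires complete de-identification rather than merely omitting the name and face.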
Managing Breaches of PHI
Breaches
 A breach is defined as any improper access, acquisition,
use or disclosure of PHI that compromises the security or
privacy of the information, unless a documented risk assessment
demonstrates a low probability that the PHI has been compromised.
 Includes situations in which more than the minimum
necessary PHI is involved.
 All potential breaches are evaluated by UConn Health
and may result in notifying the affected patient(s) and
the Federal Office for Civil Rights (OCR).
 OCR may investigate any breach that is reported.
Managing Breaches
 Known or suspected breaches must be acted upon
without delay to assess the situation and mitigate risk.
 There are strict timeframes for notifying the affected patient(s)
and the Office for Civil Rights (under the HIPAA Breach Notification
Rule, without unreasonable delay and no later than 60 calendar days
after the breach is discovered).
 If you know or suspect that a breach has occurred, report
the incident to your preceptor or a UConn Health
department manager immediately.
 The Privacy and/or Security Office will be notified and
provide guidance.
Examples of Breaches that Have
Occurred at UConn Health
 Paper:
 Lab requisitions, test results or other confidential
communication mailed to the incorrect patient.
 Discharge paperwork handed to the wrong patient.
 Paperwork containing PHI left in public areas (cafeteria,
rest rooms, parking lots).
 Verbal:
 Discussing a patient’s medical information in a public area.
 Discussing a patient’s medical information in front of others
without the patient’s permission.
Examples of Breaches that Have
Occurred at UConn Health
 Electronic
 Accessing patient information for purposes that are not related to
job functions, educational responsibilities and/or assigned tasks
including the PHI of:
 co-workers
 family members
 friends
 VIPs.
 Lost unencrypted laptops or other mobile devices containing PHI.
 Texting PHI without appropriate security safeguards in place.
 Computer screens with PHI visible to unauthorized individuals.
Tips for Preventing Breaches
 Keep track of documents containing PHI (don’t leave
papers unattended, avoid taking documents into the
cafeteria or restroom).
 Keep private conversations private if PHI is being
discussed (you never know who may overhear).
 Never text PHI without using appropriate software.
 Do not share PHI via social media.
Tips for Preventing Breaches
 Obtain a patient’s permission before involving others in
discussions that include PHI.
 Do not access or use patient information that is not
related to your student responsibilities.
 Never disclose PHI to anyone that is not authorized to
have the information.
 Encrypt all electronic equipment that may contain PHI.
Patient Complaints Regarding Breaches of PHI
 Patients who have any concerns related to the privacy or
security of their PHI may:
 contact the UConn Health Patient Relations Department.
 file a complaint with the U.S. Department of Health and
Human Services, Office for Civil Rights.
Refer to UCHC Policy #2003-19:
Patient Complaint Regarding Use and Disclosure of PHI
UConn Health Policies
Please review UConn Health’s Confidentiality Policy at:
http://www.policies.uchc.edu/policies/policy_2002_43.pdf
All HIPAA Privacy and Security policies are located at:
http://www.policies.uchc.edu/area/hipaa_privacy.html
http://www.policies.uchc.edu/area/hipaa_security.html
UConn Health Contacts
 For Privacy questions or to report Privacy violations contact:
Iris Mauriello, Privacy Officer
860-679-3501
mauriello@uchc.edu
 For Security questions or to report Security violations contact:
Jon Carroll, Information Security Officer
860-679-3528
jcarroll@uchc.edu
 You may also report any Privacy or Security concern anonymously
through UConn Health REPORTLINE: 1-888-685-2637
Thank you for completing the HIPAA/HITECH
Privacy and Security training.
Please complete the training acknowledgment
on the next slide.
Training Acknowledgment
 I have completed this “HIPAA/HITECH Privacy and Security”
training.
 I agree to abide by UConn Health’s Confidentiality and HIPAA
Privacy and Security policies.
 I have been informed where to obtain additional information on
HIPAA Privacy and Security.
 I acknowledge my obligation to report a HIPAA Privacy or
Security concern.
Yes