Stony Brook Health Sciences Center
Melissa Pinero, HIPAA Privacy Officer, 631-444-2148
Health Sciences Center Schools: New Employee & Student Training

FERPA: Family Education Rights & Privacy Act
HIPAA: Health Insurance Portability & Accountability Act

FERPA
The Family Education Rights & Privacy Act (20 U.S.C. §1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the US Dept of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

HIPAA is... the Health Insurance Portability and Accountability Act of 1996

Portability
• Created to ensure access to health coverage
• Allows for continuity in health coverage
• Prevents denial due to a pre-existing condition(s)

Accountability
• Healthcare fraud is a federal crime
• Fines and / or jail time may apply
• Individuals and organizations face sanctions

The HIPAA Privacy Rules & HITECH 2010

What is HITECH?
• On February 17, 2009, the Federal Stimulus Bill, or American Recovery and Reinvestment Act (ARRA), was signed into law and included provisions to address the Health Information Technology for Economic and Clinical Health Act (HITECH).
• Its purpose is to create a national health information infrastructure and widespread adoption of electronic health records through monetary incentives.
• It provides enhanced Privacy & Security protections under HIPAA, including increased legal liability for non-compliance and greater enforcement.

What is PHI?
PHI is a compilation of data that is specific to individual patients. This data can be used to identify:
• A patient
• A patient's health
• Health care services received by a patient

Privacy Goals
We need to:
• Maintain our patients' trust.
• Educate our patients as to their rights.
• Safeguard our patients' PHI.

HIPAA: 18 Elements Necessary for De-identification of Patient Data Before Presenting the Case in Class
The following data must be removed for de-identification:
• Name
• Location: all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes
• Dates (all dates related to the subject of the information, e.g. birth dates, admission dates, discharge dates, encounter dates, surgery dates, etc.)
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate / license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

The following data may be used:
• Age (age 90 and over must be aggregated to prevent the identification of older individuals)
• Race
• Ethnicity
• Marital status
• Codes (a random or fictional code may be used to link cases or re-identify the health information at a later time; codes may not be a derivative of the individual's social security number or other identifiable numerical codes, e.g. birth date, fax number, etc.)

Authorization
Authorization is required when disclosing PHI for purposes other than treatment, payment, or operations.

Patients' Rights Under HIPAA
Patients may:
• request restricted use and disclosure of PHI;
• inspect and copy their health information;
• request to amend their medical record;
• request an accounting of disclosures; and
• file a complaint.

How is HIPAA Enforced?
• Civil monetary penalty: the civil penalty for an inadvertent violation is a fine of $100 per incident, up to $25,000 per year for each similar offense.
Example: A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to Starbucks. The hospital & the employee may have to pay a $10,000 ($100 x 100) fine.

Worst Case Scenario
• Criminal penalties: large fines plus jail time, which increase with the degree of the offense.
Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $1.5 million and / or 10 years in jail.

Security
Health Insurance Portability and Accountability Act
HIPAA Electronic Security to Ensure Privacy, Trust, and Quality Care
Edward W. Hines, Information Security Officer, SBUMC, HSC, and Dental School

What is Security?
The protection of electronic and physical assets.
Merriam-Webster: measures taken to guard against espionage or sabotage, crime, attack, or escape; an organization or department whose task is security.

The best way to protect yourself...
• Make your passwords difficult to guess.
• NEVER tell anyone your password.
• NEVER write your password down, such as on a post-it note.
• Don't use common information about you or your family, pets, or friends: names, Social Security number, birthdates, anniversaries, credit card numbers, telephone numbers, etc.
• Don't use names you have used before, a variation of your user ID, or something significant about yourself as a password.
• Don't let someone see what you are entering as your password.
• If you think there is even a slight chance someone knows your password, CHANGE IT!!
Remember: if someone logs on as you and does something improper, you can be held responsible.

Removable Media
If lost, removable media can allow unscrupulous people access to confidential patient information. Removable drives can also introduce malicious software to the network.
• USB drives, CD-RW, and any other flash media must be approved by the ISO.
• If you need to take your work home, do it safely from home and request a VPN account.

1. Understanding Ethics and Compliance
Ethics are based on...
• Values
• Morals
• Integrity
• Knowledge of Right vs. Wrong

What is a Compliance Program?
A Compliance Program is a system to detect and prevent violations of law or policy. An effective Compliance Program will:
- Promote an ethical environment
- Reduce risks
- Improve operational efficiency
- Ensure quality of care
- Promote a strong control environment

Ethical Business Practices
Refrain from Misrepresentations
- Remember to keep it honest (e.g. falsification of documentation = violation)
"Doing the right thing each and every time, even when no one is watching."

Ethical Business Practices
Avoid Conflicts of Interest...
- SBU property should never be used for personal business.
- Employees should not supervise family members.

Reporting of Possible Violations
• Where to Report: Immediate Supervisor, Departmental Chain of Command, or Compliance Officer
• What to Report: An actual or reasonable belief of a violation
• Consequences of Reporting: No retaliation or discipline for reporting in good faith
• Investigations of Violations: All allegations of wrongdoing will be assessed and investigated
• Discipline for Violations: In accordance with labor union contracts, and may include termination.

Call the Compliance HOTLINE: (631) 444-6666
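The de-identification checklist earlier in this training (the 18 identifiers that must be removed, the rule that ages 90 and over are aggregated, and the rule that a linkage code may not be derived from a Social Security number, birth date or similar number) applied to a case record, as added example code that is not part of the training material. The field names and the sample patient record are constructed for illustration, and the "shared run of four digits" test for a derived code is an assumption of this example.

```python
import re
import secrets

# Allow-list of checklist fields that may be used as-is (state itself is not
# "smaller than a state"). Everything not listed here, including all 18
# identifier categories and "any other unique identifying code", is dropped.
KEEP_FIELDS = {"state", "race", "ethnicity", "marital_status", "diagnosis", "procedure"}
# Identifier fields a linkage code must not be derived from (constructed names).
NUMERIC_IDENTIFIERS = ("ssn", "mrn", "birth_date", "phone", "fax", "account_number")

SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Doe", "city": "Stony Brook", "state": "NY", "zip": "11794",
    "birth_date": "1931-06-02", "ssn": "123-45-6789", "mrn": "MRN0048213",
    "phone": "631-555-0100", "age": 92, "race": "White",
    "marital_status": "Widowed", "diagnosis": "Pneumonia",
}

def aggregate_age(age):
    """Ages 90 and over are reported as one bucket so older patients cannot be singled out."""
    return "90+" if age >= 90 else age

def code_is_derived(code, record):
    """True if the linkage code shares a run of 4+ digits with any numeric identifier."""
    code_digits = re.sub(r"\D", "", code)
    for field in NUMERIC_IDENTIFIERS:
        digits = re.sub(r"\D", "", str(record.get(field, "")))
        if any(digits[i:i + 4] in code_digits for i in range(len(digits) - 3)):
            return True
    return False

def deidentify(record, link_code=""):
    """Return a copy of the record holding only the data the checklist allows."""
    out = {}
    for key, value in record.items():
        if key == "age":
            out["age"] = aggregate_age(value)
        elif key in KEEP_FIELDS:
            out[key] = value
        # any other key is an identifier (or unknown) and is not copied
    if link_code and code_is_derived(link_code, record):
        raise ValueError("linkage code must not be derived from an identifier")
    # A random code lets the presenter link follow-up cases without re-identifying.
    out["case_code"] = link_code or secrets.token_hex(4)
    return out
```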