Health Sciences Center Schools New Employee & Student Training

Stony Brook Health Sciences Center
Melissa Pinero
HIPAA Privacy Officer
631-444-2148
FERPA
Family Education Rights & Privacy Act
HIPAA
Health Insurance Portability &
Accountability Act
FERPA
The Family Education Rights & Privacy Act (20 U.S.C.
§1232g; 34 CFR Part 99) is a Federal law that protects the
privacy of student education records. The law applies to all
schools that receive funds under an applicable program of the
U.S. Department of Education.
FERPA gives parents certain rights with respect to their
children’s education records. These rights transfer to the
student when he or she reaches the age of 18 or attends a
school beyond the high school level. Students to whom the
rights have transferred are “eligible students.”
HIPAA is…
The Health Insurance Portability and
Accountability Act of 1996
Portability
Created to ensure access to health coverage
Allows for continuity in health coverage
Prevents denial due to a pre-existing condition(s)
Accountability
• Healthcare fraud is a federal crime
• Fines and / or jail time may apply
• Individuals and organizations face sanctions
The HIPAA Privacy Rules
&
HITECH 2010
What is HITECH?
• On February 17, 2009, the Federal Stimulus Bill, or
American Recovery and Reinvestment Act (ARRA),
was signed into law; it included the provisions known as
the Health Information Technology for Economic and
Clinical Health Act (HITECH)
• Purpose is to create a national health information
infrastructure and widespread adoption of electronic
health records through monetary incentives.
• Provide enhanced Privacy & Security Protections
under HIPAA including increased legal liability for
non-compliance and greater enforcement.
PHI is a culmination of data that is
specific to individual patients.
This data can be used to identify:
• A patient
• A patient’s health
• Health care services received by a patient
Privacy Goals
We need to:
• Maintain our patients’ trust.
• Educate our patients as to their rights.
• Safeguard our patients’ PHI.
HIPAA
18 Elements Necessary for De-identification of
Patient Data Before Presenting the Case in Class
The following data must be removed for de-identification:
• Name
• Location: all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes.
• Dates (all dates related to the subject of the information, e.g. birth dates, admission dates, discharge dates, encounter dates, surgery dates, etc.)
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate / license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
The following data may be used:
• Age (age 90 and over must be aggregated to prevent the identification of older individuals)
• Race
• Ethnicity
• Marital status
• Codes (a random or fictional code may be used to link cases or re-identify the health information at a later time; codes may not be a derivative of the individual’s social security number or other identifiable numerical codes, e.g. birth date, fax number, etc.)
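The de-identification list above is a mechanical rule, which means it can be checked by code before a case write-up leaves the department. The following Python is an added example written for this page; it is not part of the training deck and not Stony Brook's own tooling. The field names (`mrn`, `health_plan_id`, `notes`, and so on) and the sample patient record are constructed for the example. It removes every field on the "must be removed" list, keeps only the fields on the "may be used" list (anything unrecognised is dropped, on the "any other unique identifying code" principle), aggregates ages of 90 and over, scrubs identifiers that leak through free-text notes, and attaches a random case code that is not derived from the SSN or any other identifier. The re-identification key is returned separately so it can be stored apart from the classroom copy.

```python
import re
import secrets

# Fields that map to the 18 Safe Harbor identifiers (constructed field names for this example).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "precinct", "zip", "birth_date", "admission_date",
    "discharge_date", "encounter_date", "surgery_date", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_plate",
    "device_serial", "url", "ip_address", "biometric_template", "photo_path",
}

# Fields the list says may stay. Note that "state" stays while smaller subdivisions go.
ALLOWED_FIELDS = {"age", "race", "ethnicity", "marital_status", "state", "diagnosis", "notes"}

# Patterns for identifiers that commonly leak through free text. Order matters: the
# more specific patterns (SSN, phone) run before the generic 5-digit zip pattern.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def aggregate_age(age):
    """Ages 90 and over are collapsed into one bucket so the oldest patients cannot be singled out."""
    return "90+" if age >= 90 else age


def scrub_free_text(text):
    """Replace each identifier pattern found in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def deidentify(record, make_code=lambda: secrets.token_hex(4)):
    """Return (classroom copy, re-identification key).

    make_code must produce a random or fictional code; it is never derived from the
    SSN or another identifier. The key maps that code back to the MRN and must be
    stored separately from the classroom copy.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # one of the 18 identifiers: drop it
        if field == "age":
            out[field] = aggregate_age(value)
        elif field in ALLOWED_FIELDS:
            out[field] = scrub_free_text(value) if isinstance(value, str) else value
        # any other field is unknown and is dropped rather than passed through
    code = make_code()
    out["case_code"] = code
    return out, {code: record.get("mrn")}


def residual_identifiers(record):
    """Check step: list (field, pattern) pairs for identifiers still present. Empty means clean."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, label))
    return hits


# Constructed sample record (fictional values, not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001234", "ssn": "000-12-3456",
    "street": "1 Example Way", "city": "Stony Brook", "state": "NY", "zip": "11794",
    "birth_date": "1920-05-01", "admission_date": "2010-03-02",
    "phone": "631-555-0100", "email": "jane@example.org",
    "age": 91, "race": "White", "ethnicity": "Not Hispanic", "marital_status": "Widowed",
    "diagnosis": "Pneumonia",
    "notes": "Admitted 03/02/2010; call 631-555-0100 or jane@example.org. Ref 000-12-3456.",
}

if __name__ == "__main__":
    classroom_copy, key = deidentify(SAMPLE_RECORD)
    print(classroom_copy)
    print("residual identifiers:", residual_identifiers(classroom_copy))
```

The `residual_identifiers` pass is the part worth keeping even if the rest is replaced: the list of fields to drop is easy, but identifiers hidden in narrative notes are what usually survives a manual scrub, so the check runs over the output rather than trusting the scrubber.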
Authorization
Authorization is required when disclosing PHI for
purposes other than treatment, payment, or
operations.
Patients’ Rights Under HIPAA
Patients have the right to:
• request restricted use and disclosure of PHI;
• inspect and copy their health information;
• request to amend their medical record;
• request an accounting of disclosures; and
• file a complaint.
How is HIPAA Enforced?
• Civil monetary penalty:
Civil penalty for inadvertent violation = fines of
$100 per incident, up to $25,000 per year for
each similar offense.
Example:
A hospital employee violates HIPAA by misdialing
a fax number and sending 100 patient records to
Starbucks. The hospital and the employee may
have to pay a $10,000 ($100 x 100) fine.
Worst-Case Scenario
• Criminal penalties:
Criminal penalties = large fines + jail time,
and increase with the degree of the offense.
Example:
A hospital employee steals and sells patient
information for personal profit. Criminal
penalties could be as much as $1.5 million
and / or 10 years in jail.
Security
Health Insurance Portability and
Accountability Act HIPAA
Electronic Security to Ensure
Privacy, Trust, and Quality Care
Edward W. Hines
Information Security Officer, SBUMC, HSC, and Dental School
What is Security?
The Protection of Electronic and Physical Assets
Merriam-Webster:
Measures taken to guard against espionage or
sabotage, crime, attack, or escape; also, an
organization or department whose task is security.
The best way to protect yourself…
• Make your passwords difficult to guess.
• NEVER tell anyone your password.
• NEVER write your password down, such as on a post-it note.
• Don’t use common information about you or your family: pets’ or friends’ names,
Social Security number, birthdates, anniversaries, credit card numbers, telephone
numbers, etc.
• Don’t use names you have used before, a variation of your user ID, or
something significant about yourself as a password.
• Don’t let someone see what you are entering as your password.
• If you think there is even a slight chance someone knows your password,
CHANGE IT!
Remember: if someone logs on as you and does something improper, you
can be held responsible.
Removable Media
If lost, removable media can allow unscrupulous
people access to confidential patient information.
Removable drives can also introduce malicious
software to the network.
USB drives, CD-RWs, and any other flash media
must be approved by the ISO.
If you need to take your work home, do it safely from
home and request a VPN account…
1. Understanding Ethics and Compliance
Ethics are based on…
• Values
• Morals
• Integrity
• Knowledge of Right vs. Wrong
What is a Compliance Program?
A Compliance Program is a system to detect and
prevent violations of law or policy. An effective
Compliance Program will:
- Promote an ethical environment
- Reduce risks
- Improve operational efficiency
- Ensure quality of care
- Promote a strong control environment
Ethical Business Practices
Refrain from Misrepresentations
- Remember to keep it honest
(e.g. falsification of documentation = violation)
“Doing the right thing each and every time,
even when no one is watching.”
Ethical Business Practices
Avoid Conflicts of Interest…
SBU property should never be used for
personal business.
Employees should not supervise family
members.
Reporting of Possible Violations
• Where to Report: Immediate Supervisor, Departmental
Chain of Command, or Compliance Officer
• What to Report: An actual or reasonable belief of a
violation
• Consequences of Reporting: No retaliation or discipline
for reporting in good faith
• Investigations of Violations: All allegations of wrongdoing
will be assessed and investigated
• Discipline for Violations: In accordance with labor union
contracts, and may include termination.
Call the Compliance HOTLINE
(631) 444-6666