

• Number of slides: 27

New Employee Orientation – HIPAA Privacy
Marcia Matthias, MJ, RHIA, CHPC
Corporate Director, Health Information/Privacy Officer

Definitions
• HIPAA – Health Insurance Portability and Accountability Act
• PHI – Protected Health Information
• HHS – Department of Health and Human Services
• OCR – Office for Civil Rights – enforces the HIPAA Privacy and Security rules.

What is identifiable protected health information (PHI) under HIPAA?
• Includes:
– Name
– Address
– Employer
– Relatives' names
– Birth date
– Phone/fax numbers
– Email address
– Social Security #
– Medical Record #
– Member/Acct #
– Certificate #
– Voiceprints
– Fingerprints
– Photos
– Codes
– Any other characteristic, such as occupation, that can be used to identify an individual.

Forms of Information
• Paper
• Verbal
• Electronic
It is the responsibility of every employee to protect the privacy and security of PHI in ALL forms.

Goals of the Privacy Rule
• Provide strong federal protections for privacy rights
– Ensure patients TRUST the privacy and security of their health information
• Preserve QUALITY health care
– Encourages frank communication with healthcare providers
• Make sure that the right information is flowing to the right people at the right time.

Breaches
• A breach occurs when information that, by law, must be protected is:
– Lost, stolen, or improperly disposed of
– "Hacked" into by people or computer programs
– Communicated or sent to others who do not have an official need to receive the information

The U.S. Attorney for the Southern District of Illinois announced today that Susan L. Harris, 28, of Marissa, Illinois, and Ashley C. Drummond, 25, of East St. Louis, Illinois, were sentenced for aggravated identity theft and conspiracy to commit mail fraud in the U.S. District Court for the Southern District of Illinois, East St. Louis Division. Harris was convicted following a 2-day jury trial in December 2012. Today, the U.S. District Court sentenced Harris to 4 years in prison, to be followed by 3 years of supervised release. Harris was ordered to pay $7,648.97 in restitution and a $200 special assessment. Drummond, who pleaded guilty in November 2012, was previously sentenced to 2 years in prison, to be followed by a 3-year term of supervised release. Drummond also was ordered to pay $8,675.27 in restitution to various victims and a $200 special assessment.

Evidence presented at the trial of Susan Harris showed that Harris conspired with Ashley Drummond to steal personal identifying information of patients of a Southern Illinois hospital. The two women targeted elderly patients, particularly patients who came in to the hospital from nursing homes and assisted living facilities. Drummond and Harris used the stolen personal information to apply for new credit card accounts in the victims' names. Drummond was a radiology technician, and it was her job to transport patients to and from the radiology department as needed. While transporting the patients, Drummond would steal victims' personal information from their charts. Harris was later caught on camera at a retail store using one of the credit cards obtained with the personal information of a 90-year-old woman who lives in an assisted living center and had been a patient at the hospital where Drummond worked. The case was investigated by the Southern District of Illinois Identity Theft Task Force, the U.S. Postal Inspection Service, the Internal Revenue Service Criminal Investigation Division, the Social Security Administration Office of the Inspector General, the Maryville Police Department, the Glen Carbon Police Department, and the Collinsville Police Department.

Other recent nationwide reports of breaches
• A Nevada man pleaded guilty to violating HIPAA by using patient records to generate referrals for personal injury attorneys.
• Midwest Women's Healthcare Specialist in Kansas City, MO reached a $400,000 settlement agreement with attorneys representing the practice's 1,532 patients whose PHI (medical records) was improperly disposed of in a dumpster.
• In January, hackers gained access to several employee email accounts at St. Mary's Medical Center in Evansville, Indiana. The hacked email accounts included health information of 4,400 patients.
• New York Presbyterian Hospital & Columbia University agreed to pay a $4.8 million fine after the health records of more than 6,000 people were mistakenly released on the Internet.
• 4 employees were fired from University Medical Center in Tucson after 1 employee took a picture of a patient with a cell phone camera.

Noteworthy facts
• Data breaches are occurring in health care at nearly 3 times the rate as in banking and finance.
• A thief downloading and stealing data can get $50 on the street for a medical identification number, compared to just $1 for a Social Security number.
• Victims can suffer monetary loss, possible inability to obtain or retain insurance, and corruption of their medical history.

Breaches involving 500 or more individuals reported to OCR (as of 3/2014) [chart]

Breaches involving 500 or more individuals that have been reported to OCR [chart]

Breaching Patient Privacy Requires Notification of the Patient
Breach definition: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Applies to paper, electronic or verbal breaches.
The healthcare facility MUST:
• Notify the individual (patient) within 60 days (of knowledge of the breach) that their PHI has been or may have been accessed, acquired or disclosed as a result of a breach.
o Notification must include:
– Description of what happened
– Type of information disclosed
– Steps the patient should take to protect themselves from potential harm
– Steps SIH is taking to investigate the breach, alleviate any potential harm, and protect against further breaches.
• Report breaches annually to the Department of Health & Human Services.
• If a breach involves the PHI of 500 patients or more, then SIH will be required to notify local media and the Department of Health and Human Services.

Illinois "Wall of Shame" [chart]

Information is accessible for authorized use and to authorized users only
• When requested by the individual (patient), with proper identification
• For treatment of the individual (example: practitioner caring for the patient)
• For payment purposes (example: sending billing information to the patient's insurance company), and
• Certain healthcare operations (example: TJC survey, quality improvement, peer review)

Patient's Privacy Rights Under HIPAA
1. To view and keep a copy of our Notice of Privacy Practices (the document a patient receives that explains how SIH uses their PHI and their rights regarding their PHI)
2. To view and copy their own protected health information (PHI) found in their medical/billing records
3. To request an amendment to documentation in their medical/billing record they think is inaccurate or incomplete. (Example: the medical record documents that the patient has no allergies. The patient requests their medical record be amended to reflect an allergy to penicillin.)
4. To request confidential communication
5. To ask for restrictions on how SIH uses and discloses their PHI for treatment, payment and healthcare operations (TPO).
6. To receive an Accounting of Disclosures: a document that identifies disclosures of their PHI made:
– To agencies, work comp, law enforcement, registries, when patient authorization is not required, and/or
– Accidentally (example: medical records faxed to the wrong place).
7. To complain to SIH or to the U.S. Department of Health & Human Services about privacy violations
8. To opt out of the patient directory (patient does not want their name on the hospital's published list; does not want the public to know of the hospitalization)

Definitions
• Sensitive Information = Information in any form, including but not limited to paper, electronic, or oral, which if improperly disclosed could cause damage to the reputation, privacy, image and/or financial viability of the patient, medical staff, employees, board of trustees and/or Southern Illinois Healthcare.
– Sensitive information includes, but is not limited to:
– All individually identifiable health information;
– Anything marked or stated as confidential;
– Employee information;
– Financial information;
– Guarded operational information;
– Marketing and general business strategies;
– Patient billing information;
– Physician information; and
– Proprietary products and product development.

Are you an authorized user of Sensitive Information and PHI?
• Ask yourself...
– "Do I need this information to do my job?"
• Two rules of thumb:
Rule 1: Is using or disclosing this information in the best interest of the patient?
Yes = Do it and document it
No = Don't do it
Rule 2: Do I need to access/know this information (whether paper or electronic) to perform my job function?
Yes = Go ahead and access the information
No = Don't even think about accessing the information.

What does protecting health information & sensitive information mean?
• Keeping this information private
• Making sure this information is only accessible to the appropriate workforce and/or providers
• Safeguarding this information from unauthorized users

How to keep PHI & Sensitive Information private – paper world
• Medical records/documents are placed in a secure location
• Documents containing identifiable information that can be discarded are shredded
• Use a fax cover sheet
• Timely removal of documents from the fax machine tray, printer tray or copier
• Documents do not leave SIH premises unless authorized to do so

How to keep PHI & Sensitive Information private – electronic world
• Monitors are turned away from public view
• Patient information is not left up on the computer screen
• User IDs and passwords are not shared
• PHI is not downloaded/copied to personal storage media such as a home computer, PDA, jump drive, etc.

How to keep PHI and Sensitive Information private – verbal world
NO PHI discussion in:
– Elevators
– Smoke areas
– Public or private dining areas
– Employee break areas
– Public places – restaurants, bars, etc.
– Social networking sites – MySpace, Facebook, etc.
– Hallways
– Home

Civil and Criminal Penalties for Breaches
• Enforced by the Office for Civil Rights & the Department of Justice

Violation category                                   Penalty per violation
Unknown violations                                   $100 - $50,000 (not to exceed $1.5 million in a calendar year)
Violations with reasonable cause                     $1,000 - $50,000 (not to exceed $1.5 million in a calendar year)
Violations resulting from willful neglect            $10,000 - $250,000 (not to exceed $1.5 million in a calendar year)
Violations from willful neglect and not corrected    $50,000 - $1.5 million (not to exceed $1.5 million in a calendar year)

Practical safeguards
• Encrypt all email containing PHI addressed to non-SIH email addresses.
• Do not send email containing PHI to your personal email account.
• Do not text any type of PHI.
• Securely store laptops when unattended.
• Log off the computer when walking away.
• Keep your password confidential.
• Turn computer monitors away from public eyesight.
• Faxing: double-check fax numbers and complete a fax cover sheet.
• Securely seal mailing envelopes and containers that contain patient health information.
• Before handing a patient medical record documents, make sure the patient's name matches the patient name on the documents.
• Refrain from taking pictures in patient care areas with your personal cell phone.
• Do not post information via social networking (Facebook, Twitter, etc.) that involves patient information you know about from being a workforce member at SIH.