
HIPAA Privacy and Security

DESCRIPTION

HIPAA Privacy and Security. Cindy Cummings, RHIT. Authorization – STILL NEED IT. Facilities must obtain authorization from patients before using or sharing their PHI for reasons other than treatment, payment, or health care operations. What is Confidential?. Medical Record # Name Address - PowerPoint PPT Presentation


Page 1: HIPAA Privacy and Security

HIPAA Privacy and Security

Cindy Cummings, RHIT

Page 2: HIPAA Privacy and Security

Authorization – STILL NEED IT

Facilities must obtain authorization from patients before using or sharing their PHI for reasons other than treatment, payment, or health care operations.

Page 3: HIPAA Privacy and Security

What is Confidential?

• Medical Record #
• Name
• Address
• Telephone Number
• Age
• Social Security #
• E-mail address
• Medical History
• Diagnosis
• Medications
• Observations
• And More

Page 4: HIPAA Privacy and Security

Breach Notification Requirements – This is New 2010

• Individual Notices
• Media Notices
• Notice to the Secretary
• Notification of a Business Associate

Page 5: HIPAA Privacy and Security

Individual Notice

Covered entities… that's HOB:

• Must notify affected individuals once we discover a breach of unsecured protected health information.
• Must provide this individual notice in writing by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive it that way.
• If HOB has insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice:
  – Post the notice on the home page of its web site, or
  – Provide the notice in major print or broadcast media where the affected individuals likely reside.
  – Must include a toll-free number for individuals to contact HOB to determine if their protected health information was involved in the breach.
• If fewer than 10 individuals, HOB may provide substitute notice by an alternative form of written, telephone, or other means.

Page 6: HIPAA Privacy and Security

Individual Notice

• The individual notifications must be provided without unreasonable delay:
  – No later than 60 days following the discovery of a breach
  – Must include, to the extent possible:
    • a description of the breach,
    • a description of the types of information that were involved in the breach,
    • the steps affected individuals should take to protect themselves from potential harm,
    • a brief description of what HOB is doing to investigate the breach, mitigate the harm, and prevent further breaches,
    • contact information for HOB

Page 7: HIPAA Privacy and Security

Media Notice

If HOB has a breach affecting more than 500 residents of a State, jurisdiction or area:
– Besides notifying the affected individuals, HOB is required to provide notice to prominent media outlets serving the State or jurisdiction.
– HOB would likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.

Like individual notice, this media notification must be provided without unreasonable delay:
– In no case later than 60 days following the discovery of a breach
– Must include the same information required for the individual notice

Notify the Secretary

Page 8: HIPAA Privacy and Security

Notice to the Secretary (HHS)

In addition to notifying affected individuals and the media (where appropriate), HOB must notify the Secretary of breaches of unsecured protected health information. 

HOB notifies the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. 

If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.

If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.  Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

Page 9: HIPAA Privacy and Security

Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify HOB following the discovery of the breach.

A business associate must provide notice to HOB without unreasonable delay and no later than 60 days from the discovery of the breach.

To the extent possible, the business associate should provide HOB with the identification of each individual affected by the breach as well as any information required to be provided by HOB in its notification to affected individuals.  

Page 10: HIPAA Privacy and Security

No Big Deal, Right?

Wrong!!!!!

Page 11: HIPAA Privacy and Security

Kentucky Hospital

• The Bowling Green Medical Center had a hard drive stolen that contained information on 5,418 patients.

• Information contained on the hard drive:
  – Patient's name
  – Birthdate
  – Address
  – MR #
  – SS #
  – Weight
  – Height
  – Menopause age

Page 12: HIPAA Privacy and Security

Massachusetts General Hospital

• The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train; they were never recovered.

The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations.

Page 13: HIPAA Privacy and Security

Federal Penalties for not Complying

For the misuse of personally identifiable health information:
Fines up to $50,000 and/or imprisonment for a term up to 1 Year

For the misuse under false pretenses:
Fines up to $100,000 and/or imprisonment for a term up to 5 Years

For the misuse with the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm:
Fines up to $250,000 and/or imprisonment for a term up to 10 Years

Page 14: HIPAA Privacy and Security

First Person Goes to Jail for HIPAA Violation

• Researcher from UCLA School of Medicine sentenced to 4 months in federal prison.

• Accessed confidential medical records without a valid reason.

Page 15: HIPAA Privacy and Security

So How did HOB do in 2010?

2010 Breach Notifications

• 137 breaches occurred for Hospice of the Bluegrass
• 19 of those breaches required the patient as well as the Secretary for the Dept. of Health and Human Services to be notified.

Page 16: HIPAA Privacy and Security

137 breaches.. The breakdown

Patient Variances

• 110 variances were email related
• 3 variances involved other patient names included within a mailing
• 6 variances involved medications sent to the wrong patient
• 12 variances involved a lost pager
• 2 variances involved staff members allowing non-staff members to ride along on patient visits
• 1 variance involved a page sent to an entire site location rather than the supervisor

Page 17: HIPAA Privacy and Security

How to Protect Patient Privacy

Page 18: HIPAA Privacy and Security

What is Information Security?

All the protections put into place to ensure ePHI is:
– Kept confidential
– Not improperly altered or destroyed
– Readily available to those who are authorized

Page 19: HIPAA Privacy and Security

Protect Patients' Privacy

• Do not discuss patients in public areas such as elevators and cafeteria lines

• Do not leave information about a patient's health on an answering machine

Page 20: HIPAA Privacy and Security

Protect Patients' Privacy

• Always close curtains and speak softly when discussing treatments in semi-private rooms

• Always log off the computer when you're finished

• Always dispose of patient information only in locked containers

Page 21: HIPAA Privacy and Security

Protecting Patient Information

Keep your computer login and passwords a secret.

Page 22: HIPAA Privacy and Security

Protecting Patient Information

Rules for Using Computers

• Do not log into the system using someone else's password

• Only access patient information that you need to do your job.

• Keep computer screens pointed away from the public

• Do not copy PHI onto a removable device such as a thumb drive, disc, etc.

Page 23: HIPAA Privacy and Security

E-mail

• Hospice of the Bluegrass DOES NOT have the encryption software that is needed to e-mail PHI outside of the HOB network.

• If the e-mail address does not end with "hospicebg.org" you CANNOT include PHI.
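The slide's rule can be enforced as an outbound mail check. The example below is added here and is not HOB's own tooling; the domain name comes from the slide, while the recipient addresses are constructed samples. One caveat the check handles: a plain "ends with hospicebg.org" string test also accepts lookalike domains such as nothospicebg.org, so the recipient is parsed and its domain compared exactly (subdomains of hospicebg.org included).

```python
from email.utils import parseaddr
from typing import List, Optional

# Trust boundary named on the slide: PHI may only leave for this domain.
INTERNAL_DOMAIN = "hospicebg.org"


def recipient_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of one recipient, or None if it cannot
    be parsed. parseaddr strips display names such as 'Jane <jane@x.org>'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None


def is_internal(address: str) -> bool:
    """True only if the parsed domain is hospicebg.org or a subdomain of it.
    Comparing the whole domain (not a raw suffix of the address string)
    is what keeps nothospicebg.org from passing."""
    domain = recipient_domain(address)
    if domain is None:
        return False
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def phi_recipients_violating_policy(recipients: List[str]) -> List[str]:
    """Given every To/Cc/Bcc recipient of a message that contains PHI,
    return the recipients the slide's rule forbids. An empty list means
    the message may be sent; anything else means it must be blocked."""
    return [r for r in recipients if not is_internal(r)]


if __name__ == "__main__":
    # Constructed sample recipients for illustration (assumption, not real data).
    sample = [
        "nurse@hospicebg.org",
        "Jane Doe <jane@mail.hospicebg.org>",
        "mail@nothospicebg.org",   # would pass a naive endswith() test
        "family@example.com",
        "no-at-sign",
    ]
    print(phi_recipients_violating_policy(sample))
```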

Page 24: HIPAA Privacy and Security

Physical Security

Practice Common Sense Security

• Keep laptops and other portable devices locked when not in use

• Keep cell phones and pagers on your person at all times.

• Make sure doors and desks are locked as appropriate

Page 25: HIPAA Privacy and Security

Physical Security

The most frequent risk to using PDAs and laptops is theft.

• When transporting laptops (or any patient information) they should be stored in the floorboard area or in the trunk.

• Keep your car locked at all times.

Page 26: HIPAA Privacy and Security

Sanctions

• Hospice of the Bluegrass takes seriously the responsibility of privacy/security of all PHI in its care.

• Failure to adequately ensure the privacy/security of PHI can result in disciplinary action against you, up to and including:
  • Dismissal
  • Termination of Business Contract
  • Reporting the violation to licensing agencies and law enforcement officials.

Page 27: HIPAA Privacy and Security

Scenarios

• You're at the grocery store…

• You're at church…

• You're at the gas station…

• Your cell phone rings at home…