1/5/18
© HIPAA for Therapists, LLC. Please do not duplicate.

HIPAA & Confidentiality 101
Katie Malinski, LCSW, www.HIPAAforTherapists.com

Who I am
• Katie Malinski, LCSW
• Therapist in private practice in Austin
• Specialist in parenting & childhood sexual development
• The founder of HIPAA for Therapists, an in-person and online HIPAA training program for private practice therapists.
Who I am not
• An attorney (this is not legal advice)
• A security expert
• A member of your agency (i.e., I'm not in the know about all current procedures, etc.)
• The source of everything HIPAA that you need to know.

Course Objectives
• Increase knowledge of basic HIPAA requirements as applied to front-line staff.
• Identify typical problems that might arise in an agency setting
• Understand possible solutions, and their ethical implications
• Increase the agency culture of prioritizing privacy & security
Basic Terms
HIPAA: Health Insurance Portability & Accountability Act.
– 2003 Federal Law with new requirements for 2013. Compliance deadline has now passed. Privacy rule & security rule.
PHI: Protected Health Information.
– Clients' individually identifiable information: name, contact information, diagnosis, treatment, progress, appointment times, fee, status, etc.

Basic Terms 2
Texas Medical Privacy Act / TMPA: This is a Texas law passed 2012. Also known as HB 300 & TMRPA/TMPA. It is more strict than HIPAA in several ways, most significantly: the definition of Covered Entities.
Covered Entities: Providers/organizations that have to follow HIPAA. Before TMPA, Texas therapists that didn't file insurance electronically might not have had to comply. TMPA pretty much says that anyone who has contact with any PHI has to follow HIPAA guidelines.
The Bird's Eye View: HIPAA in 4 Sentences
Think very hard and methodically about privacy and security in your agency.
Identify all places where privacy and security might be at risk.
Develop a plan to address those risks, & take action.
Document everything, continually maintain & update those documents, and keep thinking, evaluating, training, learning and mitigating.

Agency-Level HIPAA Requirements, over-simplified
• Designated Privacy & Security Officer
• Risk Assessment.
• Identify, evaluate, and mitigate risk of all possible PHI loss/breach events.
• Strong technical security measures.
• Strong procedures & agency policies that protect privacy & security.
• Appropriate employee training
• Agency culture of PHI privacy & security
• Formal agreements with 3rd parties.
• Lots of paperwork.
HIPAA vs. Mental Health Ethical Codes
• Under HIPAA
  – Easier for family to have involvement in care
  – Allows release of PHI for treatment or financial reasons without consent
• Mental Health Ethical Codes
  – Client has control of who can be involved
  – Consent required even for treatment purposes, financials
• Follow Ethical Codes or State Laws that are more strict

Top 6 Reasons to Care about HIPAA
1. The laws changed in 2013. Enforcement has been increased, penalties are higher.
2. Overall community awareness of HIPAA and privacy standards is increasing rapidly. HIPAA is becoming a 'standard of care' & clients expect it.
3. Clients can complain to the federal government, triggering investigations.
Top 6 Reasons to Care about HIPAA (continued)
4. Random audits.
5. The penalties are potentially huge: reports of fines from 50K-5.5M. Can be more or less.
6. And probably the most important reason: focusing on privacy and security generally increases privacy and security, and that's good for everyone.

Worth Repeating
PHI must be kept secret and safe.
It must not be accessed, overheard, or overseen by anyone without authorization & an official sanctioned reason to access it.
The agency must evaluate, anticipate, and mitigate possible risks.
Common Problem: Laptops
• Lost/stolen laptops are a very common cause of HIPAA breaches.
• Encryption is very strongly recommended.
• Agencies need to prioritize laptops in their Risk Assessments, and create strong policies, training and support to mitigate this risk.

Common Problem: Unsecured Paperwork
• Client PHI is on most paperwork that is generated in an agency.
• Unfiled, unlocked paperwork is at risk for being seen, taken, copied, lost, stolen, etc.
File Safekeeping
• Your clients may not be famous, but the world is very small and all too often, unsecured paperwork magically finds its way to the worst possible outcome.
• Go ahead and be a little bit paranoid.
• Charts shouldn't be left out.
• File cabinets should always be locked when not in use.
• Most professional training programs recommend 2 locks (i.e., cabinet and room).
• Use secure methods to travel with files if necessary.

Common Problem: Leaving Messages
• Get permission from a client before leaving a message at any number.
• Double-check the number.
• Leave the "minimum necessary" amount of information.
• ACGC permits leaving voicemails -- limited to scheduling.
Common Problem: Faxing
• Double- and triple-check that the number is correct before sending.
• Use cover letter with confidential label.
• Don't walk away.
• Agency needs policy (& training) about where fax machines are kept, who can retrieve faxes, where the incoming faxes are stored temporarily, etc.
• Good article on fax risks here: http://www.goldfax.com/pdf/Security_Risk_in_Healthcare-DPDWhitepaper.pdf

Common Problem: Device Retirement
• Laptops, mobile devices, desktops, and fancy printers/copiers have hard drives that likely have PHI on them.
• When you or the agency retires those devices, they must be properly sanitized or destroyed. This must be planned for & documented.
Common Problem: The Walls Have Ears
• Be aware and very conservative when discussing client info with others.
• Think about who is even remotely close enough to hear.
• Complete visual and auditory privacy is your safest bet. If you don't have a private room, point this out to the client and proceed according to their wishes (and maybe also whisper).
• The world is much smaller than we think it is. Talking about clients, even without using their name, is very dangerous.

Common Problem: Inappropriate Access
• HIPAA says PHI must not be accessed unless there is a legitimate reason to do so.
• Looking at a record w/o authorization is a violation.
Common Problem: Log In Sharing
• Agency should be tracking access to records.
• If your co-worker uses your login to check out records they should not have access to, you might be held responsible.
• Letting someone use your login might make you appear to be the culprit of a state & federal crime.

Common Problem: Screens
• Can any screens be seen by anyone unauthorized?
• Position screens
• Use screen privacy filter
• Close your laptop, turn off your monitor.
Common Problem: Social Media
• Individuals should never, ever talk about clients or the work you do on social media.
• If your agency uses social media as part of their marketing, advertising, or outreach practices, it should be included in the risk assessment. This is an important thing about which to have thoughtful, clear policies & procedures.

Common Problem: Redisclosure
• Redisclosure is releasing someone else's document, i.e., an external psychological assessment, a hospital discharge summary, etc.
• Redisclosure not recommended in general
• Substance Abuse information redisclosure generally prohibited by law
• Mental Health redisclosure sometimes prohibited.
Common Problem: Email and Texting
• In general: it's not secure!
  – PHI transmitted when emailing or texting
  – PHI is available to companies/providers
  – Open to hacking
  – Could be misdelivered or seen by wrong person
  – Phishing
• Solutions (agency-level)
  – Consider an encrypted email portal
  – Always exercise great caution (individuals)
  – Informed consent is important.
Phishing (never click on anything suspicious)
Common Problem: Mobile Devices
• Huge potential HIPAA problem.
• If you text with/about clients, email with/about clients, or store their info in your contacts, you have PHI on your phone.
• Apps can access that PHI, too.
• Easily lost/stolen, & then: breach.
• Mobile devices are included in the agency's Risk Assessment. Agency needs strong policies, training & tech support here.
• For today, at least make sure you have the password feature turned on.
• For the future, consider separate work/personal devices.

Breach example: Hospice of N Idaho
• Hospice of North Idaho
• Stolen unencrypted laptop
• 50K fine
• Significant because it was the first settlement for <500 cases PHI (441)
Breach example: Anchorage Community Mental Health Services
• Breach resulted from malware (hacking)
• 2700+ incidences PHI
• ACMHS had adopted the sample Security Rule policies and procedures in 2005, but they were never followed.
• Significant because their fine was largely due to not regularly updating their IT resources with available patches and running outdated, unsupported software.
• 150K fine

Breach example: Alaska DHHS
• Alaska DHHS.
• Unencrypted USB drive w 501 cases PHI was stolen from employee's car
• Investigation found no risk assessment, no security, no training:
• 1.7M fine.
Breach example: NYP & CU
• New York Presbyterian & Columbia University hospitals
• 6800 patients' PHI searchable via internet.
• Physician attempted to deactivate a personally-owned computer server on the network.
• Lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.
• 4.8M fine, largest ever to date.

Breach example: Phoenix Cardiac Surgery
• Posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible
• 2012
• 100K fine
Breach example: Arkansas nurse
• AR nurse shared PHI w spouse, who called patient & threatened legal use of PHI. 2006
• Fired
• Convicted: 14 months probation and 100 hours community service
• Criminal charges carried maximum penalties of 10 years jail, 250K fine or both.

Risk Assessment
• The assessment and mitigation of risk is a TOP priority item in HIPAA compliance.
• It's an ethical issue as well.
• HIPAA technically only requires ePHI to be included in the Risk Assessment, but I strongly recommend including all PHI.
Risk Assessment: Step 1
Where is PHI stored, created, or transmitted?
o Laptop
o Cell phone
o Faxing
o Email
o paper files
o printer's hard drive
o deleted computer files
o desk or file cabinet

Risk Assessment: Step 2
• What could possibly go wrong?
• What is the likelihood of that happening?
• What size mess would it cause?
• Document.
Risk Assessment: Step 3
• Make a plan to address identified risks.
• Prioritize those that are High Risk and/or High Impact
• Document

Crowd-Sourced Brilliance (DIY Risk Assessment*)
• Brainstorm problems that might be included in a risk assessment for your division. See next slide.
• For each problem, propose potential procedural or security solutions.
*Not the real thing.
Location               | Problem | Likelihood | Impact | Mitigation
-----------------------|---------|------------|--------|-----------
Personal cell phone    |         |            |        |
Driving files to court |         |            |        |
Fax machine            |         |            |        |
Etc, etc, etc          |         |            |        |

Thank you!
Katie Malinski, LCSW, www.HIPAAforTherapists.com