Upload: tyler-charles

Post on 29-Dec-2015

Compliance Education

Tulane University (For Staff assigned to TUMG HIPAA Clinics ONLY)

HIPAA & HITECH

HIPAA – The Health Insurance Portability & Accountability Act was passed by the U.S. Congress in 1996. Its provisions were phased in over several years.

HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) was effective April 14, 2003. It set the standards for how covered entities and business associates are to maintain the privacy of PHI. It states that a covered entity is not allowed to use or disclose PHI without permission from the individual, except as the law allows. The Privacy Rule applies to PHI in all formats. The Administrative Simplification provision of HIPAA (standardization of electronic data interchange in health care transactions) was effective October 2003.

HIPAA Security – Protection for the security of electronic Protected Health Information (ePHI) was effective April 20, 2005. It defines the standards which require covered entities to implement basic safeguards to protect ePHI that is created, received, used or maintained by a covered entity.

HITECH is part of the “American Recovery and Reinvestment Act” of 2009. It allocated $20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates, imposed a nationwide security breach notification law, and increased penalties and enforcement. Like HIPAA, its various procedures will be phased in over several years.

HITECH-Breach Notification Provisions

The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media in the event of a breach of unsecured protected health information.

– The law applies to the Tulane Health Care Component, which consists of the Tulane University Medical Group (“TUMG”), its participating physicians and clinicians, and all Tulane University employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of TUMG to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to TUMG, and would constitute a “business associate” of TUMG if separately incorporated.

– A business associate is a person or entity that performs certain functions or services for or to TUMG involving the use and/or disclosure of PHI, but the person or entity is not part of TUMG or its workforce (examples include law firms, transcription services and record copying companies).

HITECH-Breach Notification Provisions

Law applies to breaches of “unsecured protected health information”

– Protected Health Information (PHI) is information that:
  – Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual.
  – Is transmitted or maintained in any form (electronic, paper, or oral representation).
  – Identifies, or can be used to identify, the individual.

Examples of PHI include:

– Health information with identifiers, such as name, address, name of employer, telephone number, or SSN

– Medical records including medical record number, x-rays, lab or test results, prescriptions or charts

– Unsecured: information must be encrypted or destroyed in order to be considered “secured”

HITECH-Breach Notification Obligations

If a breach has occurred, Tulane will be responsible for providing notice to

– The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery—a breach is considered discovered when the incident becomes known not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)

– Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)

– Media (only required if 500 or more individuals of any one state are affected)

Decision Tree for Breach Notification

1. Is the information PHI?
– No: No notification; determine if Red Flag Rules or state breach notification laws apply.
– Yes: go to 2.

2. Is the PHI unsecured?
– No: No notification.
– Yes: go to 3.

3. Is there an impermissible acquisition, access, use or disclosure of PHI?
– No: No notification; determine if accounting and mitigation obligations under HIPAA apply.
– Yes: go to 4.

4. Does the impermissible acquisition, access, use or disclosure compromise the security or privacy of the PHI?
– No: No notification; determine if accounting and mitigation obligations under HIPAA apply.
– Yes: go to 5.

5. Does an exception apply?
– Yes: No notification; determine if accounting and mitigation obligations under HIPAA apply.
– No: Notification required; determine methods for notification for affected individuals, the Secretary of HHS and, if necessary, media.

HITECH-Reporting Breaches

Breaches of unsecured PHI (can include information in any form or medium, including electronic, paper, or oral form) or of any of Tulane’s HIPAA policies and procedures must be reported to the Privacy Official at 504-988-7739 or the Office of the General Counsel immediately.

Tulane’s policy (GC-026) states: “Any member of the Health Care Component who knows, believes, or suspects that a breach of protected health information has occurred, must report the breach to the Privacy Official or the Office of the General Counsel immediately.”

If a breach is reported, the incident will be thoroughly investigated. The Tulane University Covered Entity is required to attempt to remedy the harmful effects of a breach, including providing notification to affected individuals.

Disciplinary Actions

Internal Disciplinary Actions – Individuals who breach the policies will be subject to appropriate discipline under policy GC-009.

Minimum Privacy Violation Action (Level & Definition of Violation / Examples / Action)

Accidental and/or due to lack of proper education.
– Examples: improper disposal of PHI; improper protection of PHI (leaving records on counters, leaving documents in inappropriate areas); not properly verifying individuals.
– Action: re-training and re-evaluation; oral warning with documented discussion of policy, procedures, and requirements.

Purposeful violation of privacy or an unacceptable number of previous violations.
– Examples: accessing or using PHI without having a legitimate need; not forwarding appropriate information or requests to the Privacy Official for processing.
– Action: re-training and re-evaluation; written warning with discussion of policy, procedures, and requirements.

Purposeful violation of privacy policy with associated potential for patient harm.
– Examples: disclosure of PHI to an unauthorized individual or company; sale of PHI to any source; any use or disclosure that could cause harm to a patient.
– Action: termination.

Disciplinary Actions

Civil Penalties – Covered entities and individuals who violate these standards will be subject to civil liability.

Tiered Civil Penalties (Circumstance of Violation / Minimum Penalty / Maximum Penalty)

– Entity did not know (even with reasonable diligence): minimum $100 per violation ($25,000 per year for violating the same requirement); maximum $50,000 per violation ($1.5 million annually).

– Reasonable cause, not willful neglect: minimum $1,000 per violation ($100,000 per year); maximum $50,000 per violation ($1.5 million annually).

– Willful neglect, but corrected within 30 days: minimum $10,000 per violation ($250,000 per year); maximum $50,000 per violation ($1.5 million annually).

– Willful neglect, not corrected: minimum $50,000 per violation ($1.5 million annually); maximum: none.

Disciplinary Actions

An employee who does not report a breach in accordance with the policies and procedures could lose his or her job.

Employee Obligations

Do not disclose PHI without patient authorization. If you have questions about whether a disclosure is permitted, ask your supervisor.

If you think there has been an unauthorized disclosure of PHI, contact the Security or Privacy Official or the Office of the General Counsel immediately.

When removing PHI from Tulane (e.g., a physician taking medical records off site or carrying them on a laptop), act in accordance with Tulane’s security measures.

Review

Review of HIPAA Policies & Procedures that were revised in 2010

Patient Access to Protected Health Information Fees – GC-008

Policy Revised November 2010

Copies – 0.25¢ per page and a handling fee of $10.00

A fee of $25.00 will be charged for an expedited request.

A fee of $25.00 will be charged to prepare a summary of the information.

A fee of $25.00 will be charged to prepare an explanation of the information.

Patient Access to Protected Health Information – GC-008 continued

If a patient requesting copies of the record is unable to pay because the cost would constitute a hardship, the TUMG Financial Hardship form must be completed and become part of the patient’s record.

If any of the TUMG clinics have a third party vendor handling the copying of records then this policy is not applicable for the vendor.

Authorization for Release of Protected Health Information – GC-010

Policy revised August 2010

An additional authorization was added to this policy.

The form is specifically “to use / disclose protected health information for marketing, public relations, and external communications.”

HIPAA Security Policies

Protecting Data in Copiers & Multifunction Devices

Copiers, faxes, and/or scanners

1. Purchasing / leasing: If you are in the process of purchasing, leasing or renting a copier, fax, and/or scanner, please ask your supplier or vendor about the security options now offered by most manufacturers that regularly clear the memory of these devices and encrypt their hard drives so that privacy breaches can be prevented.

Protecting Data in Copiers & Multifunction Devices continued

Copiers, faxes, and/or scanners

2. Existing Equipment: If you are currently in the middle of a product’s life, TS recommends you carefully follow this guide.

– Determine if the device has a hard disk drive: consult the device manual, if available; contact your service rep; it may also be possible to look this up online by model on the vendor web site.

– If it does have a hard disk drive, you must ensure the data stored on the device does not leave our control.

Protecting Data in Copiers & Multifunction Devices continued

3. Disposing of, transferring, or retiring old equipment:

• Since it has become public knowledge that copiers/multifunction office devices may contain sensitive personal information, their disposal must be handled carefully. The university already has the following existing resources related to the disposal of hard drives and the secure removal of data, which should be applied to this type of equipment:

• HIPAA Disposal Policy– http://www.tulane.edu/~hipaa/TS30Disposal_Policy.pdf

• Computer Recycling– http://recycle.tulane.edu/recycle-news.html

Protecting Data in Copiers & Multifunction Devices continued

Each link below contains the particular manufacturer’s documentation for how to wipe the hard drive of a printing device. Some manufacturers provide a feature whereby the printer will continuously or periodically wipe its hard drive. You should enable this feature where available.

– Xerox Devices: http://www.xerox.com/information-security/product-security/enus.html

– Ricoh Devices: http://www.ricoh.com/about/security/product/index.html

– HP Devices: http://www.hp.com/large/solutions/hp-disk-erase-white-paper.pdf

– Lexmark Multi-function Printer security features: http://www1.lexmark.com/documents/en_us/CIP_Piece_POD.pdf

– Canon imageRUNNER Devices: http://www.usa.canon.com/CUSA/assets/app/pdf/ISG_Security/brochure__ir_hard_disk_drive_security_kit_061009.pdf

For more information on best practices, see:

– http://www.prlog.org/10640424-how-to-protect-your-photocopier-hard-drive

– http://www.dataerasure.com/printer_hard_drive.php

HIPAA Security Phishing

WARNING: Always be vigilant for email scams that could result in theft of Protected Health Information (PHI).

A common, recent variation on the scam is an email that:

1. Requires you to verify a user name and/or password, or

2. Links you to a site pretending to be one you know and requires you to enter your user name and/or password.

Tulane is particularly concerned with a current scam that tries to trick you into revealing your Tulane email user name and password, so that the sender can read all of your emails and either steal PHI that is contained in your email or use your codes to enter other password-protected accounts that you maintain for PHI.

HIPAA Security Phishing continued

What you should do: First, be careful following links in emails – you may be able to verify a link’s true destination by reading the web address carefully. If you are uncertain, leave the email and reach the desired web site by using Google or another search engine to find its true home page.

Second, never provide confidential information to someone who initiates a contact with you. In this case, never respond to an email that directly or indirectly requires you to provide, verify or enter your Tulane email user name and password.

Finally, if you think you may have been compromised in this way, take immediate steps to change your Tulane password; then contact the University’s 24/7 Technology Help Desk and send an email to [email protected]
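The advice above to read a link’s web address carefully can be turned into a mechanical check. The following Python script is an added example and is not part of the Tulane training material. It assumes a small allow-list of expected domains (TRUSTED_DOMAINS, an assumption for this example) and uses constructed sample links. For each link it reports why the address deserves suspicion: a trusted name buried inside a subdomain of some other domain, an address whose real host sits after an “@”, a non-web scheme, or visible text that names a different site than the actual destination.

```python
"""
Added example (not from the Tulane training material): inspect the address
behind an email link and explain why it may not point where it appears to.
All sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Domains the reader expects to be legitimate. Assumption for this example;
# a real deployment would keep its own list.
TRUSTED_DOMAINS = {"tulane.edu"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname: 'mail.tulane.edu' -> 'tulane.edu'.

    Simplification: multi-part public suffixes such as 'co.uk' are not handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def hostname_from_text(text: str) -> str:
    """Extract a hostname only if the visible link text itself looks like a web address."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname or ""


def assess_link(visible_text: str, href: str) -> dict:
    """Classify one (visible text, href) pair taken from an email.

    Returns the true hostname, its registrable domain, and a list of reasons
    for suspicion; an empty list means the link looks consistent.
    """
    parts = urlsplit(href.strip())
    reasons = []
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    if not host:
        reasons.append("no hostname in address")
        return {"host": "", "domain": "", "reasons": reasons}

    # 'https://tulane.edu@other.example/' places a trusted name in the
    # user-name part; the browser actually connects to the host after '@'.
    if parts.username is not None:
        reasons.append(f"address has a user name before '@'; the real host is '{host}'")

    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"true destination '{host}' is not a trusted domain")

    # Visible text that reads like a URL but names a different site.
    shown_host = hostname_from_text(visible_text)
    if shown_host and registrable_domain(shown_host) != domain:
        reasons.append(f"visible text shows '{shown_host}' but the link goes to '{host}'")

    return {"host": host, "domain": domain, "reasons": reasons}


def scan_links(links):
    """Return only the (text, href, reasons) triples that raised at least one reason."""
    flagged = []
    for text, href in links:
        result = assess_link(text, href)
        if result["reasons"]:
            flagged.append((text, href, result["reasons"]))
    return flagged


# Constructed sample links, as they might appear in a phishing email.
SAMPLE_LINKS = [
    ("Tulane home page", "https://www.tulane.edu/"),
    ("Verify your mailbox", "https://tulane.edu.webmail-verify.example/"),
    ("https://tulane.edu/", "https://tulane.edu@login.example/"),
    ("Reset password", "http://198.51.100.7/reset"),
]

if __name__ == "__main__":
    for text, href, reasons in scan_links(SAMPLE_LINKS):
        print(f"[{text}] -> {href}")
        for reason in reasons:
            print(f"    - {reason}")
```

The script is meant for training and triage, not as a mail filter: it only looks at the parsed address, so a link to an untrusted domain is reported even when the domain is harmless, and the reader still decides. Running it on the constructed sample flags three of the four links and explains each one in the terms used in the training above.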

Resources

HIPAA Security Official

Hunter Ely (504) 988-8566

HIPAA Privacy Official

Glenda Folse (504) 988-7739