HIPAA IS HEATING UP!!

CAN YOU GUESS THE CELEBRITY???

HIPAA GONE BAD?

This patient’s hospital was fined for doing the right thing- despite reporting the privacy breach and taking immediate disciplinary action.

This patient’s hospital is one of few that has sophisticated monitoring technology in place to detect privacy violations.

BUSTED FOR SNOOPING• 218-bed facility• 2 fired• 13 resigned instead of facing

termination• another 8 disciplined• Despite privacy training-

personnel still snooped• Under new rules, states now have

the authority to make examples of workers and hospital itself.

Multiple employees snooped into this record Multiple violations Multiple penalties 80 tiny fingers- 80 tiny toes Famous for being Miracle Mom

LOS ANGELES, California (CNN) -- The hospital where a California woman gave birth to octuplets in January has been fined $250,000 by the state because nearly two dozen medical workers, including doctors, illegally viewed her medical records, according to state health officials.

The California Department of Public Health on July 16 issued an "administrative penalty" of $187,500 after determining that KP Bellflower failed to prevent unauthorized access to the family's confidential patient medical information.

CNN NEWS: “24 EMPLOYEES WERE INVESTIGATED FOR VIOLATIONS OF HEALTH CARE PRIVACY LAW - HIPAA

I KNOW THAT 100% PREVENTION OF THESE TYPE OF VIOLATIONS IS IMPOSSIBLE.  NURSES NEED ACCESS TO PATIENT RECORDS.  SETTING ACCESS RIGHTS ON PATIENT INFORMATION TOO TIGHT COULD COST HUMAN LIVES.  WHAT IF AT THE CRUCIAL MOMENT IN PATIENT'S TREATMENT, A NURSE IS DENIED ACCESS TO A PATIENT FILE?  THEREFORE, WHERE YOU CANNOT 100% PREVENT ACCESS TO INFORMATION, YOU MUST MONITOR ACCESS TO INFORMATION.  AND IF THOSE PEOPLE ABUSE THEIR ACCESS PRIVILEGES, YOU DISCIPLINE THEM. 

A complete basketball buff, he played with the Kentucky Basketball Team way back in 1979.

Vogue magazine has had only two men on their cover- this guy was one of them!

Not only is he one of Hollywood’s greatest stars, but he also has a large heart. He offer $1 million towards hurricane relief. Further, he donated his Oscar gifts to raise money for Hurricane Katrina victims. Incidentally, one gift included a Tahitian pearl necklace!

Hollywood calls him ‘Gorgeous George’. Dr. Doug Ross

40 Palisades Medical Center employees were investigated – and more than two dozen suspended without pay – for allegedly leaking Clooney's and girlfriend Sarah Larson's private medical records to the media.

She auditioned to play Allie Nelson in The Notebook, but lost the part to Rachel McAdams.

At age seven she won $50,000 in a singing contest. She is from Kentwood Louisiana She has one Grammy award (won in 2005) and has

six nominations: two nominations each in the 2000, 2001 and 2003 ceremonies. She also has had a total of 16 MTV Video Music Award nominations.

She spent time in rehab- now back on tour- and not with the Ringling Brothers

Biggest Influence: Madonna Birth Date: December 2, 1982 This mother of 2 shaved her head- and went to

rehab

CIRCUS TOUR UNFORTUNATE CUT

CAN YOU GUESS THIS ONE?

Best selling poster girl – of all time Red swimsuit Best known for her role in 1970’s television series Lost her battle with cancer this year Perhaps the enactment of _________Law,

legislation making it illegal for medical staff, or others who may have access, to leak private medical  information to the media, whether they are paid for that information or not, will be something good to come out of the anguish she has had to endure.

“FORMER MEDICAL CENTER EMPLOYEE HAS BEEN INDICTED FOR SNOOPING IN THE MEDICAL RECORDS OF THE STAR AND SELLING THE INFORMATION TO TABLOIDS”

1947-2009

"It is my personal belief that what Lawanda Jackson is most guilty of is being a pawn," Fawcett wrote. "She worked in a hospital system that did not provide strong enough deterrents to stop their employees from breaching their patient's medical records -- which made it all the easier for the tabloids to financially induce ... her to invade my privacy as well as the privacy of others."

Hospital Leak Goes Deeper Than FarrahAOLFiled Under: TV News(June 9) - In early April, an employee from the UCLA Medical Center was indicted after selling several celebrities' medical records, including Farrah Fawcett's, to the National Enquirer. But the leaking of information to tabloids may have started long before.

NEW SHERIFF IN TOWN. . . . .

WASHINGTON – HHS has delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights.

The OCR's administration and enforcement of the security rule, which had previously been delegated to the Centers for Medicare and Medicaid Services, will eliminate duplication and improve the department's efforts to ensure that health information privacy is protected.

STIMULUS BILL AMENDSHIPAA

Included as part of the federal stimulus bill known as the American Recovery and Reinvestment Act of 2009 (“ARRA”) is Title XIII, the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.”

The HITECH Act contains a sweeping expansion of HIPAA privacy and security regulations. These changes will affect more businesses in more ways than ever before.

BU

SIN

ESS A

SSO

CIA

TES

….an individual or corporate "person" that: performs on behalf of the SMC any function or activity involving the use or disclosure of PHI.

Pre-ARRA Rule: BAs were not directly subject to the HIPAA

Privacy and Security Rules. Rather, their duties arose out of their BA Agreements.

Revise BAAs to incorporate expanded Privacy and Security Rule obligations. Civil and criminal penalties now apply

directly to BAs.

BREACH NOTIFICATION

Notice Required to Individuals:Within 60 days of discovery of a breach, the

Privacy Officer must provide notice via first class mail

“Breach” generally is the unauthorizedacquisition, access, use or disclosure of PHI

thatcompromises the Privacy or Security of thatinformation, excluding certain unintentional orinadvertent disclosures.

Pre-ARRA Rule: No affirmative obligation to notify individuals or HHS of a breach of Privacy or Security Rules. Rather, SMC’S obligation to mitigate any harm caused by a breach.

Notice to HHS & local media! Sept. 2009In any case in which 500 or more persons are

affected by a breach, the covered entity must provide notice to major local media outlets

GREATER ENFORCEMENT!ADDITIONAL ENFORCEMENT POWER RELATED TO

VIOLATIONS OF PRIVACY & SECURITY RULES*LAWS NOW REQUIRE HHS TO CONDUCT AUDITS

Health Information Technology American Recovery and Reinvestment Act (Recovery Act) Implementation Plan Office of the National Coordinator for Health Information Technology

Funding Table Total Appropriated (Dollars in Millions)

Privacy and Security* $ 24.285

National Institute of Standards and Technology (NIST) 20.000

Regional HIT Exchange 300.000

Unspecified 1,655.715

Total, Health Information Technology $ 2,000.000

*Note: This dollar figure, $24,285,000, includes an estimated $9.5 million for audits by the Office for Civil Rights and the Centers for Medicare & Medicaid Services.

Minimum per Violation Annual Maximum

Minimum Penalties“Did not know” Tier A $100

“Reasonable cause” Tier B $1,000

“Willful neglect” Tier C $10,000

“Uncorrected violation” Tier D $50,000

Maximum Penalties

Tier A $25,000

Tier B $100,000

Tier C $250,000

Tier D $1,500,000

HHS is required to distribute portions of the collected penalties to personsFINANCIAL INCENTIVE!!!

ARRA: PROVISIONS CHANGES DUE

August 2009: Breach notification provisions and PHI breach notification

February 2010: Business Associates and Marketing

August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs.

January 2011: Accounting for Disclosures

February 2011: Enforcement for ‘willful neglect’

MEDICAL IDENTITY THEFT IS THE FASTEST-GROWING THEFT IN AMERICA

SMC HAS IMPLEMENT A WRITTEN IDENTITY THEFT PREVENTION PROGRAM TO DETECT, PREVENT, AND MITIGATE IDENTITY THEFT

2 TYPES OF THEFT

IDENTITY MEDICAL

BOTH TYPES HARM YOU IN DIFFERENT WAYS

IDENTITY: IS A HASSLE & CAN HURT FINANCIALLY

MEDICAL: CAN KILL

INACCURATE INFORMATION CAN CAUSE AN UNWARRANTED ADVERSE ACTION

What if a patient were given a medication that reacted with a serious blood disorder because a thief’s diagnosis and treatment had intermingled with the real patient’s record, that stated - no allergies?

To detect identity thieves using personal

information at your institution Preventing medical identity theft can

save patients’ lives.

FTC’S RED FLAG RULES

Warning from consumer reporting agencies Suspicious documents Suspicious personal information Inconsistent with external information

sources Documents provided for identification appear

to be altered Fraud or active duty alert included in

consumer report

PROVIDERS AND PLANSHealthcare providers such as SMC along with health

plans may become secondary victims

Providers may unknowingly submit incorrect precertification or claims and accompanying health information to health plans to justify treatment or payment for the health service rendered

A provider may be forced to write off expenses related to the medical identity theft

Hidden expenses incur in employees rescinding claims and working numerous hours with the victim to correct and mitigate further risk