privacy and security training session! draft v.12 4/8/15

Privacy and Security Training Session! Draft v.12 4/8/15

This HIPAA Privacy & Security Training Session Copyright by the HIPAA Collaborative of Wisconsin (HIPAA COW) may be freely redistributed in its entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This HIPAA Privacy & Security Training Session is provided as is without any express or implied warranty. It is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this HIPAA Privacy & Security Training Session. Therefore, this document may need to be modified in order to comply with Wisconsin/State law. This document is not a complete summary covering every aspect of the Privacy and Security Rules. You may need to modify content to suit your organizations policies and procedures. Slides are provided for informational purposes only. It is recommended to select only those slides or groups of slides that are relevant to your training purposes. This Training Session is not meant to be presented as is, but as a starting point or idea generator only. Copyright HIPAA COW2

1. What is HIPAA? 2. Why is HIPAA Important? 3. HIPAA Definitions 4. HIPAA Enforcement 5. Patient Rights 6. HIPAA Privacy Requirements 7. The Breach Notification Rule 8. Release of Information (ROI) 9. HIPAA Security Rule 10. PHI Safeguarding Tips 11. Business Associate Agreements 12. HIPAA Violations and Complaints 13. Discussion Slides Copyright HIPAA COW3

Privacy Officer: [Insert Name and contact information] Security Officer: [Insert Name and contact information] Compliance Committee Members: [Insert Names and contact information] Copyright HIPAA COW4

Acronym for Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164). Provides a framework for establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information. Copyright HIPAA COW6

Each part of HIPAA is governed by different laws Health Information Privacy and Portability Act of 1996 1 Privacy Rule 2 Security Rule 3 Electronic Data Exchange Copyright HIPAA COW7

Privacy Rule went into effect April 14, 2003. Privacy refers to protection of an individuals health care data. Defines how patient information used and disclosed. Gives patients privacy rights and more control over their own health information. Outlines ways to safeguard Protected Health Information (PHI). Note: Some Wisconsin Privacy Laws (e.g. WI Chapters 51, 146, 252 and DHS 92, are more stringent than HIPAA Privacy Rule Copyright HIPAA COW8

Security (IT) regulations went into effect April 21, 2005. Security means controlling: Confidentiality of electronic protected health information (ePHI). Storage of electronic protected health information (ePHI) Access into electronic information Copyright HIPAA COW9

Defines transfer format of electronic information between providers and payers to carry out financial or administrative activities related to health care. Information includes coding, billing and insurance verification. Goal of using the same formats is to ultimately make billing process more efficient. Copyright HIPAA COW10

To show our commitment to protecting privacy As an employee, you are obligated to comply with [Insert Your Organization Name] privacy and security policies and procedures Our patients/members are placing their trust in us to preserve the privacy of their most sensitive and personal information Compliance is not an option, it is required. If you choose not to follow the rules: You could be put at risk, including personal penalties and sanctions You could put [insert organization name] at risk, including financial and reputational harm Copyright HIPAA COW11

HIPAA Regulations require we protect our patients PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media: Verbal Discussions (i.e. in person or on the phone) Written on paper (i.e. chart, progress notes, encounter forms, prescriptions, x-ray orders, referral forms and explanation of benefit (EOBs) forms Computer Applications and Systems (i.e. electronic health record (EHR), Practice Management, Lab and X-Ray Computer Hardware/Equipment (i.e. PCs, laptops, PDAs, pagers, fax machines, servers and cell phones Copyright HIPAA COW12

Section II Why is HIPAA Important? Copyright HIPAA COW13

Outlines ways to prevent accidental and intentional misuse of PHI. Makes PHI secure with minimal impact to staff and business processes. Its not just about HIPAA its about doing the right thing! Shows our commitment to managing electronic protected health information (ePHI) with the same care and respect as we expect of our own private information Copyright HIPAA COW14

It is everyones responsibility to take the confidentiality of patient information seriously. Anytime you come in contact with patient information or any PHI that is written, spoken or electronically stored, YOU become involved with some facet of the privacy and security regulations. The law requires us to train you. To ensure your understanding of the Privacy and Security Rules as they relate to your job. Copyright HIPAA COW15

HIPAA Definitions

Protected Health Information (PHI) is individually identifiable health information that is: Created or received by a health care provider, health plan, employer, or health care clearinghouse and that Relates to the past, present, or future physical or mental health or condition of an individual; Relates to the provision of health care to an individual The past, present or future payment for the provision of health care to an individual. What is Protected Health Information (PHI)? Copyright HIPAA COW17

Information in the health record, such as: Encounter/visit documentation Lab results Appointment dates/times Invoices Radiology films and reports History and physicals (H&Ps) Patient Identifiers HIPAA Definitions Copyright HIPAA COW18 LabPhysicalX-Ray

PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. HIPAA Definitions What are Patient Identifiers? Copyright HIPAA COW19

Names Medical Record Numbers Social Security Numbers Account Numbers License/Certification numbers Vehicle Identifiers/Serial numbers/License plate numbers Internet protocol addresses Health plan numbers Full face photographic images and any comparable images Web universal resource locaters (URLs) Any dates related to any individual (date of birth) Telephone numbers Fax numbers Email addresses Biometric identifiers including finger and voice prints Any other unique identifying number, characteristic or code HIPAA Definitions Copyright HIPAA COW20

Uses When we review or use PHI internally (i.e. audits, training, customer service, or quality improvement). What Are Uses and Disclosures? Disclosures: When we release or provide PHI to someone (i.e. attorney, patient or faxing records to another provider). Copyright HIPAA COW21

To use or disclose/release only the minimum necessary to accomplish intended purposes of the use, disclosure, or request. Requests from employees at [Organization]: Identify each workforce member who needs to access PHI. Limit the PHI provided on a need-to-know basis. Requests from individuals not employed at [Organization]: Limit the PHI provided to what is needed to accomplish the purpose for which the request was made. What is Minimum Necessary? Copyright HIPAA COW22

HIPAA allows Use and/or Disclosure of PHI for purpose of: Treatment providing care to patients. Payment the provision of benefits and premium payment. Health Care Operations normal business activities (i.e. reporting, quality improvement, training, auditing, customer service and resolution of grievances data collection and eligibility checks and accreditation). HIPAA Definitions Copyright HIPAA COW23

HIPAA Enforcement

Its the law. To protect our reputation. To avoid potential withholding of federal Medicaid and Medicare funds. To build trust between providers and patients. If patients feel their PHI will be kept confidential, they will be more likely to share information needed for care. [p Copyright HIPAA COW25

Federal Government protects PHI through HIPAA regulations Civil penalties up to $1,500,000/year for identical types of violations. Willful neglect violations are mandatory! Criminal penalties: $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing information. $100,000 fine and 5 years prison for obtaining and disclosing through false pretenses. $250,000 fine and 10 years prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm. Our organization, through the Notice of Privacy Practices (NPP). You, by following our policies and procedures. Copyright HIPAA COW26 Government Organization You

The Public. The public is educated about their privacy rights and will not tolerate violations! They will take action. Office For Civil Rights (OCR). The agency that enforces the privacy regulations providing guidance and monitoring compliance. Department of Justice (DOJ). Agency involved in criminal privacy violations. Provides fines, penalties and imprisonment to offenders. How are the HIPAA Regulations Enforced? Copyright HIPAA COW27 Department of Justice Office for Civil Rights Public HIPAA Enforcement

Patient Rights

The Right to Individual Privacy The Right to Expect Health Care Providers Will Protect These Rights What Are the Patients Rights Under HIPAA? Other Patient Rights Include: Access, Communications, Special Requests, Amendment, Accounting of Disclosures, Notice of Privacy Practices and Reminders, and the Right to File Complaints. Copyright HIPAA COW29

What is the purpose of the NPP? Summarizes how [Organization] uses and discloses patients PHI. Details patients rights with respect to their PHI The Organization must request that new patients sign the NPP acknowledgment form at the time of their first visit. Patients sign the Acknowledgment of Receipt to confirm that they have been offered and/or received the NPP. If unable to obtain a signed Acknowledgement, the Organization must document its good faith efforts to obtain such acknowledgement and the reason why it could not obtain it. Copyright HIPAA COW30

Patients have the right to inspect and copy their PHI. However, there are some situations where access may be denied or delayed: Psychotherapy notes. PHI compiled for civil, criminal or administrative action or proceedings. PHI subject to CLIA Act of 1988 when access prohibited by law. If access would endanger a persons life or safety based upon professional judgment. If a correctional inmates request may jeopardize health and safety of the inmate, other inmates or others at the correctional institution. If a research study has previously secured agreement from the individual to deny access. If access is protected by the Federal Privacy Act. If PHI was obtained under promise of confidentiality and access would reveal the source of the PHI. Copyright HIPAA COW31

Patient has the right to request to receive communication by alternative means or location. For example: The patient may request a bill be sent directly to him instead of to his insurance company. The patient may request we contact her on cell phone instead of home telephone number. Copyright HIPAA COW32

Example: If a patient requests that we always call a family member instead of her directly, what are some options: Your organization may have specific form to complete Your organization may have a policy to refer such requests to Patient Relations or another customer service department Usually, organization will have a process in place to document the patients wishes in his/her medical record Copyright HIPAA COW33

Patient has the right to request an amendment or correction to PHI However, may be a situation when request may be denied, including: [Organization] did not create the information. Record accurate according to health care professional that wrote it. Information is not part of the [Organizations] record. If a patient indicates there is an error in his/her record, what are some options: Your organization may have a specific form to be completed Your organization may have process in place to direct requests to Member Relations or another customer service department Usually, an approved amendment will be directed to the Health Information Management Department or Privacy Officer Copyright HIPAA COW34

Record Restriction may be requested by the patient if he/she wishes to change or restrict how your organization uses and discloses your PHI. Organization must honor request to restrict disclosure to a health plan: If the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and The PHI pertains to items and services paid by the patient or patient representative in-full. For all other requests for restrictions, organization must make reasonable effort to honor request, but approval is not required Organization typically has a form to complete to request the restriction Patient may later revoke a request for record restriction. Copyright HIPAA COW35

Accounting of Disclosures is a request for a list of disclosures of a patients PHI that did not require an authorization or the opportunity for the patient to agree or object. Organization typically has a form to complete to request the accounting The HIPAA rules require the organization to provide certain information about the disclosure, such as date, name of person who received the PHI, a description of the PHI and the purpose of the disclosure. Individual may request accounting of disclosures as far back as six years before the time of the request. Organization must provide the first accounting without charge. Subsequent requests for accountings by the same individual within a 12 month period may be charged a reasonable, cost-based fee, as long as the organization provides notice to the individual. Copyright HIPAA COW36

Accounting of Disclosures Does Not Include Disclosures For: Treatment (to persons involved in the individuals care), payment or health care operations. Individual subject of PHI. Incident to an otherwise permitted disclosure. Disclosure based on individuals signed authorization. For facility directory. For national security or intelligence purposes. To correctional facilities or law enforcement on behalf of inmates. As part of a limited data set (see 45 CFR s. 164.514). Copyright HIPAA COW37

Required by law For public health activities Victims of abuse, neglect, violence Health oversight activities Judicial/Administrative proceedings Law enforcement purposes Organ/eye/tissue donations Research purposes To avert threat to health and safety For specialized government functions About decedents Workers compensation Releases made in error to an incorrect person/entity (i.e. breach) Accounting of Disclosures Does Include Disclosures For: Copyright HIPAA COW38

HIPAA Privacy Requirements

Privacy Officer Responsibilities Development and implementation of the policies and procedures of the entity Designated to receive and address complaints regarding Privacy Provide additional information as requested about matters covered by the Notice of Privacy Practices Designation of the Privacy Officer must be documented Copyright HIPAA COW40

Members of the workforce who handle PHI require training Required upon hire and recommended annually As material changes are implemented, training to appropriate workforce members affected by that change Documentation of the training, who attended, the topic covered and date the training was held Copyright HIPAA COW41

Implementation of administrative, physical and technical safeguards (work in tandem with Security rule). Safeguard PHI from any intentional or unintentional use or disclosure. Limit incidental uses and disclosures that occur as a result of otherwise permitted or required uses and disclosures. Example: create safeguards to prevent others from overhearing PHI. Copyright HIPAA COW42

Individuals may file complaints with [Organizations] Privacy Official regarding health information privacy violations or [Organizations] privacy compliance program. Individuals may file complaints with the Department of Health and Human Services Office of Civil Rights. Copyright HIPAA COW43

Develop and apply appropriate sanctions for the non- compliance with [Organizations] policies and procedures. Document sanctions that are applied. NOTE: Sanctions can be referred to as discipline or corrective action. Copyright HIPAA COW44

[Organization] must mitigate, to the extent practicable, any harmful effects known to the [Organization] of a use or disclosure of PHI (by the Covered Entity or Business Associate) in violation of the [Organizations] policies and procedures or the requirements of the Privacy Rule. Copyright HIPAA COW45

[Organization] may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against: Individuals for exercising their rights or filing a complaint; Individuals and others for: Filing a complaint with the Secretary; Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or Good faith opposition to a prohibited act or practice Copyright HIPAA COW46

[Organization] cannot require an individual to waive their rights provided under this rule for the purpose of providing treatment, payment or enrollment in a health plan or eligibility for benefits. Copyright HIPAA COW47

[Organization] must implement policies and procedures designed to comply with the Breach and Privacy Rules. [Organization ] must change policies and procedures as necessary and appropriate to comply with changes in the law and maintain consistency between policies, procedures and the Notice of Privacy Practices. [Organization] must document all changes made to policies and procedures and maintain all policies for 6 years. [Organization] must train employees on changes made to policies and procedures. Copyright HIPAA COW48

[Organization] must maintain all documentation for 6 years from the date of its creation, including: Policies and procedures in written or electronic form; Communications in written or electronic form when such communications are required in writing; Written or electronic records of actions, activities, or designations as required. Copyright HIPAA COW49 EventInvestigationResolution Corrective Action Documentation

Access Using Taking Possession Release Editing Destruction The following activities occurring in the absence of patient authorization are considered misuse of protected health information (PHI): Copyright HIPAA COW50 No! You must have authorization first!f!

Type I -- Inadvertent or Unintentional Disclosure Inadvertent, unintentional or negligent act which violates policy and which may or may not result in PHI being disclosed. Disciplinary action for a Type I disclosure will typically be a verbal warning, re-education, and review and signing of the Confidentiality Agreement. However, disciplinary action is determined with the collaboration of the Privacy Officer, Director of Human Resources and the department manager. Type II Intentional Disclosure Intentional act which violates the organizations policies pertaining to that PHI which may or may not result in actual harm to the patient or personal gain to the employee. Breach notification processes will be followed as described in the Breach Notification Policy. Copyright HIPAA COW51

Breach Notification Rule

Definition of Breach (45 C.F.R. 164.402) Impermissible use or disclosure of (unsecured) PHI is assumed to be a breach unless the covered entity or business associate, demonstrates a low probability that the PHI has been compromised based on a risk assessment. Copyright HIPAA COW53

Unsecured PHI Unsecured protected health information means protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology required by the Breach Notification Rule. Copyright HIPAA COW54

Risk Assessment under the Final Rule requires consideration of at least these four factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated Copyright HIPAA COW55

Evaluate the nature and the extent of the PHI involved, including types of identifiers and likelihood of re-identification of the PHI: Social security number, credit card, financial data (risk of identity theft or financial or other fraud) Clinical detail, diagnosis, treatment, medications Mental health, substance abuse, sexually transmitted diseases, pregnancy Copyright HIPAA COW56

Consider the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made: Does the unauthorized person who received the information have obligations to protect its privacy and security? Is that person workforce of a covered entity or a business associate? Does the unauthorized person who received the PHI have the wherewithal to re-identify it? Copyright HIPAA COW57

Consider whether the PHI was actually acquired or viewed or if only the opportunity existed for the information to be acquired or viewed Example: Laptop computer was stolen, later recovered and IT analysis shows that PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised The entity could determine the information was not actually acquired by an unauthorized individual, although opportunity existed Copyright HIPAA COW58

Consider the extent to which the risk to the PHI has been mitigated: Example: Obtain the recipients satisfactory assurance that information will not be further used or disclosed Confidentiality Agreement Destruction, if credible Reasonable Assurance Copyright HIPAA COW59

Evaluate the overall probability that the PHI has been compromised by considering all the factors in combination (and more, as needed) Risk assessments should be: Thorough Performed in good faith Conclusions should be reasonably based on the facts If evaluation of the factors fails to demonstrate low probability that the PHI has been compromised, breach notification is required Copyright HIPAA COW60

A covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure or protected health information without performing a risk assessment Copyright HIPAA COW61

Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals No breach notification required for PHI that is encrypted in accordance with the guidance Copyright HIPAA COW62

A breach is treated as discovered: On first day the breach is known to the covered entity, or In the exercise of reasonable diligence, it should have been known to the covered entity. Notification time period for a breach begins when the organization did or should have known it existed Copyright HIPAA COW 63

Fax Document to Wrong Location Hello, this is Pizza Plaza on Stark Street. Did you mean to fax me this lab result for Fred Flintstone? Enter Incorrect Medical Record Number I guess I was just typing too fast. Forgetting to Verify Patient Identity There were seven patients with the name Barney Rubble. I should have confirmed his date of birth. Copyright HIPAA COW64

Section VIII Release of Information Copyright HIPAA COW65

When releasing PHI, it is important to know when a patients authorization is required. Patient authorizations are governed by state and federal law. Copyright HIPAA COW66

I received a request to release PHI. What now? Is the individual's authorization required before [Organization Name] can release PHI? Under certain circumstances (e.g., treatment, payment, or health care operations), the individuals authorization is not required (more on this later). An authorization is required for disclosures of PHI not otherwise permitted by the Privacy Rule or more stringent state law. If so, has the authorization been filled out completely and correctly? Copyright HIPAA COW67

1. Individual's name 2. [Organization Name] (or a [Organization Name] employee or department) as the party authorized to make the disclosure 3. Name of the person, organization or agency to whom the disclosure is to be made 4. Purpose of the disclosure 5. Specific and meaningful description of the information to be disclosed A.Note: If the release includes sensitive information (e.g., alcohol or drug abuse treatment records, developmental disability records, HIV test results, reproductive health), these must be affirmatively specified by the individual 6. The individual's right to revoke the authorization and either the exceptions on the right to revoke and a description of how to revoke or a reference to [Organization Name]s Notice of Privacy Practices as appropriate 7. Statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits Copyright HIPAA COW68

8. Statement on the potential for re-disclosure 9. If the release will involve marketing remuneration to [Organization Name], a statement outlining this 10. If the authorization relates to Wisconsin Statute Chapter 51 treatment records, the authorization must include a statement that the individual has a right to inspect and receive a copy of the material to be disclosed 11. Expiration date or event 12. Time period during which the authorization is effective 13. Signature and date signed and A.If signed by a personal representative, a description of his/her authority to sign and relationship to individual must be provided 14. Must be written in plain language If any element is missing, the authorization is not valid. Also, a copy of the authorization must be provided to the individual. Copyright HIPAA COW69

Evaluating Authorizations: Should the access be denied? Has the access been denied? Is [Organization Name] providing only the information specified in the authorization? Is the authorization combined with another type of document to create an inappropriate compound authorization? In what form/format should the information be provided? How much time does [Organization Name] have to respond to the request? What fees can/should be applied? Note: If you are uncertain about any of these steps, ask [Organization]s Privacy Officer. Copyright HIPAA COW70

The patients Authorization to Release Information stated only the records from 2002 to 2006 should be sent to the attorney. The Release of Information (ROI) Technician didnt notice the limitation and sent documentation of a motor vehicle accident in 2010. She lost her court case and was fined $50,000. The patient later filed a complaint with the ROI Technicians employer and the Office for Civil Rights (OCR) and the ROI Technician was fired Copyright HIPAA COW71

Sometimes an authorization is not needed. Read on to learn more. Copyright HIPAA COW72

Uses and disclosures of PHI for (TPO): Treatment Payment Health Care Operations Disclosures required or permitted by law. If use of the information does not fall under one of these categories you must have the patients signed authorization (written permission) before sharing that information with anyone. Copyright HIPAA COW73

When Authorization IS Required: Use or disclosure of psychotherapy notes Except in limited circumstances, use and disclosure of PHI for marketing purposes When selling PHI When Authorization IS NOT Required: Disclosures to the individual Uses and disclosures for treatment by your physician Uses and disclosures for quality assurance activities Copyright HIPAA COW74

Wisconsin laws may require authorizations, even though HIPAA doesnt In 2014, Wisconsin passed the HIPAA Harmonization Law, at Wis. Stat. s. 146.816, which aligns Wisconsins confidentiality law with HIPAA for TPO uses and disclosures The next few slides summarize a few of the more commonly used Wisconsin confidentiality laws Copyright HIPAA COW75

StatuteSummary 146.82, Wis. Stat. Covers general medical health care PHI and authorization requirements 51.30, Wis. Stat. Covers PHI relating to mental health, AODA, and developmentally disabled treatment, authorization requirements, and penalties DHS 92 Adm. Code Further covers confidentiality of mental health treatment records (with 51.30) DHS 144, Adm. Code Covers release of immunizations between vaccine providers, and to schools specifically for minors Copyright HIPAA COW76

StatuteSummary 102.13 & 102.33 Wis. Stat. Covers records reasonably related to a workers compensation claim and release to the employee (patient), employer, workers compensation insurer, or Department with a written request 610.70 Wis. Stat. Covers disclosure of personal medical information by insurers 252.15, Wis. Stat. Covers health care information relating to HIV testing and authorization requirements Copyright HIPAA COW 77

StatuteSummary 42 CFR, Part 2 Federal Alcohol and Drug Regulations which covers use and release of a patients drug and alcohol abuse records in a federally assisted program Copyright HIPAA COW78

Your organization may have restrictions or alerts designed to bring an employees attention to specific information For example: Patient is adopted. Check [insert where to find flag/restriction] for special instructions Patient has authorized spouse to receive lab results on her behalf. Check [insert where to find flag or restriction] for more information Copyright HIPAA COW79

Prior to releasing PHI, ask the individual to provide you with enough information to identify the patient, such as: Name Date of Birth Address Other identifiers: Social security number, mothers maiden name Identify someone other than the patient by requesting he or she provide you with all the above information, as well as his or her relationship to the patient. Check a physical signature against a known one on file Make a call-back to a known number Ask for a photo ID Ask for a business card Provide only the minimum necessary to safeguard PHI. Copyright HIPAA COW80

Once you know who the requestor is, be sure he or she has the right to access this information Routine requests from employees you know in [the organization] who have business related reason to obtain information are authorized to do so Unusual requests from individuals you dont know can be risky, so before sharing PHI: Ask your supervisor And/or check [organizations] HIPAA Privacy Policies and Procedures Copyright HIPAA COW81

If an individual would like to find out if a patient is in our facility, but he or she is not in our Facility Directory: Do not confirm or deny the patient is here until you: Obtain the names of the patient and individual making the request Inform the requesting individual that if the patient is in our facility, and agrees for us to notify them of this, you will Copyright HIPAA COW82 Privately call the department in which the patient is located That department should ask the patient if their location and/or condition may be released to this individual If the patient agrees, provide information to requesting individual If patient not in facility, or does not agree to notify the requesting individual he/she is here, inform the requesting individual that you are unable to confirm or deny whether or not the patient is in the facility

Use the following protected health information to maintain a directory of individuals in its facility: (A) Individuals name (B) The individuals location in the health care providers facility (C) Individuals general condition, no specific information (D) The individuals religious affiliation (E) Use of disclosure for directory purposes of such information (F)To members of the clergy; or except religious affiliation, to others who ask for individual by name Copyright HIPAA COW83

Patients have the right to opt out of having their information disclosed from a facility directory. There may be State laws that also apply as to what qualifies as directory information. The patient must be provided an opportunity to express his or her preference about how, or if, facility directory information may be disclosed. Disclosure of directory information may still occur if doing so is in the individuals best interest as determined in the professional judgment of the provider and would not be inconsistent with any known preference previously expressed by the individual. Copyright HIPAA COW84

HIPAA requires reasonable steps to limit the use and disclosures of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The standard does not apply to the following: Disclosures to or requests by a health care provider for treatment purposes Disclosures to the individual subject of the information Uses or disclosures made pursuant to the individuals authorization Use or disclosures required for compliance with Health Insurance HIPAA administrative Simplification Rules Disclosures to the Dept. of Health and Human Services (HHS) when disclosure is required under the Privacy Rule for enforcement purposes Uses or disclosures that are required by other laws Copyright HIPAA COW85

Document the release, when required by law, or [Organizations] policies Neither HIPAA nor Wisconsin law requires documentation of disclosures for purposes relating to treatment (providing and coordinating care); payment (billing for services rendered); and health care operations (internal business) HIPAA requires documentation of breaches and other releases of information Copyright HIPAA COW86

Why do we have to document when we release PHI (when required by law)? Patients have the right to request a record of what PHI was released and to whom (Accounting of Disclosures) Documentation of releases of information applies to both verbal and written disclosures Copyright HIPAA COW87

If you dont know for sure if information can be released: Dont guess! Contact [Organization] Privacy Officer at [insert number] Contact HIM Department at [insert number] Next, well move on to some release of information examples Copyright HIPAA COW88

Verbal disclosure of information permissible when: Patient present and alert patient decides Patient incapable to make wishes known inferred permission to discuss current care Needed for care or payment Information needed for patients care Family member/friend must clearly be involved in payment for care (involvement is obvious, patient stated so) Notify family or friend(s) who are involved in patients care of: Patients general condition Patients location Patient being ready for discharge Patients death Disclosures of this nature exclude paper copies Copyright HIPAA COW89

A divorced parent calls to get information on their child. Can you release it? If the parents are divorced, either parent may get access to the records with a proper release. Assume that they can get records unless told otherwise. When parental rights are in question: Obtain the court documents for the childs file from one of the parents. If parental rights for physical placement have been terminated, Wisconsin law allows only the parent with sole physical placement to access records. Copyright HIPAA COW90

An individual calls to discuss appointment information with you for a patient and states he is the patients legal guardian. May I discuss with the individual? Yes, after obtaining the court documents appointing the individual as the patients Legal Guardian. Make a copy of the court documents for the patients file. Confirm that the information being provided is appropriate and necessary. If unable to obtain court documents verifying legal guardianship, do not discuss PHI with the individual. Copyright HIPAA COW91

A step parent calls to discuss her stepchilds care. May you discuss this with her? No, unless the step-parent is a legal guardian and [Organization] has the guardianship papers on file, or a legal guardian has provided authorization. Step-parents may call to schedule appointments, but do not have access to their stepchildrens PHI without authorization by a legal guardian. Copyright HIPAA COW92

What are the release of information rules for foster parents? A foster parent must provide a copy of their WI drivers license or state ID and one or more of the following: Foster Parent ID Card (state-issued) Foster Parent Authorization Form (signed by biological parent or another individual of the proper authority). This form will describe the foster parents rights in health care situations. (Note: this may be limited) If the foster parent cannot produce these documents, are there other options? Provide [organization] with name and phone number of their [Insert County]Social Worker [Organization] may call the Foster Parent Intake Line at [Insert phone number] to confirm [Organization] may call either biological parent, if information available, to confirm status. Give foster parent the [organization] authorization form, if available, indicating that it must be signed by a biological parent and returned to [organization]. Copyright HIPAA COW93

The Designated Agent on patients power of attorney (POA) for health care contacted me to discuss the patients care. May I discuss? It depends. The Designated Agents rights to access care, treatment and payment information are not effective until the patient is declared incapacitated by two physicians or one physician and one therapist (with few exceptions) The POA must be reviewed in detail to ensure the requested information is consistent with the rights outlined in the document. A Declaration of Incapacity Form should be submitted prior to honoring a request from the designated agent. Copyright HIPAA COW94

What information can be disclosed in response to a Workers Compensation request? We may disclose only those records reasonably related to the Workers Compensation claim/condition without an authorization Patients written authorization is required to release any PHI unrelated to the Workers Compensation claim Copyright HIPAA COW95

Can I release a patients address and/or insurance information to a nursing home? Yes, if you know the requesting individual and the request is legitimate If you are unfamiliar with the individual requesting the information, ask for the following in writing: Patients name, date of birth, and address Why the information is needed Specific reason (e.g. treatment or payment) The requestors name, name of the nursing home, and a direct telephone to the nursing home (switchboard) If uncertain, obtain patient authorization Copyright HIPAA COW96

A spouse answers the phone, or voice mail picks up. What information may I provide? State your first name and that you are calling from [Organization name] (include the site). Ask the patient to return your call, and provide your direct phone number. Do not provide lab results, or other detailed information, other than an appointment reminder. Example: This is Sally from [Organization] calling for Johnny Doe. Please call me back at your earliest convenience at [number]. Thank you. Ensure call is disconnected. Copyright HIPAA COW97

An individual arrives requesting to pick up a prescription for his neighbor. Now what? Request he provide you with the patients name, date of birth, address, and relationship to the patient. Confirm the patients and requestors information matches what the patient provided when informing [organization] this individual was picking up the prescription. If information is consistent, we can be assured that the patient requested prescription pick-up by this individual (according to Item Pick Up Policy). Request that the individual sign the Item Pick Up Form and provide him with the prescription. Copyright HIPAA COW98

May PHI Be Transmitted via Fax Machine? Yes, but only when in best interest of patient care or payment of claims. Faxing sensitive PHI, such as HIV, mental health, AODA, and STDs is strongly discouraged. It is best practice to test a fax number prior to transmitting information. If this is not possible: Restate the fax number to the individual providing it. Obtain telephone number to contact the recipient with any questions. Do not include PHI on the cover sheet. Verify you are including only correct patients information (i.e. check the top and bottom pages). Double check the fax number prior to transmission Copyright HIPAA COW99

We may not communicate with patients through e-mail at this time. The patient portal will provide the opportunity to electronically communicate with our patients. When sending ePHI to other organizations for required business functions (i.e. treatment, payment or healthcare operations), encrypt the email per [organizations] procedures. Note to Organization: Depending on your Email policy, include either this slide, or the next, but not both Copyright HIPAA COW100

We may communicate with patients through e-mail only if the patient has signed the organizations privacy and security E-Mail Agreement. When sending ePHI to anyone for treatment, payment or healthcare operations, encrypt the e-mail per [Organizations] procedures, and verify the organizations confidentiality disclaimer is included. Note to Organization: Depending on your Email policy, include either this slide, or the previous, but not both Copyright HIPAA COW101

Section IX HIPAA Security Rule Copyright HIPAA COW102

In general, the HIPAA Security Rule requires covered entities and business associates to do the following: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained or transmitted. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the Privacy Rule. Ensure compliance with security by its workforce. Copyright HIPAA COW103

Administrative Safeguards Policies and procedures are REQUIRED and must be followed by employees to maintain security (i.e. disaster, internet and e-mail use) Technical Safeguards Technical devices needed to maintain security. Assignment of different levels of access Screen savers Devices to scan ID badges Audit trails Physical Safeguards Must have physical barriers and devices: Lock doors Monitor visitors Secure unattended computers Copyright HIPAA COW104

Internet Use Access only trusted, approved sites Dont download programs to your workstation E-Mail Keep e-mail content professional Use work e-mail for work purposes only Dont open e-mails or attachments if you are suspicious of or dont know the sender Dont forward jokes Follow [Organizations] policy for sending secure E-mails Copyright HIPAA COW105

How Do We Control ePHI Access? User names and passwords Biometrics Screen savers Automatic logoff Copyright HIPAA COW106

[Organization]must implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in the HIPAA Security Rule Copyright HIPAA COW107

[Organization]must assign a unique name and/or number for identifying and tracking user identity. It enables an entity to hold users accountable for functions performed on information systems with ePHI when logged into those systems. Copyright HIPAA COW108

The Security Rule requires [organization] to implement procedures regarding access controls, which can include the creation and use of passwords, to verify that a person or entity seeking access to ePHI is the one claimed. The use of a strong password to protect access to ePHI is an appropriate and expected risk management strategy. Copyright HIPAA COW109

What Makes a Strong Password? Use at least 6-8 characters. Use a minimum of 2 letters and 1 number, and capital and lower case letters Use a pass-phrase such as MbcFi2yo (My brown cat Fluffy is two years old) Do not use passwords that others may be able to guess: Spouses Name, Pet or Childs Name Significant Dates Favorite sports teams Access to ePHI User Names and Passwords User Names and Passwords are required by the HIPAA Security Rule Copyright HIPAA COW110

Workstation use Restrict viewing access to others Follow appropriate log-on and log-off procedures Lock your workstation, press Ctrl-Alt-Del or Windows key + L Use automatic screen savers that lock your computer when not in use Do not add your own software and do not change or delete ours Know and follow organizational policies If devices are lost, stolen or compromised, notify your supervisor immediately! Do not store PHI on mobile devices unless you are authorized to do so and appropriate security safeguards have been implemented by your organization What Can I Do to Help Protect Our Computer Systems and Equipment? Copyright HIPAA COW111

Appropriate use of e-mail can prevent the accidental disclosure of ePHI. Some tips or best practices include: Use email in accordance with policies and procedures defined by the [Organization]. Use e-mail for business purposes and do not use e-mail in a way that is disruptive, offensive, or harmful. Verify email address before sending. Include a confidentiality disclaimer statement. Dont open e-mail containing attachments when you dont know the sender. E-Mail Security Copyright HIPAA COW112

The Security Rule requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use ePHI. Organizations should define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain ePHI. Reasons may include, but are not limited to, System troubleshooting Policy enforcement Compliance with the Security Rule Mitigating risk of security incidents Monitoring workforce member activities and actions Audit Controls Copyright HIPAA COW113

What else can I do to protect our patients PHI? Copyright HIPAA COW114

Securing information from improper disclosure also includes Sharing PHI with only those that need to know (direct care workers, staff) in a discreet manner Refraining from discussing patient visits, conditions, progress, etc. with family, friends, neighbors, and co-workers that do not have a need to know Ensuring the disclosure of information reaches the intended person: Validating fax numbers prior to faxing PHI Verification of identity prior to releasing information without the patient present Requesting verbal authorization from the patient to discuss their health, conditions, etc. with those that may be present Copyright HIPAA COW115

Ensuring those that require information for proper treatment, payment or health care operations have access to the information they need to fulfill their job obligations Limiting the access to information to those that do not require access to perform the obligations of their job Secure workstations by logging off, using strong passwords and keeping passwords confidential Copyright HIPAA COW116

Ensuring the electronic transmission of data is secured in a manner to protect the integrity of the data. Protecting data integrity may include using: Secure e-mail or Organization communication portals that transfer files within or external to the organization for treatment, payment or operation purposes Copyright HIPAA COW117

Do not share with family, friends, or anyone else a patients name, or any other information that may identify him/her, for instance: It would not be a good idea to tell your friend that a patient came in to be seen after a severe car accident. Why? Your friend may hear about the car accident on the news and know the person involved Do not inform anyone that you know a famous person, or their family members, were seen at this organization Copyright HIPAA COW 118

If I am contacted by the media, may I release PHI to them? If I am contacted by an individual offering to pay me for PHI, may I release it to them? No! You may not release PHI under either of these circumstances. Both are grounds for disciplinary action. Refer the requestor to the Privacy Officer. Copyright HIPAA COW119

I need to transport paper records/PHI to another department. Is this okay? Yes, you may transport documents to another department. Secure so you dont drop them: Carry them close to your person. Carry them in a facility designated bag, box, or container. Ensure no names are visible. Ensure no records are left unattended. Copyright HIPAA COW120

When necessary to transport PHI externally: Place in a locked briefcase, closed container, sealed, self-addressed interoffice envelope; Place PHI in the trunk of your vehicle, if available, or on the floor behind the front seat; Lock vehicles when PHI is left unattended [Include if this applies to your organization]: You may not transport patient charts between departments or offsite unless authorized by the Director of Health Information Management. Copyright HIPAA COW121

Send all PHI in sealed Inter-Office envelopes Verify all PHI was removed from the envelope before stuffing it Address to correct individual and department Mark the envelope confidential Confirm you are sending correct PHI Copyright HIPAA COW122

Turn over/cover PHI when you leave your desk/cubicle so others cannot read it. If you have an office, you have the option of closing your door instead. Turn over/cover PHI when a coworker approaches you to discuss something other than that PHI. Dont leave documents containing PHI unattended in fax machines, printers, or copiers. Check your fax machine frequently so documents are not left on the machine. Copyright HIPAA COW123

How should I dispose of confidential paper? Shred or place all confidential paper in the designated confidential paper bins. How should I dispose of electronic media (floppy disk, CD, USB Drive, etc.)? Provide electronic media to the IS Department for proper disposal Copyright HIPAA COW124

How can I help protect our facilities? Wear your ID Badge at all times (helps identify you as an [Organization] employee/provider). Only let employees enter through employee entrances with you. Keep hallway doors that lead to patient care areas closed. Request vendors and contracted individuals to sign-in and obtain Vendor ID Badges when visiting a restricted area. Copyright HIPAA COW125

Restricted areas are those areas within our facilities where PHI and/or organizationally sensitive information is stored or utilized Receptionist stations Business office windows HIM Department Patient care hallways/treatment areas Offices Storage closets and cabinets Accounting, Human Resources, Administration Offices, IS Department, etc. Employee meeting/rooms/kitchens in the departments Areas containing potential safety hazards (ex. medical imaging, lab, nuclear medicine, etc. If you see someone in a restricted area not wearing a badge, kindly ask May I help you? Then escort the individual out of the restricted area and to the area he/she is visiting. Copyright HIPAA COW126

Business Associate Agreements Section XI Copyright HIPAA COW127

If you initiate negotiations to contract with a company to perform, or assist in the performance of a function or activity involving the use or disclosure of PHI, please contact the [Organization Privacy Officer] to obtain a Business Associate Agreement (BAA). Examples of when to obtain a BAA with a company include: Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; and Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Copyright HIPAA COW128

Companies that maintain PHI on behalf of a Covered Entity (CE) Data storage company Patient safety organizations Companies that transmit PHI to a Covered Entity Copyright HIPAA COW129

Business Associates Also Include: Personal Health Record vendors Subcontractors to Business Associates that create, receive, maintain or transmit PHI on behalf of the Business Associate. Copyright HIPAA COW130

Limit uses and disclosures of PHI to minimum necessary Enter into a BAA with their subcontractors Comply with the BAA and the same HIPAA; administrative, physical and technical safeguard rules as covered entities (CEs) Report to CE Breach of Unsecured PHI Comply with Privacy Rule to extent it must carry out a CEs obligation under Privacy Rule Copyright HIPAA COW131

When initiating a contract with a company to perform work for [organization] which will not have direct access to PHI, request a Confidentiality Agreement be signed and forwarded to the [Organization Privacy Officer]. Copyright HIPAA COW132

HIPAA Violations and Complaints

Remember, it is your responsibility, as a [Organization] employee or provider, to comply with all privacy and security laws, regulations, and [Organizations] policies pertaining to them. Employees and providers suspected of violating a privacy or security law, regulation, or [Organization] policy are provided reasonable opportunity to explain their actions. Violations of any law, regulation, and/or [Organization] policy will result in disciplinary action, up to and including termination, according to [Organization] HR Policy #. Copyright HIPAA COW134

Three types of violations: Incidental Accidental Intentional Insert [Organizations] policy regarding types of violations and levels disciplinary action provided. How much is enough?How much is too much? Copyright HIPAA COW135

If reasonable steps are taken to safeguard a patients information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure. Incidental disclosures are going to happen (even in the best of circumstances). An incidental disclosure is not a privacy incident and does not require documentation Copyright HIPAA COW136

Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person or if you breach the security of confidential data, you must Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately. Learn from the error and help revise procedures (when necessary) to prevent it from happening again. Assist in correcting the error only as requested by your leader or the Privacy Officer. Dont cover up or try to make it right by yourself. Accidental disclosures are privacy incidents and must be reported to your Privacy Officer immediately! Documentation of Accidental Disclosures is required. Copyright HIPAA COW137

If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect: Disciplinary action, up to and including termination Civil and/or criminal charges Examples of Intentional Violations of Privacy Include: Accessing PHI for purposes other than assigned job responsibilities Attempting to learn or use another persons access information If youre not sure about a use or disclosure, check with your Supervisor or the Privacy Officer Copyright HIPAA COW138

If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it. [Organization] may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who in good faith reports a violation (whistleblowing). Refer to the [HIPAA Intranet page] for more examples of what to report. Copyright HIPAA COW139

So they can be investigated, managed, and documented So they can be prevented from happening again in the future So damages can be kept to a minimum To minimize your personal risk In some instances, management may have to notify affected parties of lost, stolen, or compromised data Incidental disclosures need not be reported, but if youre not sure, report them anyway Copyright HIPAA COW140

All Privacy Complaints Must Be Reported We Must Respond to Privacy and Security Complaints Copyright HIPAA COW141

Directly to your Supervisor, who in turn reports it to the [Organizations] Privacy Officer Call or email the Privacy Officer Complete a HIPAA Incident Report form (#) which is located [on the HIPAA Intranet page] Email the internal HIPAA Hotline email group Note: this is not anonymous as the sender will be known Leave a message on the HIPAA Hotline [insert #] Copyright HIPAA COW142

Same as for Privacy Violations, except instead of reporting to the Privacy Officer, report to the [Organizations] HIPAA Security Officer You may also call or email the [Organizations] Technical Security Officer, Information Services Help Desk, or Director of Information Services Copyright HIPAA COW143

Want More Information About HIPAA Privacy and Security? Check out our website at www.hipaacow.com Copyright HIPAA COW144

Contact your Privacy Officer at: (phone) (pager) (email) Contact your Security Officer at: (phone) (pager) (email) Not sure which way to go? Copyright HIPAA COW145

Discussion Slides

Your daughters school just called. She has a fever and you need to pick her up immediately. You know shell need to see her pediatrician (who just happens to work down the hall) so you access her medical record to schedule an appointment quick before another patient gets the available time slot. Is this access permissible? Does it make a difference if your daughter has a different last name than you? The audit trail report wouldnt show an obvious inappropriate access.right? Copyright HIPAA COW147

Youre a Lab Technician. You just processed a positive blood alcohol test for a patient you later learned was your neighbors soon-to-be ex- husband. This information will be very useful in court to strengthen her case for full custody of the kids. Can you disclose the information to your neighbor? Copyright HIPAA COW148

Your co-worker, Joan, hasnt been at work the last 3 days and youre starting to get worried about her. You consider her a friend and conclude shed be hurt if you dont call her. You dont have her phone number. But its in the electronic medical record! You wait until your supervisor goes to lunch, log on and look up Joans phone number. Is this ok? Consider This: While looking up her phone number you notice she has a diagnosis of breast cancer on her problem list. Copyright HIPAA COW149

Youre a RN at the downtown clinic. This morning you saw 6-year old, Allison for a strep test. On the way home from work you you stop at Woodmans for a few things. Walking through the Frozen Foods, you run into Allisons mom, Sherry. Im so glad I ran into you! Did you get the strep results yet? It would be great if I knew now so I could pick up the prescription tonight, get her started on the antibiotics and back to school sooner. Can you disclose to Allisons mom? Copyright HIPAA COW150

Youre a CMA at the downtown clinic. You recently started dating the spouse of one of clinic patients and its gotten pretty serious. He has a teenage daughter being seen for mental health treatment at your west clinic and his wife comes in regularly to your clinic (shes probably a hypochondriac) but youre not usually the nurse for these visits. Youre very interested in tracking whats going on with mom and daughter, not because you want to do anything with the information, youre just plain curious. You have a routine now to look at their medical records every Tuesday at noon when your supervisor is in a meeting. Is this a good idea? Consider This: What if you are actually the nurse taking vital signs when his wife comes in so you have a legitimate right to access her record. Except youre looking at it any time you wantyoull never get caught since you do have a legitimate right to access. Copyright HIPAA COW151

Mr. Albertson is on the phone. He states his wife was in the clinic yesterday for lab testing and he wants you to tell him the results of the urinalysis immediately. You explain that his wife has individual privacy rights and such information can be disclosed only to her. You suggest he talk directly to her. He is very angry! I have a right to know since I pay the bills. Im going to report you for a HIPAA violation. Should you cave and tell him? Consider This: Upon review of Mrs. Albertsons record, you see a signed authorization permitting the clinic to exchange PHI with Mr. Albertson regarding her care and treatment. Does this change your response? Copyright HIPAA COW152

The OB Department is crazy busy this morning. As a nurse youre running from one crisis to another. Around 11:00 am you finally get a breather and leave for a cup of coffee. While youre usually diligent about securing your computer when you walk away, this time you were so distracted you forgot. Your computer is logged on to two patient records, one of whom is the wife of the hospital administrator who had a miscarriage. When you return from break, a receptionist is sitting at your desk intently reading the screen. Will you confront her? Self-report the incident to the Privacy Officer? Ignore her and walk away until she leaves. Make a deal with her, you wont tell if she doesnt Consider This: Who is subject to disciplinary action in this case? You? The receptionist or both of you? Copyright HIPAA COW153

You are a coder at ABC Memorial Hospital. Youre reviewing a complex case for documentation to support a higher level of service. Its a priority as part of the Coding Team to ethically make this determination and a commitment you take seriously. Youre going to have to conduct a detailed review of the medical record. This is time consuming and it becomes evident that youre seeing a lot of confidential information unnecessary for the proper code assignment. Have you violated the minimum necessary policy? Consider This: The patient is also an employee at the hospital, someone with whom youve had a few disagreements and about whom you have engaged in gossip. You know better than to share this information with anyone but a week later she confronts you about a work problem and you accidentally say Too bad, you probably just forgot to take your Prozac this morning. Copyright HIPAA COW154

Maroon 5s newest song is amazing---I could listen to it all day long! That screen saver with the bubbles? I love it and I want it! Im a gamer addicted to Wild Robots of the World V2. Theres no reason I cant load it onto my work computer so I can play during breaks and lunch. My sisters wedding last weekend was just gorgeous and the pictures prove it. I was able to load all the pictures from the ceremony and the reception on my work computer. Ones even my home screen. So, my computer crashed when I was loading them. I booted and now they seem just fine. Consider This: I spend most of my life sitting in front of this computer. The least they can do is let me do stuff to enjoy it! Copyright HIPAA COW155

As your employer, we appreciate that you want to personalize your workstation. We value your individuality. Its one of the things that makes you a great employee! You can feel free to bring framed pictures of your family and friends, posters and desk items to create a pleasant work environment. However, your computer is a different story Loading music, screen savers, game and photos can slow down our systems, including the effectiveness and quality of medical records and financial data Unapproved tools such as software, downloads, CDs, or flash drives may damage or increase likelihood of unauthorized events such as hacking, viruses and Trojan Horses Just as you dont want another department to come into your office and start changing things around, the Information Services Department doesnt want you to compromise the things they do to keep electronic systems effective and safe Organizational policy is clear. You may not add such tools without written permission from the Information Services Department Copyright HIPAA COW156

Assuming the auto lock would activate soon, the nurse did not lock her computer when she left the patient in an exam room. While waiting, the patient got bored with the old magazines in the room and looked at her electronic record. Not only did the patient see her prescription for Prozac and diagnosis of depression, but she also read her psychotherapy notes. Discussion points: What is [Organization Name]s policy on locking computers? Why are psychotherapy notes included in this patients EMR? What is [Organization Name]s policy on workforce members accessing sensitive information? What is [Organization Name]s policy for patients to request copies of their records? Copyright HIPAA COW157

Katie, a billing department employee, saw her sons girlfriend, Allison, in the hospital. Katie was concerned that Allison was ok so she looked at Allisons medical record. Katie was upset when she saw that Allison was diagnosed with a heart murmur. Katie texted her son this information. When Katie got home, she learned that Allison read Katies text message and had already called the hospital to file a privacy complaint. Discussion points: Does it matter that Katie meant well? What is [Organization Name]s policy for accessing medical records? What is [Organization Name]s policy for role-based access control? What is [Organization Name]s policy for snooping discipline? Copyright HIPAA COW158

Privacy & Security Professionals Must Keep the Pace: Stay tuned in, ensure understanding and be heard! Anticipate how privacy and security protections must change to accommodate technology How will audit trails work? Some Facts: Emerging electronic technology impacting privacy and security is a reality Its getter smarter and smarter & faster and faster Its not just desktops and laptopstoday we have tablets, iPads, iPhones, Androids, remote monitoring of health conditions, HIEs, eVisits, Work-at-Home, Apps, GPS, and cameras recording us shopping, driving, walking, banking, and grocery shopping Copyright HIPAA COW159

Refer to the HIPAA COW website for additional privacy, security, and EDI reference materials http://hipaacow.org/home/home.aspx http://hipaacow.org/home/home.aspx Copyright HIPAA COW160

Copyright HIPAA COW161 Prepared by:Reviewed by:Content Changed: Primary Author: Barbara J. Zabawa, JD, MPH, The Center for Health Law Equity, LLC Contributing Authors: Karin Butikofer, Athletico Physical Therapy Julie Coleman, Group Health Cooperative of South Central Wisconsin Chris Duprey, Caris Innovation Cathy Hansen, RHIA, Director, Health Information Services & Privacy Officer, St. Croix Regional Medical Center Teresa Hernandez, HSHS Mary Koehler, IT Security Regulatory Coordinator, ProHealth Care Information Technology Meghan OConnor, von Briesen & Roper, S.C. Kathy Schleis, Bellin Health System HIPAA COW Privacy & Security Networking Groups This document was updated to reflect changes required by the HITECH Act from 2009 and the subsequent rules that went into effect in 2013, as well as to reorganize and refresh the slides. Current Version: 4/8/15 Version History

Copyright HIPAA COW162 Original Version: 3/31/09 Prepared by:Reviewed by: Primary Author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer Contributing Authors: Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator Kim Pemble, Executive Director, WI Health Information Exchange (WHIE) LaVonne Smith, Information Services Director, Tomah Memorial Hospital HIPAA COW Privacy & Security Networking Groups Version History (Contd.)

privacy and security training session! draft v.12 4/8/15

Documents