1. Privacy and Confidentiality: Residents and Fellows Orientation
2. Overview: What Do You Need to Know?
New Privacy State Laws
New Federal Regulations- HITECH
Important Privacy Concepts
Privacy in the Clinical Environment
Best Privacy Practice Reminders
What to do in the Event of a Privacy Breach?
3. What do you need to know about Privacy and HIPAA?
Complete the required training
Provider Training Module
Know the patient’s privacy rights
New State Privacy Laws and your personal liability
American Recovery and Reinvestment Act (ARRA) impact on healthcare and privacy- HITECH
4. Advanced Provider HIPAA Training
Review Advanced Provider Module: http://www.ucsf.edu/hipaa/
Read HIPAA Handbook (in your packet)
Sign Confidentiality Statement and turn it in to your Department Manager
Read Notice of Privacy Practices (NOPP) booklet: http://www.ucsfhealth.org/common/3-03ucsfhipaa.pdf
5. Patient HIPAA Rights Can Be Hot Spots for Providers
HIPAA Patient Rights:
To restrict use and disclosure of their PHI
New restriction for self-pay patients
To request amendments to their PHI
To file complaints with UCSF, UCOP and OCR that may result in civil and criminal penalties for individuals as well as the healthcare organization
To request Accounting of Disclosure
To inspect and receive a copy of their medical record
New right to receive an electronic copy of records
To request confidential communication
6. Survival Tips for HIPAA Patient Rights
7. What's New?
Privacy is more than HIPAA these days
New state laws and federal regulations are more stringent and impose increased fines and penalties
The Privacy environment is constantly changing
National mandate for an Electronic Health Record
State wide initiatives for a Health Information Exchange
8. Major Impacts of the New State Privacy Laws:
9. Major Impacts of the New State Privacy Laws (cont'd):
10. How Does This Impact You?
Increased fines and civil penalties
5 Day Notification Requirement to DPH and individuals
Surveillance and Monitoring
Audit Logs of Appropriate Access
11. The answer to all legal/risk questions is…
12. Federal Regulations/Laws and Some Major Impacts
The "Stimulus Package" (ARRA) included health information technology, e.g., Electronic Health Records
Multiple impacts related to Privacy
Defines unsecured PHI
Requires notification to the consumer within 60 days
Individuals may be fined for wrongful disclosure
Increases criminal fines and penalties for wrongful disclosure
Individuals have right of civil action for wrongful disclosure
Requires honoring restriction requests when related to self-pay situations
Major impact on Business Associates (BAs)
More guidance from HHS expected
14. Important Privacy Concepts
Use these concepts when making decisions about privacy protection in the clinical environment:
Treatment, Payment or Operations (TPO)
You may access, use or disclose PHI or ePHI for the purposes of TPO
See Notice of Privacy Practices (NOPP) for details
If your access, use or disclosure is not covered by the NOPP, then you will need to obtain an authorization from the patient prior to proceeding.
Protected Health Information/Electronic Protected Health Information
See HIPAA handbook for definition
15. Important Privacy Concepts cont'd…
Minimum Necessary Standard applies to all uses and disclosures except for treatment:
Access only what you need to know.
Share only what you need to disclose.
Incidental use and disclosure is permitted as long as:
The disclosure is incidental to other permitted uses and disclosures.
You never access, use or disclose PHI that you are not allowed to access in the first place.
Reasonable safeguards are in place to protect PHI that may be disclosed incidentally.
16. Privacy in the Clinical Environment
Do I need to access this information to do my job?
Am I using the minimum information needed to do my job?
Am I providing others with the minimum necessary information to do their job?
Do I need to store this information to do my job?
If yes, how will I secure this information?
OK, I can do this, but should I really do it?
What if this were my information? How would I feel about how it is being handled?
How would this process/practice look on the front page of the Chronicle?
17. Scenario 1 – Email Communication
A patient emails you about new symptoms that have presented since taking a new medication.
Since the patient has sent the email unencrypted, can you respond without sending your message in a secure manner?
18. Scenario #1 - Answers
A.) Yes
B.) No
19. Correct Answer to Scenario #1: B.) No
It is your responsibility, when communicating, to send any PHI securely. The patient's choice to send an unencrypted message does not change your obligation for the reply.
DO NOT use personal email accounts or personal devices.
20. Secure E-Mail is easy to use at UCSF!
How to use:
Use the secure email system when sending emails with ePHI.
Type one of the following words at the start of the email Subject line:
Secure:, ePHI:, or PHI:
Make sure you are sending your message to the correct recipient.
Key points to remember:
This protects the information when it leaves the UCSF network environment. It does not encrypt the message within the UCSF network. However, best practice is to use the secure email system when sending ePHI anywhere: this will protect you if someone forwards your ePHI outside of the UCSF network.
21. What if your personal, unencrypted laptop was stolen?
22. Scenario #2 - Lost/Stolen Laptop
Your personal laptop contained information about your current patients. The laptop was locked in your trunk and it had a complex password on the device.
Since you locked the laptop up and you had a complex password on the device, is this enough to keep you from being personally responsible for the loss of the patient information?
23. Scenario #2 - Answers
A.) Yes, I cannot be responsible if someone steals my laptop.
B.) No, I am still responsible.
24. Correct Answer to Scenario #2: B.) "No, I am still responsible."
The only safe harbor is to have the device encrypted. A login password does not protect data at rest: the drive can be removed and read on another machine, so only encryption of the stored data keeps the lost information out of reach.
25. Key to Your Survival
26. PHI is Everywhere
27. Best Privacy Practice Reminders
Maintain access only to the systems for which you have a business need
Review privacy newsletters and make sure you understand them
PHI/ePHI should never leave the department
If unavoidable, then the materials should stay with the person without exception
Limit discussion in public areas
Place discarded PHI/ePHI in the InstaShred
Do not block software updates
Encrypt ePHI on mobile devices: laptops, memory sticks, etc.
28. Best Privacy Practice Reminders cont'd…
Use locked doors/storage areas
Lock up patient information such as paper, floppies, memory sticks, CDs, tapes or other portable media
Secure devices with locks when possible, even when laptops are docked in docking stations
You are responsible for securing home and mobile devices with confidential information. If you take your laptop home, you need to keep it with you at all times while in transport.
Secure the building at the end of the business day
Store information on a secure/encrypted server
29. Protect your computers and mobile devices:
30. What is my responsibility if I suspect a breach or have questions?
31. What is Phishing? (Wikipedia definition)
Phishing is the criminally fraudulent process of attempting to acquire sensitive information, such as user names, passwords, and credit card details, by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
32. Examples of Phishing
What does a phishing scam look like?
As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
33. Current Facts *
The Internet has never been more dangerous: rogue anti-virus, infected computers and malicious code break new barriers as electronic crime's sophistication and ambition grow unchecked.
Rogue anti-malware programs are proliferating at an unprecedented rate. In the first six months of 2009, the number of such programs grew 585%.
The number of unique phishing websites detected in June 2009 rose to 49,084, the second-highest number recorded since APWG began reporting this measurement.
34. What Is the Real Risk When This Happens?
"Virgin" (previously uncompromised) mail accounts are hot commodities and can be sold for $2/account. This is double what a stolen credit card account is worth.
With your User ID and password, the cyber thief can carry out many lucrative online activities. They can access your address book, collect clues to your social networks and online banks, then break into those accounts and change the password so that only they can access them.
Remember, many online services require an email address in order to set up the web account, and replacement passwords are sent to that email address.
35. How Does UCSF Reduce This Risk?
Never provide your User ID and password in response to email requests, even if the request looks legitimate.
Use a different password for each online account.
Adhere to UCSF's password policy for complex passwords and change your password regularly.
Never store spreadsheets with PHI or other sensitive data in your email folders.
Adhere to the Minimum Necessary standard when communicating about a patient.
36. Scenario 3
A patient arrives in the ED and states that he has been seen at another ED two times in the last 24 hours for abdominal pain. He now presents with increased abdominal pain. You diagnose him with a bowel obstruction, and he goes to the OR for surgery. You know the MD at the other hospital and want to inform him about what happened to this patient.
Should you contact the MD at the other ED?
37. Scenario #3 - Answers
A.) Yes
B.) No
38. Correct Answer to Scenario #3: B.) No
Doing so would be a privacy violation.
If you feel strongly that the other ED should know, you should:
Obtain authorization from the patient to disclose this information
Document the authorization in the medical record
39. Remember: Privacy is bigger than HIPAA
40. 40 Your Department Manager or IT support person
UCSF Privacy Officer
UCSF Information Security Officer (Medical Center)
UCSF Information Security Officer (Campus)
School of Medicine Information Security Unit Director
IT Customer Support