University Medical Center HIPAA Privacy and Security Training: Compliance is Everyone’s Job

University Medical Center

UMC’S HIPAA Privacy/Security Officer: Jan Chaisson

[email protected]

348-1231


Topics to Cover

  • General HIPAA Privacy and Security Overview

  • HIPAA Privacy

    • Use and Disclosure of PHI

    • Notice of Privacy Practices

    • Authorization Form

    • Accounting for Disclosures

    • Business Associate Agreements

  • HIPAA Security

    • Security and Other Related UA Policies

    • Access Controls

    • Contingency Planning

    • Audit Controls

    • Reporting Breaches & Security Incidents

  • Questions/Acknowledgment of Training


What is HIPAA?

The Health Insurance Portability and Accountability Act

Law passed to ease the movement of healthcare data between providers.

Its Privacy and Security regulations must be followed by every “Covered Entity”.


Applicability of HIPAA to UA

  • UA is a “Hybrid Entity”: only a few areas must comply

    • HIPAA Applies to UA’s Covered “Health Care Components”:

      • University of Alabama Medical Center

      • Brewer-Porch Children's Center

      • The Speech & Hearing Center

    • HIPAA Applies to UA’s Covered Health Plans

      • UA Group Health Insurance/Flexible Spending Plan/Other (EAP)

  • Also applies to Administrative Departments supporting any of these covered entities (like Legal Office, Auditing, Financial Affairs, UA Privacy/Security Officer, etc.)


What is Protected Health Information (PHI)?

Any information, maintained in any medium, including demographic information

Created/received by covered entity

Relates to/describes physical/mental health or payment for healthcare

Can be used to identify the patient


Some Records are not PHI:

Student records that fall under the Family Educational Rights and Privacy Act (FERPA).

Medical records, exempt from FERPA, of students 18 or over attending UA and that are made or maintained by a health care provider and used only to treat the student and disclosed only to individuals providing the treatment.

The University’s employment records.

Information is not PHI if it has been de-identified by removing all 18 of the identifiers listed on the next slide.


Data to Remove to De-Identify Patient Information

Names

Geographic subdivisions smaller than a state (address, city, county, zip code)

All elements of dates (except year), including date of birth, admission, discharge and death dates, and all ages over 89

Telephone and fax numbers, Social Security numbers, VINs, license plate numbers

Medical record numbers, account numbers, health plan beneficiary numbers

Certificate/license numbers

Email addresses, IP addresses, URLs

Biometric identifiers, including finger and voice prints

Full-face photographs and comparable images

Any other unique identifying number, characteristic, or code
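The identifier list above is the core of a de-identification routine. The following is an added example in Python, not code from the training deck or from UA: it drops the listed identifier fields from a constructed patient record, reduces dates to the year, collapses ages over 89 into a single “90+” bucket (and then drops the birth year too, since a year alone would single out a patient that old), and scrubs SSNs, phone numbers, e-mail addresses, IP addresses, URLs and dates from free-text notes. It goes slightly beyond the slide by also offering a check that reports whether free text still contains one of these patterns, which is the kind of gate to run before any text leaves the facility. The field names, regular expressions, reference date and sample record are all constructed assumptions.

```python
"""De-identify a patient record by stripping the identifiers the slide lists.

Added example, not code from the training deck or from UA. The field names,
the regular expressions and the sample record are constructed assumptions;
the patterns are illustrative and not a complete scrubber.
"""
import re
from datetime import date

# Identifiers the slide says to remove outright (field names are assumptions).
DROP_FIELDS = {
    "name", "address", "city", "county", "zip",          # geography below state level
    "phone", "fax", "ssn", "vin", "license_plate",
    "mrn", "account_no", "health_plan_id", "certificate_no",
    "email", "ip_address", "url",
    "fingerprint", "voiceprint", "photo", "device_serial",
}

# Date fields: only the year survives.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Free-text patterns that would re-identify a patient (constructed, illustrative).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

REFERENCE_DATE = date(2024, 1, 1)  # fixed "today" so the example is deterministic


def age_on(dob_iso, on=REFERENCE_DATE):
    """Age in whole years, collapsed to the string '90+' above 89."""
    born = date.fromisoformat(dob_iso)
    age = on.year - born.year - ((on.month, on.day) < (born.month, born.day))
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifying patterns in free text with placeholder tokens."""
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def contains_identifier(text):
    """True if any pattern still matches: a gate to run before text leaves the facility."""
    return any(p.search(text) for p, _ in TEXT_PATTERNS)


def deidentify(record):
    """Return a copy of the record with the slide's 18 identifier classes removed."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if "dob" in record:
        out["age"] = age_on(record["dob"])
        if out["age"] == "90+":
            # Even a birth year would single out a patient this old, so drop it too.
            out.pop("dob_year", None)
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "dob": "1931-06-15",
    "admission_date": "2023-11-02",
    "city": "Tuscaloosa",
    "state": "AL",
    "zip": "35401",
    "phone": "205-555-0100",
    "diagnosis": "Hypertension",
    "notes": "Pt seen 11/02/2023; follow-up call to 205-555-0100 or jane@example.org.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Note that the structured-field step is only as good as the field inventory: a free-text “notes” column is where identifiers usually survive, which is why the text scrub and the `contains_identifier` gate are applied to every string value rather than only to known fields.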


HIPAA Privacy & Security Work Together

The Privacy Rule applies to all PHI held by a covered entity, sets the rules for use or disclosure of PHI, gives individuals certain rights over their PHI, and requires the entity to safeguard PHI.

The Security Rule applies to PHI in electronic form (EPHI) and requires various safeguards to protect the confidentiality, integrity and availability of EPHI.


HIPAA Privacy & Security Work Together (continued)

Confidentiality ensures the protection of data during all aspects of its life. This includes data at rest on computers, data in transit between computers, and destruction of data when it is no longer needed or the asset holding the data is no longer needed. Remember the rule of “Least Privilege”: users should have access to the data they need to perform their jobs and nothing else.

Integrity is upheld when we are confident that the data is maintained in an accurate manner free of unauthorized modification. This requires controls to be in place for the hardware, software and network components to ensure that the data is free of any possible interception and/or unauthorized changes.

Availability provides the necessary capacity and performance to access data in a predictable manner. Appropriate protection mechanisms should be in place to prevent attacks both from the inside and the outside that could jeopardize Availability. Environmental issues can also affect availability such as heat, cold, humidity, static electricity and contamination.


HIPAA Security/Privacy Rule Penalties

  • State Breach of Privacy Claims

  • DOJ-Imposed Criminal Penalties for the Employee:

    • Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison.

    • Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison.

    • Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison.

  • Federally Imposed Civil Penalties for UA:

    • Up to $100 per violation

    • Each Name in a Data Set Can Be a Violation. Not to Exceed $25,000 Per Calendar Year.

    • Feds have six years from occurrence to initiate civil penalty action


UA HIPAA Sanctions

UMC Employees who do not follow Privacy and Security Policies and related workplace rules and policies are subject to disciplinary action, up to and including dismissal

Type of sanction depends on severity of violation, intent, pattern/practice of improper activity, etc.

Sanction records maintained 6 years

Possible notification to Enforcement Officials


General Rule for Use and Disclosure of PHI

A covered entity can always use and disclose PHI for any purpose if it gets the person’s written authorization.

HIPAA requires certain components to be in the authorization in order for it to be valid.

There are many exceptions to the requirement for authorization.


Exceptions:

No authorization is needed if for Treatment, Payment and Healthcare Operations (TPO).

PHI (except psychotherapy notes) may be used/disclosed for the covered entity’s own TPO.

PHI may be disclosed to other covered entities or health care providers for the payment activities of the entity that receives the information, such as an ambulance company.

PHI may be disclosed to another covered entity or health care provider for its health care operations, under limited circumstances.


No Authorization is Required to Disclose to Business Associates

PHI may be disclosed to a Business Associate (BA) if UMC has executed a Business Associate Agreement with that organization or vendor.

Regulations define who qualifies as a BA.

Each UA Health Care Provider must maintain records of who it identifies as a Business Associate, and must ensure agreements are in place.


No Authorization is Needed to Disclose PHI:

When required (not permitted) by law;

To Public Health/Legal Authorities charged with preventing and controlling disease, disability or injury;

To FDA to ensure quality, safety, or effectiveness of FDA-regulated products;


No Authorization is Needed to Disclose PHI (continued):

To persons who may have been exposed to communicable disease or may be at risk of contracting or spreading a disease;

To entities charged with overseeing victims of abuse, neglect or domestic violence, consistent with reporting obligations;

To a health oversight agency for activities authorized by law (gov’t. licensing or accreditation agencies)


No Authorization is Needed to Disclose PHI (continued):

In response to a Court order;

In response to a subpoena that meets certain requirements (always check with the Legal Office);

Law enforcement officials seeking to identify a suspect, witness, or victim of a crime;

Coroners/medical examiners/funeral directors to identify a deceased person or determine a cause of death;

Organizations handling organ, eye or tissue donation;


No Authorization is Needed to Disclose PHI (continued):

To prevent or lessen a serious and imminent threat to the health or safety of patients or others;

To military command authorities and federal officials for intelligence and national security activities;

To comply with workers compensation laws;

Facility directories, if asked by name.

Individuals involved in patient’s care or payment.

Persons involved in disaster relief.


HIPAA requires UA’s health care providers to:

  • Provide Notice to individuals of privacy practices

  • Use Authorization Forms

  • Control access

  • Account for use and disclosures

  • Manage complaints

  • Have a privacy officer

  • Conduct training

  • Provide sanctions

  • Develop Business Associate Agreements

  • Have policies and procedures



Under HIPAA, Patients Have the Right to:

Receive Notice of Health Information Practices.

Authorize use of their data.

Request access to their data.

Request an accounting of the uses and disclosures of their data.

Request amendment and corrections to their data.

Request restrictions on use of data.

File a complaint.


UA Must Meet the Minimum Necessary Standard

  • Providers should disclose or use only the minimum necessary amount of PHI in order to do their jobs.

  • Minimum necessary does not apply to:

    • Disclosures used for treatment;

    • To the individual who is the subject of the disclosure;

    • When a valid HIPAA authorization is signed;

    • Uses and disclosures required by law;

    • Disclosures to HHS.


Incidental Disclosures are Permitted if:

They cannot be reasonably prevented;

Are limited in nature;

Are a by-product of otherwise permitted use; and

The Covered Entity has established “reasonable safeguards” to ensure only necessary information is disclosed.


Incidental Uses and Disclosures Include:

Waiting room sign-in sheets

Patient charts at bedside

Physician conversations with patients in semi-private room

Physicians conferring at nurse’s stations.


What HIPAA Did Not Change:

Family and friends can still pick up prescriptions for sick people.

Physicians and Nurses do not have to whisper.

State laws still govern the disclosure of minor’s health information to parents. (a minor is under the age of 19 in Alabama)


UA’s Covered Health Care Providers are Required to Have and Use:

1. Notice of Privacy Practices

2. Authorization Forms

3. Accounting for Disclosures

4. Business Associate Agreements

UA has developed template forms and policies for its health care components/health plans.


1. Notice of Privacy Practices

Notice of patient’s rights with respect to PHI and our privacy practices.

We must make a good faith effort to obtain the patient’s written acknowledgement at the time of receipt of the Notice of Privacy Practices, except in emergency circumstances.

Each patient must receive a Notice of Privacy practices no later than the date of first service delivery.


The Notice of Privacy Practices:

  • Must list each type of disclosure that may be made by the covered entity and distinguish between those that are made pursuant to law and those that are not.


2. The Authorization Form

An Authorization Form is required for the use and disclosure of PHI for business-related purposes other than Treatment, Payment, and Operations and other than the permitted exceptions.

Authorizations are always required to disclose psychotherapy notes; this gives psychotherapy notes stronger protection.


Psychotherapy Notes

Must be kept separately from the patient’s medical record.

Consist of the “process notes” that the therapist makes about counseling sessions.

Do not include summary information used for treatment, such as symptoms, summary notes, diagnosis, and medications.


Authorization Required for Marketing

UA is prohibited from using or disclosing PHI for marketing purposes without the patient’s express authorization.

Prohibited from selling patient lists to third parties.

CAN talk with patients about our treatment options, and have common health care communication about wellness, prescription refill reminders, therapies, and appointment notifications without an authorization.


Authorization for Marketing:

Must disclose if UA is receiving benefits or payment from any third party receiving the patient’s information.


3. Accounting For Disclosures

  • Individuals have the right to receive an accounting of disclosures of PHI made by UA (even to our Business Associates), except for:

    • Disclosures made to carry out Treatment, Payment and health care Operations;

    • PHI provided to the patient about them;

    • PHI disclosed to family members or friends involved in a patient’s care;

    • Disclosures made pursuant to authorization

UA has designed forms for tracking disclosures.


4. Business Associate Agreements

  • BA performs specific tasks involving the use/disclosure of PHI on our behalf, such as billing, legal services, and accreditation.

  • Agreement requires BA to

    • not use/disclose PHI except as necessary to perform duties on our behalf

    • safeguard PHI and ePHI

    • report security incidents/breaches of confidentiality

    • log/track its disclosures of PHI.

  • UA has a BAA Template, which Legal has approved

  • If UA is the BA, Legal should review agreement


HIPAA Put New Requirements on Research:

  • If you work for a Health Care Provider under HIPAA, do not release PHI for research unless:

    • The patient has signed a valid HIPAA authorization, or

    • The IRB at UA has approved a waiver of authorization; or

    • The IRB agrees that an exception applies.

Separate training on HIPAA & Research is available through the Privacy Office.


Security Standards – General Rules

  • HIPAA security standards ensure the confidentiality, integrity, and availability of PHI that is created, received, maintained, or transmitted electronically (ePHI, Electronic Protected Health Information) across all UA facilities.

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.


The HIPAA Security Rule Requires…

HIPAA Security Policy Documents

  • General Security Requirements

  • Risk Analysis and Management

  • HIPAA Security Sanction Policy

  • Information System Activity Review

  • Named Security Officer

  • Workforce Security

  • Information Access Management

  • Security Awareness and Training

  • Protection from Malicious Software

  • Security Incident Procedures

  • Contingency Planning

  • Facility Access Controls

  • Workstation Use and Security

  • Device and Media Controls

  • Media Reallocation and Disposal

  • Access Controls

  • Audit Controls

  • Data Authentication

  • Person or Entity Authentication

  • Transmission Security



Managing Access to Information

  • Access to UMC’S computer systems and information is based on your work duties and responsibilities with UMC

  • Access privileges are limited to only the minimum necessary information you need to do your work

  • Access to an information system does not automatically mean that you are authorized to view or use all the data in that system

  • Different levels of access to EPHI for different personnel are intentional!

    • Physician access is for physicians

    • Nursing access is for nursing staff

    • Student access is for students

  • Access in one capacity may not permit access in another capacity

  • If job duties change, clearance levels for access to EPHI are re-evaluated

  • Access is removed when an employee is terminated

  • Accessing EPHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions!


Information Access Control

Do not allow unauthorized persons into restricted areas where access to PHI or ePHI could occur

Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public

Log in with password, log off prior to leaving work area, and do not leave computer unattended

Close files not in use/turn over paperwork containing PHI

Do not duplicate, transmit, or store PHI without authorization

Storage of PHI on removable devices (Disk/CD Rom/DVD/ Thumb Drives) is prohibited without prior authorization


Password Management

  • Do not allow coworkers to use your computer without first logging off your user account

  • Do not share passwords or reuse expired passwords

  • Use passwords that cannot be easily guessed (no birthdays, pet or children’s names)

  • Choose new passwords when they must be reset

  • Do not write down passwords that could provide access to EPHI

  • Change password if you suspect anyone else knows it

  • Change passwords or delete accounts when employees are transferred or terminated

  • Pick good passwords – Recommendations for good passwords:

    • 7 characters long

    • 3 of 4 character types: upper case, lower case, numeric and special characters

    • Change periodically

    • A good password scheme is critical for complex passwords, e.g. R0llt!de (don’t use this, it is just an example)
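The recommendations above translate directly into a policy check. The following is an added example in Python, not code from the deck or from UA’s directory service: it enforces the 7-character minimum and the 3-of-4 character classes, rejects passwords containing personal words of the kind the slide warns about, refuses the slide’s own published example, and, using a salted PBKDF2 history, blocks reuse of expired passwords. The thresholds, the history depth, the personal-word list and the stored-hash format are assumptions.

```python
"""Password policy check built from the slide's recommendations.

Added example, not UA's code. Thresholds, history depth and the personal-word
check are assumptions; the salted PBKDF2 history is a stand-in for whatever
the real directory service stores.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7               # slide: "7 characters long"
MIN_CLASSES = 3              # slide: "3 of 4 data types"
HISTORY_DEPTH = 5            # assumption: how many expired passwords are remembered
PBKDF2_ROUNDS = 100_000      # assumption
KNOWN_EXAMPLES = {"R0llt!de"}  # the slide's own example, which it says not to use


def char_classes(pw):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return (
        any(c.isupper() for c in pw)
        + any(c.islower() for c in pw)
        + any(c.isdigit() for c in pw)
        + any(c in string.punctuation for c in pw)
    )


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the history list."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches_history(pw, history):
    """True if pw equals one of the most recent expired passwords."""
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        _, candidate = hash_password(pw, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(pw, personal_words=(), history=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of 4 character types")
    lowered = pw.lower()
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal word {word!r}")
    if pw in KNOWN_EXAMPLES:
        problems.append("is a published example password")
    if matches_history(pw, history):
        problems.append("reuses an expired password")
    return problems


if __name__ == "__main__":
    expired = [hash_password("Old-Pass1")]  # constructed history entry
    for pw in ("R0llt!de", "fido2015", "Old-Pass1", "Tr3e-Frog!"):
        print(pw, check_password(pw, personal_words=["Fido"], history=expired) or "OK")
```

The history check hashes the candidate with each stored salt rather than storing passwords, so the comparison never needs the old plaintext; `hmac.compare_digest` keeps the comparison constant-time.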


Log-in Monitoring by Security Officer

  • Look for Inappropriate Access – Outside Normal Classification

  • Monitor Logs for Brute Force Attacks

    • Same ID, Multiple Password Guesses

    • Multiple ID/Password Attempts That Fail

    • Multiple Attempts to Log-in to Administrative Accounts

  • Log-in Outside Normal Hours

  • Multiple Log-ins With Same ID

  • Significant findings are recorded and presented to management and safeguards adjusted based on findings
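The patterns the slide lists can be turned into detection logic over an authentication log. The following is an added example in Python, not the Security Officer’s actual tooling: it parses a constructed log and flags the five conditions named above, i.e. repeated failures against one ID, failures across many IDs from one source, any attempt against an administrative account, successful log-ins outside normal hours, and one ID logging in from several workstations. The log format, thresholds, administrative account names and business hours are all assumptions.

```python
"""Detect the log-in anomalies the slide lists, over a constructed auth log.

Added example, not UA's monitoring code. Log format, thresholds, admin account
names and business hours are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

ADMIN_ACCOUNTS = {"admin", "sysadmin", "root"}  # assumption
BUSINESS_HOURS = range(7, 19)                   # assumption: 07:00 to 18:59
MAX_FAILS_PER_USER = 5          # "same ID, multiple password guesses"
MAX_FAILED_USERS_PER_SOURCE = 3 # "multiple ID/password attempts that fail"
MAX_SOURCES_PER_USER = 3        # "multiple log-ins with same ID"

# Constructed sample log (not real UMC data); RFC 5737 test address for the outside source.
SAMPLE_LOG = """\
2024-03-04T08:01:10 src=10.1.4.20 user=nurse01 result=OK
2024-03-04T08:02:15 src=10.1.4.21 user=nurse01 result=OK
2024-03-04T08:02:40 src=10.1.4.22 user=nurse01 result=OK
2024-03-04T09:15:00 src=10.1.7.5 user=doc07 result=OK
2024-03-04T11:00:01 src=198.51.100.9 user=doc07 result=FAIL
2024-03-04T11:00:03 src=198.51.100.9 user=doc07 result=FAIL
2024-03-04T11:00:05 src=198.51.100.9 user=doc07 result=FAIL
2024-03-04T11:00:07 src=198.51.100.9 user=doc07 result=FAIL
2024-03-04T11:00:09 src=198.51.100.9 user=doc07 result=FAIL
2024-03-04T11:02:00 src=198.51.100.9 user=admin result=FAIL
2024-03-04T11:02:02 src=198.51.100.9 user=sysadmin result=FAIL
2024-03-04T11:02:04 src=198.51.100.9 user=root result=FAIL
2024-03-04T11:02:06 src=198.51.100.9 user=student03 result=FAIL
2024-03-05T02:47:30 src=10.1.9.3 user=billing02 result=OK
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def analyze(log_text):
    """Return (rule, subject, detail) findings for each slide condition that fires."""
    events = parse(log_text)
    findings = []

    # Same ID, multiple password guesses.
    fails_per_user = Counter(e["user"] for e in events if e["result"] == "FAIL")
    for user, n in sorted(fails_per_user.items()):
        if n >= MAX_FAILS_PER_USER:
            findings.append(("brute_force_same_id", user, f"{n} failed attempts"))

    # Multiple IDs failing from one source (password spraying).
    failed_users_per_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users_per_src[e["src"]].add(e["user"])
    for src, users in sorted(failed_users_per_src.items()):
        if len(users) >= MAX_FAILED_USERS_PER_SOURCE:
            findings.append(("multiple_id_failures", src, f"{len(users)} distinct IDs failed"))

    # Any attempt on an administrative account, and successful log-ins outside hours.
    for e in events:
        if e["user"] in ADMIN_ACCOUNTS:
            findings.append(("admin_account_attempt", e["user"],
                             f"from {e['src']} result={e['result']}"))
        if e["result"] == "OK" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("login_outside_hours", e["user"], e["ts"].isoformat()))

    # One ID successfully logged in from several sources.
    ok_sources_per_user = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            ok_sources_per_user[e["user"]].add(e["src"])
    for user, srcs in sorted(ok_sources_per_user.items()):
        if len(srcs) >= MAX_SOURCES_PER_USER:
            findings.append(("multiple_logins_same_id", user, f"{len(srcs)} distinct sources"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_LOG):
        print(f"{rule:25} {subject:15} {detail}")
```

Findings like these are what the slide means by “significant findings recorded and presented to management”: the thresholds are deliberately tunable constants so that the safeguards can be adjusted once the real false-positive rate is known.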


Protection from Malicious Software

  • Malicious software can be thought of as any virus, worm, malware, adware, etc.

  • As a result of an unauthorized infiltration, ePHI and other data can be damaged or destroyed

  • Practice good PC hygiene

    • Automatic patch update for your Operating System

    • Install and use a good anti-virus/anti-spyware software package, set its updates to daily, and run a full system scan once a week

    • If possible, enable firewall protection for your PC

  • Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus; do not continue using the computer until the problem is resolved.

  • Do not disable anti-virus software on individual workstations

  • Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY


Use of Technology

Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies)

No ePHI is permitted to leave facility in any format without prior approval

Email should never be used to communicate PHI without being encrypted

We must be sure electronically transmitted ePHI is not improperly modified without detection

Fax of PHI should only be done when the recipient can be reliably identified

Verify fax number and recipient before transmitting

Uploading of PHI for instruction or communication is prohibited without prior approval and a demonstration of appropriate de-identification procedures


General Misuse of Workstations

Do not misuse e-mail privileges by sending and forwarding non-business related mass e-mails, chain e-mails and junk e-mail

Do not misuse internet privileges by spending excessive time on the internet for non-work related business or accessing inappropriate sites

Do not download, install, or run unauthorized software

Do not use non-work related chat rooms and instant messaging programs at work

Do not knowingly enable an external or remote party to gain unauthorized access to, or control of, any device, application, or system on the data networks

Only individuals with administrative responsibilities, or their designee, may be granted access to the e-mail account of a former employee or vendor


Links to UA Policies

Network and Computing Support Policies:

http://ncs.ua.edu/policies/index.html

Electronic Media Policy:

http://www.hr.ua.edu/empl_rel/policy-manual/electronic-media.htm

University of Alabama General Policies:

http://policies.ua.edu/


Media Reallocation and Disposal

  • All computers, disks, removable storage devices must be properly cleaned/erased before transfer or disposal

    • No computer or disk/CD Rom/DVD or any other removable storage device should leave the facility for disposal/transfer without ensuring that ePHI has been properly cleaned

    • Do not throw away a disk/CD Rom/DVD or any other removable storage device containing ePHI

    • Do not transfer computers to another department before taking steps to ensure that any ePHI has been PROPERLY erased/deleted from that computer

    • Do not transfer any hard drive/disk/CD Rom/DVD or other removable storage device before taking steps to ensure that any ePHI has been erased/deleted

    • Merely deleting files is not a proper cleaning method. See Media Reallocation and Disposal Policy for proper sanitization methods

  • Sanctions can be imposed for violations of this policy!


Facility Access Controls

  • Access to our centers must be managed and controlled to prevent unauthorized visitors from accessing the facilities or PHI

  • Help to monitor the controls we have for Facility Access

    • Sign-in Visitors and Vendors

    • Ensure that locks, card access, or any other physical access controls are working as expected

  • Report any problems or possible problems to your supervisor, administrator, and/or your security officer.


Contingency Planning

Contingency planning allows us to continue some critical operations in the event of an emergency

Help us prepare for emergencies by pointing out critical areas necessary for continuing operations

This includes emergency communications plans, emergency operations plans, back up and recovery plans and many other items included in an Impact Analysis and Disaster Recovery Plan

Some of you may be asked to participate in the creation of these plans and will be involved in testing


Audit Controls

Audit Controls are required to ensure that we are following all of the regulations associated with the HIPAA Privacy and Security Rules

This requires us to have procedures in place that provide tracking and audit records demonstrating compliance with all rules and regulations

Please notify your supervisor and Security Officer of any deficiencies, or improvements needed, in how access to PHI is tracked and controlled


Reporting Security Incidents

  • Notify your Security Officer or supervisor of any unusual or suspicious incident

  • Security incidents include the following:

    • Theft of or damage to equipment

    • Unauthorized use of a password

    • Unauthorized use of a system

    • Violations of standards or policy

    • Computer hacking attempts

    • Malicious code

    • Security Weaknesses

    • Breaches to patient, employee, or student privacy


Questions/Comments

  • Know Your Security and Privacy Officer:

    • UMC’S Privacy/Security Officer: Jan Chaisson, [email protected], 348-1231

    • UA Privacy Officer: Jan Chaisson

    • UA Security Officer: Ashley Ewing

  • Other References

    • Privacy:

      • www.hhs.gov/ocr/hipaa

    • Security:

      • www.cms.hhs.gov/SecurityStandard

  • Acknowledgement:

    • Please Complete the Training Acknowledgement Form to Obtain Credit for Completing the Annual Training

