HIPAA 101: The Whos, Whats & Whys of Protecting Patient Privacy Krista Barnes, Senior Compliance Attorney Institutional Compliance Office at MD Anderson Cancer Center GSBS New Student Orientation August 14, 2013
HI…what? • Health Insurance Portability & Accountability Act (HIPAA) • Define “protected health information” (PHI) and how we need to protect it • Gives patients certain rights with respect to PHI (see our Notice of Privacy Practices) • Only applies to “covered entities” (health care providers, insurers, and healthcare clearinghouses) • Health Information Technology for Economic and Clinical Health (HITECH) Act • Imposes breach reporting obligations on covered entities • Gave HIPAA “teeth”
What is PHI? • Protected Health Information • Health information + Identifying Information • Health Information: diagnosis, treatment, lab results, imaging studies, arguably even the fact that someone is a patient here because our name suggests a cancer diagnosis • Identifying Information: 18 types of identifying information (see next slide).
What are the 18 HIPAA Identifiers? Identifying information includes the following EIGHTEEN items for an individual and the individual’s relatives, employers, or household members: • Health plan beneficiary numbers; • Account numbers; • Certificate/license numbers; • Vehicle identifiers and serial numbers, including license plate numbers; • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers, including finger and voice prints; • Full face photographic images and any comparable images; and • Any other unique identifying number, characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by person who holds the key) • Names (including initials); • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits; • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a “90 and over” category); • Phone numbers; • Fax numbers; • E-mail addresses; • Social security numbers; • Medical record numbers
POP QUIZ You’re working on a research study. The protocol calls for blood samples to be sent to the study’s sponsor for banking. The samples are labeled with date and medical record number (no names). The informed consent promises that all samples will be “de-identified.” Can you send the samples out like this? NO. Dates and MRNs are “identifiers” You aren’t authorized to send any identifiers
What does HIPAA say? • HIPAA General Rule: You may not use or disclose PHI without the patient’s Authorization, unless it falls under a regulatory exception, which include: • Treatment (e.g., nurse talking to a doctor, talking to another physician about a common patient) • Payment (e.g., billing insurance) • Healthcare Operations (e.g., for formal internal training programs, quality improvement) • Certain research purposes (IRB waiver, preparatory to research) • De-identified data • Research uses and disclosures of PHI are governed by the protocol, informed consent and authorization document, and/or an IRB waiver
Who can look at PHI? • Can only access PHI if you have a legitimate work-related reason for doing so. • Six Fired for Keeping up with the Kardashian • Harris Hospital District Fires 16 Over Privacy http://www.chron.com/news/houston-texas/article/Harris-hospital-district-fires-16-over-privacy-1736905.php http://www.healthcareitnews.com/news/kardashian-hipaa-breach-catastrophe
POP QUIZ • You are entering data for a study into a spreadsheet. You notice that the mom of your best friend from Junior High is one of the subjects. You didn’t even know she had cancer! You feel awful and want to help your friend’s family, maybe by sending flowers or taking dinner over. You log into ClinicStation to see when her last appointment was and how she is doing. You’re very sad to learn that she passed away last month. You post on your friend’s Facebook page, “I just heard about your mom passing away, I’m so sorry.” • Have you violated HIPAA? • A. No. There’s no way anyone would know that you learned about her death from looking in her medical record. • B. No. HIPAA doesn’t apply after death. • Yes. People who work at covered entities can’t use social media. • Yes. You accessed the mom’s record without authorization, and then disclosed her PHI on Facebook. • Answer: D.
What’s the big deal? • Use or disclosure of protected health information (“PHI”) in a manner that doesn’t comply with HIPAA is a violation of federal (and probably state) law • An unauthorized use or disclosure that compromises the patient’s privacy may be a “breach” of PHI • Breaches are reported to the patient, the government, and if big enough, the media • Breaches compromise patient privacy; patients’ trust in the hospital/institution; the hospital’s reputation; can cost big $$, and may cost you your career • Fines for HIPAA violations: $100 to $50,000 per day, up to a maximum of $1.5 million for the same violation in any one year
What is at stake? • Alaska Medicaid • Unencrypted USB hard drive stolen from employee’s car • $1.7 million settlement • Massachusetts hospital • Theft of unencrypted laptop containing prescription & clinical information • $1.5 million settlement • UCLA • Researcher accessed coworkers’ and celebrities’ medical records without authorization • Prosecuted and sentenced to 4 months in prison • MD Anderson examples http://www.chron.com/news/houston-texas/article/M-D-Anderson-loses-device-with-patient-data-3796918.php
What happened here • 2012: laptop stolen from researcher’s home contained 30,000 patients’ data • 2012: lost jump drive contained 2200 research subjects’ data • 2013: lost jump drive contained 3600 research subjects’ data http://www.chron.com/news/houston-texas/article/M-D-Anderson-loses-device-with-patient-data-3796918.php Pop Quiz: What would have prevented all 3 of these breaches? Answer: ENCRYPTION
What you can do to protect PHI • Accessing PHI • Access PHI on encrypted devices only (laptops, jump drives, BlackBerry). • Never access the medical record of a celebrity, friend, family member, or coworker (unless it is your job to do so). • Storing PHI • Do not store PHI in the cloud unless sanctioned by the institution (e.g., MDACC box.com account) • Limit physical access to PHI (lock cabinets, use folders). • Shred (do not recycle!) paper and wipe devices when finished. • Transporting PHI • Do not leave devices or paper files in your car. • ENCRYPTED DEVICES ONLY! • Email • Encrypt emails in transit. • Don’t email PHI to your personal email account. • Social Media • Never post about a patient/subject on social media
ONE LAST POP QUIZ You’re helping an MD Anderson PI and a collaborator from UT Health Science Center on a research study. The data relates to live human subjects, and is stored in a spreadsheet that you saved to the MD Anderson server. It contains medical record numbers, study ID numbers, treatment dates, diagnoses, and drugs administered. • The collaborator wants you to send him the data on a CD. Should you? • First, is it PHI? • Yes (treatment dates, maybe study ID numbers, maybe genomic sequencing data = identifiers) • Second, is the data allowed to leave MD Anderson? • Check the protocol and informed consent document to see if PHI can leave MD Anderson and be shared with an outside collaborator. • Is the CD a permissible way to send PHI? • Send on an encrypted CD and send the password separately, or ask InfoSec for more options. • The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you? • No. Dropbox is not necessarily secure, your consent probably doesn’t say that you’ll be storing data on that site, and we do not have a Business Associate Agreement with Dropbox. Box.com is the only option right now (through MD Anderson’s institutional box.com account).
Reporting Privacy Incidents • What to do if a privacy incident occurs: • Report incidents quickly to: • Institutional Compliance Officeat 713-745-6636 or Privacy Hotline at 1-888-337-7497 • Document everything • Report to IRB as unanticipated problem (if research) • Report lost or stolen computers, BlackBerrys, jump drives to: • UTPD: 713-792-5890 • 4-INFO: 713-794-4636 • Departmental asset manager
Compliance Concerns • It is every Workforce Member’s responsibility to report a violation or a potential violation • Failure to report a violation or potential violation may subject you to disciplinary action • To report compliance concerns: - Call the Institutional Compliance Office (713-745-6636) - Page the Chief Compliance Officer (713-792-7090) - Call the Fraud and Abuse Hotline (1-800-789-4448) - Call the Privacy Hotline (1-888-337-7497) IMPORTANT: All discussions and reports are treated confidentially and may be made anonymously Suspected fraud, waste, and abuse involving state resources • State Auditor’s Office Hotline (1-800-892-8348).
Non-Retaliation • Workforce Members should not hesitate to report any suspected violations out of fear of retaliation • Non-Retaliation Policy (UTMDACC Institutional Policy #ADM0254)
Questions? Krista Barnes Senior Compliance Attorney, Privacy Compliance firstname.lastname@example.org 713-792-2511