The Healthcare Industry Is Becoming More Interconnected
Connected parties include:
• Health Plans
• Medical Services
• Hospitals
• Pharmacies & Drug Companies
• Physicians & Medical Practices
• Medical Devices
• Medical Records, EMRs & HIEs
• Research
• Human Resources
Patient privacy and data security are more at risk.
Privacy and Data Security Refresher Objectives
This training session will focus on the key parts of privacy and data security regulations and Dignity Health policies that you need to understand in order to protect patient and confidential information, such as:
• Federal and state privacy and data security regulations.
• What information must be protected.
• Using Minimum Necessary standards.
• Your responsibilities as a user of the Dignity Health network.
• Appropriate uses of social media, cell phones and electronic devices.
• The consequences for non-compliance.
What is Your Responsibility?
All Dignity Health employees, business associates, contractors, and volunteers are responsible for taking an active role to protect patient and confidential information. You are responsible for:
• Reading the Privacy and Data Security Employee Handbook.
• Abiding by all Dignity Health privacy and data security policies and procedures.
• Complying with federal and state privacy and data security regulations.
• Reporting all known or suspected privacy or data security incidents.
• Understanding the consequences for non-compliance with regulations or Dignity Health policies.
Facility Privacy Official
Each Dignity Health facility and system office has a designated Facility Privacy Official (FPO) or Facility Privacy Liaison (FPL). The FPO role is responsible for:
• Implementation of HIPAA and state privacy and data security regulations.
• Implementation of Dignity Health privacy and data security policies.
• Privacy and data security training.
• Ensuring staff compliance with all regulations and Dignity Health policies.
• Investigation of privacy and data security incidents.
• Notifications of breaches to regulatory agencies and patient(s).
HIPAA Regulations
The Health Insurance Portability & Accountability Act (HIPAA), passed by Congress in 1996, is managed by the Office of Civil Rights (OCR) through the Department of Health and Human Services (HHS).
• HIPAA regulations include controls for the use and disclosure of Protected Health Information (PHI).
• Use: when PHI is used internally for Treatment, Payment or other Healthcare Operations (audits, training, customer service, internal analysis, etc.).
• Disclosure: to release, transfer or provide access to a patient's PHI physically, orally, or electronically to someone outside of Dignity Health, such as a physician, an attorney, another provider, an insurance company or a billing contractor.
HITECH Act - Expands HIPAA
Effective January 1, 2009, the HITECH (Health Information Technology for Economic and Clinical Health) Act is the privacy and data security component of the American Recovery and Reinvestment Act (ARRA).
• Enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services.
• Additional enforcement is granted through state Attorneys General to enjoin actions and obtain damages on behalf of individuals.
• HITECH applies HIPAA standards and penalties to Business Associates.
• Increased penalties for HIPAA violations:
  • The maximum penalty per violation increases from $100 to $50,000.
  • The cap on penalties for all similar violations increased from $100,000 to $1,500,000.
• Makes individuals subject to penalties.
California Privacy Laws
California Health & Safety Code 1280.15 (SB541) impacts hospitals. It prohibits unauthorized viewing, use or disclosure of medical records without a direct need for diagnosis, treatment or other lawful use.
• Effective January 1, 2009.
• Requires that breaches be reported to the California Department of Public Health (CDPH) and patient(s) within 5 business days of discovery.
• The alleged violator's name is required as part of reporting.
• Authorizes penalties:
  • $25,000 per patient, up to $250,000.
  • $100 per day for failure to report.
• Even if your facility is not in California, Arizona and Nevada facilities often deal with patients and PHI from California, especially our business offices.
California Privacy Laws
California Health & Safety Code 130200 (AB211) impacts both healthcare providers and individuals.
• Effective January 1, 2009.
• Creates the California Office of Health Information Integrity (OHII), authorized to impose fines for violations.
• Provides a private right of action for patients to seek damages as a result of privacy or security incidents.
• Places liability directly on the individual who knowingly, willfully or negligently obtains, discloses or uses medical information inappropriately, with penalties from $2,500 to $250,000 per violation.
California Privacy Laws
California Civil Code 1798.82 takes privacy and data security beyond HIPAA. Employee information, credit card data and data not publicly available are all subject to safeguards and protections depending on their classification.
• Effective January 1, 2012.
• Requires reporting of breaches to the California Attorney General.
• Personal Information: any information that identifies, relates to, describes, or is capable of being associated with a particular individual. Includes one or more of these data elements:
  • Name or signature
  • Address or telephone number
  • Medical information
  • Health insurance information
  • Social Security number
  • Other personally identifiable information
Federal Trade Commission's Red Flag Rules
In response to increasing instances of thieves using identity theft to open new accounts and misuse existing accounts, the Federal Trade Commission (FTC), federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
• Requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, investigate, and mitigate possible identity theft.
• The final Red Flags "Rule" became effective January 1, 2008.
• Enforcement date: June 1, 2010.
• Dignity Health facilities are located in the three states with the highest rate of identity theft.
110.1.051 Red Flag Rules Policy
A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
• Medical ID theft is the fraudulent use of another's identifying information to gain access to medical services.
• Medical ID theft can cause serious medical record issues for the valid patient. Fictitious records (labs, diagnoses, etc.) can be created and cause harm to the victim in future treatment.
• The Red Flags Rule impacts hospitals because we handle patient credit card information.
• The Business Owner or his/her representative is responsible to provide training at each Dignity Health facility for all staff with access to patient financial information (functional areas like HIM, registration, PFS staff, etc.).
110.1.049 Safeguarding Credit Card Information Policy
Dignity Health processes about $200M in credit card transactions annually. The Payment Card Industry (PCI) has set up data security standards for processing, storing and transmitting credit card information. Breach of or noncompliance with the standards can subject an organization to:
• Reporting to banks and payment card processors.
• Liability for credit card financial losses.
• Fines up to $500,000 per incident.
• Withholding of reimbursement for credit card transactions.
• Loss of merchant status, and no longer being able to accept credit or debit cards.
Most likely, a PCI breach will involve PHI, and is also subject to HIPAA liabilities.
What Information Must You Protect?
We use PHI every day for patient treatment, billing, research, and teaching. You must protect all patient PHI and other confidential information in ANY medium, whether written, verbal or electronic, including photos, videos, and x-rays.
• Protected Health Information (PHI) includes any name, number, code, photo or any data element that can be used directly or indirectly to identify an individual (e.g. name, date of birth, home address, Social Security number, phone number, images, medical record number, etc.).
• Confidential or Sensitive information is not PHI, but includes data for Dignity Health employees, job applicants, fund raising contacts, financial information, etc.
Even if you do not deal with patient information directly, Confidential or Sensitive information should be treated with the same precautions as PHI.
110.1.015 Minimum Necessary Standards Policy
HIPAA's Privacy Rule requires that you make a reasonable effort to limit the use, disclosure or release of PHI to only the Minimum Necessary data elements needed to accomplish the intended purpose.
• Dignity Health workforce members may only access the minimum necessary information to complete their job responsibilities.
• Dignity Health workforce members must apply minimum necessary standards when PHI must be disclosed or provided to someone outside of Dignity Health (for example, an attorney, contractor, business associate, auditor, etc.).
• Minimum Necessary does not apply to use or disclosure of PHI for treatment purposes.
110.1.014 Safeguarding PHI & Sensitive Information Policy
Protecting patient privacy and confidential information means practicing some basic safeguards in your everyday work.
• Do not leave documents with PHI or confidential information unattended in fax machines, printers or copiers.
• Turn over or cover all PHI and Confidential information when you leave your work area.
• Never remove PHI or other Confidential information from a facility without proper authorization and security measures.
• When at the office or off-site, store portable media that contains PHI or Confidential information in a locked drawer or cabinet.
• Do not allow friends, relatives or visitors into work areas with PHI or Sensitive information without appropriate authorization.
Safeguarding Faxes and U.S. Mail
Misdirected faxes are the #1 reported privacy incident across Dignity Health. Per our 110.1.014 Safeguarding PHI and Sensitive Information Policy, everyone must use a Dignity Health fax coversheet when faxing PHI or other confidential information.
• Always verify the recipient's fax number before sending (including preprogrammed numbers).
• Report to the FPO any misdirected fax or U.S. mail that contains or pertains to the following:
  • Requests for or copies of medical records
  • Billing documents, checks or other documents with PHI
  • Privacy-related complaints
  • PHI or sensitive information
  • Office of Civil Rights (OCR) letters
Safe Disposal of PHI and Confidential Information
• HIPAA requires that PHI be kept confidential even when it is thrown away.
• Never dispose of paper, film, or other hard copy containing PHI or other sensitive information in a garbage can or recycle container. It must be shredded or put into a locked shredder bin.
• Paper records with PHI should be shredded or disposed of in a manner such that the PHI cannot be read or reconstructed.
• Pill bottles or patient care items with labels that contain patient information should be destroyed and never put in a recycle bin or garbage can.
• Electronic media (CDs, DVDs, backup tapes, etc.) that contain PHI or confidential information must be cleared, overwritten, purged or destroyed so that the information cannot be retrieved.
Social Media Guidelines
Per Dignity Health's Standards of Conduct, employees are expected to always conduct themselves in a manner that reflects integrity and shows respect and concern for others, including in the use of Social Media.
• Always be respectful of your colleagues, Dignity Health, and our competitors.
• Never post confidential information or a photo of a patient on the internet, even if it does not include the patient's name.
• Never discuss confidential information in public forums, chat rooms, text messages or news groups.
• Inappropriate posts of confidential information or photos can seriously damage Dignity Health's reputation, and result in individual liability for the responsible person(s).
• Think about the consequences that may result from your communications.
The Reality of Social Networks
Krystal posts information about a patient she treated in the ED on her Facebook page and how interesting the case was.
• Level 1: Krystal (1 person).
• Level 2: Krystal's friends (153 friends), including Jana, Austin, Christy, John, Bill, Lisa and Rita.
• Level 3: Krystal's friends' friends (26,928 people). Average 176 friends x Krystal's 153 friends = 26,928 people. For example: Jana's 237 friends, Austin's 124 friends, Christy's 130 friends, John's 305 friends, Bill's 176 friends, Lisa's 423 friends, Rita's 203 friends.
• Level 4: Their friends' friends (over 4.7 million people). Average 176 friends x 26,928 people = 4,739,328 people. For example: Jana's friends' 41,475 friends, Austin's friends' 14,200 friends, Christy's friends' 22,750 friends, John's friends' 53,375 friends, Bill's friends' 17,500 friends, Lisa's friends' 34,200 friends, Rita's friends' 64,525 friends.
One person's post grows exponentially based on "friending".
Data Security
Dignity Health is required by law to monitor and detect any potential privacy or data security breach, including regularly monitoring user network activity.
• The HIPAA Security Rule establishes standards to protect electronic PHI (ePHI) and PHI from unauthorized access or disclosure, whether it is at the facility or off-site.
• ePHI includes information that is used, received, transmitted or stored in an electronic medical record, patient billing system, digital images and printouts.
• It is the responsibility of all Dignity Health network users to safeguard and protect ePHI.
• Attempts to bypass or override any privacy or data security safeguards to access PHI are a violation of Dignity Health's policies.
• Information is a valuable Dignity Health asset.
Network Usage Policy 110.1.037 (NUP) for Employees
Dignity Health network access is a privilege that is granted to users to facilitate the performance of Dignity Health business. User responsibilities are covered in the Network Usage Policy (NUP) that every network user must read and sign. There are separate Network Usage Policies for Contractors (110.1.052) and Providers (110.1.050).
• Dignity Health regularly monitors user activity.
• The contents and history of a user's network activity are Dignity Health's property.
• Any content a user creates or receives via the network is not private nor personal. This includes:
  • Web browsing
  • Email and instant messages
  • Application activity
Network Usage Policy 110.1.037 (NUP)
• As a user of the Dignity Health network, you are responsible for all activity under your user name, and for using appropriate safeguards to protect the privacy and security of all data.
• Memorize your passwords and never share them with anyone.
• Use the network for Dignity Health business.
• Log out of all workstation computers when leaving them unattended or at the end of the work day.
• Set your computer screen to "locked" when you step away from your workstation to avoid unauthorized access.
• Comply with Dignity Health IT requirements for anti-virus protection, screen savers, encryption, and other computer settings used to safeguard the network.
Being Snoopy Can Get You In The Doghouse
415-438-5565 SNOOPY
Inappropriate Access & Snooping
• The law requires that covered entities restrict the access and disclosure of Protected Health Information (PHI) and obtain authorization in writing.
• PHI may not be accessed by any employee, contractor or physician without a legitimate business purpose, e.g. treatment, payment or healthcare operations.
• In order to ensure compliance with regulations, Dignity Health requires employees to follow the same authorization procedures as patients. It is a violation of Dignity Health policy to use your network credentials to access your own PHI, or the PHI of a family member or other individual, without the proper authorization procedures.
• Inappropriate access of PHI will result in disciplinary action per HR policy 120.1.006.
Protecting PHI is everyone's job. PHI is not everyone's business.
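The Data Security slide says Dignity Health monitors user activity, and this slide says which accesses are out of bounds. As an added illustration (not Dignity Health code, and not the audit tooling of any system named in this training), the Python script below applies those rules to EHR access-audit events: it flags a user opening their own record with their network credentials, an access with no treatment, payment or operations purpose recorded, and a treatment access by someone with no documented relationship to the patient. The log format, the field names, the purpose codes, the employee-to-MRN mapping and the care-team table are all assumptions, and the sample events are constructed.

```python
"""Review EHR access-audit events for signs of inappropriate access ("snooping").

Added illustration, not Dignity Health code. The log format, the field names
and the purpose codes are assumptions; the sample events below are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: one audit event per line, as an EHR audit export might look.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,patient_mrn,purpose,action
2014-03-03T08:02:11,jdoe,MRN1001,TREATMENT,view_chart
2014-03-03T08:15:40,jdoe,MRN2002,TREATMENT,view_chart
2014-03-03T12:30:05,jdoe,MRN9001,TREATMENT,view_labs
2014-03-03T13:05:22,rlee,MRN3003,PAYMENT,view_billing
2014-03-03T17:45:09,rlee,MRN1001,,view_chart
2014-03-03T18:01:30,rlee,MRN4004,TREATMENT,view_chart
"""

# Constructed reference data. In practice these come from HR / the patient index
# and from the scheduling or care-team system, not from literals in a script.
EMPLOYEE_OWN_MRN = {"jdoe": "MRN9001", "rlee": "MRN1001"}  # staff who are also patients
CARE_TEAM = {  # patient -> users with a documented treatment relationship
    "MRN1001": {"jdoe"},
    "MRN2002": {"jdoe"},
    "MRN3003": set(),        # billing-only contact; PAYMENT needs no clinical relationship
    "MRN4004": {"mpatel"},   # rlee is not on this patient's care team
}
# The business purposes the slide names: treatment, payment, healthcare operations.
PERMITTED_PURPOSES = {"TREATMENT", "PAYMENT", "OPERATIONS"}


@dataclass
class Finding:
    user_id: str
    patient_mrn: str
    reason: str


def review_access_log(log_text, own_mrn=EMPLOYEE_OWN_MRN, care_team=CARE_TEAM):
    """Return a Finding for every event that needs FPO follow-up.

    Three checks, each a rule stated on the slide:
      * a user opening their own record with their network credentials,
      * an access with no permitted purpose recorded,
      * a TREATMENT access by a user with no documented relationship to the patient.
    Family-member access follows the same pattern but needs a relationship
    table, which is assumed unavailable here and therefore not checked.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user_id"]
        mrn = row["patient_mrn"]
        purpose = row["purpose"].strip().upper()
        if own_mrn.get(user) == mrn:
            findings.append(Finding(user, mrn, "self-access with network credentials"))
            continue
        if purpose not in PERMITTED_PURPOSES:
            findings.append(Finding(user, mrn, f"no permitted purpose recorded ({purpose or 'blank'})"))
            continue
        if purpose == "TREATMENT" and user not in care_team.get(mrn, set()):
            findings.append(Finding(user, mrn, "treatment access without care-team relationship"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_AUDIT_LOG):
        print(f"{f.user_id} -> {f.patient_mrn}: {f.reason}")
```

Run against the constructed log, the review produces three findings (jdoe and rlee each opening their own record, and rlee opening a chart for a patient they are not treating) and passes the two legitimate treatment accesses and the billing lookup. A finding is a reason to open an FPO investigation, not a conclusion: the care-team table may be stale, which is why the script reports and does not act.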
Shared Network Drives
Per 110.1.037 Network Usage Policy, all Dignity Health network users are responsible for protecting the privacy and confidentiality of data by following security protocols for shared network drives.
• Retrieve scanned documents and delete them from the shared department network drive immediately.
• Documents in shared department network drives can be seen by any individual who has access to the drive.
• Access to network drive folders that contain PHI or sensitive information should be limited to authorized users.
• The IT Help Desk can set up restricted access to folders on a shared drive for authorized users.
110.1.038 - Portable Device & Media Security Policy
Electronic information is portable, and ePHI can be compromised by lost or stolen laptops, cell phones, PDAs, CDs, flash drives, etc.
• Only Dignity Health approved smart phone, tablet, and PDA models may be used to access the Dignity Health network.
• Limit the storage of PHI or other sensitive information on portable computers and media to the minimum necessary to perform required duties.
• When PHI or confidential information is stored on a laptop or other portable media, maintain a record, mirror copy or backup on the Dignity Health network.
• Use appropriate safeguards when using, transporting or storing laptops or removable media.
• Encryption software for removable media is available on all Dignity Health supported computers.
Removable Media Encryption
• Password protection is NOT the same as encryption!
• You are responsible to ensure all PHI or sensitive data on removable media like memory sticks, CDs or DVDs is properly encrypted and stored in a safe location.
• Never save PHI or Sensitive Information to a hard drive or removable media that is not encrypted.
• For removable media encryption, use the McAfee Endpoint Encryption for Files & Folders software available on Dignity Health computers.
• When removable media is plugged into a Dignity Health computer, a pop-up message will ask if you want to encrypt the medium.
• Follow the screen prompts to activate encryption, or contact the IT Help Desk for assistance.
• Do NOT use the McAfee encryption software to encrypt devices like cell phones, cameras, music players or any memory cards. Encrypting these devices could render them unusable and/or unrecoverable.
110.1.053 Medical Device Data Security Policy
• It is the policy of Dignity Health to protect PHI that is stored on or transmitted by Medical Devices from unauthorized Uses and Disclosures.
• Business or Technical Owners shall complete a security assessment prior to procurement of a medical device, in order to document the safeguards used to protect PHI stored on or transmitted by the Medical Device.
• Prior to implementation, the Business Owner shall complete a Privacy Impact Assessment.
• Limit the storage of PHI on medical devices to the Minimum Necessary for treatment.
• Maintain a backup of PHI stored on the device.
• Immediately report any incident involving the loss, theft, or unauthorized use or access of a Portable Device or Portable Media.
Personal Cell Phone Use
• The use of personal cell phones or other camera-equipped devices must comply with the Dignity Health Network Usage Policy 110.1.037. The scope of this Policy includes, but is not limited to: cell or smart phones, PDAs, pagers, and tablets (handheld devices).
• All employees, physicians, and contractors are responsible for following Dignity Health policies and facility protocols to restrict the creation or use of unauthorized digital images with a cell phone or other camera-capable device.
• Use of personal devices to store and maintain our PHI without using an approved encryption method represents a risk to Dignity Health.
• Each facility is responsible for any notification or reporting necessary due to unauthorized use of data, or caused by loss or theft of a device.
Texting ePHI and Image Transmission
• PHI must be securely transmitted and protected from unauthorized disclosure during transmission, through EMRs, secure email, VPN, MobileMD, encrypted CDs, encrypted flash drives, and other methods.
• There is no closed and controlled texting technology implemented at Dignity Health that would allow the secure transmission of PHI.
• PHI sent via unsecured texting represents both a privacy and a data security incident that requires investigation and mitigation, and may require notification and reporting to regulatory agencies.
• Images sent via text leave a copy of the image on the server of the cellular carrier (e.g. AT&T, Verizon, etc.), on the sender's cell phone, and on the recipient's cell phone.
• Cell phone and data carriers are not business associates of Dignity Health and have no right to receive patient or confidential data.
Lost or Stolen Portable Media
Call the IT Help Desk immediately to report the theft or loss of your Dignity Health laptop, Blackberry, iPhone, CD, flash drive or other portable media that you use to connect to the network and that contains PHI or sensitive information.
• For smart phones, the Help Desk opens a ticket and sends information to the IT Security Team. The IT Security Team will send a "wipe" command to clear the memory on the device (this only works for phone users that connect to our Enterprise Server).
• Note: Do not cancel your phone service with your provider before notifying the IT Help Desk, because once service is cancelled the "wipe" command cannot be sent.
• For laptops or portable media, the IT Help Desk will contact the Computer Security Incident Response Team (CSIRT) to start an investigation.
110.1.046 Email Policy and Sending Secure Email
Any PHI or confidential information sent outside of the Dignity Health network requires encryption.
• Insert a space after the subject, then type #secure# (lower case).
• If a message is sent without the #secure# tag it will not be encrypted, and this may be a reportable incident.
• You may use the "Send Secure" button if available in your Outlook version.
• A confidentiality statement should be placed at the bottom of the email with the required language as stipulated in the Dignity Health email policy #110.1.046.
• Report incidents regarding unsecured email to your local FPO immediately.
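The slide gives three facts: encryption is triggered by the #secure# subject tag, the tag must be lowercase after a space, and an untagged message carrying PHI outside the network may be a reportable incident. As an added example (not Dignity Health's mail gateway, policy code or Outlook add-in), the Python check below reviews outbound messages the way a gateway rule or a post-hoc FPO review might: a message that leaves the network, lacks the tag exactly as the slide describes it, and shows PHI indicators is flagged for follow-up. The internal domain, the PHI indicator patterns and the sample messages are assumed or constructed; how leniently the production gateway matches the tag is not stated on the page, so the check follows the slide's wording strictly.

```python
"""Flag outbound mail that leaves the network with PHI but without the #secure# tag.

Added illustration, not Dignity Health code: the internal domain, the PHI
indicator patterns and the gateway's exact matching rule are assumptions, and
the sample messages are constructed.
"""
import re

INTERNAL_DOMAIN = "example.org"   # assumed internal domain (placeholder)
SECURE_TAG = "#secure#"           # lowercase, preceded by a space, per the slide

# Rough indicators that a body carries PHI or sensitive data. These are assumed
# patterns; a real DLP policy would be broader and tuned to the organization's
# own identifier formats.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s?\d{4,}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[: ]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


def has_secure_tag(subject):
    """True when the subject carries the tag as the slide describes it:
    lowercase '#secure#' standing alone after a space. 'Results#secure#'
    (no space) and 'Results #SECURE#' (upper case) therefore do not count."""
    return SECURE_TAG in subject.split(" ")


def leaves_network(recipients, internal_domain=INTERNAL_DOMAIN):
    """Encryption is required when at least one recipient is outside the network."""
    return any(not addr.lower().endswith("@" + internal_domain) for addr in recipients)


def phi_indicators(body):
    """Names of the PHI patterns found in the body, sorted for stable output."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(body))


def review_outbound(messages, internal_domain=INTERNAL_DOMAIN):
    """Return (message_id, indicators) for each message that is external,
    untagged and shows PHI indicators: the combination the slide calls a
    possible reportable incident. Internal or tagged mail is skipped."""
    flagged = []
    for msg in messages:
        if not leaves_network(msg["to"], internal_domain):
            continue
        if has_secure_tag(msg["subject"]):
            continue
        hits = phi_indicators(msg["body"])
        if hits:
            flagged.append((msg["id"], hits))
    return flagged


# Constructed sample messages (ids, addresses and contents are invented).
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["records@partner-clinic.example"],
     "subject": "Referral packet #secure#", "body": "Patient MRN 1001, DOB 01/02/1960"},
    {"id": "m2", "to": ["records@partner-clinic.example"],
     "subject": "Referral packet#secure#", "body": "Patient MRN 1002 attached"},
    {"id": "m3", "to": ["billing@example.org"],
     "subject": "Account follow-up", "body": "SSN on file 123-45-6789"},
    {"id": "m4", "to": ["attorney@lawfirm.example"],
     "subject": "Records request", "body": "Copies of chart for MRN 1003 attached"},
    {"id": "m5", "to": ["vendor@lawfirm.example"],
     "subject": "Lunch on Friday?", "body": "Noon at the usual place."},
]

if __name__ == "__main__":
    for msg_id, hits in review_outbound(SAMPLE_MESSAGES):
        print(f"{msg_id}: external, untagged, PHI indicators {hits}")
```

On the constructed set, m2 is caught because the tag was typed without the space the slide calls for, and m4 because no tag was added at all; m1 is correctly tagged, m3 stays inside the network, and m5 carries nothing sensitive. A flagged message is the trigger for the FPO report the slide asks for, not proof of a breach; the indicator patterns are deliberately simple and will miss PHI written in other forms.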
SharePoint Sites
SharePoint sites are a great tool for sharing information, but are not authorized for posting, sharing, or storing documents with PHI or sensitive information. Technical controls cannot be enforced on a global level due to the varied uses of the sites, and SharePoint can be accessed externally.
If it is discovered that a document with PHI or sensitive information is posted in a SharePoint site, the site administrator should:
• Delete the document.
• Contact the individual user who posted the document and/or their supervisor to alert them that PHI or sensitive documents should not be posted.
• Promptly notify the Facility Privacy Official.
110.1.028 Investigation Response and Notification Policy
It is the right and responsibility of every member of Dignity Health's workforce to immediately report a privacy or data security incident. Reporting options:
• Directly to your supervisor, who in turn should report it to the FPO.
• Directly to the Facility Privacy Official (FPO).
• Directly to the Facility I.T. Site Director.
• Email: firstname.lastname@example.org
• Call the Dignity Health Hotline (confidential): 1-800-938-0031
Dignity Health will not intimidate or take any retaliatory action against an employee who reports a privacy or data security violation.
Conclusion of Privacy & Data Security Refresher
• Always follow Dignity Health Privacy and Data Security policies and procedures when handling patient or sensitive information.
• Comply with federal and state privacy and data security regulations.
• Report all known or suspected privacy or data security incidents.
If you have questions or concerns not covered in this training, contact your Facility Privacy Official for more information.