HIPAA and Home Health

Presentation Transcript

  1. HIPAA and Home Health • ISAC • October 9, 2018

  2. Sorry, I have to do this! • The contents of this presentation are provided for the purpose of information and education only and do not constitute legal advice. You are encouraged to consult competent legal counsel of your choice for all legal issues.

  3. Due solely to the nature of the business, home health activities have a high risk in terms of meeting the obligations of HIPAA • This presentation is intended to raise the level of awareness rather than address every fact situation

  4. Topics for Today • What is HIPAA and how is Protected Health Information defined • Dealing with PHI on the move • Communicating with patients • Social Media and HIPAA

  5. What is HIPAA • Health Insurance Portability and Accountability Act of 1996 • Now, the focus is on protecting information that can be used to identify an individual • Identity theft is a primary concern

  6. Quinzella Romer – former health insurance company employee • During a traffic stop, officers discovered an outstanding warrant • During pat down found a driver’s license from another person and a cell phone • Obtained a search warrant for the phone

  7. Found over 20 screen shots on the phone that contained PHI of over 50 people. • 12 had already been victims of tax-related identity theft where the IRS paid out refunds • Sentenced to 32 months in prison and restitution of $16,264

  8. What is PHI? • Protected Health Information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that: • Relates to the past, present, or future physical or mental health or condition of an individual; • Relates to the provision of health care to an individual; or • Relates to the past, present or future payment for the provision of health care to an individual.

  9. PHI is so much more than just the medical record. • PHI includes information by which the identity of a person can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.

  10. Identifiers • Names • Medical Record Numbers • Social Security Numbers • Account Numbers • License/Certification numbers • Vehicle Identifiers/Serial numbers/License plate numbers • Internet protocol addresses • Health plan numbers • Full face photographic images and any comparable images

  11. Web universal resource locators (URLs) • Any dates related to any individual (date of birth) • Telephone numbers • Fax numbers • Email addresses • Biometric identifiers including finger and voice prints • Any other unique identifying number, characteristic or code • PHI is more than name, date of birth and SSN!

  12. Breach • The impermissible or unauthorized use or disclosure of protected health information • Minimum Necessary Doctrine • Requires notification to the government and the individual impacted

  13. How to handle PHI • First and foremost, protect it! • Ensure it remains private • Ensure it is secure when in electronic format – encryption, firewalls, etc. • Access must be authorized • Do not discuss PHI in public areas such as cafeterias, breakrooms, etc. • Dispose of it properly

  14. PHI in Transit – on the move • Laptops and cell phones • Paper • Must ensure security of PHI at all times regardless of where the “office” may be

  15. Laptops and cell phones • Two largest sources of breaches • High degree of theft • Email • Text messages • Photographs • Encryption and passwords are essential

  16. Dangers of Phishing Email • Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords • Over 75% of breaches are because someone let the bad guys in • The best protection is to always be skeptical about e-mails – “when in doubt, throw it out!”

  17. Why is Phishing so dangerous? • E-mails appear to come from a legitimate company and can look very official • Easy to be fooled into providing personal information in hopes of rectifying some nonexistent problem with your account • Sense of urgency created tricks people into acting without thinking

  18. Examples • “There has been a security breach and your immediate attention is required. If you don’t update and confirm your password within 48 hours all data will be lost.” • Provides a link to access the log-in page which actually takes the person directly to the bad guys

  19. Red Flags • A financial institution will NEVER ask you to reset your account information online • The e-mail claims there will be dire consequences unless you log in immediately • There is a link within the e-mail that takes you to the “log-in” page • Fear is the attacker’s best weapon

  20. PHI on Paper • Face sheets, plans of care, physician orders, schedules, etc. • There is a lot of paper PHI floating around • Easy to misplace, leave behind or lose.

  21. But I always keep everything in my folder/briefcase/bag • Where is the folder when you run an errand? • Is the folder ever out of sight when serving a patient? • Cars at Casey’s • At home • Disposal of notes and cheat sheets

  22. Always have to assume people are nosey! • What is PHI worth? • Paper will always be a soft spot

  23. Conversations with Patients • Home health is a special setting for the delivery of health care services • Essential to maintain the “information boundaries” • Even innocent conversations can be problematic • Consider who else may be around

  24. Social Media and HIPAA • Social media is the landmine of health care • We have lost our filters • Snapchat • Clarksville Nursing and Rehab • Hubbard Care Center • Best advice – never post work related information or photos

  25. Privacy still matters • OCR expects over 17,000 privacy complaints this year

  26. The problem with social media is you can’t un-ring the bell • The magnitude of the impermissible disclosure is far greater in our electronic world

  27. “I don’t work there anymore…” • Obligations and responsibilities continue well past the date of separation • It isn’t the agency or county that enforces the obligation, rather, it is the Office for Civil Rights, part of the Federal government

  28. Enforcement • Oklahoma v. Bond • Along with co-conspirator, stole medical records from employer, Mercy Health • Used information to fraudulently open credit card accounts • Charged with felony identity theft and fraud

  29. Martha Smith-Lightfoot • Took a spreadsheet containing PHI of 3,000 people “to ensure quality of care” • Gave the information to her new employer • Several patients complained about being contacted by the new employer about changing providers • Lost her nursing license

  30. U.S. v. Orlando Jemmott • Worked in the ER of Kings County Hospital • Stole PHI of 100 individuals • Sold the information to another person • Fired by hospital • Arrested by FBI for criminal identity theft

  31. Penalties • Fines can range from $5,000 to $2.5 million • Jail time of up to 10 years if the use was malicious or for personal gain • Criminal sanction available when the individual knowingly obtained or disclosed PHI

  32. Do’s and Don’ts • Do keep computer sign-on codes and passwords secret and use locked screensavers • Do Not allow unauthorized persons to access your computer • Do keep notes, files, USB drives and mobile devices in a secure place and not out in the open

  33. Do Not place PHI on a mobile device that isn’t encrypted and password protected • Do hold discussions of PHI in private areas and for job-related purposes only • Do be aware of other people listening in on your conversation

  34. Do make sure all envelopes used to mail or transport PHI are sealed and closed securely • Do follow proper procedures for disposal of sensitive information, i.e., secure shredding • Do Not include PHI in e-mails unless the e-mail is encrypted

  35. Bottom Line • Privacy of patients’ information is more important than ever • Whether it be on paper or in electronic form PHI must be secured at all times • HIPAA continues long past the date of separation • Think twice before posting anything work related on social media

  36. Gary N. Jones, J.D., CHC, CHPC • Gary.jones@mwcompliance.com • Midwest Compliance Associates, LLC • 721 W. 1st Street, Cedar Falls, Iowa 50613