Duke University SOMHIPAA Privacy Training Lawrence H. Muhlbaier, PhD Tasha Carmon, CHPC, CCRC, CCRP Associate Professor, B&B Senior Compliance Auditor DCRI SOM Compliance Office
Purpose of HIPAA Training • This training will: • Briefly define HIPAA and PHI • Provide general education regarding access, use, and disclosure of health information in compliance with the Privacy & Security Rules • Outline your responsibilities as faculty and staff in the proper use, disclosure and protection of health information. • Describe your responsibilities and resources when there is a question, concern or violation. • Omnibus Rule Update - January 2013
What is the SOM Compliance Office • Clinical Trials Quality Assurance (CTQA) • Human Subjects Research Compliance, Clinical Trials Billing Compliance • Compliance Review Services (CRS) • Financial Compliance, COI, Departmental reviews http://medschool.duke.edu/research/compliance-office/staff
Why do I need HIPAA Training? • Your duties may require you to have contact with Duke University Health System (DUHS) health information. Due to this contact, you have an obligation to maintain the privacy and security of this health information.
Our Responsibility as a Covered Entity • Under the HIPAA Privacy and Security Rules, Duke must have policies and procedures in place to protect the privacy and confidentiality of both PHI and electronic PHI (ePHI). • Covered entity: Healthcare provider, Healthcare plan, or Health care clearinghouse that handles protected health information.
Health Insurance Portability &Accountability Act (HIPAA) • Enacted in 1996, HIPAA covers: • Insurance Portability (allows one to take insurance to their next job) • Accountability (fraud Prevention) • Administrative Simplification • Security • Privacy
Health Information Technology for Economic and Clinical Health (HITECH) Act • HITECH Act, enacted as part of the American Recovery and Reinvestment Act ARRA) of 2009. • Addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. • Four categories of violations that reflect increasing levels of culpability; • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and • A maximum penalty amount of $1.5 million for all violations of an identical provision.
HIPAA Privacy • The Privacy Rule: • Protects information about an individual’s health, health care, or payment for care; past, present, or future (PHI). • Identifies permitted uses and disclosures of this PHI • Gives patients some control over their health information (Patient’s Rights)
What is considered Protected HealthInformation (PHI)? HIPAA defines 18 identifiers of PHI, including: • Names. • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: • The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people. • The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
18 identifiers of PHI (cont.) • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. • Telephone numbers. • Facsimile numbers. • Electronic mail addresses. • Social security numbers. • Medical record numbers. • Health plan beneficiary numbers. • Account numbers.
18 identifiers of PHI (cont.) • Certificate/license numbers. • Vehicle identifiers and serial numbers, including license plate numbers. • Device identifiers and serial numbers. • Web universal resource locators (URLs). • Internet protocol (IP) address numbers. • Biometric identifiers, including fingerprints and voiceprints. • Full-face photographic images and any comparable images. • Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification. • Note: In combination with health information
Use & Disclosure of PHI • Use: • Sharing PHI within Duke Medicine and designated Duke University departments. • Disclosure: • Sharing health information with others or entities outside of Duke Medicine.
AppropriateUse & Disclosure of PHI • Use and disclosure of PHI: • As authorized by the patient • (informed consent) • For treatment, payment, or operations (TPO) • For other certain circumstances as detailed in the Privacy Rule (including Public Health disclosures)
What is needed in an Authorization to Use or Disclose PHI • Description of PHI to be used or disclosed • Person(s) authorized to use or disclose the PHI • Person(s) to whom the covered entity may disclose PHI • Each purpose for the use or disclosure • Expiration date or study event • Signed copy given to individual
Other HIPAA documents to consider • Notice of Review Preparatory to Research • I will look but not recordand/or allow to leave Duke. • Waiver or Alteration of Consent and HIPAA Authorization (Recording identifiable private information w/out written/verbal authorization) • Notice of Decedent Research • Deidentification • (All 18 identifiers are removed) • Limited Data Set with a Data Use agreement • Contact Gill Smith’s office
Limited Data Set with DUA • Limited Data Set with a Data Use agreement • All identifiers except: • Dates (DOB, DOD, Service dates), demographic (city, state, Zip, Zip +4) • A contract must be signed between the disclosure and recipient.
Minimum Necessary The Privacy Rule instructs that we follow the “minimum necessary” requirements when using, disclosing, or accessing PHI for anything other than treatment of a patient. • Only the amount of PHI needed to perform the task should be used or reviewed by staff or disclosed to others. • If asked to disclose PHI and this is outside your job responsibilities, contact your supervisor or the SOM Privacy Officer before releasing the information. • If requested to give PHI to a third party (e.g., sponsor ) contact your supervisor or the SOM Privacy Officer for direction.
What can you do to help protect PHI? • Do Not discuss PHI in public or discuss with anyone unrelated to the task at hand. • Do Not access PHI if not needed for your job. • Do Not leave papers containing PHI unattended. Place papers face face down or conceal to avoid access by unauthorized persons. Theft or loss of any paper record should be reported immediately to the SOM • Do Not send unencrypted electronic PHI • Use a cover sheet when faxing confidential information; verifying fax number • Paper, images and other printed materials containing PHI should be destroyed by shredding or striking out (redaction) so that it cannot be read or reconstructed. • Please confirm if a DUA is needed for your research (BAAs are typically not needed for research) • If you must retain SSNs for your research, please contact the SOM Compliance Office and/or the ISO.
Common Violations/Hot button issues • Not offering the Notice of Privacy Practices to Healthy subjects. • Retention of SSNs • Duke Policies: Collection, Storage, and Use of Social Security Numbers • The disclosure of PHI to a third party without authorization. • Non-existence of DUA and/or BAA, when needed • International Data • Use of personal email for Duke business • Electronic Communication
What’s New!! • Omnibus Rule • Data Loss Prevention (DLP) • Diane Padgett, Compliance Auditor
Omnibus Rule – September 20, 2013 Final modifications to the HIPAA Privacy, Security, and Enforcement Rules require: • Modifications to individual authorization (allows “opt in” check boxes to be used in Consent and Authorization forms) • Modifications to the NOPP and redistribution • Business associates of covered entities are now responsible for HIPAA Privacy/Security breaches and reporting. (New business associate agreements) • Individual rights to request e-copies of their health record and to restrict disclosures to a health plan concerning treatment for which one has paid out of pocket. • New breach reporting requirements • Privacy rule copies Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes. • Individuals deceased longer than 50 years are not longer covered
Why is it important? Reporting a Suspected event
How to report • If a suspected privacy event occurs, please contact the SOM Compliance Office immediately (919-684-2475). • Examples including accidentally releasing patient information to the wrong person, losing PHI such as a spreadsheet, etc. • The Privacy Officer should also be notified if someone incorrectly discloses PHI to you • If you wish to make an anonymous report or feel uncomfortable calling the DUHS Privacy Officer directly, you can call Duke Medicine’s Privacy Line 1-800-688-1867
What happens to me when I report a HIPAA concern? Non-Retaliation/Non-Retribution Policy • If you report a concern in “good faith”* no retaliation or retribution may be taken against you even if the investigation determines that a problem does not exist. • Supervisors will be disciplined for any attempts to punish or retaliate against anyone acting in good faith in reporting a privacy violation. *Good faith means that the person reporting the concern believes that the problem exists.
Resources • Duke SOM Compliance Office • Duke Medicine’s Privacy Line: 1-800-688-1867 • Duke IRB • DUHS Policies: http://marlowe.mc.duke.edu/accred/duhspol.nsf/fb44e3dd791dbda0852567910047d969?OpenView
Thank You Duke School of Medicine Compliance Office Lawrence H. Muhlbaier, PhD Tasha Carmon, CCRC, CCRP 919-668-8774 919-684-6456 email@example.com@duke.edu