HIPAA Privacy and Security October 20, 2009 1 Karen Pagliaro-Meyer Privacy Officer Columbia...
HIPAA Privacy and Security
October 20, 2009
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
(212) 305-7315
Nursing Students
HIPAA: PRIVACY vs. SECURITY
What’s the Difference?
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
Consequences of Privacy or Security Failure
Disruption of Patient Care
Increased cost to the institution
Legal liability and lawsuits
Negative Publicity
Negative Patient perception
Identity theft (monetary loss, credit fraud)
Disciplinary action
HIPAA – Privacy & Security Concerns – Theft of Patient Data
• Identity Theft – stolen laptop
• Loss of Patient Data – incorrect disposal of documents; portable devices increase the possibility of data loss
• Misuse of Patient Data – Privacy Breach
Theft of Patient Data – NewYork-Presbyterian Hospital
A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.
The files stolen probably contained little or no medical information, but did include patient names, phone numbers and social security numbers – fertile ground for identity theft.
The employee reported that he sold 1,000 files to a man for $750.
NYP sent letters and offered free 2-year credit monitoring to all patients:
50,000 * $15 = $750,000 +++
Theft of electronic devices at CUMC
A large fire in a NYP/CUMC building led to immediate evacuation of the entire building.
An outside firm was hired to assist with the clean-up and repair of the building.
When staff returned, it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen.
Lesson learned – All equipment must be password protected. Portable equipment that includes patient information must also be encrypted.
Consider installing software like PC PhoneHome that may assist in locating stolen portable devices.
Loss of Patient Data – CVS Pharmacy
• CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case
• A case that involves the privacy of millions of health care consumers
• On January 16, 2009 the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule.
• CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions, related medical information and credit card information.
Privacy Breach
• The Kaiser hospital in Bellflower at which Nadya Suleman gave birth to eight babies has been hit with a $250,000 fine by California health officials.
• Kaiser Permanente spokesman Jim Anderson said that the hospital had warned employees to stay away from the Octo-Mom's files and reported the privacy violations itself, firing 15 employees.
• According to the state, however, the hospital did not do enough to protect Octo-Mom's privacy.
• UCLA Medical Center disciplined 53 staff members for accessing the medical information of Britney Spears in 2007.
What you need to know about HIPAA & Patient Privacy
• Notice of Privacy Practices
• Authorization to Release Medical Information
• Patient Rights
• Privacy Breaches
• Business Associates
• HIPAA and Research
Authorization to Release Medical Information
• Written authorization is required to release medical information
• The physician or care team may share information with a referring physician without an authorization (“patient in common”)
• All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
• Staff must understand who is the legal next of kin
Notice of Privacy Practices – Patient Rights
• Patients have the right to:
– Request restrictions on release of their PHI
– Receive confidential communications
– Inspect and copy medical records (access)
– Request amendment to medical records
– Make a complaint
– Receive an accounting of any external releases
– Obtain a paper copy of the Notice of Privacy Practices on request
Privacy Breach
• Privacy breaches do not usually involve high-profile patients
• Most privacy breaches involve staff accessing medical information of friends, family members and co-workers
• Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information
• It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action
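The daily audit described above can be illustrated with a small check over chart-access records. This is an added example, not part of the presentation or of any CUMC tooling; the log layout, the care-team assignment table and the staff-directory lookup are all constructed assumptions.

```python
"""Daily chart-access audit, added illustration (not from the presentation).

Assumes a constructed EHR access log and a constructed care-team table;
field names and the staff-directory lookup are hypothetical.
"""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "ts user patient action")

# Constructed sample log: who opened which chart during one day.
ACCESS_LOG = [
    AccessEvent("2009-10-20 08:02", "rn_alvarez", "P1001", "view"),
    AccessEvent("2009-10-20 09:15", "rn_alvarez", "P1002", "view"),
    AccessEvent("2009-10-20 12:40", "clerk_smith", "P1003", "view"),
    AccessEvent("2009-10-20 13:05", "rn_alvarez", "P2001", "view"),
    AccessEvent("2009-10-20 16:30", "rn_alvarez", "P1001", "update"),
]

# Constructed care-team assignments: patient -> users with a treatment,
# payment or operations reason (a business purpose) to open that chart.
CARE_TEAM = {
    "P1001": {"rn_alvarez", "md_chen"},
    "P1002": {"rn_alvarez"},
    "P1003": {"md_chen"},
    "P2001": {"md_chen"},
}

# Constructed workforce directory: patient ids that belong to staff members,
# so that access to a co-worker's record can be called out explicitly.
STAFF_PATIENT_IDS = {"P2001": "rn_brown"}


def audit(events, care_team, staff_patients):
    """Return (event, reason) pairs that need privacy-office review."""
    findings = []
    for ev in events:
        if ev.user in care_team.get(ev.patient, set()):
            continue  # access is backed by a documented business purpose
        reason = "no care-team relationship"
        if ev.patient in staff_patients:
            reason += "; record belongs to a co-worker"
        findings.append((ev, reason))
    return findings


if __name__ == "__main__":
    for ev, why in audit(ACCESS_LOG, CARE_TEAM, STAFF_PATIENT_IDS):
        print(f"{ev.ts} {ev.user} -> {ev.patient} ({ev.action}): {why}")
```

On the constructed log this flags the clerk's view of P1003 and the nurse's view of a co-worker's chart (P2001); every other access matches a care-team assignment and is left alone.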
Who is a Business Associate? Individuals or companies who do business with CUMC and have access to protected health information.
A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.
Examples of business associates include:
• billing companies or claims processing
• voice mail or appointment reminder service
• management
• transcription services or coding companies
• accreditation
• software used for medical data
HIPAA and Research
• Medical record research or identification of potential research subjects must be approved by the IRB, which includes a review of HIPAA research requirements
• Two main avenues of HIPAA research:
– Form A: HIPAA Clinical Research Authorization – required elements
– Form B: HIPAA Application for Waiver of Authorization – subject to approval of the IRB
• Some exceptions:
– Research using solely decedent information
– Research using solely de-identified information
– Activities prior to research or preparatory to research
HIPAA Privacy Guidance – Top 10
1. Provide patients with the Notice of Privacy Practices
2. Shred patient information
3. Follow Electronic Security Policies
4. Telephone Guidance – messages and requests for info
5. Use and Disclose Medical Information Correctly
6. Fax patient information utilizing a cover sheet
7. Verify patient at the time of new registration
8. Avoid unintentional disclosures (hallway – email - mail)
9. Report and manage Privacy Breaches
10. Notify Privacy Office of Complaints
Good Computing Practices – 10 Safeguards for Users
1. User ID or Log-In Name (aka. User Access Controls)
2. Passwords
3. Workstation Security
4. Portable Device Security – USB, Laptops
5. Data Management, e.g., back-up, archive, restore
6. Remote Access – VPN
7. Recycling Electronic Media & Computers
8. E-Mail – Columbia email account ONLY
9. Safe Internet Use – viruses
10. Reporting Security Incidents / Breaches
Security Controls
Laptop and File Encryption
• WinZip (password protect + encrypt)
• 7-Zip (free, password protect + encrypt)
• TrueCrypt (free, complete folder encryption)
• FileVault (folder encryption on Macintosh)
Encrypted USB Drives
• Kingston DataTraveler
• IronKey (fully encrypted)
Types of Security Failure
• Sharing passwords – You are responsible for your password. If you shared your password, you will be disciplined even if the other person performs no inappropriate access.
• Not signing off systems – You are responsible and will be disciplined if another person uses your ‘not-signed-off’ system and application.
• Sending EPHI outside the institution without encryption – Under HITECH you may be personally liable for losing EPHI data.
• Losing a PDA or laptop in transit with unencrypted PHI or PII – Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII.
New Regulation: HITECH Act (ARRA)
(Health Information Technology for Economic and Clinical Health)
New Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic “unsecured PHI”
• Requires immediate notification to the Federal Government if more than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties apply to individuals or employees of a covered entity
• State Attorneys General will have enforcement authority and may sue for damages and injunctive relief
New York State SSN/PII Laws
Social Security Number Protection Law – Effective December 2007
• Recognizes the SSN as a primary identifier for identity theft
• It is illegal to communicate this information to the general public
• Access cards, tags, etc. may not carry the SSN
• SSN may not be transmitted over the Internet without encryption
• SSN may not be used as a password
• SSN may not be printed on envelopes with see-through windows
• SSN may not be requested unless required for a business purpose
• Fines and penalties apply
New York State SSN/PII Laws
Information Security Breach and Notification Act – Effective December 2005
IF… a breach of Personally Identifiable Information occurs:
o SSN
o Credit Card
o Driver’s License
THEN… must notify:
o patients / customers / employees
o NY State Attorney General
o Consumer reporting agencies
New Regulations – Red Flag Rule
Red Flag – Identity Theft Prevention Program
• Requires healthcare organizations to establish a written program to identify, detect, respond to and correct reports of potential identity theft
• Educate all staff on how to identify Red Flags and report them
• Appoint a program administrator and report to leadership
• FTC law includes fines and penalties of $2,500 per violation
• Business Associate Agreements will have to be revised to require informing CUMC of any Red Flags involving CUMC data
What Is My Role in Protecting Medical Information?
Good security standards follow the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
– Example: The lock on the door is the 10%.
– You remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of the keys is the 90%.
– 10% security is worthless without YOU!
PATIENT PRIVACY
At some point in our lives we will all be a patient
Treat all information as though it was your own
Questions & Answers
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
212-305-7315
[email protected]@columbia.edu