
HIPAA Privacy and Security

October 20, 2009

Karen Pagliaro-Meyer, Privacy Officer

Columbia University Medical Center

[email protected]

(212) 305-7315

Nursing Students

HIPAA: PRIVACY vs. SECURITY

What’s the Difference?

PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.

SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.

Consequences of Privacy or Security Failure

Disruption of Patient Care

Increased cost to the institution

Legal liability and lawsuits

Negative Publicity

Negative Patient perception

Identity theft (monetary loss, credit fraud)

Disciplinary action


HIPAA – Privacy & Security Concerns

– Theft of Patient Data

  • Identity theft

  • Stolen laptop

– Loss of Patient Data

  • Incorrect disposal of documents

  • Portable devices increase the possibility of data loss

– Misuse of Patient Data

  • Privacy breach

Theft of Patient Data – NewYork-Presbyterian Hospital

A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.

The files stolen probably contained little or no medical information, but did include patient names, phone numbers and social security numbers: fertile ground for identity theft.

The employee reported that he sold 1,000 files to a man for $750.

NYP sent letters and offered free 2-year credit monitoring to all patients.

50,000 * $15 = $750,000 +++

Theft of electronic devices at CUMC


A large fire in a NYP/CUMC building with immediate evacuation of the entire building

An outside firm was hired to assist with the clean-up and repair of the building

When staff returned it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen

Lesson learned – All equipment must be password protected. Portable equipment that includes patient information must also be encrypted.

Consider installing software like PC phone home that may assist in locating stolen portable devices

Loss of Patient Data CVS Pharmacy


•CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case

•A case that involves the privacy of millions of health care consumers

•On January 16, 2009 the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule. 

• CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions, related medical information and credit card information. 

Privacy Breach

• The Kaiser hospital in Bellflower at which Nadya Suleman gave birth to eight babies has been hit with a $250,000 fine by California health officials.

• Kaiser Permanente spokesman Jim Anderson said that the hospital had warned employees to stay away from the Octo-Mom's files and reported the privacy violations itself, firing 15 employees.

• According to the state, however, the hospital did not do enough to protect Octo-Mom's privacy

• UCLA Medical Center disciplined 53 staff members for accessing the medical information of Britney Spears in 2007


What you need to know about HIPAA & Patient Privacy

• Notice of Privacy Practices

• Authorization to Release Medical Information

• Patient Rights

• Privacy Breaches

• Business Associates

• HIPAA and Research

Authorization to Release Medical Information


Written Authorization required to release medical information

A physician or care team may share information with a referring physician without an authorization (the “patient in common” exception)

All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review

Must understand who is the legal next of kin


Notice of Privacy Practices: Patient Rights

• Patients have the right to:

– Request restrictions on release of their PHI

– Receive confidential communications

– Inspect and copy medical records (access)

– Request amendment to medical records

– Make a complaint

– Receive an accounting of any external releases

– Obtain a paper copy of the Notice of Privacy Practices on request

Privacy Breach


Privacy Breaches do not usually involve high profile patients

Most Privacy Breaches involve staff accessing medical information of friends, family members and co-workers

Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information

It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action
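The daily audit described above can be reduced to a simple rule: a chart access with no care-team assignment, or a lookup of a colleague's or one's own record, is flagged for review. The following is an added illustration, not code from CUMC or from this presentation; the staff roster, care-team table and access log are constructed sample data.

```python
from collections import namedtuple

Access = namedtuple("Access", "user patient_id action")

# Constructed roster: user -> (department, patient id if the employee is also a patient here)
STAFF = {
    "nurse_a": ("oncology", "P100"),
    "nurse_b": ("oncology", None),
    "nurse_d": ("oncology", None),
    "clerk_c": ("admissions", "P300"),
}
# Constructed care-team assignments: patient id -> users with a business purpose to view the chart
CARE_TEAM = {
    "P100": {"nurse_b"},
    "P200": {"nurse_a", "nurse_b"},
    "P300": {"nurse_b"},
}

def audit(accesses):
    """Return (access, reason) pairs for chart accesses that lack a business purpose."""
    findings = []
    for a in accesses:
        dept, own_chart = STAFF.get(a.user, (None, None))
        if own_chart is not None and a.patient_id == own_chart:
            findings.append((a, "self-lookup"))
        elif a.user in CARE_TEAM.get(a.patient_id, set()):
            pass  # assigned to this patient's care team: legitimate access
        else:
            # Is the patient a colleague in the same department? (the co-worker case on the slide)
            colleague = next((u for u, (d, pid) in STAFF.items()
                              if pid == a.patient_id and d == dept), None)
            reason = f"co-worker record ({colleague})" if colleague else "no care-team relationship"
            findings.append((a, reason))
    return findings

# Constructed sample of one day's access log.
SAMPLE_LOG = [
    Access("nurse_b", "P100", "view"),  # on care team: no finding
    Access("nurse_a", "P100", "view"),  # employee viewing own chart
    Access("nurse_d", "P100", "view"),  # oncology nurse viewing a colleague's chart
    Access("nurse_a", "P300", "view"),  # no assignment to this patient
    Access("nurse_b", "P300", "view"),  # on care team: no finding
]

if __name__ == "__main__":
    for access, reason in audit(SAMPLE_LOG):
        print(f"{access.user} -> {access.patient_id} ({access.action}): {reason}")
```

A real report would also consider emergency (break-the-glass) access and same-address or same-surname matches for the family-member case; those sources are not part of this illustration.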

Who is a Business Associate? Individuals who do business with CUMC and have access to protected health information

Signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen

Examples of BAAs include:

– Billing companies or claims processing

– Voice mail or appointment reminder service management

– Transcription services or coding companies

– Accreditation

– Software used for medical data

HIPAA and Research

• Medical Record Research or identification of potential research subjects must be approved by the IRB which includes a review of HIPAA Research requirements

• Two main avenues of HIPAA Research:

– Form A: HIPAA Clinical Research Authorization (required elements)

– Form B: HIPAA Application for Waiver of Authorization (subject to approval of the IRB)

• Some exceptions:

– Research using solely Decedent Information

– Research using solely De-identified Information

– Activities prior to research or preparatory to research

HIPAA Privacy Guidance – Top 10

1. Provide patients with the Notice of Privacy Practices

2. Shred patient information

3. Follow Electronic Security Policies

4. Telephone Guidance – messages and requests for info

5. Use and Disclose Medical Information Correctly

6. Fax patient information utilizing a cover sheet

7. Verify patient at the time of new registration

8. Avoid unintentional disclosures (hallway – email - mail)

9. Report and manage Privacy Breaches

10. Notify Privacy Office of Complaints

What you need to know about Information Security


Good Computing Practices: 10 Safeguards for Users

1. User ID or Log-In Name (a.k.a. User Access Controls)

2. Passwords

3. Workstation Security

4. Portable Device Security – USB, Laptops

5. Data Management, e.g., back-up, archive, restore

6. Remote Access – VPN

7. Recycling Electronic Media & Computers

8. E-Mail – Columbia email account ONLY

9. Safe Internet Use – virus

10. Reporting Security Incidents / Breach

Security Controls

Laptop and File Encryption

– WinZip (password protect + encrypt)

– 7-Zip (free, password protect + encrypt)

– TrueCrypt (free, complete folder encryption)

– FileVault (folder encryption on Macintosh)

Encrypted USB Drives

– Kingston DataTraveler

– IronKey (fully encrypted)

Types of Security Failure

– Sharing passwords: You are responsible for your password. If you shared your password, you will be disciplined even if the other person does no inappropriate access.

– Not signing off systems: You are responsible and will be disciplined if another person uses your ‘not-signed-off’ system and application.

– Sending EPHI outside the institution without encryption: Under HITECH you may be personally liable for losing EPHI data.

– Losing a PDA or laptop in transit with unencrypted PHI or PII: Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII.

New Regulation: HITECH Act (ARRA)


(Health Information Technology for Economic and Clinical Health)

New Federal Breach Notification Law – Effective Sept 2009

Applies to all electronic “unsecured PHI”

Requires immediate notification to the Federal Government if more than 500 individuals are affected

Requires notification to a major media outlet

Will be listed on a public website

Requires individual notification to patients

Criminal penalties apply to individual or employee of a covered entity

State Attorneys General will have enforcement authority and may sue for damages and injunctive relief

New York State SSN/PII Laws

Social Security Number Protection Law – Effective December 2007

– Recognizes the SSN to be a primary identifier for identity theft

– It is illegal to communicate this information to the general public

– Access cards, tags, etc. may not have the SSN

– SSN may not be transmitted over the Internet without encryption

– SSN may not be used as a password

– SSN may not be printed on envelopes with see-through windows

– SSN may not be requested unless required for a business purpose

– Fines and penalties

New York State SSN/PII Laws

Information Security Breach and Notification Act – Effective December 2005

IF… a breach of Personally Identifiable Information occurs

o SSN

o Credit card

o Driver’s license

THEN… must notify

o patients / customers / employees

o NY State Attorney General

o Consumer reporting agencies

New Regulations – Red Flag rule


Red Flag – Identity Theft Prevention Program

Requires healthcare organizations to establish a written program to identify, detect, respond to and correct reports of potential identity theft

Educate all staff how to identify Red Flags and report them

Appoint program administrator & Report to leadership

FTC law includes fines and penalties of $2,500 per violation

Business Associate Agreements will have to be revised to inform CUMC of any Red Flags involving CUMC data


http://www.cumc.columbia.edu/hipaa

What Is My Role in Protecting Medical Information?

Good Security Standards follow the “90 / 10” Rule:

• 10% of security safeguards are technical

• 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices

– Example: The lock on the door is the 10%.

– You remembering to lock, checking to see if it is closed, ensuring others do not prop the door open, and keeping control of keys is the 90%.

– 10% security is worthless without YOU!

PATIENT PRIVACY

At some point in our lives we will all be a patient

Treat all information as though it was your own

Questions & Answers

Karen Pagliaro-Meyer, Privacy Officer

Columbia University Medical Center

212-305-7315

[email protected]