HIPAA PRIVACY – OVERVIEW--Allied Health Students--
Jill Raines, University Privacy Official, University of Oklahoma
Copyright 2014 – May not be redistributed, reproduced, or used for any purpose without prior written permission of the Office of Legal Counsel
What is HIPAA?
Health Insurance Portability and Accountability Act
Federal law covering privacy and security of certain health information and imposing electronic transaction standards
We’re covering the Privacy Rule in HIPAA
Effective Date: April 14, 2003
HIPAA’s Purpose
Provides comprehensive protection for the privacy of health information and gives patients certain rights regarding that information.
Protection includes regulations governing the management, use, and disclosure of Protected Health Information (PHI).
Protected Health Information or PHI
Individually identifiable health information created or received by a covered entity
Related to past, present, or future physical or mental health or condition (or the payment for it)
Maintained or transmitted electronically or otherwise
Written or spoken
WHAT MAKES INDIVIDUAL HEALTH INFORMATION IDENTIFIABLE?
(HIPAA DESIGNATED PHI IDENTIFIERS)
Name
Address
Dates (except year)
Telephone number
Fax number
Email, URL, IP addresses
Biometrics (finger, voice)
Unique identifying number/code/characteristic
“Reasonable basis” catch-all
Social Security Number
Account and license numbers
Medical record number
Health plan/insurance number
Device numbers
Vehicle numbers
Identifying photos
Types of Uses and Disclosures of PHI
Disclosures required by law
Disclosures permitted by law
Disclosures pursuant to an Authorization
A covered entity is permitted to use or disclose PHI for treatment, payment, and health care operations (“TPO”)
A covered entity is permitted to make certain other disclosures without authorization as specifically set out in the Privacy Rule.
Examples:
--- Public health and safety
--- Medical examiners
--- Military
Permitted Disclosures
Treatment
Provision, coordination, management of care
Related Services
- referrals
- consultations
Covered Entities are Required to Disclose PHI in These Circumstances:
To an individual (or legal representative) who asks to inspect and copy his/her own PHI
To DHHS, CMS, or a state attorney general for investigation or determination of compliance with the Privacy Rule
In response to a subpoena, court order, law, or similar
Releases via Authorization
Authorization is required for any use or disclosure of PHI that is not otherwise allowed by HIPAA. An Authorization must specify a number of detailed elements, including what may be released and to whom.
Governed by HIPAA and state law 63 OS 1-502.2
Minimum Necessary Standard
All uses and disclosures of PHI – unless you have an Authorization – are subject to the Minimum Necessary Standard
Definition – the least amount of information necessary to accomplish the purpose
Security Breach
If PHI is disclosed
- for purposes other than TPO
- without patient authorization
- outside of legal exceptions
then HIPAA has been breached
Federal law requires reporting of all unsecured breaches
Emailing PHI??
As of 9/23/13, the patient has the right to receive PHI via email, even if unencrypted
Covered Entity is required to notify patient in writing of the risk prior to using email for PHI
Each Covered Entity must implement procedures for emailing PHI
- how to confirm the email address
- where to store the email
Does HIPAA Apply to Social Media?
Before you post:
– Is the post required by law?
– Is the post for TPO?
– Do you have patient Authorization?
If no, have you removed ALL identifiers?
SURVEY SAYS
Medical schools surveyed report 60% have had HIPAA incidents involving social media sites
13% rose to the level of a HIPAA breach
Social Media Breaches
RN fired after FB post
- post up less than 30 minutes
Emergency worker sanctioned after web post
- no name, no face, no right
Hospital Facebook post leads to ID theft
Posted Oct 21, 2013, by Erin McCann, Associate Director
An Arizona hospital is facing scrutiny after one of its employees posted a workplace photo on Facebook, inadvertently including the protected health information and Social Security number of a patient.
The University of Arizona Medical Center South Campus confirmed that an emergency room employee posted a photo of her workstation back in June, which included a shot of a computer screen containing the patient’s information, according to a report from Green Valley News. Four months later, in October, the patient notified law enforcement that she was the victim of identity theft, as someone had attempted to use her information to qualify for food stamps.
Although the photo was removed from Facebook reportedly 30 minutes after it was posted, the patient expressed concern that the employee and their friends are still in possession of the photo. “I want everybody to know about this,” the patient said to GVN. “I don’t want anyone else to go through this kind of hell.”
Source: Healthcare IT News
Monetary Penalties
Violation Categories and Penalty Amounts

Category (HITECH § 1176(a)(1))          | Each violation      | All such violations (identical violation/year)
(A) Did not know                        | $100 - $50,000      | $1.5 million
(B) Reasonable cause                    | $1,000 - $50,000    | $1.5 million
(C)(i) Willful neglect (corrected)      | $10,000 - $50,000   | $1.5 million
(C)(ii) Willful neglect (not corrected) | $50,000+            | $1.5 million

*Violations occurring on or after 2-18-09
California Medical Center Pays $95,000 for Violating One Patient’s Medical Privacy Rights
• Responding to newspaper story
• Most information already public
Criminal Penalties
• Fines may be imposed against the Covered Entity and individual employees
• Individual employees may be imprisoned for up to 10 years
Go Directly to Jail
MD sentenced to prison for HIPAA violation
YOUR OBLIGATIONS
Ensure you are trained in HIPAA
Know who your area’s HIPAA contact person is and stay in touch
Be familiar with OU’s and your facility’s HIPAA policies and forms
Ask for help with HIPAA when you need it
-- Privacy Official (405) 271-2033
-- Office of Compliance (405) 271-2511
QUESTIONS??