HIPAA PRIVACY – OVERVIEW --Allied Health Students-- Jill Raines University Privacy Official University of Oklahoma Copyright 2014 – May not be redistributed, reproduced, or used for any purpose without prior written permission of the Office of Legal Counsel


Page 1: HIPAA PRIVACY – OVERVIEW

--Allied Health Students--

Jill Raines, University Privacy Official, University of Oklahoma


Page 2: What is HIPAA?

Health Insurance Portability and Accountability Act

Federal law covering privacy and security of certain health information and imposing electronic transaction standards

We’re covering the Privacy Rule in HIPAA

Effective Date: April 14, 2003

Page 3: HIPAA’s Purpose

Provides comprehensive protection for the privacy of health information and gives patients certain rights regarding that information.

Protection includes regulations governing the management, use, and disclosure of Protected Health Information (PHI).

Page 4: Protected Health Information, or PHI

Individually identifiable health information created or received by a covered entity

Related to past, present, or future physical or mental health or condition (or the payment for it)

Maintained or transmitted electronically or otherwise

Written or spoken

Page 5: WHAT MAKES INDIVIDUAL HEALTH INFORMATION IDENTIFIABLE? (HIPAA DESIGNATED PHI IDENTIFIERS)

Name

Address

Dates (except year)

Telephone number

Fax number

Email, URL, IP addresses

Biometrics (finger, voice)

Unique identifying number/code/characteristic

“Reasonable Basis” catch-all

Social Security Number

Account and license numbers

Medical record number

Health plan/insurance number

Device numbers

Vehicle numbers

Identifying photos

Page 6: Types of Uses and Disclosures of PHI

Disclosures required by law

Disclosures permitted by law

Disclosures pursuant to an Authorization

Page 7: Permitted Disclosures

A covered entity is permitted to use or disclose PHI for treatment, payment, and health care operations (“TPO”).

A covered entity is permitted to make certain other disclosures without authorization as specifically set out in the Privacy Rule.

Examples:

- Public health and safety

- Medical examiners

- Military

Page 8: Treatment

Provision, coordination, management of care

Related Services

- referrals

- consultations

Page 9: Covered Entities are Required to Disclose PHI in These Circumstances:

- To an individual (or legal representative) who asks to inspect and copy his/her own PHI

- To DHHS, CMS, or a state attorney general for investigation or determination of compliance with the Privacy Rule

- In response to a subpoena, court order, law, or similar

Page 10: Releases via Authorization

Authorization is required for use and disclosure of PHI that is not otherwise allowed by HIPAA. An Authorization must specify a number of detailed elements, including what may be released and to whom.

Governed by HIPAA and state law 63 OS 1-502.2

Page 11: Minimum Necessary Standard

All uses and disclosures of PHI – unless you have an Authorization – are subject to the Minimum Necessary Standard.

Definition – the least amount of information necessary to accomplish the purpose

Page 12: Security Breach

If PHI is disclosed

- for purposes other than TPO

- without patient authorization

- outside of legal exceptions

then HIPAA has been breached.

Federal law requires reporting of all unsecured breaches

Page 13: Emailing PHI??

As of 9/23/13, the patient has the right to receive PHI via email, even if unencrypted

Covered Entity is required to notify patient in writing of risk prior to using email for PHI

Each Covered Entity must implement procedures for emailing PHI

- how to confirm email address

- where to store the email

Page 14: Does HIPAA Apply to Social Media?

Before you post:

– Is the post required by law?

– Is the post for TPO?

– Do you have patient Authorization?

If no, have you removed ALL identifiers?

Page 15: SURVEY SAYS

Medical schools surveyed report that 60% have had HIPAA incidents involving social media sites; 13% rose to the level of a HIPAA breach.

Page 16: Social Media Breaches

RN fired after FB post

- post up less than 30 minutes

Emergency worker sanctioned after web post

- no name, no face, no right

Page 17: Hospital Facebook post leads to ID theft

Posted Oct 21, 2013, by Erin McCann, Associate Director

An Arizona hospital is facing scrutiny after one of its employees posted a workplace photo on Facebook, inadvertently including the protected health information and Social Security number of a patient.

The University of Arizona Medical Center South – Campus confirmed that an emergency room employee posted a photo of her workstation back in June, which included a shot of a computer screen containing the patient’s information, according to a report from Green Valley News. Four months later, in October, the patient notified law enforcement that she was the victim of identity theft, as someone had attempted to use her information to qualify for food stamps.

Although the photo was removed from Facebook reportedly 30 minutes after it was posted, the patient expressed concern that the employee and their friends are still in possession of the photo. “I want everybody to know about this,” the patient said to GVN. “I don’t want anyone else to go through this kind of hell.”

Healthcare IT News

Page 18: Monetary Penalties – Violation Categories and Penalty Amounts

Category (HITECH § 1176(a)(1))              Each Violation        All such violations (identical violation/year)
(A) Did not know                            $100 - $50,000        $1.5 million
(B) Reasonable cause                        $1,000 - $50,000      $1.5 million
(C)(i) Willful neglect (corrected)          $10,000 - $50,000     $1.5 million
(C)(ii) Willful neglect (not corrected)     $50,000+              $1.5 million

*Violations occurring on or after 2-18-09

Page 19: California Medical Center Pays $95,000 for Violating one Patient’s Medical Privacy Rights

• Responding to newspaper story

• Most information already public

Page 20: Criminal Penalties

• Fines may be imposed against the Covered Entity and individual employees

• Individual employees may be imprisoned for up to 10 years

Page 21: Go Directly to Jail

MD sentenced to prison for HIPAA violation

Page 22: YOUR OBLIGATIONS

Ensure you are trained in HIPAA

Know who your area’s HIPAA contact person is and stay in touch

Be familiar with OU’s and your facility’s HIPAA policies and forms

Ask for help with HIPAA when you need it:

-- Privacy Official (405) 271-2033

-- Office of Compliance (405) 271-2511

Page 23: QUESTIONS??