Stony Brook Health Sciences Center Melissa Pinero HIPAA Privacy Officer 631-444-2148

Page 1:

Stony Brook Health Sciences Center

Melissa Pinero

HIPAA Privacy Officer

631-444-2148

Page 2:

Health Sciences Center Schools New Employee & Student Training

FERPA: Family Educational Rights and Privacy Act

HIPAA: Health Insurance Portability and Accountability Act

Page 3:

FERPA

The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”

Page 4:

HIPAA is…

The Health Insurance Portability and Accountability Act of 1996

Page 5:

Portability

Created to ensure access to health coverage

Allows for continuity in health coverage

Prevents denial of coverage due to pre-existing conditions

Page 6:

Accountability

• Healthcare fraud is a federal crime

• Fines and / or jail time may apply

• Individuals and organizations face sanctions

Page 7:

The HIPAA Privacy Rule & HITECH 2010

Page 8:

What is HITECH?

• On February 17, 2009, the federal stimulus bill, the American Recovery and Reinvestment Act (ARRA), was signed into law. It included the Health Information Technology for Economic and Clinical Health (HITECH) Act.

• Its purpose is to build a national health information infrastructure and drive widespread adoption of electronic health records through monetary incentives.

• It provides enhanced privacy and security protections under HIPAA, including increased legal liability for non-compliance and stronger enforcement.

Page 9:

PHI (Protected Health Information) is the combination of data that is specific to an individual patient. This data can be used to identify:

• a patient;

• a patient’s health;

• health care services received by a patient.

Page 10:

Privacy Goals

We need to:

Maintain our patients’ trust.

Educate our patients as to their rights.

Safeguard our patients’ PHI.

Page 11:

HIPAA: 18 Elements Necessary for De-identification of Patient Data Before Presenting the Case in Class

The following data must be removed for de-identification:

• Name
• Location: all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes
• Dates: all dates related to the subject of the information, e.g. birth dates, admission dates, discharge dates, encounter dates, surgery dates, etc.
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate / license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

The following data may be used:

• Age (age 90 and over must be aggregated to prevent the identification of older individuals)
• Race
• Ethnicity
• Marital status
• Codes (a random or fictional code may be used to link cases or re-identify the health information at a later time; codes may not be a derivative of the individual’s social security number or other identifiable numerical codes, e.g. birth date, fax number, etc.)
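The list above is a checklist; the Python below is an added example (not part of the training deck) of applying it to a structured patient record before a case is presented. The field names, the sample record and the regular expressions are this example's own assumptions, not anything from the deck or from Stony Brook's systems. It drops every field the slide names, aggregates ages of 90 and over, attaches a random linking code that is not derived from the SSN, and then makes a second pass over free-text fields, because phone numbers, dates, e-mail addresses and ZIP codes routinely survive field-level stripping inside clinical notes. Note that the deck drops all dates, which is stricter than the federal Safe Harbor text (45 CFR § 164.514(b)(2)) that lets the year remain; the code follows the deck.

```python
import re
import secrets

# Fields the slide lists as direct identifiers: dropped outright.
# These field names are this example's assumption about the record layout.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "zip",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Dates are dropped in full, as the slide requires for class presentation.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "encounter_date", "surgery_date"}

# Fields the slide says may be kept.
RETAINED = {"state", "race", "ethnicity", "marital_status", "diagnosis", "notes"}

# Identifier shapes that leak through free text. Specific shapes (SSN, phone)
# run before the generic 5-digit ZIP so they are labelled correctly.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def redact_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a placeholder label."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict) -> dict:
    """Apply the slide's 18-element rule to one patient record.

    Unknown fields are dropped as well: element 18 is "any other unique
    identifying number, characteristic, or code", so the safe default is to
    keep only what the slide explicitly allows.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS:
            continue
        if key == "age":
            # Ages 90 and over are aggregated into a single bucket.
            out["age"] = "90+" if value >= 90 else value
        elif key in RETAINED:
            out[key] = redact_text(value) if isinstance(value, str) else value
    # Random linking code: not derived from the SSN or any other identifier.
    out["case_code"] = secrets.token_hex(4)
    return out


def residual_identifiers(record: dict) -> list:
    """Labels of identifier shapes still present anywhere in the record (expect [])."""
    found = []
    for value in record.values():
        if isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.append(label)
    return found


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1947-03-14",
    "age": 93,
    "street_address": "12 Example Lane",
    "city": "Stony Brook",
    "state": "NY",
    "zip": "11794",
    "phone": "631-555-0100",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "race": "White",
    "marital_status": "Widowed",
    "diagnosis": "Type 2 diabetes mellitus",
    "admit_date": "2011-02-01",
    "notes": ("Patient (SSN 123-45-6789) seen 2/1/2011; daughter at 631-555-0199 "
              "or jane.sample@example.com, lives in zip 11794, see https://example.org/chart/42."),
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("residual identifiers:", residual_identifiers(cleaned))
```

The residual check is the step a practitioner actually wants: run it on the output and refuse to present anything that is not an empty list. Pattern matching is a safety net, not a guarantee; a patient's name written inside the notes field is not caught by any of these expressions, so free text still needs a human read before it leaves the building.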

Page 12:

Authorization

Authorization is required when disclosing PHI for purposes other than treatment, payment, or health care operations.

Page 13:

Patients’ Rights Under HIPAA

Patients have the right to:

• request restrictions on the use and disclosure of their PHI;

• inspect and copy their health information;

• request an amendment to their medical record;

• request an accounting of disclosures; and

• file a complaint.

Page 14:

How is HIPAA Enforced?

• Civil monetary penalties: the civil penalty for an inadvertent violation is a fine of $100 per incident, up to $25,000 per year for each similar offense. (These are the original HIPAA figures; HITECH raised the tiers.)

Example: A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to a Starbucks. The hospital and the employee may have to pay a $10,000 ($100 x 100) fine.

Page 15:

Worst Case Scenario

• Criminal penalties: large fines plus jail time, increasing with the degree of the offense.

Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $250,000 and / or 10 years in prison.

Page 16:

Security

Health Insurance Portability and Accountability Act (HIPAA)

Electronic Security to Ensure Privacy, Trust, and Quality Care

Edward W. Hines, Information Security Officer, SBUMC, HSC, and Dental School

Page 17:

What is Security?

The protection of electronic and physical assets.

Merriam-Webster: (1) measures taken to guard against espionage or sabotage, crime, attack, or escape; (2) an organization or department whose task is security.

Page 18:

The best way to protect yourself: make your passwords difficult to guess

• NEVER tell anyone your password.

• NEVER write your password down, such as on a post-it note.

• Don’t use common information about you or your family: pets’ or friends’ names, Social Security number, birthdates, anniversaries, credit card numbers, telephone numbers, etc.

• Don’t use names you have used before, a variation of your user ID, or something significant about yourself as a password.

• Don’t let anyone see what you are entering as your password.

• If you think there is even a slight chance someone knows your password, CHANGE IT!

• Remember: if someone logs on as you and does something improper, you can be held responsible.
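The rules above are usually enforced at password-change time, and the hard part is the "variation of your user ID" and "something significant about yourself" clauses, since users reach for P@ssw0rd-style substitutions, reversals and separators. The Python below is an added example (not code from the deck or from Stony Brook) of a checker that applies those rules: it normalises the candidate and the forbidden facts to lowercase alphanumerics, undoes common leetspeak, and looks for the user ID and each personal fact forwards, reversed and de-leeted, then flags all-digit and long-digit-run passwords (phone numbers, SSNs, card numbers, dates). The user ID, the personal facts and the tiny blocklist are constructed for the example; in production the blocklist would be a real breached-password list.

```python
from __future__ import annotations

import re
import unicodedata

# Undo the usual substitutions so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Tiny constructed blocklist standing in for a real breached-password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "stonybrook", "hospital"}

MIN_LENGTH = 12
MSG_SHORT = f"shorter than {MIN_LENGTH} characters"
MSG_USER_ID = "contains a variation of the user ID"
MSG_COMMON = "is, or is built from, a commonly used password"
MSG_ALL_DIGITS = "is all digits (looks like a phone, SSN, card number or date)"
MSG_DIGIT_RUN = "contains a run of 6 or more digits (likely a date or phone number)"


def _forms(text: str) -> tuple[str, str]:
    """Two comparable forms: lowercase alphanumerics, and the same with leetspeak undone."""
    low = unicodedata.normalize("NFKC", text).lower()
    plain = re.sub(r"[^a-z0-9]", "", low)
    deleet = re.sub(r"[^a-z0-9]", "", low.translate(LEET))
    return plain, deleet


def _contains(password_forms: tuple[str, str], needle_forms: tuple[str, str]) -> bool:
    """True if the needle appears in the password forwards, reversed, or de-leeted."""
    p_plain, p_deleet = password_forms
    n_plain, n_deleet = needle_forms
    if len(n_plain) < 3:          # too short to be meaningful ("NY", "Jr")
        return False
    return n_plain in p_plain or n_plain[::-1] in p_plain or n_deleet in p_deleet


def check_password(password: str, user_id: str, personal: list[str]) -> list[str]:
    """Return the reasons the password violates the slide's rules ([] means acceptable).

    `personal` holds the facts the slide says not to use: family, pet and friend
    names, SSN, birthdates, anniversaries, card and phone numbers, old passwords.
    """
    problems = []
    forms = _forms(password)

    if len(password) < MIN_LENGTH:
        problems.append(MSG_SHORT)
    if _contains(forms, _forms(user_id)):
        problems.append(MSG_USER_ID)
    for item in personal:
        if _contains(forms, _forms(item)):
            problems.append(f"contains personal information ({item!r})")
    if any(word in forms[0] or word in forms[1] for word in BLOCKLIST):
        problems.append(MSG_COMMON)
    if password.isdigit():
        problems.append(MSG_ALL_DIGITS)
    elif re.search(r"\d{6,}", re.sub(r"[\s./-]", "", password)):
        problems.append(MSG_DIGIT_RUN)
    return problems


if __name__ == "__main__":
    # Constructed examples; "jsmith" and the personal facts are fictional.
    facts = ["John", "Smith", "Rex", "1985-03-14", "631-555-0100"]
    for candidate in ["P@ssw0rd123", "J$m1th-2024!", "Rex-loves-me-2010",
                      "03141985", "correct horse battery staple"]:
        verdict = check_password(candidate, "jsmith", facts) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Returning the full list of failures rather than a single boolean lets the change-password page tell the user which rule they tripped, which is what stops them from simply appending another digit and trying again. The personal-facts list is only as good as what the directory knows about the user; the digit-run rule is there to catch the birthdays and phone numbers it does not.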

Page 19:

Removable Media

If lost, removable media can give unscrupulous people access to confidential patient information.

Removable drives can also introduce malicious software to the network.

USB drives, CD-RWs, and any other flash media must be approved by the ISO.

If you need to take your work home, do it safely from home: request a VPN account.

Page 20:

1. Understanding Ethics and Compliance

Page 21:

Ethics are based on…

• Values
• Morals
• Integrity
• Knowledge of right vs. wrong

Page 22:

What is a Compliance Program?

A Compliance Program is a system to detect and prevent violations of law or policy. An effective Compliance Program will:

• Promote an ethical environment
• Reduce risks
• Improve operational efficiency
• Ensure quality of care
• Promote a strong control environment

Page 23:

Ethical Business Practices

Refrain from misrepresentations. Remember to keep it honest (e.g., falsification of documentation = violation).

“Doing the right thing each and every time, even when no one is watching.”

Page 24:

Ethical Business Practices

Avoid conflicts of interest. SBU property should never be used for personal business. Employees should not supervise family members.

Page 25:

Reporting of Possible Violations

• Where to report: immediate supervisor, departmental chain of command, or Compliance Officer
• What to report: an actual or reasonable belief of a violation
• Consequences of reporting: no retaliation or discipline for reporting in good faith
• Investigations of violations: all allegations of wrongdoing will be assessed and investigated
• Discipline for violations: in accordance with labor union contracts, and may include termination

Page 26:

Call the Compliance HOTLINE

(631) 444-6666