New Employee Orientation – HIPAA Privacy Marcia Matthias, MJ, RHIA, CHPC Corporate Director, Health Information/Privacy Officer
Definitions • HIPAA – Health Insurance Portability and Accountability Act • PHI – Protected Health Information • HHS – Department of Health and Human Services • OCR – Office for Civil Rights – Enforces HIPAA Privacy and Security rules.
What is identifiable protected health information (PHI) under HIPAA • Includes: – Name – Address – Certificate # – Employer – Voiceprints – Relative’s names – Fingerprints – Birth date – Photos – Phone/fax numbers – Codes – Email address – Any other characteristics, such as occupation that can – Social Security # be used to identify an – Medical Record # individual. – Member/Acct #
Forms of Information Paper Verbal Electronic It is the responsibility of every employee to protect the privacy and security of PHI in ALL forms
Goals of the Privacy Rule • Provide strong federal protections for privacy rights – Ensure patient’s TRUST the privacy and security of his/her health information • Preserve QUALITY health care – Encourages frank communication with healthcare providers • Makes sure that the right information is flowing to the right people at the right time .
Breaches • A breach occurs when information that, by law, must be protected is: – Lost, stolen, or improperly disposed of – “hacked” into by people or computer programs – Communicated or sent to others who do not have an official need to receive the information
The U.S. Attorney for the Southern District of Illinois announced today that Susan L Harris , 28 of Marissa, Illinois, and Ashley C. Drummond, 25, of East St. Louis, Illinois were sentenced for aggravated identity theft and conspiracy to commit mail fraud in the U.S. District Court for the Southern District of Illinois, East St. Louis Division. Harris was convicted following a 2-day jury trial in December 2012 Today, the U.S. District Court sentenced Harris to 4 years in prison , to be followed by 3 years of supervised release . Harris was ordered to pay $7,648.97 in restitution and a $200 special assessment . Drummond, who pleaded guilty in November 2012, was previously sentenced to 2 years in prison, to be followed by a 3 year term of supervised release . Drummond also was ordered to pay $8,675.27 in restitution to various victims and a $200 special assessment.
Evidence presented at the trial of Susan Harris showed that Harris conspired with Ashley Drummond to steal personal identifying information of patients of a Southern Illinois hospital . The two women targeted elderly patients, particularly patients who came in to the hospital from the nursing homes and assisted living facilities. Drummond and Harris used the stolen personal information to apply for new credit card accounts in the victims’ names Drummond was a radiology technician, and it was her job to transport patients to and from the radiology department as needed. While transporting the patients, Drummond would steal victims’ personal information from their charts . Harris was later caught on camera at a retail stores using one of the credit cards obtained with the personal information of a 90-year-old woman who lives in an assisted living center and had been a patient at the hospital where Drummond worked . The case was investigated by the Southern District of Illinois Identity Theft Task Force , the U.S. Postal Inspection Service , the Internal Revenue Service Criminal Investigation Division , the Social Security Administration Office of the Inspector General , the Maryville Police Department, the Glen Carbon Police Department, and the Collinsville Police Department.
Other recent nationwide reports of breaches • A Nevada man pleaded guilty to violating HIPAA by using patient records to generate referrals for personal injury attorneys. • Medical files were found at a recycling center in Tenn. They contained “graphic photos” and SS# from potentially 2 medical facilities. • An unencrypted, password protected desk top computer was stolen from administrative offices at Sutter Health in Sacramento CA. The computer contained information on about 4 million patients. • New York Presbyterian Hospital & Columbia University agreed to pay 4.8 million fine after the health records of more than 6000 people were mistakenly released on the Internet. • 4 employees were fired from University Medical Center in Tucson after 1 employee took a picture of a patient with a cell phone camera. • Natahsa Orr, 36 of Miami was sentenced to 24 months in prison plus 12 month of home confinement followed by 3 years of supervised release for stealing patient information from the Holy Cross ER during her employment. She used the information to obtain bank account info & obtain debit cards in the patient’s name.
noteworthy facts • Data breaches are occurring in health care at nearly 3 times the rate as in banking and finance. • A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a social security number. • Victim’s can suffer monetary loss, possible inability to obtain or retain insurance, and corruption of their medical history.
Breaches involving 500 or more individuals reported to OCR (as of 3/2014) Unknown 2% Improper Disposal Other 4% 10% Breached Patient Hacking 8% Information was due to: Theft 47% Unauthor Access 18% Loss 11%
Breaches involving 500 or more individuals that have been reported to OCR Breached Desktop Computer, 15% Patient Laptop, 23% Information was located on: Portable Electronic Device, 14% Paper, 23% EMR, 2% Network Server, 11% Other, 10% E-mail, 2%
Illinois “Wall of Shame”
Breaching Patient Privacy Requires Notification of the Patient Breach definition: The unauthorized acquisition, access, use, or disclosure of PHI which compromise the security or privacy of protected health information, except where an unauthorized person to whom such information is disclosed would not have reasonably have been able to retain such information Applies to paper, electronic or verbal breaches The healthcare facility MUST: • notify the individual (patient) within 60 days (of knowledge of breach) that their PHI has been or may have been accessed, acquired or disclosed as a result of a breach. o Notification must include: – Description of what happened – Type of information disclosed – Steps the patient should take to protect themselves from potential harm – Steps SIH is taking to investigate the breach, alleviate any potential harm, and protect against further breaches. • report breaches annually to Department of Health & Human Services.
Example of Breach Notification Letter SIH/SIMS sends to a patient Dear Patient: On (date) (SIH/SIMS), became aware of a breach of your personal health information. The breach of your information occurred on or around (date) when you were at the ________ Department. We are notifying you so you can take personal action along with our organization’s efforts to reduce or eliminate potential harm. The incident involved your protected health information, specifically, your name and ______________ being disclosed to ___________. I recommend that you increase your awareness of any type of communication regarding your personal health information. If you suspect anything unusual please contact the Contact the Consumer Protection Agency in Illinois: (800) 243-0607; http://www.illinoisattorneygeneral.gov/consumers; 1001 East Main Street Carbondale, IL 62901 Southern Illinois Healthcare sincerely apologizes for the inconvenience and concern this incident causes you. The privacy of your personal information is very important to us and we will continue to do everything we can to fortify our operational protections for you and others. As a result of this breach SIH took the following actions: ________________ Under the Health Insurance Portability and Accountability Act (HIPAA) you also have the right to file a written complaint with the Director, Office of Civil Rights of the U.S. Department of Health and Human Services at the following address: Office of Civil Rights, U.S. Department of Health and Human Services 233 N Michigan Ave. Suite 240 Chicago IL 60601 Your complaint must describe Southern Illinois Healthcare’s acts that you believe to be in violation of applicable law. A complaint to the Director of Health and Human Services may be submitted either by mail or electronic transmission within 180 days of this date. We will not retaliate against you if you file a complaint with the Director of Health and Human Services.
• If breach involves PHI of 500 patients or more, then SIH will be required to notify local media and the Department of Health and Human Service
Information is accessible for authorized use and to Authorized users only • When requested by the individual (patient), with proper identification • For treatment of the individual (example: practitioner caring for the patient) • For payment purposes (example: sending billing information to patient’s insurance company), and • Certain healthcare operations (example: TJC survey, quality improvement, Peer Review)
Recommend
More recommend
