HIPAA - gtindependence.com · HIPAA with alarming frequency and to the . great embarrassment of those involved. Manually encrypt transmitted files Office 2007 and later has the ability


Page 1

Provider Training HIPAA: Privacy & Security

2018

Created by: Deb Trombly Operations Manager, LTC Programs

Page 2

Privacy Rule – Effective April 14, 2003

Standards for storing, sharing, and accessing hard copy Protected Health Information (PHI)

Security Rule – Effective April 20, 2005

Standards and basic safeguards for the storage, security, transmission, and access of electronic Protected Health Information (e-PHI)

Page 3

HIPAA Training

HIPAA requires that UPCAP train Business Associates on HIPAA policies and procedures

State contracts require UPCAP to verify that provider staff are trained

Page 4

What HIPAA is and Why it is important

Who must follow the HIPAA law

Define Protected Health Information (PHI)

PHI Use, Access, & Sharing

Security Measures: Organizations & Individuals

Prevent & Report Breaches

Page 5

Congressional response to healthcare reform

Prevents health care fraud and abuse

Simplifies billing and other transactions, reducing health care administrative costs

Page 6

Covered Entities:
• Health Care Providers
• Health Plans
• Electronic Billing Clearinghouses

& Business Associates (contracts & sub-contracts)

…responsible for all Protected Health Information (PHI & e-PHI), whether it is stored or transmitted electronically, in paper format, or communicated verbally

i.e. … EVERYONE!!!

Page 7

Protected Health Information (PHI) relates to the:
• Past, present, or future physical or mental condition of an individual
• Provision of healthcare to an individual
• Payment of care provided to an individual

and:
• Is transmitted or maintained in any form (electronic, paper, or verbal representation)
• Identifies, or can be used to identify, the individual

Page 8

Identifiers include:
• Name, relatives’ names
• Address (including street, city, parish, zip code, and equivalent geo-codes)
• Name of employer
• Any date (birth, admit date, discharge date)
• Telephone & fax numbers
• Electronic (email) addresses
• Social Security Number
• Medical record & client numbers

Page 9

PHI Use:
• Treatment: direct or coordinated care, consultation, or referrals
• Payment: billing and collection for provided services
• Operations: business and management activities; quality, compliance, and training; public health and other government reporting

Page 10

Secure & Restricted Access: only those directly involved in care (locked files, computer access)

Sharing:
• Business Associates Agreement in place
• Consent from Program Participant
• Only what is “minimally necessary”

Know approved methods of sharing!!!

Page 11

In the Office: be mindful of who can overhear case discussions and phone calls

Phone Calls: be sure you are talking with those directly involved with the case, and be aware of who can overhear cell phone calls

Outside of Work: NEVER!!!!

Page 12

Approved and minimally necessary PHI can be faxed only if:
• the cover sheet includes your agency’s Confidentiality Statement
• you have assurances that the receiving party’s fax is in a secure area

Page 13

DO NOT FAX PHI containing:
• drug or alcohol dependency
• mental illness or psychological information
• sexually transmitted infections (STI)
• HIV status
• genetic info

Page 14

EMAIL IS NOT SECURE!!!!!

There are four basic places where email can be compromised:
• On your devices
• On the networks & servers that allow you to share internally and externally
• On your recipient’s devices

Communications via email over the Internet are not secure. Everyone who can see the Internet path an email is sent along (which is a lot of people) can see all the contents of the message. It is possible that information included in an email can be intercepted and read by other parties besides the person for whom it is intended… and watch out for auto-fill!!!

Page 15

UPCAP sends email to: [email protected]

The message travels through:
1. UPCAP’s outgoing mail server, via Simple Mail Transfer Protocol (SMTP)
2. A Domain Name System (DNS) server, which sorts by domain to find the server responsible for michigan.gov
3. The michigan.gov mail exchange server
4. The Mail Transfer Agent, which delivers the message to the [email protected] mailbox
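Every server in the path above receives the whole message and records its own "Received:" line in the header, so the relay chain can be read back from any delivered email. The following Go program is an added example written for this page (it is not UPCAP's, gtindependence.com's, or any vendor's code); it parses a constructed message and lists each server that handled it in cleartext. The hostnames, addresses and timestamps are invented for the example and use reserved example domains.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one relay recorded in a Received: header: the message arrived
// "from" one host and was accepted "by" the next. Every "by" host held
// the complete message (addresses, subject, body, attachments) while it
// processed it; transport encryption between hops does not change that.
type Hop struct {
	From string
	By   string
}

// Each relay prepends its own Received: line, so the topmost header is
// the last hop and the bottom one is the sender's outgoing SMTP server.
var hopRe = regexp.MustCompile(`(?i)\bfrom\s+(\S+).*?\bby\s+(\S+)`)

// RelayHops parses the Received: trace of a raw message and returns the
// hops in delivery order (sender's outgoing server first).
func RelayHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"] // net/mail preserves header order
	hops := make([]Hop, 0, len(received))
	for i := len(received) - 1; i >= 0; i-- {
		m := hopRe.FindStringSubmatch(received[i])
		if m == nil {
			continue // not a "from ... by ..." trace line; skip it
		}
		hops = append(hops, Hop{From: m[1], By: strings.TrimSuffix(m[2], ";")})
	}
	return hops, nil
}

// sampleMessage is a constructed message for this example; the hosts,
// addresses and times are invented and use reserved example domains.
const sampleMessage = `Received: from mx1.michigan.example (mx1.michigan.example [203.0.113.7])
    by mailstore.michigan.example with ESMTP; Tue, 6 Feb 2018 10:02:11 -0500
Received: from smtp.upcap.example (smtp.upcap.example [198.51.100.5])
    by mx1.michigan.example with ESMTPS; Tue, 6 Feb 2018 10:02:09 -0500
Received: from staff-laptop (unknown [192.0.2.44])
    by smtp.upcap.example with ESMTP; Tue, 6 Feb 2018 10:02:08 -0500
From: caseworker@upcap.example
To: worker@michigan.example
Subject: Re: participant question

(message body)
`

func main() {
	hops, err := RelayHops(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Println("Servers that handled this message in full:")
	for i, h := range hops {
		fmt.Printf("  %d. %s -> %s\n", i+1, h.From, h.By)
	}
}
```

Run it and the three hops come out in order: the staff laptop to UPCAP's SMTP server, that server to the recipient domain's mail exchanger, and the exchanger to the mailbox store. Each of those systems, and whoever administers or compromises them, could read PHI placed in the message, which is why the deck says to put e-PHI only in approved, encrypted channels.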

Page 16

De-identifying Email Communications

… not a good idea! Staff members starting an email conversation about a participant using only a first name or initials just open the door for adding an additional piece of identifying information that would allow an outsider to “connect the dots.”

Emails to participants may have even more consequences if using a free email service like Yahoo, Hotmail, etc. – see next example:

Page 17

Patient Gary sends an email to his Dr. Lee about something he feels may be a sexually transmitted infection and includes a picture from his smartphone. Neither Patient Gary nor Dr. Lee mentions the words “genital herpes.”

Wherever Patient Gary goes online now, he sees advertisements for Valtrex, as does his wife who uses a shared tablet device. She now sees herpes treatment ads when she’s on Kohls.com shopping for shoes.

Because advertising matching algorithms (sometimes called “retargeting”) have become so accurate, scanning of medical emails by a free email service has the potential to violate HIPAA with alarming frequency and to the great embarrassment of those involved.

Page 18

Manually encrypt transmitted files:
• Office 2007 and later can encrypt and password-protect documents.
• PeaZip and WinZip are common ways to encrypt & password-protect files.
• Websites may have a secure file exchange feature.
• The end-user must have the same system – check with your IT staff.

Presentation Notes: COMPASS & Secure File Exchange, etc. are secure. MUST have encryption … not just password protect!

Page 19

Page 20

A unique “User ID” for log-in purposes limits access to the minimum information needed to do your job.

e.g. UPCAP issues User IDs and Pass Codes to Provider staff to use the VenderView and NAPIS data systems.

Page 21

Password Protection
• Do not use anyone else’s User ID, log-on, password, or a computer someone else is logged on to
• Do not share your User ID, log-on, or password
• Do not post written User IDs or passwords at a workstation or laptop
• Do not insert them into an email or electronic communication

Workstation Protection
• Be sure equipment with access to PHI/e-PHI is logged off and locked when not in use

Page 22

YOU are responsible for everything that occurs under your log-in

Page 23

Workstations are desktop or laptop computers, or other devices that perform similar data storage and communication functions

Physical Security Measures include: Disaster Controls, Physical Access Controls, and Device and Media Controls

Malware Controls are measures taken to protect against any software that causes unintended results

Presentation Notes: Team approach – everyone has to be diligent

Page 24

Access & Device Controls:
• Log off when leaving a workstation
• Automatic screen savers with password return
• Locked office
• Locked & out of sight in a vehicle or hotel room

Security for USB Memory Sticks and Other Portable Storage Devices:
• Don’t store e-PHI on memory sticks
• If you must store it, use encryption & passwords
• Delete the e-PHI when no longer needed
• Protect the devices from loss, damage, and theft
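Page 18 (encrypting transmitted files, and the presenter's note that a file MUST be encrypted, not just password-protected) and the memory-stick rule above both come down to the same requirement: the password has to be turned into a key that actually encrypts the bytes, so that a lost stick or an intercepted attachment yields nothing without it. The Go program below is an added example written for this page, not UPCAP's tooling and not code from Office, PeaZip or WinZip; it shows the shape of a sound password-based file encryption. The password is stretched into an AES-256 key with PBKDF2-HMAC-SHA256 and a random salt (the PBKDF2 routine is written out so the example needs only the Go standard library), and the contents are sealed with AES-GCM so that a wrong password or any change to the file is rejected instead of silently producing garbage. The sample "plan of care" note and the passwords are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16      // random per-file salt, stored with the file
	iterations = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
	keyLen     = 32      // 256-bit AES key
)

// pbkdf2SHA256 derives keyLen bytes from password and salt per RFC 8018,
// hand-written here to avoid a dependency outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {    // T ^= U2 ^ ... ^ Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newAEAD(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithPassword returns salt || nonce || AES-256-GCM ciphertext+tag.
// The salt is also bound in as associated data so it cannot be swapped.
func EncryptWithPassword(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, salt...), nonce...)
	return aead.Seal(header, nonce, plaintext, salt), nil
}

// DecryptWithPassword reverses EncryptWithPassword. A wrong password or any
// modification of the blob fails the GCM tag check and returns an error.
func DecryptWithPassword(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("encrypted blob too short")
	}
	salt := blob[:saltLen]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < saltLen+ns+aead.Overhead() {
		return nil, errors.New("encrypted blob too short")
	}
	plaintext, err := aead.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("wrong password or file has been altered")
	}
	return plaintext, nil
}

func main() {
	note := []byte("Participant J. Doe, DOB 1944-03-02: plan of care reviewed 2018-02-06") // constructed
	blob, err := EncryptWithPassword("correct-horse-battery-staple", note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d bytes on the stick\n", len(note), len(blob))
	if _, err := DecryptWithPassword("wrong password", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	back, _ := DecryptWithPassword("correct-horse-battery-staple", blob)
	fmt.Println("decrypted:", string(back))
}
```

Two design points carry over to whatever tool your IT staff approves: the key must come from the password through a slow, salted derivation (so a stolen file cannot be brute-forced quickly), and the cipher must authenticate the data (so tampering is detected). A tool that merely asks for a password before opening a file, without encrypting the contents, gives neither property. On Go 1.24 and later the standard library also ships crypto/pbkdf2, which can replace the hand-written routine.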

Page 25

Hackers and Worms and Spyware … Oh My!

• Hacker: a cybercriminal using a number of techniques to gain unauthorized access to computers and/or accounts
• Phishing Emails: appear to be from a trusted source in order to collect confidential information (passwords, account #s, SS #s, etc.)
• Viruses, Worms, Trojan Horses: usually acquired by opening an email attachment, visiting websites, or downloading software that is infected with a self-replicating, usually malicious, program that spreads into other executable code, documents, or networks
• Keystroke Logging: a tool designed to copy (“log”) every keystroke on an affected machine for later retrieval (log-ins & passwords)
• Scareware: an email pop-up leads you to believe you need to download a program to protect your system – you get a virus instead
• Malvertising & Watering Holes: fake websites and ads that are infected with a virus
• Ransomware: locks up data or the PC until funds are sent. This is HUGE – it can only happen if users (unknowingly) allow it

Presentation Notes: Stealing info – destructive viruses – tricking into giving secure info

Page 26

Be suspicious of …
• any email you receive with an attachment
• an email from someone you do not recognize
• reduced performance (your computer slows or “freezes”)
• windows opening by themselves
• missing data
• slow network performance
• unusual toolbars added to your web browser

When in doubt, ask IT !!

YOU are the First Line of Defense!!!

Presentation Notes: Even if your firewalls and malware protection are up to date, still watch for these.

Page 27

HITECH Act: the Health Information Technology for Economic & Clinical Health Act of 2009 created a nationwide security breach notification law. The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media, in the event of a breach of unsecured protected health information.

Presentation Notes: Breaches were happening prior to 2009, but now we are hearing about them.

Page 28

HITECH Act: All Covered Entity and Business Associate staff must be trained on the importance of timely reporting of privacy and security incidents, and the consequences of failing to do so.

Page 29

A “Security Incident” is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’’ [45 CFR 164.304]

Examples include:
• Laptop containing PHI is stolen
• Unauthorized staff member looks through participant files in order to gain info “not needed” to perform their job
• Billing statements containing PHI mailed or faxed to the wrong individual/entity

Page 30

You are required to immediately report incidents or security breaches to your director and to the UPCAP Security Officer, Mark Bomberg.

Breaches or violations may result in:
• disciplinary action up to and including removal, demotion, suspension, or termination
• criminal prosecution
• civil litigation
• referral to appropriate law enforcement authorities
• referral to regulatory or licensure authorities
• other remedies as deemed appropriate by your organization

Page 31

Circumstance of Violation | Minimum Penalty | Maximum Penalty
Entity did not know (even with reasonable diligence) | $100 per violation ($25,000 per year for violating the same requirement) | $50,000 per violation ($1.5 million annually); jail: up to 1 year
Reasonable cause, not willful neglect | $1,000 per violation ($100,000/yr) | $50,000 ($1.5 million/yr); jail: up to 5 years
Willful neglect, but corrected within 30 days | $10,000 ($250,000/yr) | $50,000 ($1.5 million/yr); jail: up to 10 years
Willful neglect, not corrected | $50,000 ($1.5 million/yr) | None; jail: up to 10 years

Page 32

Violations of Privacy, Confidentiality, Security, and IT Policies may result in disciplinary action, up to, and including possible termination, and civil and criminal liability

The final Omnibus Rule (2013) strengthens the ability of HHS’s Office of Civil Rights (OCR) to vigorously enforce the HIPAA Privacy and Security Rules regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.

Presentation Notes: HHS now has more power and $ to investigate breaches.

Page 33

Recent HIPAA Settlements:

Corporate Example:

Memorial Healthcare Systems: largest HIPAA settlement of 2017 thus far, $5.5m – employees inappropriately accessed patient information, including names, dates of birth, and SS#.

Presence Health: $475,000 payment after paper-based operating room schedules containing PHI went missing from the Surgery Center – mainly because of delayed notification … “clear policies & procedures must be in place to respond to the Breach Notification Rule’s timeline requirements”

2017 HealthITSecurity.com

Page 34

Recent HIPAA Settlements: Non-Healthcare Provider - Example

Life Insurance Company: $2.2M settlement after reporting a USB drive containing ePHI was stolen from the IT office. OCR’s investigation found they did not do risk assessments, and did not use encryption measures on laptops and removable media.

Jan’17 HealthITSecurity.com

Individual Example

A licensed practical nurse who pled guilty to wrongfully disclosing a patient’s health information for personal gain faces up to 10 years in prison and/or a $250,000 fine. She gained access to a patient’s private medical file, then shared that information with her husband, who, on that same day, called the patient stating he intended to use the information against the patient in an upcoming legal proceeding. Mar’14 NurseZone.com

Page 35

• Access and share only the minimum PHI needed for your job
• Use only approved software to store and transmit your e-PHI
• Protect your User ID
• Keep equipment locked and logged off when not in use
• Collect signed consents from participants
• Report suspected breaches to your agency’s director & UPCAP’s Security Officer, Mark Bomberg (if applicable)

Page 36