Posted: 7/30/2012
Compliance Education

Tulane University
(For Staff assigned to TUMG HIPAA Clinics ONLY)

HIPAA & HITECH
HIPAA – The Health Insurance Portability & Accountability Act was passed by the U.S.
   Congress in 1996. Its provisions were phased in over several years.
HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) was effective
   April 14, 2003. The Privacy Rule sets the standards for how covered entities and business
   associates must maintain the privacy of PHI. A covered entity may not use or disclose PHI
   without permission from the individual, except as the law allows. The Privacy Rule applies
   to PHI in all formats. The Administrative Simplification provision of HIPAA (standardization
   of electronic data interchange in health care transactions) was effective October 2003.
HIPAA Security – Protection for the security of electronic Protected Health Information (ePHI)
   was effective April 20, 2005. The Security Rule defines the standards that require covered
   entities to implement administrative, physical and technical safeguards to protect ePHI
   that is created, received, used or maintained by a covered entity.
HITECH is part of the American Recovery and Reinvestment Act of 2009. It allocated $20
   billion to health information technology projects and expanded the reach of HIPAA by
   extending certain obligations directly to business associates, imposing a nationwide
   breach notification requirement, and increasing penalties and enforcement. Like HIPAA, its
   various requirements are phased in over several years.
HITECH-Breach Notification Provisions

   The law requires covered entities and business associates to
    notify individuals, the Secretary of Health and Human Services
    and, in some cases, the media in the event of a breach of
    unsecured protected health information
     –   The law applies to the Tulane Health Care Component, which
         consists of the Tulane University Medical Group (“TUMG”), its
         participating physicians and clinicians, and all Tulane University
         employees and departments that provide management,
         administrative, financial, legal and operational support services to or
         on behalf of TUMG to the extent that such employees and
         departments use and disclose individually identifiable health
         information in order to provide these services to TUMG, and would
         constitute a “business associate” of TUMG if separately incorporated.
     –   A business associate is a person or entity that performs certain
         functions or services for or to TUMG involving the use and/or
         disclosure of PHI, but the person or entity is not part of TUMG or its
         workforce (examples include law firms, transcription services and
         record copying companies).
HITECH-Breach Notification Provisions (continued)

   The law applies to breaches of "unsecured protected health information"
    –   Protected Health Information (PHI) is information that
             relates to the past, present or future physical or mental condition of an
              individual, the provision of health care to an individual, or payment for
              care provided to an individual;
             is transmitted or maintained in any form (electronic, paper or oral); and
             identifies, or can be used to identify, the individual.
            Examples of PHI include
               – health information with identifiers such as name, address, name of
                 employer, telephone number or SSN
               – medical records, including the medical record number, x-rays, lab or
                 test results, prescriptions or charts
    –   Unsecured PHI is PHI that has not been rendered unusable, unreadable or
        indecipherable to unauthorized persons through encryption or destruction
        consistent with HHS guidance. Only encrypted or destroyed PHI counts as
        "secured"; password protection or access controls alone do not. PHI on a
        lost laptop whose disk was encrypted, and whose key was not lost with it,
        is therefore not a breach of unsecured PHI; the same file on an
        unencrypted disk is.
HITECH-Breach Notification Obligations

   If a breach has occurred, Tulane will be responsible for
    providing notice to
    –   The affected individuals (without unreasonable delay and in no
        event later than 60 calendar days from the date of discovery. A breach
        is treated as discovered on the first day it is known to the covered
        entity or business associate, or would have been known with
        reasonable diligence, not when the analysis of whether the facts
        constitute a breach is concluded. The 60-day clock is an outer
        limit, not a target.)
    –   The Secretary of Health & Human Services (HHS). Timing depends on the
        number of individuals affected: a breach affecting 500 or more
        individuals is reported to HHS without unreasonable delay and no later
        than 60 days from discovery; smaller breaches are logged and reported
        to HHS within 60 days after the end of the calendar year in which they
        were discovered.
    –   The media (only required if 500 or more residents of any one
        state or jurisdiction are affected).
Decision Tree for Breach Notification

   1. Is the information PHI?
      No:  No notification; determine whether the Red Flag Rules or state
           breach notification laws apply.
      Yes: continue.
   2. Is the PHI unsecured?
      No:  No notification; determine accounting and mitigation obligations
           under HIPAA.
      Yes: continue.
   3. Was there an impermissible acquisition, access, use or disclosure of PHI?
      No:  No notification.
      Yes: continue.
   4. Does the impermissible acquisition, access, use or disclosure compromise
      the security or privacy of the PHI?
      No:  No notification; determine accounting and mitigation obligations
           under HIPAA.
      Yes: continue.
   5. Does an exception apply?
      Yes: No notification; determine accounting and mitigation obligations
           under HIPAA.
      No:  Notification required; determine the methods of notification for
           the affected individuals, the Secretary of HHS and, if necessary,
           the media.
HITECH-Reporting Breaches

   Breaches of unsecured PHI (can include information in any form or
    medium, including electronic, paper, or oral form) or of any of
    Tulane’s HIPAA policies and procedures must be reported to the
    Privacy Official at 504-988-7739 or the Office of the General
    Counsel immediately.
   Tulane’s policy (GC-026) states,
      – “Any member of the Health Care Component who knows,
         believes, or suspects that a breach of protected health
         information has occurred, must report the breach to the Privacy
         Official or the Office of the General Counsel immediately.”
   If a breach is reported, the incident will be thoroughly investigated.
   The Tulane University Covered Entity is required to attempt to
    remedy the harmful effects of a breach, including providing
    notification to affected individuals
        Disciplinary Actions

   Internal Disciplinary Actions
    –   Individuals who breach the policies will be subject
        to appropriate discipline under policy GC-009

   Minimum Privacy Violation Action, by level and definition of violation

    –   Accidental and/or due to lack of proper education
          Examples: improper disposal of PHI; improper protection of PHI
          (leaving records on counters, leaving documents in inappropriate
          areas); not properly verifying individuals.
          Minimum action: re-training and re-evaluation; oral warning with
          documented discussion of policy, procedures and requirements.
    –   Purposeful violation of privacy policy, or an unacceptable number of
        previous violations
          Examples: accessing or using PHI without a legitimate need; not
          forwarding appropriate information or requests to the Privacy
          Official for processing.
          Minimum action: re-training and re-evaluation; written warning with
          discussion of policy, procedures and requirements.
    –   Purposeful violation of privacy policy with associated potential for
        patient harm
          Examples: disclosure of PHI to an unauthorized individual or
          company; sale of PHI to any source; any use or disclosure that
          could cause harm to a patient.
          Minimum action: termination.
        Disciplinary Actions

   Civil Penalties
    –   Covered entities and individuals who violate these
        standards will be subject to civil liability.

   Tiered Civil Penalties (per violation; the annual cap for violations of the
   same requirement is shown in parentheses)

   Circumstance of violation                Minimum penalty            Maximum penalty
   Entity did not know                      $100                       $50,000
   (even with reasonable diligence)         ($25,000 per year)         ($1.5 million per year)
   Reasonable cause, not willful neglect    $1,000                     $50,000
                                            ($100,000)                 ($1.5 million)
   Willful neglect, but corrected           $10,000                    $50,000
   within 30 days                           ($250,000)                 ($1.5 million)
   Willful neglect, not corrected           $50,000                    None
                                            ($1.5 million)
          Disciplinary Actions

   An employee who does not report a
    breach in accordance with the policies and
    procedures could lose his or her job.
          Employee Obligations

   Do not disclose PHI without patient authorization. If
    you have questions about whether a disclosure is
    permitted, ask your supervisor.
   If you think there has been an unauthorized
    disclosure of PHI, contact the Security or Privacy
    Official or the Office of the General Counsel
    immediately.
   When removing PHI from Tulane (e.g., when a physician
    takes medical records off site or carries PHI on a
    laptop), act in accordance with Tulane's security
    measures.
               Review

Review of HIPAA Policies & Procedures that
            were revised 2010
      Patient Access to Protected Health
          Information Fees – GC-008
                 Policy Revised November 2010



   Copies – $0.25 per page plus a handling fee
    of $10.00
   A fee of $25.00 will be charged for an
    expedited request.
   A fee of $25.00 will be charged to prepare a
    summary of the information.
   A fee of $25.00 will be charged to prepare an
    explanation of the information.
    Patient Access to Protected Health
     Information – GC-008 continued

   If a patient requesting copies of the record is
    unable to pay because the cost would
    constitute a hardship, the TUMG Financial
    Hardship form must be completed and
    become part of the patient’s record.
   If any of the TUMG clinics use a third-party
    vendor to handle the copying of records, this
    policy does not apply to the vendor.
    Authorization for Release of Protected
        Health Information – GC-010
                Policy revised August 2010




   An additional authorization was added to
    this policy.
   Form is specific “to use / disclose
    protected health information for marketing,
    public relations, and external
    communications.”
HIPAA Security Policies
        Protecting Data in Copiers &
           Multifunction Devices

   Copiers, faxes, and/or scanners
      1. Purchasing / leasing: If you are in the process
      of purchasing, leasing or renting a copier, fax
      and/or scanner, ask your supplier or vendor about
      the security options most manufacturers now offer:
      regularly overwriting the device's memory and
      encrypting its hard drive, so that PHI left on the
      device cannot be recovered and a privacy breach is
      prevented.
         Protecting Data in Copiers &
        Multifunction Devices continued

   Copiers, faxes, and/or scanners
    2. Existing Equipment: If a device is currently in the
       middle of its service life, TS recommends that you
       follow this guide carefully.
    – Determine whether it has a hard disk drive
            Consult the device manual, if available
            Contact your service representative
            It may be possible to look it up online by model on the
             vendor's web site
    –   If it does have a hard disk drive, you must ensure that
        the data stored on the device never leaves Tulane's
        control (for example when the device is serviced,
        returned at the end of a lease, or disposed of)
       Protecting Data in Copiers &
      Multifunction Devices continued

3. Disposing of, transferring, or retiring old equipment:
• Since it has become public knowledge that copiers/multifunction
  office devices may contain sensitive personal information, their
  disposal must be handled carefully. The university already has the
  following existing resources related to the disposal of hard drives
  and the secure removal of data, which should be applied to this type
  of equipment:
• HIPAA Disposal Policy
   – http://www.tulane.edu/~hipaa/TS30Disposal_Policy.pdf
• Computer Recycling
   – http://recycle.tulane.edu/recycle-news.html
          Protecting Data in Copiers &
         Multifunction Devices continued

   Each link below contains the manufacturer's documentation for wiping the hard drive of a
    printing device. Some manufacturers provide a feature whereby the printer continuously or
    periodically overwrites its hard drive. Enable this feature wherever it is available.
     –   Xerox devices:
         http://www.xerox.com/information-security/product-security/enus.html
     –   Ricoh devices:
         http://www.ricoh.com/about/security/product/index.html
     –   HP devices:
         http://www.hp.com/large/solutions/hp-disk-erase-white-paper.pdf
     –   Lexmark multifunction printer security features:
         http://www1.lexmark.com/documents/en_us/CIP_Piece_POD.pdf
     –   Canon imageRUNNER devices:
         http://www.usa.canon.com/CUSA/assets/app/pdf/ISG_Security/brochure__ir_hard_disk_drive_security_kit_061009.pdf
     For more information on best practices, see:
     –    http://www.prlog.org/10640424-how-to-protect-your-photocopier-hard-drive
     –    http://www.dataerasure.com/printer_hard_drive.php
         HIPAA Security Phishing

   WARNING: Always be vigilant for email scams that could result
    in the theft of Protected Health Information (PHI).
   A common, recent variation of the scam is an email that:
     1. Requires you to verify a user name and/or password, or
     2. Links you to a site pretending to be one you know and requires you
        to enter your user name and/or password.
   Tulane is particularly concerned with a current scam that tries
    to trick you into revealing your Tulane email user name and
    password, so that the sender can read all of your email and
    either steal PHI contained in your messages or reuse your
    credentials to enter other password-protected accounts in
    which you maintain PHI.
    HIPAA Security Phishing continued

What you should do:
   First, be careful when following links in emails. You can often
    verify a link's true destination by reading the web address
    carefully: the site you will actually reach is the host name that
    follows "http://" or "https://" and ends at the next "/", not
    whatever the link text says and not anything that appears before
    an "@" in the address. If you are uncertain, close the email and
    reach the desired web site by typing its address yourself or by
    using Google or another search engine to find its true home page.
   Second, never provide confidential information to someone who
    initiates contact with you. In particular, never respond to an
    email that directly or indirectly requires you to provide, verify
    or enter your Tulane email user name and password.
   Finally, if you think you may have been compromised in this
    way, change your Tulane password immediately, then contact
    the University's 24/7 Technology Help Desk and send an email
    to security@tulane.edu.
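The "read the web address carefully" advice above, as an added example that is not part of Tulane's training material: a small Python checker that parses a link the way a browser will, extracts the host that will actually be contacted, and flags the tricks phishing links rely on (credentials before an "@", link text that shows a different host than the one the link goes to, bare IP addresses, punycode hosts, and look-alike hosts such as tulane.edu.something.example that contain the brand name but are not under tulane.edu). The trusted domain, the brand word and the sample links are constructed assumptions for the demonstration, not data from the page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions (not from the original page): the organisation's own domain and
# the brand word a look-alike host would try to imitate.
TRUSTED_DOMAINS = ("tulane.edu",)
BRAND_WORDS = ("tulane",)

# Link text that is a bare host name such as "tulane.edu" (no scheme, no spaces)
_BARE_HOST = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def actual_host(url):
    """Return the host a browser would connect to, or "" if not an http(s) link.

    urlsplit() discards any user:pass@ prefix, so a crafted link such as
    https://tulane.edu@evil.example/login reports evil.example, not tulane.edu.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it.

    A plain substring test would accept tulane.edu.evil.example; the
    dot-anchored suffix test does not.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def shown_host(display_text):
    """Host the reader *sees* in the link text, or "" if the text is just words."""
    text = display_text.strip().lower()
    host = actual_host(text)
    if host:
        return host
    return text if _BARE_HOST.fullmatch(text) else ""


def check_link(display_text, href):
    """Classify a link as it appears in an email and return (verdict, reason).

    verdict is one of "ok", "external", "lookalike" or "suspicious".
    """
    host = actual_host(href)
    if not host:
        return "suspicious", "not a plain http(s) link"
    if "@" in urlsplit(href.strip()).netloc:
        return "suspicious", f"text before @ hides the real host {host}"
    if _is_ip(host):
        return "suspicious", f"destination is a bare IP address {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"internationalised (punycode) host {host}"
    seen = shown_host(display_text)
    # Link text that itself names a host must match the real destination
    # (tulane.edu shown, www.tulane.edu reached is fine; anything else is not).
    if seen and not (host == seen or host.endswith("." + seen)):
        return "suspicious", f"link text shows {seen} but goes to {host}"
    if is_trusted(host):
        return "ok", f"{host} is under a trusted domain"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike", f"{host} imitates a trusted domain but is not under it"
    return "external", f"{host} is outside the trusted domains"


if __name__ == "__main__":
    # Constructed sample links for the demonstration, not real phishing mail.
    samples = [
        ("Tulane webmail", "https://webmail.tulane.edu/"),
        ("Verify your account", "https://tulane.edu.account-verify.example/login"),
        ("https://tulane.edu/", "http://tulane.edu@203.0.113.5/"),
        ("http://webmail.tulane.edu", "http://webmail-tulane.example/"),
        ("click here", "javascript:alert(1)"),
        ("tulane.edu", "https://www.tulane.edu/hipaa"),
    ]
    for text, href in samples:
        verdict, reason = check_link(text, href)
        print(f"{verdict:10} {href}  ({reason})")
```

The checker deliberately does not trust anything it cannot parse as an http(s) URL, and treats a host that merely contains the brand name as a look-alike rather than as trusted; the same dot-anchored suffix test is what a mail filter or browser extension would need, since `"tulane.edu" in host` would wave through `tulane.edu.account-verify.example`.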
      Resources


  HIPAA Security Official
 Hunter Ely (504) 988-8566

  HIPAA Privacy Official
Glenda Folse (504) 988-7739

						