HIPAA OVERVIEW
Privacy & Related Issues for Business Officers
Jill Raines, Assistant General Counsel & HIPAA Privacy Official
© May not be reproduced without prior permission. 10/17
$1 Million Question: What is HIPAA and Why Do I Care?
HIPAA is…
-A federal law
-With huge penalties
-That DOES apply to certain departments on graduate and undergraduate campuses.
That’s the short version.
HIPAA Applies to…
-Health Care Providers: mental, physical; research with a treatment protocol
-Health Plans: benefits (self-funded)
-Business Associates: your faculty may be signing BA agreements…
HIPAA Covers… PHI
-Individually identifiable health information created or received by a covered entity
-Related to past, present, or future physical or mental health or condition, or to payment for or coverage of those conditions
-Maintained or transmitted electronically or otherwise; written or spoken
WHAT MAKES INDIVIDUAL INFORMATION IDENTIFIABLE (HIPAA DESIGNATED PHI IDENTIFIERS)?
-Name
-Address
-Dates (except year)
-Telephone number
-Fax number
-Email, URL, IP addresses
-Biometrics (finger, voice)
-Unique identifying number/code/characteristic ** CATCH-ALL CATEGORY
-Social Security Number
-Account and license numbers
-Medical record number
-Health plan/insurance number
-Device numbers
-Vehicle numbers
-Identifying photos
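As an added example (not part of the original deck), a small Python scanner that flags the pattern-shaped identifiers from the list above (SSN, telephone, email, IP address, full dates) in a constructed clinic note and redacts them, keeping only the year of any date as the "Dates (except year)" rule allows. Names, addresses, biometrics and the other free-text categories are outside what a regular expression can reliably catch and are out of its scope.

```python
import re

# Constructed sample text (not from the original deck) containing several
# HIPAA-designated identifiers. Names and street addresses are free text
# and are deliberately not matched here; only pattern-shaped identifiers are.
SAMPLE_NOTE = """Patient seen 03/14/2017 at the College Clinic.
Call back at 555-867-5309 or email jdoe@example.edu.
Claim filed under SSN 123-45-6789; portal login from 192.0.2.44.
Prior visit in 2016 went well."""

# Regular expressions for the machine-recognizable identifier categories.
# The date pattern captures the year so redaction can keep it.
PATTERNS = {
    "ssn":       re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email":     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip":        re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Full month/day/year dates only; a bare year is NOT an identifier.
    "date":      re.compile(r"\b\d{1,2}/\d{1,2}/(\d{2,4})\b"),
}


def find_identifiers(text):
    """Return a list of (category, matched text) for every identifier found."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((category, m.group(0)))
    return hits


def redact(text):
    """Replace each identifier with a [CATEGORY] token.

    Full dates become [DATE <year>] so the year survives, mirroring the
    'dates (except year)' entry in the identifier list."""
    out = text
    for category, pattern in PATTERNS.items():
        if category == "date":
            out = pattern.sub(lambda m: "[DATE " + m.group(1) + "]", out)
        else:
            out = pattern.sub("[" + category.upper() + "]", out)
    return out


if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_NOTE):
        print(f"{category:10s} {value}")
    print(redact(SAMPLE_NOTE))
```

A scan like this is a first pass for finding where PHI sits in shared drives or ticket systems; a clean result does not mean a document is free of PHI, because names and narrative details are not detected.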
HIPAA Requires… Covered Entities and their Health Care Components (HCCs) to
-Protect PHI from unauthorized access, use, disclosure
-Provide training to Workforce Members
-Investigate and mitigate violations
-Report unsecured breaches of PHI
Likely Campus HCCs
-Health Services
-Athletics??
-Counseling Services
-Benefits Office
-Certain Support Services: Financial, IRB/HRPP, Printing Services, Audit, Compliance, Legal Counsel, IT, Collections, Waste Mgmt
What PHI is on Your Campus?
-Health records
-Counseling records
-Medication records and lab reports
-Employee benefits enrollment information
-Claims information
-Billing and payment information
-Research participant information
-Correspondence re: patients/enrollees
WHEN CAN AN HCC USE OR DISCLOSE PHI?
-Required/Permitted by Law
-For Treatment, Payment, or Operations
-With Patient Authorization or a BAA
(If you aren’t sure, ASK your Compliance Office!)
What is Authorization?
Authorization is required for use and disclosure of PHI that is not otherwise allowed by HIPAA or required by law. An Authorization must specify a number of detailed elements, including what may be released and to whom.
Where is your HIPAA Authorization form?
What is a BAA?
-A Business Associate performs a job for or on behalf of an HCC using the HCC’s PHI
-The Business Associate must sign a Business Associate Agreement BEFORE PHI is shared
Do you know who your BAs are?
Hospital Error
-Hospital shared PHI with a billing company
-Hospital did not have a BAA in place
-$1.55M Penalty
What is NOT PHI…*
-Worker’s comp documents
-Employment information
-Position-required immunizations
-Return-to-work notes
-FERPA information
-Immunizations for programs
-Excused absence notes
-Treatment records
Why the Asterisk??
If you work in an HCC that PROVIDED the student or employee immunization or treatment, those records MAY BE covered by HIPAA. Understand who your HCCs are. You must understand who created the record and for what purpose to know whether the information is PHI.
Privacy Violation or Professionalism Issue?
-Business college employee calls in sick; supervisor tells co-worker the details.
-Health Services employee calls in sick; the provider who saw her tells her supervisor the employee won’t be in.
-Student calls in with flu; professor asks College Clinic if student really has the flu.
Can You…
-Ask HR to check an employee’s insurance file to see if the employee is actually ill?
-Ask Health Services to confirm that an employee actually had an appointment on a particular day?
-Share a student-athlete’s treatment file with campus PD? With a professor?
There ARE Consequences
If you use or disclose PHI and the use or disclosure
-was not required/permitted by law
-was not for TPO
-was not with patient Authorization or under a BAA,
you have violated HIPAA.
Even When Disclosure or Access is Appropriate Under HIPAA:
All uses and disclosures of PHI are subject to the Minimum Necessary Standard.
Definition – the least amount of information necessary to accomplish the purpose.
Note: This standard does NOT limit disclosures made for actual treatment purposes. (Being curious is NOT treatment.)
Criminals ARE Covered
-Hospital called police on a patient suspected of Medicaid fraud
-Fraud was confirmed; patient was arrested
-Hospital confirmed identity to the media
-OCR Penalty: $2.4M in 2017
Snooping Physician Pays
-Media reported on a local newscaster’s death
-Physician accessed PHI to see details
-Physician sentenced to 1 year probation, 60 hours of community service, and fined.
The Manager’s Role:
When new employees arrive
-No PHI from previous employer
-Training completed
-Document access
When employees leave
-Termination checklist
-Account for all PHI
-Account for devices
EMPLOYEES ARE INDIVIDUALLY RESPONSIBLE FOR PROTECTING PHI
-Protect PHI in your possession/under your control: paper charts, patient hand-off sheets, laptops, films/images, smart phones, clinic notes
-Encrypt electronic devices so they are “Secure” under HIPAA.
-“Secure” means the PHI is unusable, unreadable, indecipherable.
ARE EMPLOYEES ALLOWED TO TAKE PHI HOME? Next Stop…Penalty Box
-Health Plan employee took work home
-No policy addressing this; no procedure
-Some accessed PHI after separation
-Company paid $3.5M in penalties
KNOW WHERE YOUR PHI IS!
Trash is Treasure – Protect It
-Local news station found PHI in dumpster
-Reported the story
-Penalty: $125K
Encryption is Key
-Univ of Mississippi Med - $2.75M: unencrypted laptop, shared passwords
-Non-Profit Biomedical - $3.9M: unencrypted laptop stolen from car
-Oregon Health & Sciences - $2.7M: unencrypted laptop, thumb drive, cloud
-Advocate Health - $5.5M: unencrypted desktops and laptops stolen
2017 Penalties…to date: $17M+
-Unencrypted laptops/devices
-Sharing with unauthorized recipients
-Not terminating access to PHI when employee no longer needs access
Violation Categories and Penalty Amounts (Monetary Penalties)

Category (HITECH § 1176(a)(1))           Each Violation        All such violations (identical violation/year)
(A) Did not know                         $100 - $50,000        $1.5 million
(B) Reasonable cause                     $1,000 - $50,000      $1.5 million
(C)(i) Willful neglect (corrected)       $10,000 - $50,000     $1.5 million
(C)(ii) Willful neglect (not corrected)  $50,000+              $1.5 million
Criminal Penalties
-Fines may be imposed against the University and individual work force members (Note that “work force members” include employees, trainees, students, and volunteers.)
-Individual work force members may be imprisoned for up to 10 years
Take Advantage Of the Safe Harbor
Violations that are reported to, managed, and closed by the Privacy Official within 30 days = no penalties or fines may be imposed against you or the University.
Sorry – no safe harbor for criminal acts or deliberate disregard for the law…
Report ASAP so the Safe Harbor can be used!!
For Your Information…
Office for Civil Rights - https://www.hhs.gov/hipaa/index.html
HIPAA.com - http://www.hipaa.com/the-definition-of-health-plan/