East Carolina University HIPAA Privacy

East Carolina University HIPAA Privacy Office of Institutional Integrity Division of Health Sciences

Overview of HIPAA
- Background and General Information
- Use and Disclosure of PHI
- Patients' Rights
- Security Breach Notification Requirements
- Penalties and Enforcement
- Violation Levels and Sanctions

Background
- HIPAA is a federal law that establishes a minimum level of privacy protection for "protected health information" (PHI).
- Compliance with the HIPAA Privacy Rule became mandatory on April 14, 2003.
- Congress concluded that additional privacy and security protections were necessary once the transmission of health claims and other health information became standardized and electronic.

Background: What is Protected Health Information (PHI)?
PHI is information that:
- is created or received by the covered entity;
- relates to the past, present or future physical or mental health or condition of an individual, or to payment for health care; and
- identifies the individual, or provides a reasonable basis to believe it could be used to identify the individual (this includes all personal demographic and health information).
PHI can be in any form: verbal, written or electronic.

Hybrid entity: a single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. The non-health care components can still be affected, because the health care component is limited in how it may share PHI with them. ECU is a hybrid entity with designated health care components.

PHI Identifiers
- Names
- Geographic location: street address, city, county, precinct, zip code
- Dates: date of birth, date of death, admission/discharge/treatment dates
- Telephone and fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

Use & Disclosure of PHI
The American Recovery & Reinvestment Act of 2009 (ARRA) substantially modified certain HIPAA provisions:
- Heightened enforcement: increased penalties and periodic compliance audits
- Security breach notification requirements
- Increased restrictions on the use and disclosure of PHI
- Additional rights for patients:
  - copies of PHI in electronic format
  - a patient who has paid in full "out of pocket" for a service may require that the PHI for that service not be disclosed to the patient's health plan

HIPAA Authorization
- In general, an authorization is required for any use or disclosure of PHI that the Privacy Rule does not otherwise permit.
- Authorizations are separate from the general consent for treatment.
- Must be in writing and include specific elements.
- The patient must receive a copy and may revoke the authorization in writing, except to the extent the covered entity has already acted in reliance on it.
Typical uses include:
- Research
- A patient's request to release PHI to an outside entity or individual
- Release of employment-related examination information
- Psychotherapy notes and other sensitive conditions
- Certain fundraising or marketing activities
Examples of exceptions to the authorization requirement:
- Law enforcement purposes
- Judicial and administrative proceedings (per court order or subpoena)
- Health oversight agencies (e.g., HHS)
- Certain public health activities (e.g., CDC, public health departments, tracking of FDA recalls, reporting of adverse events during research)

Use & Disclosure of PHI
Broad exception for "treatment, payment or health care operations":
- "Treatment": providing health information to other providers involved in the care of the patient (e.g., other nurses, doctors, lab personnel). Does NOT cover psychotherapy notes; a separate authorization is required to release that type of information.
- "Payment": submission of claims for services to third-party payors; collection activities.
- "Health care operations": using and disclosing PHI for quality assurance reviews, internal auditing, peer review, outside lawyers, accountants, etc. Research is not considered health care operations.

The Minimum Necessary Requirement (45 C.F.R. 164.502(b) and 164.514(d))
Disclosures to persons involved in the patient's care:

Family member or friend, patient is present and has the capacity to make health care decisions:
- Provider may disclose relevant information if the provider does one of the following: obtains the patient's agreement; gives the patient an opportunity to object and the patient does not object; or decides from the circumstances, based on professional judgment, that the patient does not object.
- Disclosure may be made in person, over the phone, or in writing.

Family member or friend, patient is not present or is incapacitated:
- Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest.
- Disclosure may be made in person, over the phone, or in writing.
- Provider may use professional judgment and experience to decide whether it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

Other persons:
- Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, believes the disclosure to be in the patient's best interest.
- Disclosure may be made in person, over the phone, or in writing.

"Minimum Necessary" Rule
- In general, the amount and type of PHI used or disclosed is restricted to the minimum necessary to satisfy the request.
- "Reasonable efforts" must be taken not to disclose more than the minimum amount of PHI necessary to accomplish the intended purpose.
- Does not apply to disclosures to other providers for treatment purposes, or to release of PHI to the patient pursuant to the patient's own authorization.
- Reasonable efforts must be made to verify the identity of a caller or individual requesting PHI. Reasonable verification questions ask for personal details known to the patient, such as date of birth or maiden name (not information such as a telephone number or address, which others can easily obtain).

Contacting Patients
- Make every effort to speak to the patient directly.
- Never leave voice messages containing information about the patient's condition, test results, specifics of treatment, etc.
- If you must leave a message, leave only your name, "ECU Physicians," and your phone number. Do not state the reason for the call.

De-identified Information
After review and approval, de-identified information can be used if the following 18 identifiers are removed:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, and zip code
- All elements of dates except year that relate to the individual or to health care treatment (birth, admission, discharge, death), and all ages over 89
- Telephone numbers, fax numbers, e-mail addresses
- Numbers: SSN, MRN, health plan beneficiary, account, certificate/license, vehicle identifiers and serial numbers, device identifiers and serial numbers
- URLs or IP addresses
- Fingerprints, full-face photographs, or other comparable images
- Any other unique identifying number, code, or characteristic
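A worked example of the identifier-removal approach described above, added here and not part of ECU's slides or policy. It applies the 18-identifier list to a constructed patient record: structured identifier fields are dropped, date fields keep only the year, ages over 89 collapse to "90+" with the birth year dropped (the aggregation the Safe Harbor text at 45 CFR 164.514(b)(2) permits), and the values of the dropped fields plus common identifier patterns are scrubbed from free-text notes. The field names, the sample record and the regular expressions are assumptions made for the example, not ECU's schema.

```python
"""Safe Harbor de-identification of a patient record.

Added example, not ECU's code. Field names and the sample record are
constructed for illustration; real schemas and free text will differ.
"""
import re
from typing import Any

# Structured fields removed outright (identifier categories from the list above).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name",
    "street", "city", "county", "precinct", "zip",      # geography below state level
    "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no",
    "vehicle_id", "device_serial", "url", "ip",
    "fingerprint", "voiceprint", "photo",
})

# Date fields reduced to the year only.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

# Identifier patterns that tend to reappear inside free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),        # ISO date -> year only
]

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value: str) -> str:
    """Reduce an ISO-8601 date ('2014-03-12') to its year ('2014')."""
    match = ISO_DATE.match(value)
    if not match:
        raise ValueError(f"expected YYYY-MM-DD, got {value!r}")
    return match.group(1)


def scrub_text(text: str, known_values: list[str]) -> str:
    """Redact known identifier values, then generic identifier patterns, from free text."""
    # Longest values first so a longer identifier is not split by a shorter one.
    for value in sorted(known_values, key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a Safe Harbor de-identified copy of `record`."""
    # Values of dropped fields are also scrubbed from free text; very short
    # values are skipped because they would over-redact unrelated text.
    known_values = [str(record[k]) for k in DIRECT_IDENTIFIER_FIELDS
                    if k in record and len(str(record[k])) >= 4]
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value
        elif isinstance(value, str):
            out[key] = scrub_text(value, known_values)
        else:
            out[key] = value
    if out.get("age") == "90+":
        out.pop("dob", None)   # a birth year alone would still reveal an age over 89
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "ssn": "123-45-6789",
    "dob": "1931-06-15",
    "age": 93,
    "city": "Greenville",
    "state": "NC",
    "zip": "27858",
    "phone": "(252) 555-0100",
    "admit_date": "2014-03-12",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt Jane Q. Sample reached at (252) 555-0100; follow-up 2014-03-19. MRN 000123456.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Safe Harbor is one of the two de-identification methods the Privacy Rule recognizes (the other is expert determination). Pattern-based scrubbing catches formatted identifiers such as SSNs, phone numbers and dates, but a name or place written in prose that does not also appear in a structured field survives it, so free-text notes still need review before a de-identified data set is released.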

Designated Shred Containers
- A container marked "Confidential" is for PHI material only and will be disposed of per policy.
- A container marked "Shred" is for confidential material.
- A container marked "Trash" is not for confidential material.
- If you maintain an individual shred bin, empty it every day.

PATIENT RIGHTS UNDER HIPAA

Right to Access PHI
- Patients may request a copy of their medical record.
- The request must be in writing, using the approved form.
- Requests may be denied in certain circumstances.
- ECU employees are not permitted to access their own PHI without first requesting access through Health Information Systems Services.

Patient Rights under HIPAA
Patients may request:
1- An accounting of disclosures of PHI
2- Confidential and/or alternative communications of PHI
3- Further restrictions on the use and disclosure of PHI
4- Amendment of PHI

1- Accounting of disclosures: Patients may request an accounting of disclosures of their ECU-maintained PHI made during the past six years.
- Patients are permitted to request a listing showing to whom their PHI has been disclosed.
- Does not include disclosures made for treatment, payment, or health care operations; disclosures made pursuant to the patient's own authorization; or disclosures made before April 14, 2003 (the effective date of the rule).
- Does not include disclosures made for national security or intelligence purposes, or for law enforcement purposes.

2- Confidential/alternative communications: Patients have the right to request the method by which they will be contacted (e.g., which telephone number, location, etc.).
- Any request to communicate PHI by alternate means must be submitted in writing using the ECU Request for Alternate Communication Form.

3- Restrictions: Patients may request that their PHI not be disclosed in a certain manner, even if the disclosure is permitted under HIPAA.
- Common requests include no disclosure for fundraising purposes (institutions are otherwise permitted to use limited PHI for fundraising), no disclosure to certain government agencies, or no disclosure to certain family members.
- Requests must be made in writing using ECU's Request for Restriction on the Use and Disclosure of PHI Form.
- ECU may accept or decline the request.

4- Amendment: Patients may request a correction to the medical record.
- The provider is not required to amend the record, but must notify the patient of the decision.
- Such requests typically involve sensitive conditions, e.g., obesity or mental illness.

Patient Rights under HIPAA: Complaints about Privacy and Security Practices
- Any individual may file a complaint regarding a suspected privacy violation.
- Individuals may file privacy complaints with:
  - ECU Privacy Officer, 744-5200
  - Division Integrity Hotline, (866) 515-4587
  - The United States Office for Civil Rights
- No intimidation or retaliatory action may be taken against any individual making a complaint.

Security Breach Notification Requirements Penalties & Enforcement

Security Breach Notification Requirements
- The first federal breach notification law, established under ARRA.
- For a breach of "unsecured PHI," the covered entity must notify each individual whose PHI has been accessed, acquired, used or disclosed as a result of the breach, without unreasonable delay and no later than 60 days after discovery of the breach.
- Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
- If a breach involves 500 or more individuals, HHS must be notified at the same time as the affected individuals, and "prominent" local media outlets must also be notified.
- Certain inadvertent or unintentional disclosures are excluded from the definition of a breach.

Security Breach Notification Requirements: OCR Enforcement
OCR's most frequent compliance issues, in order of frequency:
1- Impermissible use and disclosure of PHI
2- Lack of safeguards of PHI
3- Lack of patient access to PHI
4- Violation of the "minimum necessary" rule
5- Lack of administrative safeguards for electronic PHI
98,279 HIPAA complaints were received between April 2003 and August 2014. OCR has referred 530 cases to the Department of Justice for criminal investigation.

Penalties under HIPAA: Civil Penalties

Violation date                  Penalty amount                             Calendar-year cap
On or after 2/18/2009           $100 to $50,000 or more per violation      $1,500,000
Prior to 2/18/2009              Up to $100 per violation                   $25,000

Source: Summary of the HIPAA Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html (accessed June 22, 2012)

Penalties under HIPAA: Criminal Penalties

Offense                                                                  Penalty amount    Prison term
Knowingly obtains or discloses PHI in violation of the Privacy Rule      Up to $50,000     Up to 1 year
Wrongful conduct involves false pretenses                                Up to $100,000    Up to 5 years
Wrongful conduct involves intent to sell, transfer, or use PHI for       Up to $250,000    Up to 10 years
  commercial advantage, personal gain or malicious harm

Source: Summary of the HIPAA Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html (accessed June 22, 2012)

ECU HIPAA Privacy Violation Levels
ECU is required to have and apply internal sanctions against workforce members who fail to comply with its policies and procedures. The specific internal sanctions are outlined in East Carolina University's Privacy Regulation: HIPAA Sanctions, at www.ecu.edu/hipaa.

Level 1: Failure to demonstrate appropriate care. Examples:
- Failing to log off a computer
- Leaving PHI in a non-secure location
- Inappropriate hallway conversation

Level 2: Intentional or unintentional exposure of PHI internally. Examples:
- Unauthorized access to PHI
- Repeated Level 1 violations
- Providing passwords to unauthorized users
- Accessing PHI for which you have no job duty

Level 3: Intentional or unintentional exposure of PHI internally or externally. Examples:
- Repeated Level 2 violations
- Sharing PHI with unauthorized individuals
- Failing to perform necessary actions to prevent disclosure
- Disclosing PHI outside ECU's designated health care components

Level 4: Intentional abuse of PHI. Examples:
- Large-scale disclosure
- Use for personal gain
- Destroying PHI

ECU HIPAA Privacy Sanction Levels
Violations can result in local sanctions ranging from documented counseling, in accordance with ECU's disciplinary policies, up to and including dismissal. Federal sanctions, including fines and/or imprisonment, may also result.

Privacy Training All workforce members must receive annual HIPAA Training to protect the privacy and security of individually identifiable health information. Annual HIPAA Training is located in Cornerstone.

HIPAA Privacy and E-mail
E-mail and PHI:
- E-mail containing PHI within the University network (@ecu.edu): encryption is not required. Limit the PHI to the minimum necessary.
- E-mail containing PHI sent outside the University network (e.g., to Vidant): encryption IS required.
- ECU student e-mail accounts (@students.ecu.edu): encryption is required.
Wireless networking and PHI:
- Do not access or send PHI over a wireless network unless the data is encrypted prior to transmission. Data sent over a wireless network can be captured by unauthorized persons in nearby buildings, parking lots, and streets. This includes personal smartphones and other portable devices.

ECU HIPAA Privacy Officer & Chief Institutional Integrity Officer
Kenneth De Ville, PhD, JD
(252) 744-5200
devillek@ecu.edu
HEALTHCAREPRIVACY@ecu.edu
Complete HIPAA Privacy and Security Policies are available at: www.ecu.edu/hipaa