
HIPAA and Portable Electronic Devices Michele Cerullo, Assistant Attorney Office of the General Counsel Jane Haughney, J.D., Privacy Consultant Professional Integrity Office March 6, 2012

Learning Objectives
1. Learn about applicable University policies.
2. Recognize that you must obtain a signed written consent from the patient for all photography, videotaping or audio taping of patients.
3. Recognize that electronic media used for treatment purposes must be stored in the medical record.
4. Understand that electronic media with identifiable patient images/information must be secured when stored or transmitted.
5. Know the institutional and individual consequences of privacy violations.
6. Learn how to report a privacy incident.
7. Know whom to call with privacy questions.

University Policies
GME 226: Intentional and unintentional disclosure
USF Physician Group Control and Security of Patient Medical Records
– Purpose: to ensure security
– Policy: it is the responsibility of faculty and residents to safeguard the medical record
USFPG Release of Patient Health Information
– PHI shall not be disclosed except on written authorization, as required by law, or for purposes of treatment or business operations

University Policies Continued
USFPG Accounting of Protected Health Information Disclosures
– A disclosure is any release, transfer, provision of access to, or divulging in any manner, including written, oral or electronic, of information outside of the USF covered entity
USFPG Electronic Mail Containing PHI
– E-mail containing PHI must be treated with the same degree of privacy and confidentiality as the medical record
– E-mail messages concerning treatment are part of the medical record
– The patient must consent to e-mail correspondence between the patient and physician

University Policies Continued
USFPG Accidental Release of PHI
– Process for responding to accidental disclosure
USFPG Disclosure of De-Identified Information
– De-identified means the following are removed:
Name
Geographic subdivision smaller than a State
All elements of dates (other than year) directly related to the individual
Telephone numbers
Fax numbers
E-mail addresses
URLs
IP addresses
SSN
MRN
Health plan beneficiary number
Account number
Certificate/license number
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Biometric identifiers; full face photographic images and comparable images
Any other unique identifying number, characteristic, or code

Patient Consent Required
Obtain a signed consent from each patient before:
– taking a photograph of a patient;
– making a video of a patient; or
– making an audiotape of a patient.

Storing Electronic Media with Patient Information Protected health information or “PHI” in an electronic media format that is used for treatment purposes should be stored in the medical record.

Transmission and Storage of Patient Information
Identifiable patient information in any form of electronic media must be secure when stored and transmitted.
– Is the patient information transmitted via encrypted e-mail? Please note that USF Health e-mail is not encrypted as of February.
– Is the patient information stored on a secure USF Health server, or secured in Allscripts or EPIC?

What is Secure?
PHI on mobile devices (including laptops, cell phones, digital cameras, tablet computers, PDAs, USB (flash, thumb) drives and external hard drives) is not considered to be secure unless it is encrypted with AES 128-bit or better (Office for Civil Rights guidance on rendering unsecured protected health information unusable, unreadable, or undecipherable; that guidance points to NIST Special Publication 800-111 for data at rest). Encryption protects a lost or stolen device only if the key or passphrase is not stored on, or carried with, the device. PHI stored on a personal device is never considered secure by USF.

Patient Consent Forms
At USF Health a “Consent for Photograph” form is available on the USFPG SharePoint site under the Clinical Operations section. Contact the USFPG Medical Records Department ( ) with related questions. For media releases, use the “Patient Information Authorization for Release through News Stories, Photography and News Media” form, available from the USF Health Public Affairs office at (813) . You must contact the USF Health Public Affairs office before having any discussions with the media.

Patient Consent Forms at Tampa General Hospital Tampa General Hospital (“TGH”) policy requires consent for all photography, videotaping, or making of audio recordings at TGH except with regard to certain law enforcement investigations, decubitus and wound documentation, child abuse investigations, and patient/infant identification performed in accordance with TGH policies. At TGH, photo consent forms are available on the inpatient units and clinics; and the OR consent includes a check box that must be used.

Common Questions about Patient Photos Q. Are patient photos considered protected health information (“PHI”)?

Answer: A. Photos can be considered PHI based on the following definitions: –The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information (“PHI”).”

Answer cont.
“Individually identifiable health information” is information, including demographic data, that relates to:
– the individual’s past, present or future physical or mental health or condition,
– the provision of health care to the individual, or
– the past, present or future payment for the provision of health care to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Answer cont.
De-Identified Health Information: de-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: (1) a formal determination by a qualified statistician that the risk of re-identification is very small; or (2) removal of the specified identifiers of the individual and of the individual’s relatives, household members and employer, which is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
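The Safe Harbor method summarised in this answer and in the identifier list under University Policies, carried out in code as an added example (this is not code from the presentation or from USF Health). The field names, the two sample records and the reference date are constructed for the example; the restricted ZIP prefixes are the seventeen listed in HHS de-identification guidance from 2000 Census data and should be checked against current data before use. The block goes one step past the slide: it also applies the rule's aggregation of ages over 89, which the slide's list omits.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example, not code from the USF Health presentation. It applies the
Safe Harbor method of 45 CFR 164.514(b)(2) that the slides summarise:
drop the listed identifier classes, keep only the year of dates, reduce
ZIP codes to three digits, and collapse ages over 89 into "90+". Field
names, the sample records and the reference date are constructed.
"""
import re
from datetime import date

# Fields the Safe Harbor list says must be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become
# "000". These 17 are the ones listed in the HHS de-identification
# guidance (2000 Census); refresh them against current census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Best-effort patterns for identifiers that leak into free text. Regexes
# cannot satisfy the rule's "no actual knowledge" condition on their own;
# a human still has to read the note.
_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE), "[MRN]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with tags."""
    for pattern, tag in _TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for sparsely populated areas."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single category."""
    return "90+" if age >= 90 else str(age)


def age_on(birth: date, as_of: date) -> int:
    """Completed years between two dates."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier class: remove entirely
        if isinstance(value, date):
            out[key] = value.year         # dates: year only
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free text: tag what we can find
        else:
            out[key] = value
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
        out["age"] = generalize_age(age)
        if age >= 90:
            # Even a birth year would reveal an age over 89; drop it.
            out.pop("birth_date", None)
    return out


# Constructed sample data; the reference date is the presentation date.
AS_OF = date(2012, 3, 6)
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN 0044871",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "birth_date": date(1968, 11, 2),
    "zip": "33612",
    "admit_date": date(2012, 2, 14),
    "diagnosis": "Laceration, right forearm",
    "note": "Pt called from 813-555-0100; follow up with dr.smith@example.org "
            "on 2/20/2012. MRN 0044871.",
}
SAMPLE_OVER_89 = dict(SAMPLE, birth_date=date(1920, 1, 1), zip="03601")

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_OVER_89):
        print(deidentify(rec, AS_OF))
```

The regexes only catch identifier shapes in free text. Safe Harbor is adequate only when the covered entity has no actual knowledge that the remaining data could identify the patient, so a scrubbed clinical note still needs human review before it leaves the covered entity.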

Common Questions about Patient Photos cont. Q. May I take patient photos with my cell phone to share with others on the treatment team?

Answer: A. No. Many cell phones can be used to easily share pictures and videos with others, including uploading such media to publicly accessible websites. Even if the media is not deliberately shared, privacy breaches can occur if the cell phone photos are viewed by an unauthorized individual or the cell phone or its memory card is lost.

Common Questions about Patient Photos cont. Q. Is it a HIPAA violation for a patient’s family member or friend to take a picture of a patient I am treating? This could happen without my realizing it and I could end up on someone’s Facebook page stitching up a wound.

Answer: A. Generally speaking, a covered entity is not responsible for the actions of a patient’s family members or friends. If the patient allowed the family member or friend to accompany him/her into the treatment room, that may indicate the patient’s consent. What if a stranger took a photo of the patient? Some covered entities post signs in patient care areas prohibiting photography.

Common Questions about Patient Photos cont. Q. We want to post a photo of a patient and a related article about their successful treatment. Do we need to obtain the patient’s consent?

Answer: A. Yes. Using a patient’s photograph and information about their treatment requires the patient’s written consent and completion of the USF Health “Patient Information Authorization for Release through News Stories, Photography, and News Media” Form. This is the case even if the information is de-identified.

Office for Civil Rights Enforcement OCR Director, Georgina Verdugo, states: “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.” “Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.” (7/2011)

Examples of enforcement agreements with the OCR
– UCLA Health Sciences agreed to settle potential HIPAA violations for $865,500 after employees repeatedly accessed ePHI of celebrity patients.
– Massachusetts General Hospital paid a $1 million settlement after an employee inadvertently left sensitive files of infectious disease patients on a commuter train.

Consequences of Privacy Violations Privacy violations can lead to: –Discipline, including probation and termination; –Fines; –Criminal prosecution.

Annual Reporting of Privacy Incidents to HHS The PIO is responsible for submitting to HHS an annual log of privacy breaches for the calendar year (breaches affecting fewer than 500 individuals are reported this way; larger breaches are reported to HHS without waiting for the annual log). In order to file the annual log with HHS, the PIO must learn of privacy incidents.

What to do if you think an error resulted in a privacy issue:
Tell your supervisor, attending, Program Director or Chair and contact:
– The Professional Integrity Office Helpline at (813) ;
– Call or e-mail Jane Haughney, J.D., Privacy Consultant, (813) ; or
– Call Patricia Bickel, CPA, MBA, Compliance and Privacy Officer, Director of the Professional Integrity Program, (813) .

How to Report Privacy Incidents
Contact the PIO at (813) or call the PIO Helpline at (813) to report any privacy incident. Also tell your supervisor, attending, Program Coordinator, Program Director or Chair. You may also call or e-mail Jane Haughney, J.D., Privacy Consultant, (813) , or call Patricia Bickel, CPA, MBA, Compliance and Privacy Officer, Director of the Professional Integrity Program, (813) .

What happens after I report a privacy incident? You will be asked to complete an investigation form and take steps to mitigate any privacy breach. If a privacy breach involves 500 or more individuals, notify the PIO immediately. The PIO will also notify USF Health IS if the matter involves a security breach such as a laptop theft or the loss of a flash drive.

Who are you going to call if you have questions about patient privacy?
1. Ask your supervisor, attending, Program Director, Chair or the GME Office.
2. Call the PIO Help Line at (813) . The PIO Website has information that can be a resource and is located at:
3. If you cannot reach the PIO, call the Office of the General Counsel and ask for:
– Attorney Michele Cerullo at (813) ; or
– Attorney R. B. Friedlander at (813) ; or
– Any available attorney at the main number (813) .