Lawrence H. Muhlbaier, PhD, Associate Professor, B&B, DCRI
Tasha Carmon, CHPC, CCRC, CCRP, Senior Compliance Auditor, SOM Compliance Office
Duke University
SOM HIPAA Privacy Training

All Rights Reserved, Duke Medicine 2007

Purpose of HIPAA Training
This training will:
– Briefly define HIPAA and PHI
– Provide general education regarding access, use, and disclosure of health information in compliance with the Privacy & Security Rules
– Outline your responsibilities as faculty and staff in the proper use, disclosure and protection of health information
– Describe your responsibilities and resources when there is a question, concern or violation
– Cover the Omnibus Rule update (January 2013)

What is the SOM Compliance Office?
Clinical Trials Quality Assurance (CTQA)
– Human Subjects Research Compliance, Clinical Trials Billing Compliance
Compliance Review Services (CRS)
– Financial Compliance, Conflict of Interest (COI), Departmental reviews

Why do I need HIPAA Training?
Your duties may require you to have contact with Duke University Health System (DUHS) health information. Because of this contact, you have an obligation to maintain the privacy and security of that health information.

Our Responsibility as a Covered Entity
Under the HIPAA Privacy and Security Rules, Duke must have policies and procedures in place to protect the privacy and confidentiality of both PHI and electronic PHI (ePHI).
– Covered entity: a health care provider, health plan, or health care clearinghouse that handles protected health information.

Duke Community members who must comply with HIPAA

What is HIPAA?

Health Insurance Portability & Accountability Act (HIPAA)
Enacted in 1996, HIPAA covers:
– Insurance portability (allows one to take insurance coverage to their next job)
– Accountability (fraud prevention)
– Administrative simplification
– Security
– Privacy

Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules:
– Four categories of violations that reflect increasing levels of culpability;
– Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
– A maximum penalty amount of $1.5 million per calendar year for all violations of an identical provision.

HIPAA Privacy
The Privacy Rule:
– Protects information about an individual's health, health care, or payment for care, whether past, present, or future (PHI)
– Identifies permitted uses and disclosures of this PHI
– Gives patients some control over their health information (patients' rights)

What is considered Protected Health Information (PHI)?
HIPAA defines 18 identifiers of PHI, including:
1. Names.
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
– The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
– The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to

18 identifiers of PHI (cont.)
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers.
5. Facsimile numbers.
6. Electronic mail addresses.
7. Social security numbers.
8. Medical record numbers.
9. Health plan beneficiary numbers.
10. Account numbers.

18 identifiers of PHI (cont.)
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers.
14. Web universal resource locators (URLs).
15. Internet protocol (IP) address numbers.
16. Biometric identifiers, including fingerprints and voiceprints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
Note: these identifiers are PHI when held in combination with health information.

Use & Disclosure of PHI
Use:
– Sharing PHI within Duke Medicine and designated Duke University departments.
Disclosure:
– Sharing health information with persons or entities outside of Duke Medicine.

Appropriate Use & Disclosure of PHI
Use and disclosure of PHI is permitted:
– As authorized by the patient (a signed HIPAA authorization, typically obtained together with the research informed consent)
– For treatment, payment, or health care operations (TPO)
– In certain other circumstances detailed in the Privacy Rule (including public health disclosures)

What is needed in an Authorization to Use or Disclose PHI
– Description of the PHI to be used or disclosed
– Person(s) authorized to use or disclose the PHI
– Person(s) to whom the covered entity may disclose the PHI
– Each purpose of the use or disclosure
– Expiration date or study event
– Signed copy given to the individual

Other HIPAA documents to consider
Notice of Review Preparatory to Research
– "I will look but not record, and the PHI will not leave Duke."
Waiver or Alteration of Consent and HIPAA Authorization
– Recording identifiable private information without written or verbal authorization
Notice of Decedent Research
De-identification
– All 18 identifiers are removed
Limited Data Set with a Data Use Agreement
– Contact Gill Smith's office

Limited Data Set with DUA
Limited Data Set with a Data Use Agreement:
– All direct identifiers are removed, except that dates (DOB, DOD, service dates) and limited demographics (city, state, ZIP, ZIP+4) may be retained.
– A contract (the DUA) must be signed between the discloser and the recipient.
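The Safe Harbor rules on the two identifier slides above (ZIP codes cut to their first three digits unless the prefix covers 20,000 people or fewer, dates reduced to the year, ages over 89 collapsed into a single 90-or-older category) and the limited data set described on this slide are mechanical enough to encode, and encoding them makes the difference between the two views concrete. The following is an added example, not code from this training or from Duke. The field names, the two sample records and the set of restricted ZIP prefixes are constructed for illustration; the authoritative restricted prefixes come from Census Bureau population data, and Safe Harbor replaces such a prefix with 000.

```python
"""Safe Harbor de-identification and limited-data-set views of a PHI record.

Added example, not part of the Duke training. Field names, the restricted
ZIP-prefix set and the sample records are CONSTRUCTED for illustration.
"""
from datetime import date

# Direct identifiers: the 18 identifiers other than dates and geography,
# which need transformation rather than plain removal.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
GEO_FIELDS = {"street", "city", "county", "state", "zip"}

# CONSTRUCTED sample: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. The authoritative set comes from Census Bureau data.
SAMPLE_RESTRICTED_ZIP3 = {"036", "059", "102"}

# Reference date used when computing ages in the demo (constructed).
AS_OF = date(2013, 9, 20)


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: date,
                restricted_zip3=SAMPLE_RESTRICTED_ZIP3) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    Direct identifiers are dropped; geography is reduced to state plus a
    3-digit ZIP prefix (000 when the prefix is restricted); dates keep only
    the year; ages over 89 become "90+" and the birth year is dropped too,
    because that year alone would reveal the age.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in GEO_FIELDS:
            if key == "state":
                out["state"] = value
            elif key == "zip":
                zip3 = str(value)[:3]
                out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year
            continue
        out[key] = value

    birth = record.get("birth_date")
    if birth is not None:
        out["age"] = age_on(birth, as_of)
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("birth_date_year", None)
    return out


def limited_data_set(record: dict) -> dict:
    """Limited-data-set view: direct identifiers removed, dates and
    city/state/ZIP retained. Street address and county are not among the
    geography a limited data set may keep, so they are removed as well."""
    drop = (DIRECT_IDENTIFIERS - {"other_unique_code"}) | {"street", "county"}
    return {k: v for k, v in record.items() if k not in drop}


def sample_records() -> list:
    """Two CONSTRUCTED records; nothing here refers to a real person."""
    return [
        {
            "name": "Jane Example", "ssn": "000-00-0001", "mrn": "MRN-0001",
            "email": "jane@example.invalid", "street": "1 Example St",
            "city": "Durham", "county": "Durham", "state": "NC", "zip": "27710",
            "birth_date": date(1920, 5, 4),
            "admission_date": date(2013, 9, 1),
            "discharge_date": date(2013, 9, 5),
            "diagnosis": "I10",
        },
        {
            "name": "John Example", "ssn": "000-00-0002", "mrn": "MRN-0002",
            "phone": "000-000-0000", "city": "Smalltown", "state": "NH",
            "zip": "03601", "birth_date": date(1980, 11, 30),
            "admission_date": date(2013, 3, 14), "diagnosis": "E11",
        },
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print("safe harbor:", safe_harbor(rec, AS_OF))
        print("limited set:", limited_data_set(rec))
```

The second sample record exercises the two Safe Harbor edge cases in one pass: its ZIP prefix is in the (constructed) restricted set and so becomes 000, while the first record's subject is over 89, so the age is reported as "90+" and the birth year disappears along with the rest of the birth date. The limited-data-set view keeps full dates and city/state/ZIP, which is exactly why it still needs a DUA.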

Minimum Necessary
The Privacy Rule requires that we follow the "minimum necessary" standard when using, disclosing, or accessing PHI for anything other than treatment of a patient.
– Only the amount of PHI needed to perform the task should be used or reviewed by staff or disclosed to others.
– If you are asked to disclose PHI and this is outside your job responsibilities, contact your supervisor or the SOM Privacy Officer before releasing the information.
– If you are asked to give PHI to a third party (e.g., a sponsor), contact your supervisor or the SOM Privacy Officer for direction.

What can you do to help protect PHI?
– Do not discuss PHI in public or with anyone unrelated to the task at hand.
– Do not access PHI if it is not needed for your job.
– Do not leave papers containing PHI unattended. Place papers face down or conceal them to avoid access by unauthorized persons. Theft or loss of any paper record should be reported immediately to the SOM Compliance Office.
– Do not send unencrypted electronic PHI.
– Use a cover sheet when faxing confidential information, and verify the fax number before sending.
– Paper, images and other printed materials containing PHI should be destroyed by shredding or striking out (redaction) so that they cannot be read or reconstructed.
– Confirm whether a DUA is needed for your research (BAAs are typically not needed for research).
– If you must retain SSNs for your research, contact the SOM Compliance Office and/or the ISO.

Common Violations / Hot-button issues
– Not offering the Notice of Privacy Practices to healthy subjects.
– Retention of SSNs (Duke policy: Collection, Storage, and Use of Social Security Numbers).
– Disclosure of PHI to a third party without authorization.
– No DUA and/or BAA in place when one is needed.
– International data.
– Use of personal [accounts or devices] for Duke business (Duke policy: Electronic Communication).

Duke Privacy Policy
Please review the Duke Breach of Protected Health Information/Patient Privacy Policy.

What's New!
– Omnibus Rule
– Data Loss Prevention (DLP): Diane Padgett, Compliance Auditor

Omnibus Rule – September 20, 2013
Final modifications to the HIPAA Privacy, Security, and Enforcement Rules require:
– Modifications to individual authorization (allows "opt in" check boxes to be used in consent and authorization forms)
– Modifications to the NOPP and its redistribution
– Business associates of covered entities are now directly liable for HIPAA Privacy/Security breaches and reporting (new business associate agreements)
– Individual rights to request e-copies of their health record and to restrict disclosures to a health plan concerning treatment for which one has paid out of pocket
– New breach reporting requirements
– The Privacy Rule incorporates the Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes
– Individuals deceased longer than 50 years are no longer covered

Reporting a Suspected Event
Why is it important?

How to report
If a suspected privacy event occurs, please contact the SOM Compliance Office immediately. Examples include accidentally releasing patient information to the wrong person, losing PHI such as a spreadsheet, etc.
The Privacy Officer should also be notified if someone incorrectly discloses PHI to you.
If you wish to make an anonymous report or feel uncomfortable calling the DUHS Privacy Officer directly, you can call Duke Medicine's Privacy Line.

What happens to me when I report a HIPAA concern?
Non-Retaliation/Non-Retribution Policy
If you report a concern in "good faith"*, no retaliation or retribution may be taken against you, even if the investigation determines that a problem does not exist.
Supervisors will be disciplined for any attempt to punish or retaliate against anyone acting in good faith in reporting a privacy violation.
*Good faith means that the person reporting the concern believes that the problem exists.

Resources
– Duke SOM Compliance Office
– Duke Medicine's Privacy Line
– Duke IRB
– DUHS Policies: d969?OpenView

Thank You
Lawrence H. Muhlbaier, PhD
Tasha Carmon, CCRC, CCRP
Duke School of Medicine Compliance Office