1. 2015 Privacy & Security Refresher

2. Presenters  Dana Williams  Privacy Officer  (501) 202-6776  Stephen Yarberry  Chief Information Security Officer  (501) 202-4310

3. Definitions  HIPAA  Health Insurance Portability and Accountability Act of 1996  HITECH  Health Information Technology for Economic and Clinical Health  PHI  Protected health information  IIHI  Individually identifiable health information “If you can identify, HIPAA applies!”

4. Notice of Privacy Practices  Core document that informs patients about HIPAA  Given at first admission  Posted on website  Patients can request an additional copy

5. Patient Rights  Receive Notice of Privacy Practices  Opt out of facility directory (confidential)  Inspect and obtain a copy  Request restriction  Receive confidential communication  Request an amendment  Accounting of disclosures  Receive breach notification  Right to file a complaint

6. Patient Awareness

7. Use and Disclosure  Treatment  Payment  Healthcare operations  Required by law  Authorized by the patient  Any use/access or disclosure outside of this is a violation  Remember your role!!!

8. Interested vs Involved Chicken  Interested in patient’s condition and/or prognosis  “Concerned”  No real commitment Pig  Involved in patient’s care prior to arrival, discharge plan, etc  “Committed”  Does not have to be a family member Unless the patient objects……

9. Personal Electronic Devices & Social Media  HR policy V-45 recently updated  Social Media Violation Examples  Patients posts negative information about ER visit on FB. Employee sends patient a “message” to dispute posting.  L&D employee posts pics to FB and tags her friend/our patient.  Students take video of patients/visitors walking in hallway (from the neck down) and posts to social media

10. Violation Examples  Fax to wrong #, fax with no cover sheet  Discharge instructions (AVS) to wrong patient  RX to wrong patient  Second letter/form included in patient’s  Letters/envelopes mixed up  Schedule/work list lost (left in bathroom)  Employee accesses family/friend record  Email sent without Safe!

11. Breach Notification  Required to provide notification following a breach of unsecured PHI  Must notify patient in writing within 60 days of discovery of the breach  If breach involves more than 500 people, media must be notified  All breaches must be reported to OCR annually

12. Disciplinary Action  Not eligible for verbal counseling  Written counseling  Written warning  Suspension  Termination  Employees terminated for privacy violations are NOT eligible for rehire and will NOT be issued an external ID

13. Discipline Policy OLD  Written Counseling  Accident  Written Warning  Deliberate NEW  Written Counseling  No breach notify  Written Warning  Breach notify

15. Office for Civil Rights  Enforces  HIPAA Privacy Rule  HIPAA Security Rule  HIPAA Breach Notification Rule  Was historically complaint driven  Moving to a new era of proactive auditing  Able to leverage fines  Maintains webpage of all breaches affecting 500 or more individuals  https://ocrportal.hhs.gov/ocr/breach/breach_r eport.jsf

16. Office for Civil Rights cont’d  Maintains webpage of all breaches affecting 500 or more individuals  https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf  University of Arkansas for Medical Sciences,10/18/2010, Theft Other Portable Electronic Device  Health Resources of Arkansas, 08/05/2013, Theft Laptop  Health Resources of Arkansas, 5/23/2013, Theft, Unauthorized Access/Disclosure Other  Health Advantage, 12/20/2012, Other Paper/Films  University of Arkansas for Medical Sciences, 4/20/2012, Unauthorized Access/Disclosure Other  Conway Regional Medical Center, 10/21/2011, Loss Other  NEA Baptist Clinic, 09/07/2011, Hacking/IT Incident Network Server

17. Best Practice Advice - Privacy  Talk with the patient  Document patient’s wishes  Be careful with social media  Patients can post almost anything they want (but not employees)

18. Security Measures  Combination of Administrative, Technical & Physical Controls  Keep Abreast of Policy Changes (e.g., General Responsibilities of Computer Users)  Make sure to use Technical Controls when appropriate e.g., Safe! On an e-mail subject line  Be aware of Physical Controls e.g., locking cabinets on Epic Business Continuity workstations

19. Business Associates  HIPAA holds BAs to the same privacy and security standards as Baptist Health, but breach notification is still our responsibility even if they are the ones with a breach  Vendors usually know about HIPAA, but are often unaware of the HITECH safe harbor provisions  Involve Information Security early on in the contracting and procurement processes

20. Auditing and Monitoring  All EPHI systems require an approved audit plan  Audit results must be reported to Corporate Compliance on a quarterly basis  Failure to adhere to these requirements must be explained in detail to the Routine Audit subcommittee of the Board and presented along with a mitigation plan

21. Best Practice Advice - Security  Don’t text PHI  Use Safe! for e-mail to external addresses  Be cautious of photos and video  Don’t store data on any personal device/media  Be wary of e-mails soliciting confidential information (regardless of what it look like)  Information Security is a tool for all to use, please don’t hesitate to call or e-mail any questions

22. Questions?