East Carolina University HIPAA Privacy
Office of Institutional Integrity, Division of Health Sciences

Overview
- HIPAA background and general information
- Use and disclosure of PHI
- Patients' rights
- Security breach notification requirements
- Penalties and enforcement
- Violation levels and sanctions

Background
- HIPAA is a federal law that establishes a minimum level of privacy protection for "protected health information" (PHI).
- Required compliance with the HIPAA Privacy Rule became effective on April 14, 2003.
- Congress considered additional privacy and security protections necessary once transmission of health claims and other health information became uniform and electronic.

Background: What is Protected Health Information (PHI)?
- Information that is created or received by the covered entity;
- relates to the past, present or future physical or mental health or condition of the individual, or to payment for health care; and
- identifies the individual or provides a reasonable basis to believe it can be used to identify the individual (this includes all personal demographic and health information).
- PHI can be in any form: verbal, written or electronic.
- Hybrid entity: a single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule.
  - If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components.
  - Non-health care components of a hybrid entity may still be affected, because the health care component is limited in how it can share PHI with the non-health care components.
- ECU is a hybrid entity with designated health care components.

PHI Identifiers
- Name
- Geographic location: street address, city, county, precinct, zip code
- Dates: date of birth, date of death, admission/discharge/treatment dates
- Phone and fax numbers
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

Use & Disclosure of PHI
The American Recovery & Reinvestment Act of 2009 (ARRA) substantially modified certain provisions of HIPAA:
- Heightened enforcement: increased penalties and periodic audits for compliance
- Security breach notification requirements
- Increased restrictions on the use and disclosure of PHI
- Additional rights for patients:
  - copies of PHI in electronic format
  - PHI cannot be disclosed to a health plan when the patient has paid for the service in full "out of pocket" and asks that it not be disclosed

HIPAA Authorization
- In general, required for any use or disclosure of PHI that is not otherwise permitted (see the exceptions below and the treatment, payment and health care operations exception on the next slide).
- Authorizations are separate from the general consent for treatment.
- Must be in writing and include specific elements.
- The patient must receive a copy and may revoke an authorization in writing in certain situations.
- Typical uses include:
  - research
  - a patient's request to release PHI to an outside entity or individual
  - release of employment-related examination information
  - psychotherapy notes and other sensitive conditions
  - certain fundraising or marketing activities
- Examples of exceptions to the authorization requirement:
  - law enforcement purposes
  - judicial and administrative proceedings (per court order or subpoena)
  - health oversight agencies (e.g., HHS)
  - certain public health activities (e.g., CDC, public health departments, tracking of FDA recalls, reporting of adverse events during research)

Use & Disclosure of PHI
Broad exception for "treatment, payment or health care operations":
- "Treatment": providing health information to other providers involved in the care of the patient (e.g., other nurses, doctors, lab personnel). Does NOT allow disclosure of psychotherapy notes; a separate written authorization is required to release that type of information.
- "Payment": submission of claims for services to third-party payors; collection activities.
- "Health care operations": using and disclosing PHI for quality assurance reviews, internal auditing, peer review, outside lawyers, accountants, etc. Research is not considered health care operations.

The Minimum Necessary Requirement (45 C.F.R. 164.502(b) and 164.514(d))
Disclosures to family, friends and others involved in the patient's care:

Family member or friend
- Patient is present and has the capacity to make health care decisions: the provider may disclose relevant information if the provider does one of the following:
  - obtains the patient's agreement;
  - gives the patient an opportunity to object and the patient does not object; or
  - decides from the circumstances, based on professional judgment, that the patient does not object.
  Disclosure may be made in person, over the phone, or in writing.
- Patient is not present or is incapacitated: the provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. The provider may use professional judgment and experience to decide whether it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

Other persons
- The provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, believes the disclosure to be in the patient's best interest. Disclosure may be made in person, over the phone, or in writing.

"Minimum Necessary" Rule
- In general, the amount and type of PHI used or disclosed is restricted to the minimum necessary to satisfy the request.
- "Reasonable efforts" must be taken not to disclose more than the minimum amount of PHI necessary to accomplish the intended purpose.
- Does not apply to disclosures for treatment purposes to other providers, or to release of PHI to the patient pursuant to the patient's own authorization.
- Reasonable efforts must be made to verify the identity of a caller or individual requesting PHI. Reasonable verification questions ask for personal information such as date of birth or maiden name, not information such as telephone number or address.

Contacting patients
- Make every effort to speak to the patient directly.
- Never leave voice messages containing information about the patient's condition, test results, specifics of treatment, etc.
- If you must leave a message, leave only your name, "ECU Physicians," and your phone number. Do not state the reason for the call.

De-identified Information
After review and approval, de-identified information can be used if the 18 specific identifiers are removed from the information:
- Names
- All geographic subdivisions smaller than a state, including address, city, county, zip code
- All elements of dates (except year) that relate to health care treatment, including age
- Telephone numbers, fax numbers, email addresses
- Numbers: SSN, MRN, health plan beneficiary, account, certificate/license, vehicle ID and serial, device ID and serial
- URLs or IP addresses
- Biometric identifiers (e.g., fingerprints), full-face photos, or other comparable images
- Any other unique identifying number, code, or characteristic
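The identifier removal above, worked through on a structured record as an added example (this is not ECU's own code or tooling). The field names, the free-text patterns and the sample record are assumptions made for illustration. The example drops the listed identifier fields, keeps only the year of each date, aggregates ages over 89 into a single "90+" category (the Safe Harbor rule for ages), scrubs identifiers that hide inside free-text notes, and finishes with a residual-identifier check that must come back empty before a record is released.

```python
"""Safe Harbor de-identification of a patient record (added example, not ECU code).

Applies the identifier-removal rules from the slide to a constructed record:
drop the listed identifier fields, keep only the year of any date, aggregate
ages over 89 into "90+", and scrub identifiers that hide inside free text.
Field names, patterns and the sample record are assumptions for illustration.
"""
import re
from datetime import date

# Identifier fields with no de-identified form: removed outright.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip",
    "fingerprint", "photo",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"dob", "date_of_death", "admission_date", "discharge_date",
               "treatment_date"}

# Identifiers that tend to leak through free-text notes. Order matters:
# the SSN pattern runs before the phone pattern, and the date pattern runs
# before the ZIP pattern so a remaining year is never mistaken for a ZIP.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),      # MM/DD/YYYY -> YYYY
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scrub_text(text):
    """Replace identifier patterns in free text. Only MM/DD/YYYY dates are
    recognised, so notes with other date formats still need manual review."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record):
    """Return a new dict holding only the Safe Harbor-permitted form of each field."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                                   # identifier: removed
        if key in DATE_FIELDS:
            out[key] = value.year if isinstance(value, date) else None
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"                           # ages over 89 are aggregated
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Names of string fields that still match an identifier pattern.
    A non-empty result means the record must not be released."""
    return [k for k, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p, _ in FREE_TEXT_PATTERNS)]


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "dob": date(1921, 3, 4),
    "age": 93,
    "zip": "27858",
    "email": "jane.sample@example.edu",
    "admission_date": date(2014, 6, 2),
    "state": "NC",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt reachable at 252-555-0142, follow-up 07/15/2014. Lives at 27858.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Running it leaves only the year of the dates, the aggregated age, the state, the diagnosis and a scrubbed note; the residual check is the gate a reviewer runs before approving release, and it deliberately errs toward flagging a record rather than passing one.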
Designated Shred Containers
- A container marked "Confidential" is for PHI material only and will be disposed of per policy.
- A container marked "Shred" is for confidential material.
- A container marked "Trash" is not for confidential material.
- Empty any individual shred bin you maintain yourself every day.

PATIENT RIGHTS UNDER HIPAA

Right to Access PHI
- Patients may request a copy of their medical record.
- The request must be in writing, using the approved form.
- Requests may be denied in certain circumstances.
- ECU employees are not permitted to access their own PHI without first going through Health Information Systems Services and requesting access.

Patient Rights under HIPAA
Patients may request: an accounting of disclosures of PHI; confidential and/or alternative communications of PHI; further restrictions on PHI; amendment of PHI.

1. Accounting of disclosures: patients may request an accounting of disclosures of their ECU-maintained PHI made during the past six years.
   - Patients are permitted to request a listing showing to whom their PHI has been disclosed.
   - Does not include disclosures made for treatment, payment, or health care operations; disclosures made pursuant to the patient's own authorization; or disclosures made prior to April 14, 2003 (the effective date of the rule).
   - Does not include disclosures made for national security or intelligence purposes, or for law enforcement purposes.
2. Confidential or alternative communications: patients have the right to request the method by which they will be contacted (e.g., which telephone number, location, etc.).
   - Any request to communicate PHI by alternate means must be submitted in writing using the ECU Request for Alternate Communication Form.
3. Restrictions: patients may request that their PHI not be disclosed in a certain manner, even if the disclosure is permitted under HIPAA.
   - Common requests include no disclosure for fundraising purposes (institutions are otherwise permitted to use minimal PHI for fundraising), no disclosure to certain government agencies, or no disclosure to certain family members.
   - Requests must be made in writing using ECU's Request for Restriction on the Use and Disclosure of PHI Form. ECU may accept or decline the request.
4. Amendment: patients may request a correction to the medical record.
   - The provider is not required to amend, but must notify the patient of the decision.
   - Typically arises with sensitive conditions: obesity, mental illness, etc.

Patient Rights under HIPAA
Complaints about privacy and security practices
- Any individual may file a complaint regarding a suspected privacy violation.
- Individuals may file privacy complaints with:
  - the ECU Privacy Officer
  - the Division Integrity Hotline (866)
  - the United States Office for Civil Rights
- No intimidation or retaliatory action may be taken against any individual making a complaint.

Security Breach Notification Requirements; Penalties & Enforcement

Security Breach Notification Requirements
- The first federal breach notification law, established under ARRA.
- For a breach of any "unsecured PHI," the covered entity must notify, within 60 days, each individual whose PHI has been accessed, acquired, or disclosed as a result of the breach. (Under HHS guidance, PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction; lost data that was properly encrypted does not trigger notification.)
- Annual report to HHS of all notifications made.
- If the breach involves 500 or more individuals, notice to HHS must be immediate, and "prominent" local media must also be notified.
- Excludes certain inadvertent or unintentional disclosures.

Security Breach Notification Requirements
OCR's most frequent compliance issues, in order of frequency:
1. Impermissible use and disclosure of PHI
2. Lack of safeguards of PHI
3. Lack of patient access to PHI
4. Violation of the "minimum necessary" rule
5. Lack of administrative safeguards of electronic PHI

- 98,279 HIPAA complaints received (April 2003 to August 2014)
- OCR has referred 530 cases to the Department of Justice for criminal investigation

Penalties under HIPAA: Civil Penalties

Violation date              Penalty amount                           Calendar year cap
On or after 2/18/2009       $100 to $50,000 or more per violation    $1,500,000
Prior to 2/18/2009          Up to $100 per violation                 $25,000

Source: Summary of HIPAA Privacy Rule (accessed June 22, 2012)

Penalties under HIPAA: Criminal Penalties

Conduct                                                                Penalty amount    Prison term
Knowingly obtains or discloses PHI in violation of the Privacy Rule    Up to $50,000     Up to 1 year
Wrongful conduct involves false pretenses                              Up to $100,000    Up to 5 years
Wrongful conduct involves intent to sell, transfer, or use PHI for
  commercial advantage, personal gain, or malicious harm               Up to $250,000    Up to 10 years

Source: Summary of HIPAA Privacy Rule (accessed June 22, 2012)

ECU HIPAA Privacy Violation Levels
ECU is required to have and apply internal sanctions against workforce members who fail to comply with its policies and procedures. Specific internal sanctions are outlined in East Carolina University's Privacy Regulation: HIPAA.

- Level 1: failure to demonstrate appropriate care. Examples: failing to log off a computer; leaving PHI in a non-secure location; inappropriate hallway conversation.
- Level 2: intentional or unintentional exposure of PHI internally. Examples: unauthorized access to PHI; repeated Level 1 violations; providing passwords to unauthorized users; accessing PHI for which you have no job duty.
- Level 3: intentional or unintentional exposure of PHI internally or externally. Examples: repeated Level 2 violations; sharing PHI with unauthorized individuals; failing to perform necessary actions to prevent disclosure; disclosing PHI outside ECU's designated health care components.
- Level 4: intentional abuse of PHI. Examples: large-scale disclosure; use for personal gain; destroying PHI.

ECU HIPAA Privacy Sanction Levels
- Violations can result in local sanctions ranging from documented counseling, in accordance with ECU's disciplinary policies, up to and including dismissal.
- Federal sanctions, including fines and/or imprisonment, may also result.

Privacy Training
- All workforce members must receive annual HIPAA training to protect the privacy and security of individually identifiable health information.
- Annual HIPAA training is located in Cornerstone.

HIPAA Privacy and E-mail
E-mail and PHI:
- E-mail containing PHI within the University network: encryption not necessary. Limit PHI to the minimum necessary.
- E-mail containing PHI sent outside the University network (e.g., to Vidant): encryption IS required.
- ECU student accounts: encryption is required.

Wireless networking and PHI:
- Do not access or send PHI over a wireless network unless the data is encrypted prior to transmission. Data sent over a wireless network can be captured by unauthorized persons in nearby buildings, parking lots, and streets. (This includes personal smartphones and other portable devices.)

ECU HIPAA Privacy Officer & Chief Institutional Integrity Officer
Kenneth De Ville, PhD, JD, (252)
Complete HIPAA Privacy and Security Policies are available at: