Published by Nickolas Potter. Modified over 9 years ago.
1
Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009
3
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA) has two parts:
- Insurance Reform [Portability]
- Administrative Simplification [Accountability], which includes:
  - Transactions, Code Sets & Identifiers. Compliance dates: 10/16/2002 and 10/16/2003
  - Privacy. Compliance date: 4/14/2003
  - Security. Compliance date: 4/20/2005
  - Fraud and Abuse (Accountability)
4
Who Needs HIPAA Training?
All staff working at CUMC should receive HIPAA training:
- Clinical: patient care requirements
- Research: HIPAA research requirements
- Administration: billing, fundraising, marketing, public relations and other business functions
5
Privacy & Security Concerns
- Theft of patient data: identity theft, stolen laptop, USB drives
- Loss of patient data: incorrect disposal
- Misuse of patient data: privacy breach
6
In the News...
- An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information on nearly 50,000 patients.
- CVS Caremark Corp. has agreed to pay $2.25 million to settle allegations by the government that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.
- 53 staff members were disciplined for accessing Britney Spears' medical records at UCLA Medical Center.
7
HIPAA Guidance – Top 10: Privacy Guidance
1. Provide the patient with the Notice of Privacy Practices
2. Shred patient information on disposal
3. Telephone guidance: messages and requests for patient information
4. Use and disclose medical information correctly: release of medical information, minimum necessary
5. Fax patient information using a cover sheet
8
HIPAA Guidance – Top 10: Information Security Guidance
1. Never share your password
2. Secure (password-protect / encrypt) electronic devices holding patient information
3. Social Security numbers should not be included in databases when not required
4. Do not access the records of co-workers, family members, friends or high-profile patients
5. Promptly report the loss or theft of electronic devices holding protected health information, and inform the Privacy Officer of any improper use or privacy breach
9
Privacy/Security Breaches
10
Information Security & Privacy Failures: Employee Carelessness
- Sharing passwords
- Loss / theft of a USB drive, BlackBerry, disc or laptop holding patient information
- Failure to use passwords / encryption to protect portable devices
- Mailing medical records
- Incorrect patient registration
- Failing to log off systems (CROWN, WebCIS, Eclipsys, IDX, etc.)
- Sending ePHI (electronic protected health information) outside the institution without encryption
- Using a non-CUMC email account to communicate patient information
DO NOT USE PERSONAL EMAIL ACCOUNTS FOR WORK PURPOSES
11
New Requirements for Patients
- The Notice of Privacy Practices must be offered to the patient at the time of their first visit (on the first visit only, not every visit).
- It tells patients their specific rights regarding their health information.
- A signed acknowledgement must be placed in the patient's medical record and documented in IDX.
12
13
Notice of Privacy Practices
Patients have the right to:
- Request restrictions on release of their PHI
- Receive confidential communications
- Inspect and copy their medical records (access)
- Request an amendment to their medical records
- Make a complaint
- Receive an accounting of any external releases
- Obtain a paper copy of the Notice of Privacy Practices on request
14
Use or Disclosure of Medical Information
- Written authorization is required to release medical information
- A physician may share information with a referring physician ("patient in common") without an authorization
- All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review
15
Electronic Access is Recorded
- Your access to CROWN, WebCIS, Eclipsys and other clinical electronic systems is recorded and subject to audit
- Periodic audits are done and access is monitored
- If you access medical information without a legitimate business purpose you will be disciplined
- Do not allow others to use your password or user ID, or to work in a clinical application after you have signed in
16
New Regulations - 2009
- HITECH (Economic Stimulus Plan): significantly increased penalties; PERSONAL liability for violations; significantly increased requirements to protect electronic medical information
- Red Flag Regulations: new regulations to detect, prevent and respond to medical identity theft
- Social Security Notification Act: individual notification and free credit monitoring when an individual's Social Security number is lost or stolen
17
HIPAA Research Training
All researchers are required to complete the HIPAA Research online training in addition to the HIPAA general training.
Researcher training: register on RASCAL at www.rascal.columbia.edu
18
HIPAA and Research
Two main avenues:
- Form A, HIPAA Clinical Research Authorization: required elements
- Form B, HIPAA Application for Waiver of Authorization: subject to approval of the IRB
Some exceptions:
- Research using solely decedent information
- Research using solely de-identified information
- Activities prior to research, or preparatory to research
Medical record research done under a HIPAA Waiver of Authorization is approved by the IRB.
19
20
PATIENT PRIVACY
At some point in our lives we will all be a patient. Treat all information as though it were your own.
21
Questions & Answers
Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center
212-305-7315
kpagliaro@columbia.edu
HIPAA@columbia.edu