Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009

Dec 24, 2015

Page 1

Columbia University Medical Center

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Privacy & Information Security Training

2009

Page 3

HIPAA OVERVIEW

Health Insurance Portability and Accountability Act (HIPAA)

Insurance Reform [Portability]

Administrative Simplification [Accountability]

Transactions, Code Sets, & Identifiers: Compliance Dates 10/16/2002 and 10/16/2003

Privacy: Compliance Date 4/14/2003

Security: Compliance Date 4/20/2005

Fraud and Abuse (Accountability)

Page 4

Who Needs HIPAA Training?

All staff working at CUMC should receive HIPAA training

Clinical – Patient Care requirements

Research – HIPAA research requirements

Administration – Billing, Fundraising, Marketing, Public Relations & other Business functions

Page 5

Privacy & Security Concerns

Theft of Patient Data: identity theft, stolen laptop, USB drives

Loss of Patient Data: incorrect disposal

Misuse of Patient Data: privacy breach

Page 6

In the News…

An employee from the Admissions Department at a prestigious NYC hospital has been accused of stealing and selling information of nearly 50,000 patients

CVS Caremark Corp. has agreed to pay $2.25 million to settle allegations by the government that it dumped credit-card data, Social Security numbers and customer medical records into garbage containers outside a number of its stores.

53 staff members disciplined for accessing Britney Spears medical records at UCLA medical center

Page 7

HIPAA Guidance – Top 10: Privacy Guidance

1. Provide patient with the Notice of Privacy Practices

2. Shred patient information (disposal)

3. Telephone guidance: messages and requests for patient information

4. Use and disclose medical information correctly: release of medical information, minimum necessary

5. Fax patient information utilizing a cover sheet

Page 8

HIPAA Guidance – Top 10: Information Security Guidance

1. Never share your password

2. Secure (password / encrypt) electronic devices with patient information

3. Social Security numbers should not be included in databases when not required

4. Do not access records of co-workers, family members, friends or high profile patients

5. Promptly report loss or theft of electronic devices with protected health information, and inform the Privacy Officer of any improper use or privacy breach

Page 9

Privacy/Security Breaches

Page 10

Information Security & Privacy Failures: Employee Carelessness

Sharing passwords

Loss / theft of USB drive, BlackBerry, disc or laptop with patient information

Failure to use passwords/encryption to protect portable devices

Mailing medical records

Incorrect patient registration

Failing to log off systems (CROWN, WebCIS, Eclipsys, IDX, etc.)

Sending ePHI (electronic protected health information) outside the institution without encryption

Using a non-CUMC email account to communicate patient information

DO NOT USE PERSONAL EMAIL ACCOUNTS FOR WORK PURPOSES

Page 11

New Requirements for Patients

The Notice of Privacy Practices must be offered to the patient at the time of their first visit (on the first visit only, not every visit).

Tells patients their specific rights regarding their health information.

A signed acknowledgement must be placed in the patient’s medical record and documented in IDX.

Page 13

Notice of Privacy Practices

Patients have the right to:

Request restrictions on release of their PHI

Receive confidential communications

Inspect and copy medical records (access)

Request amendment to medical records

Make a complaint

Receive an accounting of any external releases

Obtain a paper copy of the Notice of Privacy Practices on request

Page 14

Use or Disclosure of Medical Information

Written Authorization required to release medical information

A physician may share information with a referring physician (“patient in common”) without an authorization

All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review

Page 15

Electronic Access is Recorded

Your access to CROWN, WebCIS, Eclipsys, and other clinical electronic systems is recorded and subject to audit

Periodic audits are done and access is monitored

If you access medical information without a legitimate business purpose you will be disciplined

Do not allow others to use your password or user ID, and do not let anyone else work in a clinical application under a session you have signed into
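The monitoring this slide describes is what a periodic access audit actually runs over. What follows is an added example, not code from the original CUMC training deck or from any CUMC system: a small Python audit over a constructed access-log extract, with constructed care-team, high-profile and staff-patient tables, that flags the behaviours the deck warns about. It reports chart access without a documented treatment relationship, any access to a high-profile patient's record, a staff member looking up their own chart, and one account active on two workstations within minutes (a shared password or a session left logged in). The log format, the user IDs, MRNs and workstation names, and the five-minute concurrency window are all assumptions made for the example.

```python
"""Added example: audit rules over a constructed clinical-system access log.

Not code from the CUMC training deck or from CROWN, WebCIS or Eclipsys;
those systems produce their own audit formats.  All records below are
constructed for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit-log extract (not real data): timestamp, user, workstation,
# patient medical record number (MRN) and the action taken in the chart.
ACCESS_LOG = """\
ts,user,workstation,mrn,action
2009-03-02T08:05:10,rn_alvarez,WS-ICU-03,MRN1001,view_chart
2009-03-02T08:07:44,rn_alvarez,WS-ICU-03,MRN1002,view_chart
2009-03-02T08:09:01,md_chen,WS-CLINIC-07,MRN1003,view_chart
2009-03-02T08:12:30,md_chen,WS-CLINIC-07,MRN1009,view_chart
2009-03-02T09:15:00,clerk_okafor,WS-ADMIT-01,MRN1001,view_demographics
2009-03-02T09:16:20,clerk_okafor,WS-ADMIT-02,MRN1004,view_demographics
2009-03-02T10:40:05,rn_alvarez,WS-ICU-03,MRN1007,view_chart
"""

# Constructed treatment relationships: users with a current care or business
# role for each patient.  Anyone else has no legitimate purpose for the chart.
CARE_TEAM = {
    "MRN1001": {"rn_alvarez", "clerk_okafor"},
    "MRN1002": {"rn_alvarez"},
    "MRN1003": {"md_chen"},
    "MRN1004": {"clerk_okafor"},
}
# Constructed: high-profile patients whose every access is reviewed.
HIGH_PROFILE = {"MRN1009"}
# Constructed: staff who are also patients, keyed by user -> their own MRN.
STAFF_OWN_MRN = {"rn_alvarez": "MRN1007"}
# Assumed window: the same account on two workstations this close together
# suggests a shared password or an unattended logged-in session.
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the CSV extract into dicts, converting 'ts' to a datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return rows


def audit(rows):
    """Apply the review rules to the log rows, oldest first.

    Returns a list of (rule, user, subject) tuples in log order.  The subject
    is the MRN for record-access rules and the workstation for the
    concurrency rule.
    """
    findings = []
    seen = defaultdict(list)  # user -> [(ts, workstation)] already processed
    for row in sorted(rows, key=lambda r: r["ts"]):
        user, mrn, ws, ts = row["user"], row["mrn"], row["workstation"], row["ts"]

        # Rule 1: every touch of a flagged high-profile chart is reviewed.
        if mrn in HIGH_PROFILE:
            findings.append(("high_profile_access", user, mrn))

        # Rule 2: a staff member opening their own chart is a self-lookup.
        # Rule 3: otherwise, no documented treatment relationship means no
        # legitimate business purpose for opening the chart.
        if STAFF_OWN_MRN.get(user) == mrn:
            findings.append(("self_lookup", user, mrn))
        elif user not in CARE_TEAM.get(mrn, set()):
            findings.append(("no_treatment_relationship", user, mrn))

        # Rule 4: same account active on two workstations within the window.
        for prev_ts, prev_ws in seen[user]:
            if prev_ws != ws and ts - prev_ts <= CONCURRENCY_WINDOW:
                findings.append(("concurrent_workstations", user, ws))
                break
        seen[user].append((ts, ws))
    return findings


def run_audit(text=ACCESS_LOG):
    """Parse and audit one log extract; returns the findings list."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for rule, user, subject in run_audit():
        print(f"{rule:28s} user={user:14s} subject={subject}")
```

On the constructed extract the audit produces four findings: md_chen opening the high-profile chart MRN1009 (flagged twice, once as high-profile access and once for lacking a treatment relationship), clerk_okafor active on WS-ADMIT-01 and WS-ADMIT-02 eighty seconds apart, and rn_alvarez opening their own chart. In a real review the care-team table would come from scheduling, admission and order data rather than a hand-written dictionary, and each finding would go to a human reviewer rather than straight to a disciplinary action.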

Page 16

New Regulations - 2009

HITECH – Economic Stimulus Plan: significantly increased penalties; PERSONAL liability for violations; significantly increased requirements to protect electronic medical information

Red Flag Regulations: new regulations to detect, prevent and respond to medical identity theft

Social Security Notification Act: individual notification and free credit monitoring when the SS# of an individual is lost/stolen

Page 17

HIPAA Research Training

All researchers are required to complete HIPAA Research online training in addition to the HIPAA general training

Researcher Training

Register on RASCAL: www.rascal.columbia.edu

Page 18

HIPAA and Research

Two main avenues:

Form A: HIPAA Clinical Research Authorization (required elements)

Form B: HIPAA Application for Waiver of Authorization (subject to approval of the IRB)

Some exceptions: research using solely decedent information; research using solely de-identified information; activities preparatory to research

Medical record research done under a HIPAA Waiver of Authorization is approved by the IRB

Page 20

PATIENT PRIVACY

At some point in our lives we will all be a patient

Treat all information as though it was your own

Page 21

Questions & Answers

Karen Pagliaro-Meyer, Privacy Officer

Columbia University Medical Center

[email protected]

[email protected]