HIPAA Safety & Confidentiality
Apr 13, 2017
Transcript

HIPAA Violations & Their Implications

Presented by: A. Duenas RN, CRM, CPN

Storing patient information on laptops

The #1 HIPAA violation is a result of storing PHI on unsecured laptops.

If PHI must be accessed remotely, it is best to consider utilizing cloud storage for security.

Employees inappropriately accessing, using or transmitting PHI

The most common HIPAA violations involve healthcare employees accessing files inappropriately, either out of curiosity or maliciously.

Using clearance levels and ID codes for accessing PHI will discourage this behavior.

The loss of backup disks or portable drives

Last year, an Atlanta-based hospital system misplaced 10 backup disks storing the PHI of over 315K patients.

Accountability logs and thorough records should be kept when dealing with backup disks, and thumb drives should be password protected and encrypted.

Computer hacking

In 2012, the Utah Department of Health confirmed that a server with the PHI of more than 780K patients had been hacked into, leaking addresses, birth dates, Social Security numbers, diagnosis codes, etc.

Encryption, firewalls, and other security measures are imperative to protecting information.

Failure to release patient information in a timely manner

Another addition of the Final Omnibus Rule is the requirement for medical facilities to release electronic copies of medical records to patients upon request. Should your facility be unable to respond to the request in a timely manner, you could be fined. If your facility is not currently equipped to process electronic files, consider hiring a medical document scanning service.

Errors in paper file storage and disposal

Some of the most common HIPAA violations occur as a result of human error. It's all too easy for an administrator to incorrectly file a patient's record, or mistakenly discard a private document without shredding it. Breaches like these can be avoided by switching to an electronic filing database.

Release of information after the authorization period has expired

Insist that your staff take the time to verify the expiration dates on HIPAA authorizations each time a release of information request comes through. Although everything else may appear to be in order, if the request for information comes in after the expiration date, a new authorization form will need to be completed.

Failure to establish contracts with business associates

The Final Omnibus Rule has extended the umbrella under which an entity's business associate may fall. Should your business employ any outside party to handle, process, or transmit PHI, you must immediately establish a new contract with the agency. In this contract, your business associates must agree to comply with HIPAA regulations.

Exclusion of right to revoke clause

Your patients have the right to revoke their HIPAA authorization, and this right should be clearly stated on the HIPAA form, lest the authorization become invalid.

Incomplete HIPAA authorization forms

Before releasing any information to outside parties, it is imperative that you double and triple check to ensure authorizations are completed from top to bottom. The form should clearly list the patient's name, the party or parties to whom information may be released, which specific aspects of their medical records can be released, and the date through which the authorization is valid.

Resources

http://www.onesourcedoc.com/blog/bid/95955/The-Top-10-Most-Common-HIPAA-Violations

HIPAA and Information Technology

This PowerPoint presentation was created by nur353 work group C and includes participation by the following members: Mary Edwards, RN

Transition from paper to electronic

A statement by the American Health Information Management Association suggests that the complete transition from paper charting to an electronic medical record system is a best practice. The use of, or consultation with, a nurse with informatics experience and a health information technology specialist is critical to making the transition to the electronic record a reachable goal. Staff education on the electronic system and time to practice using the electronic health record will be essential steps in the transition.

HIPAA requirements of electronic medical records

A healthcare facility is obligated to identify any possible threats to patient records, assess any specific vulnerabilities in filing systems, and determine a reasonable level of tactics for safeguarding patient information.

Facilities are required to implement any and all defense mechanisms to ensure patient records are protected.

What health information is protected?

Names
Dates relating to a patient (i.e. birthdates, date of treatment, date of admission or discharge, and date of death)
Telephone numbers, addresses, and other contact information
Social Security numbers
Medical record numbers
Photographs
Finger and voice prints
Any other identifying number
An individual's health information (health information is protected even without the patient's name on it if the information helps identify the patient)

Who must comply?

Health care providers
Health care clearinghouses (i.e. billing services)
Health plans
Any health care provider who transmits health information in electronic form in connection with a transaction

Who is exempt from the Privacy Rule?

Those covered by the Privacy Rule of the HIPAA act do not include group health plans administered or maintained by an employer with fewer than 50 employees. The Privacy Rule does not apply to workmen's compensation or automobile insurance companies.

There are several layers to maintaining the security of the electronic medical record:

Physical security
Network security
User security
System security

Physical security considerations

Is it possible for the computers that store the confidential information to be stolen?

Keep all computers used to store confidential information, as well as the server, in a locked and secure area of the healthcare facility. Limit access to the area where the server is stored.

Network security considerations

Is it possible for unauthorized persons outside the healthcare facility to access patient records? Can a hacker get access to the protected information?

Make use of multiple firewalls: using only one firewall is not enough protection to prevent hackers from gaining access to protected information. Use anti-spyware software. Use IT personnel or a technical expert to maintain the network system.

Protect the patient's information

Be careful when entering identifiable patient information into emails. Some emails can become public information and can be used in legal disputes. When using fax machines, protect the patient information by limiting who receives the information or limiting the patient-identifiable information that is contained in the fax. Only disclose patient-identifiable information on a need-to-know basis.

User security considerations

Require password protection to access confidential patient files. Utilize a user management system to determine which staff members will have access to certain levels of private information. Make use of the management system to require password changes every 90 days.

Who's looking over your shoulder?

Be sure no one else can view the computer screen as you work. Only share the patient information necessary to complete the job. Discuss patient information in private and not in hallways. Keep papers with patient information secure. Do not disclose patient information without proper authorization.

System security considerations

Work with a reputable information technology company. Update security systems frequently. Back up electronic health records on a regular basis. Store regular backups in a secure place.

References

US Department of Health and Human Services: Health Information Privacy (2014). Summary of the HIPAA Security Rule. Retrieved March 30, 2014 from http://hhs.gov/ocr/privacy/hippa/understanding/srsummary.html

Gardner, L. A., & Sparnon, E. M. (2014). Work-arounds slow electronic health record use: a slow transition to electronic records creates a safety hazard. American Journal of Nursing, 114(4), 64-67.

Filipova, A. A. (2013). Electronic health records use and barriers and benefits to use in skilled nursing facilities. CIN: Computers, Informatics, Nursing, 31(7), 305-318.

HIPAA and Information Technology

HIPAA of 1996

States that after leaving an employer, health insurance coverage will continue.

Provides guidelines related to health information being sent electronically.

www.cdc.gov/mmwr/preview/mmwrhtml/m2e411.htm

Who is covered?

Healthcare providers
Health plans
Healthcare clearinghouses

www.hhs.gov/ocr/privacy/

Important dates

April 14, 2001 - HIPAA became effective

August 14, 2002 - HIPAA was modified

April 14, 2003 - Healthcare entities must be in compliance with regulations

www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

HIPAA Privacy Rule

Protects the privacy of individually identifiable health information.

Enforced by the Office for Civil Rights.

www.hhs.gov/ocr/privacy/

Three parts: Privacy Rule

Federal protection. Health information is protected. Health information can be shared to assist in providing care or for insurance benefits.

www.hhs.gov/ocr/privacy/

Three parts: Security Rule

Administrative, physical, and technical safeguards.

www.hhs.gov/ocr/privacy/

Three parts: Breach Notification Rule

To assure confidentiality, integrity, and availability of health information.

www.hhs.gov/ocr/privacy/

References

Centers for Disease Control. (2003). HIPAA privacy rule and public health. Retrieved March 30, 2014 from www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

US Dept of Health & Human Services. Health information privacy. Retrieved March 30, 2014 from www.hhs.gov/ocr/privacy/

Thank you for watching.
