1 HIPAA at UCONN: Protecting Health-Related Information in Educational Settings University of...

transcript

HIPAA at UCONN: Protecting Health-Related Information in Educational

SettingsUniversity of Connecticut

October 4, 2007

Health Insurance Portabilityand Accountability Act of 1996

(HIPAA)

Public Law 104-191Designed to:

• assure health insurance portability

• reduce health care fraud and abuse

• guarantee integrity and confidentiality of health information

• improve the operations of health care systems and reduce administrative costs

Establishes:

• Standards for privacy

• Standards for security of health data

• Standards for eight electronic transactions and the code sets to be used in those transactions

• Unique health identifiers

HIPAA Applicability and Scope

Everyone in healthcare and health-related fields is impacted by this law in some way:

Payers Providers

Members Employers

Clearinghouses Billing agents

Volunteers Vendors

Service organizations

Who must comply? (aka-who does HIPAA apply to?)

• Health PlansHealth Plans

• ClearinghousesClearinghouses

• ProvidersProviders, if they conduct covered electronic transactions (or have someone conduct them on their behalf)

• Employers who act as providers or health plans or who simply choose to comply

• Other organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)

“COVERED ENTITIES”

– Health Care Providers (physicians, nurses, allied health practitioners, counselors)

– Health Care Facilities (hospitals, clinics)

– Health Plans (HMOs, insurers)

– Health Information Clearinghouses

UCONN is a “Hybrid Entity”

Covered components:

– Student Health Services

– Speech & Hearing Clinic

– EMS/Fire (within Public Safety) as first responders

– Nayden Physical Therapy Clinic

Health Insurance Portability and Accountability Act of 1996Health Insurance Portability and Accountability Act of 1996

TransactionsTransactions Code SetsCode Sets IdentifiersIdentifiers

Insurance Portability

AdministrativeSimplification

Fraud and AbuseMedical Liability Reform

Title ITitle I Title IITitle II Title IIITitle III Title IVTitle IV Title VTitle V

PrivacyPrivacy SecuritySecurity Electronic Data

Electronic Data

Tax RelatedHealth Provision

Group HealthPlan Requirements

RevenueOff-sets

The 4 components in HIPAA Title II are:

Health Insurance Portability and Accountability Act of 1996Health Insurance Portability and Accountability Act of 1996

PrivacyPrivacyTransactions & Code Sets

Transactions & Code Sets SecuritySecurity IdentifiersIdentifiers

HIPAA Privacy Rule

(Regulations)

Privacy Regulation Application

The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form:

Electronic Oral Written Faxed etc.

A Look At Privacy

The Privacy Regulation includes:

• Client/Patient rights• Regulatory authorizations for treatment, payment and

health care operations• Minimum necessary for intended use• Business Associate requirements• Required authorizations• Review processes, restriction requests, and correction

process

What information is protected by the HIPAA Privacy Rule?

Individually Identifiable Health Information (IIHI)

Any health information that is created or received by a health care provider, health plan, clearinghouse or an employer

– Identifies the individual

– Provides a reasonable basis to believe that the information can be used to identify the individual

– Pertains to the health of an individual

– Pertains to the provision of or payment of healthcare to an individual.

Protection of PHI

What is PHI? (Protected Health Information)– Individually identifiable health information--IIHI:

(relating to past, present, future health care or payment for health care)

ORALWRITTENELECTRONIC

– but NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption)

– and NOT employee IIHI in the hands of the Employer (HIPAA exemption)

• Name

• Address; street, city,county, zip code

• Social security number

• Birth date

• Account number

• Name of employers

• Telephone/Fax numbers

• Electronic mail addresses

• Names of relatives

• Any other unique identifying number or code that could be used to identify an individual(applies to a small cell)

Scope of data coveredHIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information:

Privacy Applicability and Scope

• Does not preclude stricter state standards that apply to certain types of information (preemption)

• Makes no distinction about the presumed sensitivity of information Demographic info should be treated the same as clinical info

• Protects the information itself, not the physical record, regardless of where the information appears

Records not covered by HIPAA Privacy Rule

Employment Records

• FMLA certifications• ADA disability/accommodation records• Attendance/sick leave records• Employment physicals• Workers’ Compensation records• Enrollment/disenrollment/COBRA records

Records not covered by HIPAA Privacy Rule

Student Records The definition of protected health information

(PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludesexcludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).

FERPA provides privacy protections for student health records held by federally funded educational institutions.

HIPAA Excludes FERPA

“We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records.”

U.S. Department of Health and Human

Services,65 Federal Register 82,483 (December

28, 2000)

FERPA (not HIPAA) protected records

• Student immunization/medical history records

• Student disability/accommodation records

• Student health clinic/counseling records

• Student health insurance enrollment/disenrollment information submitted by student to University

Requirements to Protect Privacy

• No set, specific requirements

• No clear consensus in higher ed on what is needed

• No court decisions on third party breach

• Administrative Safeguards:Administrative Safeguards: (Processes, procedures, training, Risk Analysis)

• Physical Safeguards:Physical Safeguards:(Facility, workstations, etc.)

• Technical Safeguards:Technical Safeguards:(Access, audit control, data integrity, etc.)

A Look At Privacy

The Privacy Regulation includes:

• Client/Patient rights• Regulatory authorizations for treatment, payment and

health care operations• Minimum necessary for intended use• Business Associate requirements• Required authorizations• Review processes, restriction requests, and correction

process

Some Administrative Requirements

• Notice of Privacy Practices • Individual Rights• Business Associate Agreements

• First Date of Service• Acknowledgment

Notice of Privacy PracticesStudent Health Services

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU

MAY BE USED AND DISCLOSED BY THE UNIVERSITY OF CONNECTICUT STUDENT HEALTH SERVICES AND HOW YOU CAN

GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

We understand that information about your health and program is personal. We are committed to protecting your health information. When you register, we create a file for care and services you will receive from Student Health Services. We use this record to provide you with quality services and to comply with certain legal requirements. This notice applies to all of the information maintained by the Student Health Services about services for you. Other providers of service may have different policies or notices regarding the information they maintain about your health. This notice will explain the ways in which we use and disclose your protected health information (PHI). We also describe your rights and certain obligations we have regarding the use and disclosure of your PHI. The law requires us to:

Make sure that any of your PHI is kept private; Give you this notice of our legal duties and privacy policy practices with respect

to your PHI; and Follow the terms of the notice that is currently in effect.

The effective date of this notice is: April 14, 2003 YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU You have the following rights regarding health information we maintain about you: Right to Inspect and Obtain a Copy: You have the right to inspect and obtain a copy of health information that we maintain about you in your medical record. Usually, this includes health and billing records but does not include psychotherapy notes or certain information subject to the Clinical Laboratory Improvement Amendments of 1988. To inspect and obtain a copy of health information we may maintain about you, you must submit your request in writing to the Privacy Officer at Student Health Services - 234 Glenbrook Road, Unit 2011, Storrs, CT 06269-2011. If you request a copy of the information, we may charge you a small fee for the costs of copying, mailing or other

Basic Individual Rights

• Right to privacy of PHI– Treatment, Payment, Health Care Operations

Uses– Specified disclosures allowed (public health,

subpoenas, etc.)– Other disclosures with authorization

• Individual right to access, amendment, accounting

• Individual right to request restricted communications and uses/disclosures

Business Associate Agreements

• Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entity

• Agreement must ensure business associate’s compliance with HIPAA Privacy Rule

Other Administrative Requirements

• Designate a Privacy Officer• Create policies and procedures• Provide privacy training• Provide a means for individuals to

lodge complaints• Process for responding to complaints

Other Administrative Requirements (cont’d)

• Administrative, technical, and physical safeguardssafeguards to protect PHI

• Maintain HIPAA documentation for 66 years

• SanctionsSanctions for HIPAA privacy violations• MitigateMitigate harmful effects from

violations• Avoid retaliation or waiver of HIPAA

rights

Authorization

• Obtain an authorization when appropriate

• Usually a customized document

• Used for specified purposes, other than TPO

• Covers only the PHI for uses and disclosures specified in the authorization

• Required for uses and disclosuresuses and disclosures of PHI not otherwise allowed by the rule

Uses Requiring Authorization

• Marketing• Insurance pre-enrollment

activities• Employer/uses for

employment• Fund raising• Other uses not exempted by

these rules

Uses & Disclosures Exceptions -- TPOTPO

• TTreatment• PPayment• Health Care

OOperations

“Health Care Operations”

• Quality assessment/improvement• Determining clinical privileges• Reviewing plan performance• Insurance rating, underwriting, etc.• Medical review and auditing• Fraud and abuse detection• Compiling PHI for legal proceedings

Other Permissible Uses Without Consent

Based on capacity or authority

Public health activities Health care oversight Judicial/administrative

proceedings Coroners/medical examiners Law enforcement, banking, or

payment Research, emergencies, and next

of kin

“Minimum Necessary”

• Only disclose the PHI needed to accomplish a function

• Case-by-case determination• Designated decision maker• Exceptions for:

– DHHS access– plan audit and “as required by law”

Why Should You Care?

Civil penalties for improper PHI disclosure:– $100 per day, up to $25,000 per year for

identical violations– Penalty may be avoided if disclosure

was for reasonable cause, not willful neglect

Criminal Sanctions

Criminal penalties for knowing wrongful disclosure of PHI:– Fine of not more than $50,000/imprisonment

for one year/both– If committed under false pretenses, fine of not

more than $100,000/imprisonment for not more than five years/both

– If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both

The Bottom Line . . .

• Know Your Permitted Uses and Disclosures of PHI

• Limit Access/Disclosure to Permitted Group• Safeguard PHI• Keep PHI Out of Employment-Related

Actions and Decisions

• most importantly…

Don’t be afraid to ask Don’t be afraid to ask questions!questions!

Questions?

Rachel Krinsky Rudnick, JD, CIPP

University Privacy OfficerOffice of Audit, Compliance &

Ethics(860) 486-5256

rachel.krinsky@uconn.edu

HIPAA Security Awareness Training

Elaine David, Director of IT Security, Policy & Quality

Assurance

HIPAA SECURITY AWARENESS TRAINING

HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information.

These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.

HIPAA Security Rule Requirements:o Administrative Safeguardso Physical Safeguardso Technical Safeguards

Administrative Safeguards:o Security Management (Risk Analysis, Sanctions,

Activity Review)o Workforce Securityo Access Managemento Awareness & Trainingo Incident Response & Reportingo Business Associate Contractso Evaluation of Compliance

Physical Safeguards:o Facility Access controlso Workstation Acceptable Use &

Responsibilityo Workstation/Server and Mobile Systems

securityo Device and Media Control Security

Technical Safeguards:o Access controls (e.g. unique id, password

structure, firewall use, wireless access, remote access, etc.)

o Security Audit controlso Authenticationo Transmission security

Compliance with HIPAA Security Rule:

Development and dissemination of many security and data policies.

See http://itpolicy.uconn.edu or http://policy.uconn.edu

What is information security?The steps taken to protect the confidentiality, integrity and availability of our information resources.

Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information.

Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc.

Availability: assurance that computer resources are available when we expect them to be.

What is security awareness?oRecognizing the various types of security issues; oKnowing how to prevent a breach; oKnowing how to react to a breach.

Good Computing Practices - Safeguards for Users

#1: Passwords: - Choose your password carefullyo Use at least 8 characterso Do not use repetitive characterso Combine alpha, numeric and non-alpha numeric

characters, upper and lower-caseo Do not base password on familiar words or

words/names that can be associated with youo Choose one that is easy to remember and easy to type

#1: Passwords cont.: Keep your password safe

Securely file or destroy paperwork that includes user-id and password information.

Do not post, write or share passwords with anyone

#2: Control Access to Confidential Information o Use a Password protected screensaver for

your workstation (on-site, laptop, home, etc.)o Lock your screen

o For a PC: <crtl> <alt> <delete> <enter>o For a MAC:

o Configure a screensaver with your password; Create a shortcut to activate screensaver

o Use a password to start up or wake-up your computer

o Always log off shared workstationso If you don’t log off, someone else could use your ID to illegally

access confidential information

#2: Control Access to Confidential Information cont

o Just say “No” when a program ask: “Do you want me to remember your password?”

o When your password is saved on your hard drive, it makes you and your data vulnerable to hackers who can steal you Password.

#3: Physical Access Protect your computer, laptop, PDA, electronic

media from being stolen or accessed by others Secure computers with a lockdown cable Store backup media safely and separately from the equipment Don’t leave portable devices unattended, even for a moment

#4: Anti Virus o Make sure your computer has antivirus and

all necessary security patcheso See http://antivirus.uconn.edu

o Schedule and run regular virus scans of all your files

o Always close “pop-ups” when they solicit a response to advertisements or other messages

o Click the “x” box to close the pop-up ado Clicking “no” is the same as “yes” and allows the virus or

hacker access to your computer

#5: Data Backup and Restorationo Make backups a regular tasko Back up data to your department’s secure server or

store on removable mediao Store backup media safely and separately from the

equipmento Test that backup data can be restored if necessary

#6: Operating System and Network Applications

Update operating systems and network applications of your computers with current patches

See http://security.uconn.edu/guides/windowsupdate.html

#7: Information Security Use good judgment about the amount of confidential

data that you store on university-owned or personally-owned devices

delete files containing confidential data from devices as soon as they are no longer needed

Use encryption for transmitting and storing confidential data

http://tss.uconn.edu/Public/fileencrypt/fileencryptionwindows.htm http://tss.uconn.edu/Public/fileencrypt/fileencryptionmac.htm

#7: Information Security – cont

Ensure that your computer and other devices are wiped clean of all confidential data using the University’s procedures before being surplused or redeployed to another individual.

See http://itpolicy.uconn.edu/policydocs/datawipe.html

#8: Email Practice safe emailing

Do not open, forward or reply to suspicious emails Keep your inbox “preview pane” closed to prevent

certain types of malicious code from executing Turn off the “Automatic download HTML graphics”

and “Display graphics in messages” options Delete spam Don’t open email attachments or click on website

addresses without being certain of their safety.

#8: Email cont

Be Aware: Email is NEVER 100% secure

Do not use email to send, receive or store confidential information unless required by your job

Always limit the amount of confidential information sent by email to the minimum necessary

Never send, reply or forward UConn confidential information from a non UConn email account

#9: Computer Security o Don’t install unknown or unsolicited programs on

your computeo Do not install any programs on your University

computer that are not authorized by your department and licensed to use on a University computer

o Be cautious about installing any unknown or unsolicited program on any computer that is used with confidential data.

#10: Mobile Devices o Maintain the tracking number for the mobile device in a

safe location.o This will assist police in locating the device in case of

loss or thefto Only use devices that can restrict access by way of a

password or other authentication method o Enable all security features the device may haveo Remove all Personal Identifiers when possibleo If you use a mobile, wireless device for backup then

encrypt all sensitive data and store separately.o When available, always save and store to a secure

server.

#11: Reporting Security Incidents/Breach o What to Report:

o Lost or stolen devices especially if they contain confidential data

o Erratic computer behavior or unusual email messages to your department manager, department IT resource, or UITS Help Center

o Suspected issues or incidents to a manager or Security Office

#11: Reporting Security Incidents/Breach cont

o Loss of Equipment o Report lost or stolen laptops, Blackberries, PDAs, cell

phones, flash drives, etc. to the UCONN Police Department

#11: Reporting Security Incidents/Breach cont

o Other Security Incidents/Breacheso Your Supervisor/Managero Your Department’s IT persono Privacy Office (Rachel Krinsky Rudnick):

o (860) 486-5256

o Security Office (Elaine David): o security@uconn.eduo (860) 486-8255

o UITS Help Centero helpcenter@uconn.eduo (860) 486-4357

What about paper records?

Important to consider not only electronic records, but paper records as well.

See: Best Practice Office Procedures for Dealing with Confidential and Registered Confidential Data

http://itpolicy.uconn.edu/uconngsr/bestprac.html

Paper Records: Limit sign-in sheets to first name only. Do not post lists containing confidential information. Remove confidential data from reports where it is not required. Shred or store securely for shredding all reports no longer required that contain confidential. Account for any lists, records and reports containing confidential information.

What Does What Does HIPAA Mean for HIPAA Mean for

UConn?UConn?The UConn Speech & The UConn Speech &

Hearing Clinic is Hearing Clinic is “HIPAA-tized”“HIPAA-tized”

Clinic Operations Clinical Education

HIPAA’s Impact

Brief HistoryBrief History University of Connecticut Speech & Hearing Clinic – University of Connecticut Speech & Hearing Clinic –

began in the late 1940’s to support clinical training of began in the late 1940’s to support clinical training of students becoming speech-language pathologists and students becoming speech-language pathologists and audiologistsaudiologists

1976 – began to charge fees for services provided; billed 1976 – began to charge fees for services provided; billed

through a clearinghousethrough a clearinghouse

2001 – determined to be2001 – determined to be a HIPAA covered entity a HIPAA covered entity because billing was managed electronicallybecause billing was managed electronically

Getting ready for the Getting ready for the Privacy RulePrivacy Rule

Confidentiality practices in the clinic were always Confidentiality practices in the clinic were always governed by the standards set forth by the American governed by the standards set forth by the American Speech-Language-Hearing AssociationSpeech-Language-Hearing Association

Released information only when given permission by the Released information only when given permission by the clients except in specific situations clients except in specific situations

Discussions about clients and their communication Discussions about clients and their communication disorder were limited to conferences with other disorder were limited to conferences with other professionals related to client care AND to clinical professionals related to client care AND to clinical teachingteaching

Forbidden to remove files from the Speech & Hearing Forbidden to remove files from the Speech & Hearing Clinic (ACLU influence)Clinic (ACLU influence)

Safeguards pre-HIPAASafeguards pre-HIPAA Depended on students, clinical service providers, and Depended on students, clinical service providers, and

staff to uphold the ASHA Code of Ethicsstaff to uphold the ASHA Code of Ethics Sanctions built in when violations to the Code Sanctions built in when violations to the Code

occurred, but only applied to persons who were occurred, but only applied to persons who were affected by the Codeaffected by the Code

ASHA issued sanctions and the process is lengthy and ASHA issued sanctions and the process is lengthy and cumbersomecumbersome

• Dependent on students and clinical service providers Dependent on students and clinical service providers to use good judgment to determine whether they were to use good judgment to determine whether they were maintaining confidentialitymaintaining confidentiality

From August 2001 until From August 2001 until April 14, 2003April 14, 2003

Conduct gap analysis – where were the gaps between Conduct gap analysis – where were the gaps between what we were doing and what we needed to do to what we were doing and what we needed to do to comply with the Privacy Rule of HIPAA?comply with the Privacy Rule of HIPAA?

Examples of gaps: PHI visible on the secretary’s Examples of gaps: PHI visible on the secretary’s computer and computer was easily viewed; PHI released computer and computer was easily viewed; PHI released to school systems as the payer of servicesto school systems as the payer of services

Prepare a budget of what it would cost to become Prepare a budget of what it would cost to become compliantcompliant

Develop a plan of how to proceedDevelop a plan of how to proceed

State of Connecticut DoIT’s roleState of Connecticut DoIT’s role

Highlights of the process Highlights of the process toward compliance with the toward compliance with the

Privacy RulePrivacy Rule Upgrade the clinic lobby to insure that personal health Upgrade the clinic lobby to insure that personal health

information (PHI) was protectedinformation (PHI) was protected

Create a comprehensive Policy and Procedures Manual Create a comprehensive Policy and Procedures Manual that detailed the Clinic’s implementation of HIPAAthat detailed the Clinic’s implementation of HIPAA

Create a Notice of Privacy Practices and a procedure for Create a Notice of Privacy Practices and a procedure for disseminating this information (translated into Spanish)disseminating this information (translated into Spanish)

Create a new set of forms and procedures for Create a new set of forms and procedures for documentation all relevant aspects of HIPAA to the care documentation all relevant aspects of HIPAA to the care of clients with communication disordersof clients with communication disorders

More highlights…More highlights… Devise a training tool for all students and anyone having Devise a training tool for all students and anyone having

contact with clients and client records. Issue a contact with clients and client records. Issue a “certificate” following training that students take with “certificate” following training that students take with them.them.

Issue Business Associate Agreements with all vendors Issue Business Associate Agreements with all vendors and unions with whom we have contractsand unions with whom we have contracts

Gain an office that is self-containedGain an office that is self-contained

New Speech & Hearing New Speech & Hearing Clinic OfficeClinic Office

Security RuleSecurity Rule Compliance date: April 17, 2005Compliance date: April 17, 2005

Risk analysis revealed numerous compliance issues: transmission Risk analysis revealed numerous compliance issues: transmission and storage of electronic data, building’s wireless capability and and storage of electronic data, building’s wireless capability and students’ access to that, encryption (and lack of), computer students’ access to that, encryption (and lack of), computer accessibilityaccessibility

Plan put into place; work closely with UITS and CLAS computer Plan put into place; work closely with UITS and CLAS computer support teams. Budget and ways to cover the costs of becoming support teams. Budget and ways to cover the costs of becoming compliant.compliant.

Procedures for closing out computer access for students and others Procedures for closing out computer access for students and others when they leave the programwhen they leave the program

HIPAA’s impact on clinical HIPAA’s impact on clinical educationeducation

Students are provided with a model of the Students are provided with a model of the implementation of HIPAA Rulesimplementation of HIPAA Rules

HIPAA training and certificates are often recognized by HIPAA training and certificates are often recognized by the host facility when students go to off-campus the host facility when students go to off-campus practicum sitespracticum sites

Increased awareness of the procedural nature of Increased awareness of the procedural nature of maintaining privacy; documentationmaintaining privacy; documentation

Outcomes for students…Outcomes for students… Awareness of consequences of non-compliance both at Awareness of consequences of non-compliance both at

federal and local levelsfederal and local levels When files are removed from the building, the When files are removed from the building, the

infraction is now treated and reported as “theft”infraction is now treated and reported as “theft”

Increased understanding about PHI and need for Increased understanding about PHI and need for complying with procedures intended to protect complying with procedures intended to protect information and confidentialityinformation and confidentiality

• Exposure to the model of HIPAA implementation that Exposure to the model of HIPAA implementation that is similar to other settings where they will beis similar to other settings where they will be

What it has meant…What it has meant…

Increasing vigilance to maintaining PHIIncreasing vigilance to maintaining PHI

- - ensuring that PHI does not exist on hard drives, on reports that ensuring that PHI does not exist on hard drives, on reports that students might use for models to write their own reportsstudents might use for models to write their own reports

- clinicians’ compliance with maintaining confidentiality- clinicians’ compliance with maintaining confidentiality Increasing amounts of paperIncreasing amounts of paper Increasing amounts of time spent in training, Increasing amounts of time spent in training,

monitoring, and updatingmonitoring, and updating Increasing operating expenses as a resultIncreasing operating expenses as a result

Also has meant…Also has meant… Development of a Business Continuity Plan as part of Development of a Business Continuity Plan as part of

complying with the Security Rulecomplying with the Security Rule

Increased vigilance in making sure that the release of Increased vigilance in making sure that the release of any information has been authorized by the client and/or any information has been authorized by the client and/or the designeethe designee

An entirely new vocabulary!An entirely new vocabulary!

UConn Speech & Hearing Clinic is regarded as a model UConn Speech & Hearing Clinic is regarded as a model of implementation among similar training programsof implementation among similar training programs

• Procedural safeguards have been prescribed and are clearly defined

• Client records provide a rich database; OK to use the data as long as the client has been “de-identified” (meant, too, that researchers and teaching faculty had to go through HIPAA training)

•Installation of a scheduling system that was HIPAA compatible for storing client information

•Installation of a server that was dedicated to clinic operations; increased efficiency in backing up data regularly

Service providers became more HIPAA-savvy consumers!

HIPAA AT STUDENT HEALTH SERVICES

JANE DESROSIERS, RHITINFORMATION COORDINATOR

PRIVACY OFFICEROctober 2007

STUDENT HEALTH SERVICESWho are we? What do we do?

We are the “Hospital” for our students and also for employees who have been injured on the job.

Our 2006 – 2007 service numbers• Advice Nurse 13,471 visits to 7076 patients

• Primary Care 13,169 visits to 7085 patients

• Women’s Clinic 3,508 visits to 1892 patients

• CMHS 7,487 visits to 1289 patients

• Other Areas 2290 visits to 1005 patients

• More than 25,000 individual patient records

PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES

• Prior to 2003• Physical renovations, new wiring, installing card

accessible lock systems for file rooms, doors for patient check-in windows.

• Creation of Notice of Privacy Practices & Policies

• Staff training, both permanent and student staff

• “HIPAA – tizing” forms and procedures

• Determining Business Associates & Agreements

• Communicating to UCONN Departments

• Paper, Paper, Paper!

PRIVACY - HIPAA IMPACT ON STUDENT HEALTH SERVICES April 2003 & Beyond

• Distributing NPP to all of our patients!• Continuing with education updates to new and

seasoned staff• Enforcement of HIPAA policies for release of

information, who gets what and how• Providing HIPAA course to all students in Allied Health,

Nursing, Pharmacy, Physical Therapy prior to their Clinical site study.

• IRB (Independent Review Board) approves all Drug Study trials.

• Paper, Paper, Paper!

SECURITY - HIPAA IMPACT ON STUDENT HEALTH SERVICES

Prior to 2005• Risk assessment performed to identify security

vulnerabilities

• Security awareness training

• Workforce clearance procedures for access to electronic PHI

• Servers moved from SHS building to UITS server farm

• Physical Security (theft)

• Data Security (firewall)

• Data backup and backup storage

Prior to 2005• Created isolated environment to test

applications before using in production

• Data disposal policies & procedures

• Automatic log-off/password protected screensaver procedures

2005 & Beyond• Vigilance to continue with recommendations

of the risk assessment.

HIPAA IMPACT ON STUDENT HEALTH SERVICES

And now……• Any violations?

• Over 2200 complaints have been logged with DHHS

• Where are the HIPAA police?• 7 staff members of DHHS were appointed to

“police” the HIPAA regulation

How HIPAA Changed My LifeHow HIPAA Changed My Life

Jeffrey M. Anderson, MDJeffrey M. Anderson, MD

Director of Sports Medicine ServicesDirector of Sports Medicine Services

University of ConnecticutUniversity of Connecticut

Student Health Services/Division of AthleticsStudent Health Services/Division of Athletics

How Does HIPAA Affect Me in How Does HIPAA Affect Me in the Patient Room?the Patient Room? Truth is, it really doesn’tTruth is, it really doesn’t Privacy has always been a hallmark of Privacy has always been a hallmark of

the physician-patient interactionthe physician-patient interaction My relationship with my patient My relationship with my patient

depends on my discretion, whether the depends on my discretion, whether the law dictates it, or not.law dictates it, or not.

Its real impact…Its real impact…

How Does HIPAA Affect the How Does HIPAA Affect the UConn Student-Athlete?UConn Student-Athlete? Information to athletic trainersInformation to athletic trainers

Information to strength and conditioning Information to strength and conditioning coachescoaches

Information to sport coachesInformation to sport coaches

Information to parentsInformation to parents

Information to the mediaInformation to the media

Consent for Disclosure of Consent for Disclosure of Protected Information Protected Information Signed each year by every student-athleteSigned each year by every student-athlete

Information related to the student-athlete’s Information related to the student-athlete’s ability to train, practice, and competeability to train, practice, and compete

Nature and type of injury/illness, duration of Nature and type of injury/illness, duration of expected recovery, treatment methods, and expected recovery, treatment methods, and related rehab progressrelated rehab progress

Essential to the protection of the student-Essential to the protection of the student-athlete’s health while participating here.athlete’s health while participating here.

HIPAA and Media InteractionHIPAA and Media Interaction

HIPAA can actually be helpful in this HIPAA can actually be helpful in this areaarea

Does affect sideline discussionDoes affect sideline discussion Interaction is entirely mediated by Interaction is entirely mediated by

Athletic CommunicationsAthletic Communications Official releases written by them and Official releases written by them and

approved by both the student-athlete approved by both the student-athlete and the head coachand the head coach

1 HIPAA at UCONN: Protecting Health-Related Information in Educational Settings University of...

Documents