HIPAA PRIVACY 101 Orientation for the University of Maryland Dental School and U.M. FDSP

Date post: 04-Dec-2014

Health Insurance Portability and Accountability Act of 1996

An act that sets standards for national electronic health data systems.

Simplifies submission of electronic insurance claims.

Section 264: Contains privacy provisions covering the transmission, uses, storage and disclosure of health information. Electronic databases increase the risk of invasion of privacy.

HIPAA – How do we prepare?

Health and Human Services expects us to do what is REASONABLE, but reasonable has not been defined by the court. We must be compliant with privacy regulations by April 14, 2003.

HIPAA Glossary of Terms

HIPAA: Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191)
IIHI: Individually identifiable health information
OCR: Office for Civil Rights
PHI: Protected Health Information
HCFA: Health Care Financing Administration
TPO: Treatment, payment, operations

“PHI”

Protected health information includes any information that:

1. Relates to the health of the individual and …
2. Can be used to identify the individual but …
3. Does not include education records covered by the Family Educational Rights and Privacy Act (FERPA)

PHI includes:

• Name
• Address (except first 3 digits of Zipcode)
• Birthdate, and some limits on age
• Telephone & FAX number
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Vehicle ID and serial numbers
• Device ID and serial numbers
• Web addresses
• Internet Protocol address numbers
• Biometric IDs
• FULL FACE PHOTOGRAPHS
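As an added example (not from the orientation deck), a small Python helper that applies this slide's identifier list to a constructed patient record: it drops the listed identifier fields, keeps only the first three digits of the ZIP code, and reports any listed identifier still present so a record can be checked before it leaves treatment, payment or operations. The field names, record layout and sample record are assumptions; the slide does not state the age limit, so no age rule is implemented.

```python
"""Constructed de-identification helper; not part of the orientation deck.
Removes the identifier fields listed on the PHI slide and keeps only the
first three digits of the ZIP code (the slide's address exception)."""
import re

# Field names are assumptions for a hypothetical record layout; each one
# mirrors an identifier type listed on the slide.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "birthdate", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "full_face_photo",
}


def truncate_zip(zip_code: str) -> str:
    """Keep only the first three digits of a ZIP code; return "" if fewer."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] if len(digits) >= 3 else ""


def deidentify(record: dict) -> dict:
    """Return a copy of record without listed identifiers and with ZIP truncated."""
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the identifier entirely
        if key == "zip":
            cleaned["zip3"] = truncate_zip(str(value))
        else:
            cleaned[key] = value          # clinical fields are kept as-is
    return cleaned


def residual_identifiers(record: dict) -> set:
    """Listed identifier fields still present: an audit check before sharing."""
    return DIRECT_IDENTIFIERS & set(record)


# Constructed sample record, not a real patient.
SAMPLE = {
    "name": "Jane Example", "street_address": "1 Sample St",
    "zip": "21201-1234", "birthdate": "1970-01-01", "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "procedure_code": "D0120", "visit_year": 2003,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
    print("residual identifiers:", residual_identifiers(deidentify(SAMPLE)))
```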

Examples of PHI used at the Dental School:

1. Patient dental records
2. Dental bills
3. Routing control forms
4. Receipts
5. Doctor appointment schedules
6. X-rays with name/medical record number/social security number, etc.
7. Laboratory prescriptions, including prescriptions for dental prostheses (crowns, partials, dentures, etc.)
8. Insurance forms


PENALTIES FOR NON-COMPLIANCE WITH HIPAA

$100 fine per day for each unmet standard. (Up to $25,000 per person, per year, per standard.)

$50,000 fine + one year in prison for improper disclosure of health information.

$100,000 fine + five years in prison for obtaining health information under false pretenses.

$250,000 fine + ten years in prison for using health information for personal gain.

Sanctions policy

We are required by law to sanction students, staff and faculty who violate HIPAA regulations.

Disciplinary action (up to and including termination or student dismissal) may result from a violation of our HIPAA policies and procedures.


“Real Life” Examples of Privacy Breaches

Documents referring to over 125 psychiatric patients of a hospital were found in a convenience store trashcan. A medical student had taken papers outside of the hospital and dumped them in the trash. The documents included lists of patients in the psychiatric unit and their diagnoses.

Doctor’s staff looked up employee’s medical record to learn about her birthday so they could throw her a surprise birthday party. Employee’s medical record contained many sensitive details previously unknown to the staff.


Other examples of violations

Giving a former student the name, phone number, and chart information of a possible board patient.

Telling a friend that someone is a patient at the Dental School.

Talking about patients in the hallway or elevator.

Disclosing that someone is your patient in a situation that is not related to the patient’s treatment (e.g., telling others about famous people you treat in your practice).

HIPAA grants all patients these rights. We must have processes in place to facilitate these rights by April 14, 2003:

• Receive Notice of Privacy Practices
• See and obtain copy of own health and billing records
• Request corrections to health information
• Obtain accounting of disclosures
• Request restrictions and confidential communications
• Name a personal representative
• File complaints

Right to Receive Notice of Privacy Practices

Each patient will be given a Notice of Privacy Practices (NPP) at the first treatment encounter after April 1, 2003.

The NPP will tell our patients:

• Types of uses and disclosures we make
• Their patient rights
• How they may register a complaint

The NPP must also be posted in each clinic.

The patient will sign indicating they have received the notice.


Patient Acknowledgment of Receipt of NPP

A “good faith” effort must be made to get the patient’s written acknowledgment that they received the NPP at the first treatment encounter.

If we cannot get the acknowledgment, we must document our “good faith” efforts to obtain the acknowledgment. Simply place a note in the chart that the patient refused or forgot to sign the acknowledgment, but the patient was given the NPP.

We must keep a record of the acknowledgment (or our effort to obtain one) for at least six years. This is accomplished by placing the acknowledgment or note about our efforts to get an acknowledgment in the written chart. Written charts of the Dental School are kept for seven years before they are destroyed.


Right to Request Access and Copying of PHI

Right to access and copy generally applies only to PHI in the medical record or billing record.

Timely action: Access must be provided no later than 30 days after receipt of request; copies must be provided no later than 21 working days after receipt of request.

We can deny access with reason. We may charge for copying PHI unless prohibited by federal or state law, or a commercial contract. We charge $15.00 to copy a dental record, with additional charges for radiographs.

All requests must go through the Office of Clinical Affairs. Do not duplicate records in individual clinics.

Right to Request Amendment of PHI

Applies only to PHI in a dental, medical or billing record.

Requests may be denied if:

• PHI was not created by us (unless the originator is no longer available to receive the request to amend)
• PHI is not part of medical record or billing record
• Records at issue are no longer available, or PHI is already accurate and complete.

Denials must be in writing, and must give basis for denial.

Right to Request an Accounting of Disclosures

Individuals have a right to receive an accounting of some disclosures made after April 14, 2003 by the Dental School.

No accounting is required for disclosures made:

• For treatment, payment or health care operations purposes
• To the individual
• Incidentally to treatment, payment or health care operations disclosures
• Based on a valid written authorization
• For certain other law enforcement, national security and disaster relief effort purposes, or
• Prior to April 14, 2003.


Right to Request Restrictions on Uses and Disclosures

We must permit requests to be made, but need not grant all requests.

Even if a request is granted, an “emergency exception” will allow disclosures as needed to provide emergency treatment.

Right to Request Alternative Channels of Communications

Alternative channels include, for example, calling a patient at an alternate phone number or mailing information to an alternate location.

Reasonable requests for alternative channels of communications will be granted, and the patient must not be asked the reason for the request.

The computer system and written record will indicate that we have honored this request.


Right to Name a personal representative

This is not the same as power of attorney, which takes a court order. These individuals cannot consent for treatment.

Please note in the written record the name of the personal representative or have the patient fill out a form naming a personal representative. The patient can name a personal representative verbally or with written notice.


Right to Submit a Complaint

Individuals have a right to complain about the privacy policies and procedures directly to the Dental School, or to the federal Department of Health and Human Services.

We must:

• Investigate the complaint in a timely manner and inform the patient of the findings and actions, if any.

• Take appropriate actions against members of our workforce who do not follow our privacy policies and procedures.

• Minimize, to the extent possible, any harmful effects of unauthorized or accidental uses or disclosures.

• Not intimidate, threaten, coerce or otherwise retaliate against anyone who files a complaint or exercises any of their other rights under the HIPAA Privacy rules.

New procedures

“Minimum necessary” is the buzz phrase for PHI – only request what is needed, and only disclose what is needed. “Minimum necessary” varies according to a person’s job. A receptionist does not need to know all the details of a patient’s medical history to do his or her job.

We cannot disclose PHI to the portions of the Dental School not involved with patient care. We must ensure this does not happen, as part of our hybrid entity status.

New procedures

Patient requests for amendments will go through the PCCs. They will also receive complaints about privacy practices. The Office of Clinical Affairs will investigate.

Restrictions on disclosures will go through the business managers, as will requests for a list of disclosures.

Dr. Atkinson is the chief privacy officer; Mr. Wong is in charge of electronic and computer security.

We must keep all of the written requests and our responses for six years.


Covered entities may use & disclose health information only:

For treatment, payment, and health care operations (TPO). This includes education, as it is a function of our operations. This is a use, not a disclosure.

To a business associate with whom we have an agreement.

After an opportunity to agree or object through the notice of privacy practices.

Without consent for specific public purposes: public health, law enforcement, oversight, etc.

As AUTHORIZED by the individual for everything else.

Business Associates

Who is a Business Associate?

Business associates may include:

• Answering and Transcription Services
• Accountants, Lawyers, Auditors, Consultants
• Third party administrators
• Billing companies
• Collection agencies
• Collaborating researchers at other institutions (for these business associates other confidentiality agreements may be required)

Who is NOT a Business Associate?

• Health care providers when receiving PHI for treatment-related purposes (dental laboratories)
• HMOs, Health Insurers, and group health plans
• Vendors who have only incidental contact with PHI (postal workers, cleaning and repair services, and plant maintenance services)

Authorizations

A valid written authorization must contain the following:

• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event
• Individual’s signature and date
• A statement about the right to revoke
• A statement about the right to refuse to sign
• Redisclosure statement

Authorizations

Maryland law states PHI can only be authorized for disclosure for one year. This would apply to the use of a full-face photograph in a study club presentation.

A consent form for research (a clinical trial) is different from an authorization.

Patients enrolled in clinical trials after April 14, 2003 will sign both an authorization and an informed consent. In the case of research, the authorization can be longer than one year. The IRB will post an authorization form template on the Web.

A waiver for authorization for research can be granted by the IRB for retrospective studies.

Full-face photography

It is acceptable to show full-face photographs for education within your own institution. Education is one of our defined operations.

When publishing a photograph, the patient can authorize its use for multiple years to a non-HIPAA entity (such as a publisher).

The best solution is to only show the lower half of the face and limit full-face photography to when absolutely needed.


The Dental School must have appropriate physical, administrative and technical safeguards to reasonably protect PHI from any intentional or unintentional use or disclosure.

Safeguard information resources entrusted to you

• Any record checked out to you is your responsibility.

• Any paper containing PHI must be shredded, and not thrown away in the regular trash.

• Lock up any chart or any information when you leave your desk at night. Lock office and control access to office keys. Lock up appointment books.

• Unauthorized individuals should not be in areas where they can view PHI.

• Limit PHI storage in offices – the chart is more secure. Get rid of un-needed old PHI (shred it!).

Other issues

1. Conversations with patients involving sensitive PHI should occur in private areas.
2. Discussion of PHI will occur only between certified individuals and the patient or designee, provided permission is obtained.
3. Use lowered voices in clinical treatment areas.

Incidental Uses and Disclosures

Some uses and disclosures of PHI happen as a result of an otherwise permitted use or disclosure and cannot reasonably be prevented:

• Conversations that can be overheard in a waiting room, exam room or other patient accessible area
• Patient charts kept outside of exam rooms
• Appointment reminder messages left on a patient’s home answering machine
• Front Desk sign in sheets and calling out a patient’s name

Each member of the workforce must take reasonable efforts to limit uses and disclosures to the minimum necessary, but HIPAA does not require that all risk of incidental disclosure of PHI be eliminated.

Gossip is Not an Acceptable Incidental Use!


Verification Requirements for Disclosures

Verify the identity of the individual before making a disclosure.

Call to verify the FAX number before sending a FAX.

Limit the use of FAX in 3E-32 to official use. Use a cover sheet with a statement about confidentiality with any FAX containing PHI. All Faxes will be put in envelopes when received if they contain PHI.

Research

Any researcher who has conducted or is conducting IRB-approved research must do additional training (HIPAA 201). Please contact the IRB for more information.

Marketing and Fundraising are permitted … but

ONLY WITH THE AUTHORIZATION OF THE INDIVIDUAL. Either activity must be cleared by the Office of Clinical Affairs.

Electronic Data - General Guidelines

It is the responsibility of every authorized data user to maintain confidentiality of University of Maryland Dental School health information assets even if technical security mechanisms fail or are absent.

A lack of security measures to protect the confidentiality of information does not imply that such information is public.

An authorized data user who finds that he or she has retained or been inadvertently granted additional access beyond that appropriate to his or her current role should report this to his or her current department director.

Password

Passwords are the individual’s responsibility and users should not share them. All computers with PHI need password protection.

Passwords should be changed at least every ninety days.

Passwords should be at least six characters long and not easily guessed or found in a dictionary. Use of numeric digits and non-alphanumeric characters in passwords is encouraged for protection of confidential information.

Users should not write down passwords, store them on hard copy or store them locally on workstations and laptop computers.

Email usage guidelines

Do not use an off-campus or non-secure email account (e.g. AOL, Hotmail) to send, receive, forward or relay email that contains PHI.

Sharing email accounts or mail boxes on an email system is not permitted.

No employee may automatically forward mail outside of the UMB. Do not send email with PHI outside of the school / campus network if possible.

Do not originate communication with a patient or research subject via email.

“Instant Messaging” programs are not secure. They should not be used to transmit patient health information.

Email

Do not put the patient’s name, number or other PHI in the subject field.

Print out a copy of PHI-containing emails and place it in the written record.

Email disclaimer

This email may contain confidential information and may be protected by law as a legally privileged document and copyright work. Its content should not be disclosed and it should not be given or copied to anyone other than the person(s) named or referenced above. Any review, retransmission, dissemination, or other use of this information by other than the intended recipient is prohibited. If you have received this email in error, please contact the sender.

Anti-Virus

Computer Virus

OIT managed workstations will have Norton Anti-Virus software setup.

Norton Anti-Virus software may be purchased for home computer use at the front desk of Health Science Library.

Verify with sender of email if you receive an unexpected attachment before opening it.

Never open any attachment in email from an unknown sender.

Hoax/Chain Letter

If you received a virus warning email, do not forward it to others; please verify with Office of Information Technology (OIT). Never forward any chain letter to others.

“SPAM” junk email

Delete email. Report to [email protected]

Portable Devices

Storing patient health information in portable devices (laptop, PDA, tablet PC, etc) is not recommended.

If you choose to store patient health information in portable devices, you are responsible for the security of this information (e.g. strong password protection for accessing the device, file encryption, proper disposal of unwanted storage media)

Wireless network

It is the current school policy to disallow any wireless network or installation of any wireless access point (hub).

If you use a laptop with a wireless network card, you must disable the wireless card when connecting to a LAN jack in the school.

A campus wide standard will be implemented to provide wireless access to information systems.

Questions?