Confidentiality/HIPPA - PowerPoint PPT Presentation

About This Presentation
Title:

Confidentiality/HIPPA

Description:

Confidentiality/HIPPA Disciplinary Sanctions Considering the facts on a case-by-case basis actions could include the following (and are not necessarily progressive ... – PowerPoint PPT presentation

Slides: 38
Provided by: formsAdam

Transcript and Presenter's Notes

Title: Confidentiality/HIPPA


1
Confidentiality/HIPPA
3
Electronic Protected Health Information
EPHI
  • Examples of EPHI
  • Patient names
  • Diagnosis
  • Date of birth / Age
  • Address / Room number
  • Social Security number
  • Test results
  • Past health conditions
  • Treatments and medications
  • Account number, or any number that is specific to
    a patient.

4
It is our RESPONSIBILITY to protect the IDENTITY
of our PATIENTS!
5
Staff Awareness Training
  • Security Training is necessary for all workforce
    members who may or may not access protected
    health information.
  • Education is provided initially to employees
    during orientation and annually to employees
    during Race Day.
  • Periodic Newsletters prepared by the
    Privacy/Security Officer, Joan Engels, containing
    new information and reminders may be sent out
    through department wide email, posted by time
    clocks, attached to the Adams Family Newsletter,
    and delivered in the physician mailboxes. 

6
Employees Access To Their Own Electronic Record
  • It is inappropriate to access your own ePHI
    without following the same procedures a
    patient would.
  • The same applies to the records of family
    members, co-workers, and friends when accessing
    them is not your immediate job responsibility.

7
Employees Access To Their Own Electronic Record
  • Adams Health Network is responsible for
    protecting the integrity of all medical records.
  • Preventing employees from gaining unauthorized
    access to their own record reduces the potential
    for an incorrect record.
  • Accessing your own ePHI is a violation of the
    Minimum Necessary Rule Policy.

8
Employees Access To Their Own Electronic Record
  • Discrimination: If we were to allow employees
    the right to access their own record without
    following appropriate procedures, it would be
    unfair to employees with lower access levels.
  • Clean Audit: When running audits, if there is
    personal access to employees', co-workers', and
    family members' records, this raises concern for
    a HIPAA violation and a detailed audit is
    performed.
  • Accessing your own record is a violation of our
    Sanction Policy and disciplinary action will be
    implemented.

9
Employees Access To Their Own Electronic Record
  • Employees are not to access the ePHI of their
    family, co-workers, friends, etc. unless doing
    so is required to do their job.
  • Access of this nature is flagged on audits;
    therefore, when in doubt, do not proceed, and
    instead ask another co-worker to complete the
    task.
  • Even if an employee or physician asks you to
    retrieve their ePHI, they should be encouraged to
    use the proper procedure for authorization and
    access.

10
Employees Access To Their Own Electronic Record
  • Employees are not to access their own ePHI for
    any purpose.
  • If employees unintentionally access their own
    PHI (for example, a transcriptionist
    automatically retrieves a dictation of their own
    outpatient consult), the process is to:
  • Exit out of the ePHI ASAP.
  • Report the occurrence to their manager.
  • The manager will have the employee complete the
    form "Unintentional Access to ePHI" and maintain
    this document in case an audit identifies the
    alleged breach.

11
Employees Access To Their Own Electronic Record
  • Test Patients During Training
  • Use a Test Patient rather than Yourself, Family
    Member, Friend, or Co-Worker for training
    purposes.
  • (Contact IT Dept. if you need the name of a test
    patient.)

12
Employees Access To Their Own Electronic Record
  • Appropriate Process to Gain Access to ePHI
  • If the task that needs to be done is part of your
    job responsibility, you must act as a patient
    and go through the same channels with another
    employee to complete the task.
  • Listed below are examples of appropriate
    scenarios
  • When a registration clerk is scheduled for a
    radiology test, another registration clerk needs
    to register her.
  • When a physician calls asking a radiology
    employee for that employee's own chest x-ray
    report, the employee should hand the request to
    another radiology employee.
  • When a Health Information Services employee is
    scanning and comes across their own documents,
    they need to give the documents to another
    employee to scan.
  • When a lab tech comes across their vial of blood,
    they should ask another lab employee to result it.

13
Employees Access To Their Own Electronic Record
  • Appropriate Process to Gain Access to ePHI
  • To retrieve your medical records or those of
    family members, you (or the patient, if an adult)
    must proceed to the appropriate department and
    complete the necessary paperwork.
  • Necessary Emergency Access
  • Only to access your record in the event that
    there is no other workforce member available at
    the time the information is required by a health
    care practitioner.

14
Employees Access To Their Own Electronic Record
Unintentional or Necessary Emergency Access to
ePHI Form
  • This form is to be completed when employees
    unintentionally access ePHI or have an incident
    where "emergency access was necessary."
  • The employee should then forward the completed
    form to their supervisor.
  • When the HIPAA Security Officer audits this
    account number and presents you with concerns,
    this documentation will be important to support
    your employee as to why they accessed the ePHI.

15
Unintentional or Necessary Emergency Access to ePHI
Employee Name: ___________________________
Employee: ______________
Division: _____________
Department: __________
Supervisor: ______________________
Job Description: _____________________________
Date of Occurrence: ____________________
Date of Form Completion: _______________
Account Number Accessed: _________________
Relationship to Employee: ____________
Please describe in detail what prompted the
unintentional access:
Signature of Employee: __________________________
Date: _______________
Signature of Supervisor: _________________________
Date: _______________
Supervisors, please keep this for your records.
You may have the employee type on the form and
save it in your network folder to eliminate a
paper copy. When we audit this account number and
present the concern to you, this documentation
will be important. If you believe there needs to
be further investigation now, please forward this
information to Joan Engels or Brent Senesac.
16
Security Breach
17
What is a breach?
The acquisition, access, use or release of
protected health information (PHI) in a manner
not permitted under the Privacy Rule which
compromises the security or privacy of the PHI.
"Compromises the security or privacy of the PHI"
means the incident poses a significant risk of
financial, reputational, or other harm to the
individual.
18
Most common form of Data Breach
Medical Snooping
When a workforce member, because of celebrity
curiosity, domestic disputes, or second-guessing
clinician opinions, accesses a patient's ePHI
without needing it to do their job.
19
Penalties for Breaches
  • The Secretary of Health and Human Services bases
    the penalty determination on the nature and
    extent of both the violation and the harm caused
    by the violation.
  • The maximum penalty is $50,000 per violation,
    with a cap of $1,500,000 for all violations of an
    identical requirement or prohibition during a
    calendar year.
  • The minimum civil monetary penalties are tiered
    based upon the organization's perceived liability
    for the HIPAA violation.

20
  • Tier A: If the offender did not know: $100 for
    each violation; the total for all violations of
    an identical requirement during a calendar year
    cannot exceed $25,000.
  • Tier B: Violation due to reasonable cause, not
    willful neglect: $1,000 for each violation; the
    total for all violations of an identical
    requirement during a calendar year cannot exceed
    $100,000.
  • Tier C: Violation due to willful neglect, but
    was corrected: $10,000 for each violation; the
    total for all violations of an identical
    requirement during a calendar year cannot exceed
    $250,000.
  • Tier D: Violation due to willful neglect, but
    was NOT corrected: $50,000 for each violation;
    the total for all violations of an identical
    requirement during a calendar year cannot exceed
    $1,500,000.
21
AHN HIPAA Violations for 2011
  • AHN had 17 HIPAA privacy/security violations (18
    complaints)
  • Notified 29 patients whose PHI we breached
  • Reported 3 cases to the U.S. Department of Health
    & Human Services (DHHS), Office of Civil Rights,
    regarding our actions for these 29 patients
  • Terminated one staff member, suspended (unpaid)
    one staff member, and had a Business Associate
    terminate one of their staff members

22
AHN 2011 HIPAA Violations
  • 1. Disclosed PHI to incorrect patient: 5
    violations
  • 2. Faxed PHI to the incorrect fax number: 4
    violations
  • 3. Accessed PHI NOT needed to do their job: 2
    violations
  • 4. Sent PHI in an e-mail outside of
    adamshospital.com without encrypting it: 1
    violation
  • 5. Left PHI in cafeteria: 1 violation
  • 6. Put PHI on Facebook: 1 violation
  • 7. Released PHI without proper authorization:
    1 violation
  • 8. Business Associate issues: 2 violations

23
Disciplinary Action for HIPAA violations
  • Determined on a case-by-case basis and dependent
    upon the severity of the violation
  • Action can range from a verbal warning with
    remediation to suspension or termination
  • Disciplinary actions are maintained in the
    employee's personnel file

24
Sanctions for Privacy/Security Related Issues
3 Levels of Sanctions
  • Level 1: Carelessness
  • Level 2: Curiosity or Concern
  • Level 3: Personal Gain or Malice
25
Level 1 Carelessness
  • Employee unintentionally or carelessly accesses,
    reviews or reveals PHI to him/herself or others
    without a legitimate need to know

26
Carelessness
  • Examples
  • Employees discussing PHI in public areas
  • Employees leaving copies of PHI in publicly
    accessible areas
  • Failing to log off computer terminals when left
    unattended
  • Accessing his/her own medical record
  • Requesting another employee to access his/her
    medical record
  • Sharing passwords
  • E-mailing PHI outside the organization (excluding
    the domain adamshospital.com)
  • Not securing the storage or disposal of laptops,
    CDs, and other portable devices containing
    electronic PHI.

28
Disciplinary Sanctions
  • Considering the facts on a case-by-case basis,
    actions could include the following (and are not
    necessarily progressive):
  • Training/counseling
  • Verbal warning and training
  • Written warning and training
  • Final written warning or suspension (unpaid)
  • Termination.

29
Level 2 Curiosity or Concern
  • Employee intentionally accesses, reveals or
    discusses PHI for purposes other than the care of
    the patient or as needed to perform their job,
    but unrelated to personal gain.
  • Level 2 violations are a purposeful disregard of
    organizational policies.

30
Curiosity or Concern
  • Examples
  • Employees looking up birth dates or addresses of
    friends or relatives
  • Employees accessing and reviewing medical records
    out of curiosity or concern
  • Employees reviewing public personalities' medical
    records
  • Releasing PHI inappropriately
  • Employees inappropriately accessing daily census
    reports
  • Repeated Level 1 violations

31
Disciplinary Sanctions
  • Considering the facts on a case-by-case basis,
    the actions could include the following (and are
    not necessarily progressive):
  • Oral warning with training.
  • Written warning with training.
  • One to three day suspension (unpaid) with
    training.
  • Termination of employment.

32
Level 3 Personal gain or Malice
  • Employee accesses, reviews or discusses PHI for
    personal gain or with malicious intent, and there
    is a malicious disregard of organizational
    policies.

33
Personal gain or Malice
  • Examples
  • An employee reviews a patient's medical record to
    use information in a personal relationship
  • An employee compiles a mailing list for personal
    use or to be sold for monetary gifts
  • Releasing data for personal gain
  • Destroying or altering data intentionally
  • Releasing data with the intent to harm an
    individual or the organization
  • Repeated Level 2 violations

34
Disciplinary Sanctions
  • Considering the facts on a case-by-case basis,
    actions could include the following (and are not
    necessarily progressive):
  • One to three day suspension (unpaid) with
    training
  • Dependent upon the severity, termination of
    employment.

35
Reporting Violations
Individuals who observe or are aware of suspected
violations must report them to either their
Department Manager or to the Privacy Officer,
Joan Engels, in a manner that maintains the
privacy of both the patient(s) and the
employee(s). If it is your Department Manager who
is committing the violation, report it to the
Department Manager's supervisor or to Joan Engels.
36
All HIPAA violations and disciplinary action
will be maintained in the employee's personnel
file.