Health Information Privacy and Security Including HIPAA and ...

Health Information Privacy and Security
Maine Department of Health and Human Services

Contents
- Purposes for this Training
- Basics
- Best Practices
- Permitted Disclosures
- Breach Notification and Enforcement
- Research
- Summary
- Knowledge Check

Three Purposes for This Training
1. Legal and Regulatory Mandate. The law requires education on privacy and security. It also requires the Department to have and enforce a Sanction Policy for failure to comply with our confidentiality policies. Compliance is MANDATORY.
2. Reinforcing a Culture of Compliance. The Department is committed to ensuring compliance with federal and state requirements at every level of our operations.
3. It's the Right Thing to Do. We honor the confidentiality of our consumers' confidential and sensitive information, just as we would want our own data to be honored and protected.

Basics: What Does HIPAA Protect?
The Health Insurance Portability and Accountability Act (HIPAA) and its update, HITECH, safeguard Protected Health Information (PHI). PHI is essentially identifiable information about an individual's physical or mental health, services rendered, or payment for services. It may be:
- verbal, such as a conversation between healthcare providers
- recorded on paper, such as in a medical chart or claims record
- kept or shared electronically

Basics: The Department Protects Different Types of Consumer Data
Our PROTECTED INFORMATION includes:
- Confidential information
- Protected Health Information
- Restricted data
- Personal or Identifiable Health Information

Basics: Protected HIPAA/HITECH Identifiers
- Names
- Addresses
- Full face photos
- Medical record number
- Account number
- Vehicle identifiers, including license plate and serial number
- Email address
- Dates of birth, death, admission, treatment, discharge
- Telephone and fax numbers
- Device identifiers, including serial number
- Biometric identifiers, including finger and voice prints
- URLs and IP addresses
- Health plan beneficiary number/ID
- Certificate/License number
- Social Security Number
- Genetic history and test results
- Any other unique number, characteristic or code

Basics: Hybrid Entity
The Department is a hybrid entity from a HIPAA perspective. That means that the Department has activities that are considered HIPAA-covered and other activities that are not covered by the HIPAA Privacy and Security Rules. See the Department's Hybrid map.

Basics: Our Completely HIPAA-Covered Entities
Healthcare providers and health plans, including Medicaid, must comply with HIPAA, as well as with other applicable statutes, regulations and rules that govern health information privacy and security. The Department's completely HIPAA-covered entities are:
- Office of MaineCare Services
- Riverview Psychiatric Center
- Dorothea Dix Psychiatric Center

Basics: Our Partially HIPAA-Covered Entities
- The Centers for Disease Control and Prevention has several covered programs: Public Health Nursing; Health and Environmental Testing Lab (for human/clinical specimens)
- Most Office of Aging and Disability Services programs are HIPAA-covered, except for Adult Protective and Legal Services
- Office for Family Independence is covered for its work on behalf of OMS, but not for other programs such as ASPIRE, TANF, or its Child Support Enforcement efforts

Basics: Additional HIPAA-Covered Components
Other offices, programs or services that are HIPAA-covered by virtue of the oversight or business functions performed in support of the Department's HIPAA-Covered Entities include:
- The Commissioner's Office
- The General Counsel and Director of Healthcare Privacy
- Division of Audit, Fraud, Constituent Services
- DAFS (Division of Administrative Financial Services)/Financial Service Center
- District Operations Accounting
- District Operations Facilities
- Office of Administrative Hearings

Basics: Safeguard All Protected Information
Even if your office or program is not HIPAA-covered, our workforce must treat Protected Information as confidential, based upon other laws, regulations, rules and Department policy.

Basics: Our Colleagues
Remember that some of our colleagues may be receiving Department services and must receive the same confidentiality protections as other consumers.

Best Practices: Safeguards
HIPAA and HITECH require safeguards to secure the integrity, confidentiality, and availability of PHI. These safeguards are common sense best practices.

Best Practices: Administrative Safeguards
Administrative safeguards include:
- Privacy/Security Officials (such as the Director of Healthcare Privacy and our Privacy/Security Liaisons)
- Policies and procedures
- Business Associate Agreement language
- Training and education

Best Practices: Physical Safeguards
Physical safeguards relate to protections from natural, environmental, and man-made hazards and may include:
- Using structural workstation protections like dividers and Plexiglas windows
- Turning computer screens and paper files away from the public's view
- Putting documents away in files and file cabinets
- Securing mobile devices containing the Department's confidential information

Best Practices: Technical Safeguards
Technical safeguards include:
- Locking your computer when you leave your desk
- Using strong passwords and not posting or sharing them
- Saving Protected Information to the appropriate network drive or encrypted device
- Not emailing Protected Information to your personal email address
- Not downloading programs unless approved by OIT (Office of Information Technology)
- Not clicking on unknown links received through email

Best Practices: Communication Methods
Fax: Keep the machine in a secure location. Include only the minimum necessary Protected Information in your coversheet. Don't leave faxes on the machine. Double check fax numbers before sending. Contact your Privacy/Security Liaison if your fax is received by the wrong party.
Phone: Speak in a low voice and in a private location when discussing Protected Information, either on or off site.
Email: Avoid using Protected Information in the subject line. Use encryption wherever possible. Slow down and be careful about the auto-fill feature, so you don't accidentally send Protected Information to the wrong recipient!

Best Practices: Portable Devices
- Use encrypted devices.
- Physically protect devices on or off site.
- Keep Protected Information private and secure at home if you have permission to work outside the office or facility.
- Never use your cell phone to photograph Department schedules or other documents.
- Never copy Protected Information onto a portable device without specific permission of your supervisor.
- Never leave your Department-issued laptop, cell phone, electronic device or other Protected Information visible or unlocked in a vehicle.
- Never leave your passwords with your portable devices.
- Keep paper-based Protected Information separate from your electronic device(s) when traveling.
- Consider your surroundings. Do not display Protected Information in cafés or other public settings.
- Immediately contact your Privacy/Security Liaison if Protected Information is lost.
This, and all privacy and security policies, apply to our entire workforce, including staff, students, interns, volunteers and contractors.

Best Practices: Policies and Education
We are only as strong as our weakest link. Best practices call for strong policies, an understanding of those policies, and education on privacy and security issues impacting our work. A Department Intranet Privacy and Security Page is available for our workforce and is updated regularly. It includes our policies, forms, blog posts, and much more.

Best Practices: Maintaining a Culture of Compliance
Along with complying with Department policies and using our forms, we can weave awareness of confidentiality through the work we do by:
- Putting up posters and including privacy and security topics on our meeting agendas
- Doing regular walk-through reviews of our offices
- Addressing confidentiality gaps
- Commending those who protect our consumer information
- Retaining documentation of all compliance efforts, including discussions at meetings and training, as proof of those efforts

Best Practices: Staying Informed Through the Privacy/Security Liaison Program
(Diagram: Local Workforce; Director of Healthcare Privacy; Office and Program Privacy/Security Liaisons; District and Off-site Workforce.)
The list of Privacy/Security Liaisons is located on the Department's Privacy/Security intranet webpage.

Best Practices for the Minimum Necessary Standard
- Only access and use the minimum Protected Information necessary to do your job.
- Only disclose Protected Information that is specifically requested or that is required or permitted by law to be disclosed.
- Only access Protected Information when there is a work-related need to know.
- Never access, copy, take or send Protected Information from the office, even if it involves you or your family, unless specifically authorized to do so by your supervisor.

Permitted Disclosures
HIPAA: PHI may be used and disclosed for Treatment, Payment or Healthcare Operations (TPO).
- Treatment includes information used to provide or manage care and services to a patient or client, including referral to other providers, tests, prescriptions, medical devices, and care coordination.
- Payment for a Provider includes information used to obtain payment for services, including billing and collection activities.
- Payment for a Health Plan includes information used to fulfill coverage responsibilities, including to authorize and provide benefits, conduct financial operations, process claims, and conduct utilization review activities.
- Healthcare Operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run the program, plan, or healthcare entity's business, and to support the core functions of treatment and payment.

Permitted Disclosures: HIPAA
Additional disclosures permitted by designated Department staff include:
- After first consulting with our General Counsel and Director of Healthcare Privacy, for judicial and administrative proceedings under specified circumstances
- To a health oversight agency for oversight activities authorized by law, such as licensing and compliance
- For research, after receiving permission from a Department-approved research board
- To comply with workers' compensation program requirements
- Where required by other laws
- For public health purposes, including public health surveillance, investigations, and interventions
- To report abuse or neglect
- After first consulting with our General Counsel and Director of Healthcare Privacy, to law enforcement officials pursuant to a valid court order, subpoena, or other legal mandate; to help identify and locate a suspect, fugitive, or missing person; to report or provide information related to a crime

Permitted Disclosures: By Authorization Form or Release
Other than for TPO purposes or where permitted or required by law, uses and disclosures of Protected Information should be made only upon authorization by the client or consumer. The Department has one Authorization Form (also called a Release of Information or ROI) that is located on both the Department's internet and intranet pages. Our workforce members and our consumers should be directed to use that form before we share Protected Information with third parties.

Breach Notification
The Department is subject to the HIPAA/HITECH and Maine State Breach Notification laws.

Maine Breach Notification Law
Virtually every state has its own breach notification law. Maine's law only applies to incidents involving electronic data. We must investigate incidents if there is even a possibility of a breach.

Breach Notification: Reporting Concerns or Incidents
All security or privacy concerns or incidents must be reported to:
- The Director of Healthcare Privacy
- Your Privacy/Security Liaison
Please report verbally wherever possible, to reduce the potential for alarm. Not all incidents amount to a breach!

Breach of Protected Information: It's Personal!
The Department handles the most sensitive health and financial information imaginable. Any of us can be, or may have been, subject to identity theft due to a breach of Protected Information. Imagine having to address, or try to undo, the impact of a breach of health or financial data. It is time consuming, stressful, and may not be effective. Your role in keeping Protected Information secure is vital and personal.

Breach Notification: Process
- Whether or not you work for a HIPAA-covered office or program, you are required to contact your Privacy/Security Liaison and the Director of Healthcare Privacy if you are aware of, or suspect, a privacy or security incident.
- Our agreements should include language requiring vendors to contact the Department within 24 hours in the event of an actual or suspected breach of our Protected Information.
- Direct any questions to the Director of Healthcare Privacy.
- Investigation and documentation will be managed centrally with office/program cooperation.
- Not every incident is a breach. Scenarios are reviewed case by case.
- Breach Notification is now included in the Notice of Privacy Practices provided by our HIPAA-Covered Entities.
- No retaliation for good faith reporting is permitted.

Breach Notification: Department Obligations in the Event of a Breach
- Where 500 or more consumers are impacted, notice by letter and media must be provided within 60 days. Notice may be delayed by law enforcement request, so as not to impede an investigation.
- Where 1000 or more consumers are impacted, Maine adds additional reporting requirements to state regulators.
- The burden is on the Department to show thorough investigation to support our decisions.

Breach Notification: In the News
The "Wall of Shame" is the nickname for the Federal DHHS Office of Civil Rights webpage where HIPAA-covered entities are required to report breaches of individuals' unsecured PHI impacting 500 or more individuals. The breaches are posted for public viewing and are searchable. Most breaches are caused by the loss or theft of a laptop or portable device. Paper continues to be a risk as well.

Enforcement: Penalties Under HITECH
What could happen if there were a HIPAA/HITECH breach or violation?
- A maximum Civil Monetary Penalty of up to $1.5 million for multiple violations of the same provision.
- Criminal conviction and jail terms: unknowing and with reasonable cause, up to one year; under false pretenses, up to 5 years; for personal gain or malicious reasons, up to 10 years.

Research Requests
The Department is required to meet research compliance standards. As part of those requirements, the Department works with the University of Southern Maine's Institutional Review Board (IRB) to review any research requests.

Research
The Department has a documented process for conducting research or providing Protected Information for research. After a review by the IRB, if the Department agrees to share Protected Information or provide de-identified information to a researcher, a Data Sharing and Protection Agreement must be signed and maintained centrally. Please contact the Director of Healthcare Privacy, who also serves as the Human Protections Administrator, with any questions.

Summary: Remember, Never:
- Forward work email containing Protected Information to your home/offsite address.
- Leave unsecured Protected Information in a car or other non-work location.
Secure Protected Information is Protected Information that is appropriately encrypted or destroyed so as to make it unusable or unreadable to others.

Summary: Remember, Always:
- Use the minimum necessary information to accomplish your work.
- Only access Protected Information on a need-to-know basis.
- Immediately report lost or stolen consumer records or devices containing Protected Information, including flash drives, smart phones, or computers.
- Review correspondence or documents before sending. Look for mistakes involving Protected Information, such as sharing more information than necessary, attaching the wrong document to an email, mail merge errors, hidden columns in a spreadsheet, or incorrect postal or email addresses.

Summary: Confidentiality Basics
Even if your office or program is not HIPAA-covered, all Department workforce members must treat Protected Information as confidential based upon other laws, regulations, rules, and Department policy.

Summary: Our Responsibility
The responsibility for protecting and securing the Protected Information we access, use, disclose, transmit, or maintain to do our jobs belongs to each of us.

Knowledge Check: True or False
Q: The minimum necessary/need-to-know standard only applies to the Department's HIPAA-covered entities.
A: False. Department Policy requires that our entire workforce, including staff, contractors, volunteers and students, use only the minimum Protected Information necessary to accomplish our jobs, and only view the Protected Information that we need for a legitimate work purpose.

Q: If you are presented with a warrant or a subpoena, you should immediately provide the information requested by the attorney or law enforcement officer.
A: False. You should immediately contact the General Counsel or the Director of Healthcare Privacy, because the demand may not be valid.

Q: Identifiers such as vehicle license numbers, URLs and thumb prints are considered HIPAA Identifiers.
A: True! There are numerous identifiers beyond the name, address, phone and account numbers that may identify the consumer. We need to keep them all confidential.

Q: If you know of, or suspect, a privacy or security incident involving the Department's Protected Information, you should speak with your Privacy/Security Liaison and the Director of Healthcare Privacy right away.
A: True! Contact your Privacy/Security Liaison and the Director of Healthcare Privacy immediately. Your assistance is required by Department policy!

Q: If, in good faith, you make a report of a privacy or security issue, you may be in trouble if an investigation finds no concerns.
A: False! There is no retaliation permitted for a good faith report, even if no breach is found to have occurred.

Questions?
Director of Healthcare Privacy and Human Protections Administrator
207.287.9362
[email protected]

Resources
- DHHS Employee Information Center: http://inet.state.me.us/dhhs/privacy-security/index.php
- Policies: http://inet.state.me.us/dhhs/privacy-security/policies.php
- Posters: http://inet.state.me.us/dhhs/privacy-security/posters.php

Credit
Submit a completion form via the "Get credit" link to receive credit for reviewing this program.
