Preventing Breaches When Using E-mail, Telephone and Fax Machines
Harley HIPAA
Presented by the UAMS HIPAA Office, July 26, 2011

Breach Reporting
When a use or disclosure occurs that is not allowed by HIPAA, UAMS may be required to notify the patient and report the breach to the Office of Civil Rights. We may also be required to notify the media. All breaches must be reported to the UAMS HIPAA Office immediately.

What is a Breach?
A use or disclosure of PHI that is not permitted by the Privacy Rule. For example:
A UAMS employee accesses the record of a patient outside the performance of their job duties.
An unencrypted laptop containing PHI is lost or stolen.
PHI is sent to the wrong e-mail address.
PHI is sent to the wrong fax number, mailing address or printer.

Exceptions
There are certain types of uses or disclosures that do not meet the definition of a breach. These exceptions are:
Unintentional use by a UAMS workforce member that does not result in the PHI being further used or disclosed. For example, a nurse accidentally clicks on the wrong patient's name in WebChart, pulls up that patient's record, realizes that she is in the wrong patient's chart, and closes the record.
Unauthorized disclosure to an individual who cannot possibly retain it. For example, when checking a patient in, you accidentally hand the patient a registration packet that belongs to someone else, but you realize your mistake and immediately retrieve the information.

Real Life Example
Backup tapes containing patient health records were stolen out of a truck belonging to a hospital's contractor. The hospital had to send notification letters to 1.7 million patients, notify the media, and report the loss to the OCR. The letters had to be translated into 17 languages, and credit monitoring services were offered to all 1.7 million patients, at a total estimated cost of $350 million.

How can you help?
Notify the UAMS HIPAA Office as soon as you suspect a possible breach. The HIPAA Office will then determine whether an actual breach has occurred and take care of the notification process.
Help us keep patient contact information current.
Follow your department's documentation requirements.
Take steps to prevent breaches from happening in your department.
When in doubt, contact us.
UAMS Email Policy 7.1.12
The patient's e-mail address is part of the patient's Protected Health Information and must be protected as any other PHI, in accordance with all applicable laws, regulations and UAMS policies.
For Protected Health Information (PHI) that is subject to the minimum necessary requirements of the HIPAA regulations, reasonable efforts must be made to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. (Policy 3.1.25, Minimum Necessary)

UAMS Email Policy 7.1.12
Confirm the e-mail address before sending any e-mail containing Confidential Information or ePHI, to ensure there are no typographical errors.
Caution should be taken when using distribution lists or forwarding e-mails that contain Confidential Information and ePHI.
UAMS e-mail may not be auto-forwarded to any non-UAMS account, including but not limited to personal and commercial e-mail accounts such as AOL, Yahoo or MSN, with the exception that UAMS e-mail may be auto-forwarded to VA and Arkansas Children's Hospital e-mail accounts.

UAMS Email Policy 7.1.12: Provider Communication with Patients
Any ePHI originated by UAMS must be encrypted when being sent via e-mail.
UAMS takes the steps necessary to secure e-mail and other computer messages, but no one can guarantee the security and privacy of e-mail messages. Use caution when sending highly sensitive information.
E-mail communication is a convenience for the patients and should not be used for emergencies or time-sensitive situations.

UAMS Email Policy 7.1.12: Provider Communication with Patients
Before sending an e-mail containing Confidential Information or ePHI, confirm the e-mail address to ensure it does not contain any typographical errors.
E-mail messages must include (a) information in the subject line, such as "prescription refill", "appointment request" or other information generally describing the purpose of the e-mail; and (b) the patient's name, telephone number and patient identification number in the body of the message.
Clinically relevant messages and responses will be documented in the patient's medical record.

UAMS Email Policy 7.1.12: Email Encryption
E-mail is secured automatically inside the UAMS network. Any e-mails sent outside of the UAMS network containing Confidential Information, including ePHI, must be encrypted.
It is recommended that the UAMS workforce use the enterprise secure e-mail gateway solution. This is easily accomplished by clicking on the Mark Secure button provided on the standard toolbar in Outlook; alternatively, the word [secure], typed with the brackets into the subject line, will also encrypt the message.
Communication with other organizations will in many cases be set up for automatic encryption, and a list of these organizations will be provided.
Instructions: http://www.uams.edu/email/instructions/securemail/securemessagedeliveryinstructions.html
Use the Mark Secure Button

Type [Secure]
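As an added illustration (not UAMS code), the following Python model applies the outbound e-mail rules from Policy 7.1.12 above to sample messages: mail staying inside the UAMS network passes, mail carrying the Mark Secure flag or a [secure] subject tag or addressed to an auto-encrypt partner is encrypted, external mail carrying ePHI with neither is held for the sender, and auto-forwards are allowed only to VA and Arkansas Children's Hospital accounts. The domain names, the partner list, the case-insensitive tag match and the PHI flag are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "uams.edu"                    # assumed UAMS mail domain
# Organizations set up for automatic encryption (the policy promises a list;
# this entry is a constructed placeholder).
AUTO_ENCRYPT_PARTNERS = {"partner-clinic.example"}
# Auto-forwarding is permitted only to VA and Arkansas Children's Hospital
# accounts; these domain names are assumptions.
AUTO_FORWARD_ALLOWED = {"va.gov", "archildrens.org"}
# "[secure]" in the subject triggers gateway encryption; matched
# case-insensitively because the slides show both "[secure]" and "[Secure]".
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    mark_secure: bool = False     # Outlook "Mark Secure" button was used
    contains_phi: bool = False    # assumed: set by a DLP classifier or the sender
    auto_forwarded: bool = False  # message produced by an auto-forward rule


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def evaluate(msg: Message) -> dict[str, str]:
    """Return one gateway action per recipient: deliver, encrypt or hold."""
    tagged = msg.mark_secure or SECURE_TAG.search(msg.subject) is not None
    actions: dict[str, str] = {}
    for rcpt in msg.recipients:
        dom = domain_of(rcpt)
        if dom == INTERNAL_DOMAIN:
            actions[rcpt] = "deliver"   # secured automatically inside the network
        elif msg.auto_forwarded and dom not in AUTO_FORWARD_ALLOWED:
            actions[rcpt] = "hold"      # auto-forward to a non-UAMS account
        elif tagged or dom in AUTO_ENCRYPT_PARTNERS:
            actions[rcpt] = "encrypt"   # gateway encrypts before delivery
        elif msg.contains_phi:
            actions[rcpt] = "hold"      # external ePHI with no encryption requested
        else:
            actions[rcpt] = "deliver"
    return actions
```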
Privacy & Security Safeguards
3.1.37 Verification of Identity
3.1.19 Faxing Policy and Form

For every request for information, ask yourself:
Who am I speaking with?
Who is requesting the information?
What is his/her authority to have the information?
Who is the patient?
What information is being requested?
What is the purpose of the request?
Are there any restrictions in place regarding release of this patient's information?

Verify the Identity of the Requestor, If Not Known to You
Caller's name
Company name/relationship to patient
Phone number
When in doubt, call the phone number for the entity requesting the information, or have them fax a written request on company letterhead.

Verifying the Identity of the Patient
Obtain any 3 of the following patient items:
Full name
Date of birth
Last 4 digits of SS number
One additional piece of information such as address, phone or account number
(Note: it is better to have them provide the information to you rather than asking "Do you still stay on XYZ road?")

Patient's Right to PHI
With a few exceptions, patients or their legal representatives have a right to copies of their medical record, including billing records, within 30 days of requesting them. Patients have a right to electronic copies of their records.
Use and Disclosure 3.1.28
Generally, you may use and disclose PHI for treatment, payment and healthcare operations (TPO) of our organization WITHOUT patient authorization. Most of your uses (within UAMS) and disclosures (outside UAMS) of PHI for TPO will be for treatment purposes.

Patient Authorization
HIPAA generally requires that a patient sign an Authorization for disclosures (sharing protected health information, PHI, with someone outside of UAMS) made for purposes other than TPO.
Use your Authorization checklist to make sure the Authorization is valid. Make sure the authorization has not expired and is signed by the patient or the patient's documented legal representative.
There are certain exceptions to this rule, such as when the disclosure is required or permitted by law; an authorization is not required in those cases.

An Example of When an Authorization Is Not Required: Subpoenas for Parties in Litigation
One of the following is required:
Patient authorization, or
Court order, or
Adequate assurances that the party whose PHI is requested has been given notice of the request with adequate time to object, and that no objection was made.

Sharing Information with Family and Friends Involved in the Patient's Care
You may share information directly relevant to the person's involvement with the patient's care, or for payment related to care, under the following circumstances. If the patient is present or otherwise available prior to the disclosure, you must:
Obtain the patient's agreement, or
Provide the patient an opportunity to object, and they do not, or
Using professional judgment, reasonably infer from the circumstances that the patient does not object.

If the Patient Is Not Available or Is Incapacitated
If there appear to be extenuating circumstances, for example the patient is incapacitated and doesn't have a legal representative to act on their behalf, staff should seek assistance from their supervisor or use professional judgment.

Patient's Legal Representative
A person authorized by law to act on behalf of the patient in connection with the patient's health care decisions, such as:
Parent of their minor child;
Court-appointed guardian of a minor;
A person legally acting as the parent in loco parentis;
Court-appointed guardian of an elderly or incapacitated person;
A person appointed by the patient to act as their attorney-in-fact in a Durable Power of Attorney with health care rights;
A person appointed by the patient in a Health Care Proxy;

Legal Representatives (continued)
Court-appointed Administrator, Executor or Personal Representative of the Estate of a deceased patient.
A guardianship or a power of attorney (or any other grant of authority by the patient) is no longer effective upon death. No will is effective until probated.
For other examples, regarding persons of unsound mind, permanently unconscious or terminally ill persons, or other incapacitated persons, see section 5, Disclosures to Patient's Legal Representatives, in the Use and Disclosures of PHI Policy 3.1.28 in the Administrative Guide.

Requests by Parents of Minors
A divorced parent who does not have custody of the minor child is still the minor's parent, and is entitled to all PHI concerning their minor child unless the parental rights have been revoked by court order. Check for documentation in our systems that the requestor is the parent.

If Documentation Is Not Available
Explain that information may only be released to the parent or other legal representative. Ask the requestor to provide a copy of the child's birth certificate, which documents their relationship, or other legal documentation, or have the parent or legal representative who is in the record sign an authorization for the release.
UAMS Faxing Policy 3.1.19
Confidential data should be faxed only when mail will not suffice.
Faxes containing PHI and other confidential information must have an official UAMS fax cover sheet.
Reconfirm the recipient's fax number before transmittal.
Confirm receipt of the fax.
Notify your supervisor/HIPAA Office immediately if a fax is sent in error.

Printed PHI
When retrieving information from the printer and sending information, check every page to make sure it is the correct patient. Also make sure other patients' information is not included on the page.
Don't leave PHI lying around where others can see it.
Don't put PHI in the regular trash. Shred it or place it in the privacy bins.

Electronic PHI
Minimize your computer screen if someone walks up.
Log off or lock your computer prior to stepping away from it.
Encrypt any e-mail containing PHI sent outside the UAMS intranet.
All computers, laptops and thumb drives containing PHI must be encrypted.

Why would the HIPAA Office call me?
Access to patient records is monitored. If your name is on an audit report, and the appropriateness of the access is not readily apparent to the auditors, you or your supervisor will be contacted. This is routine follow-up and is done for physicians, students and staff.

Why would the HIPAA Office call me?
Access of patient records outside the performance of your job is prohibited. This includes your own records and the records of:
Family
Friends and acquaintances
Co-workers
Violations of UAMS HIPAA Policies are taken so seriously that your supervisor will be notified and must impose disciplinary action.

Social Networking
Do not post photographs, video or any information about a UAMS patient through an electronic means such as social networking sites, blogs, pinging and tweeting. The only exception is a response to a UAMS patient that gives no further information about the patient.
Example of a post that would violate our policy: an employee posts on her Facebook wall, "I talked to a woman today regarding her medicine for that is almost a thousand dollars. I would hate to be her."

UAMS has a HIPAA Team to help you:
Vera Chenault, JD, UAMS Privacy Officer & Campus HIPAA Coordinator (603-1379)
Anita Westbrook, Medical Center Privacy Officer (501-526-6502)
Steve Cochran, Security Officer (501-603-1336)
Bill Dobbins, Informatics Manager & Auditor (501-526-7436)
Yolanda Hill, HIPAA Auditor and Investigator (501-614-2098)
Tanya Mehran, HR and Training Coordinator (501-603-1379), starting 8/1/11
Scott Addison, AHEC Privacy Officer (501-526-0350)
Jennifer Sharp, Research Privacy Officer (501-526-7559)
The HIPAA Office is available to conduct additional training for your department, attend staff meetings to address specific issues, or conduct question and answer sessions to help clarify the HIPAA rules and UAMS Policies. To schedule an in-service or other training, please contact the HIPAA Training Coordinator at 501-603-1379.