Preventing Breaches When Using E-mail, Telephone and Fax Machines


Preventing Breaches When Using E-mail, Telephone and Fax Machines Harley HIPAA Presented by the UAMS HIPAA Office, July 26, 2011

Breach Reporting. When a use or disclosure of PHI occurs that is not allowed by HIPAA, UAMS may be required to notify the patient and report the breach to the HHS Office for Civil Rights (OCR). We may also be required to notify the media. All breaches must be reported to the UAMS HIPAA Office immediately.

What is a Breach? A use or disclosure of PHI that is not permitted by the Privacy Rule. For example: a UAMS employee accesses the record of a patient outside the performance of their job duties; an unencrypted laptop containing PHI is lost or stolen; PHI is sent to the wrong e-mail address; PHI is sent to the wrong fax number, mailing address or printer.

Exceptions. There are certain types of uses or disclosures that do not meet the definition of a breach. These exceptions are: (1) unintentional use by a UAMS workforce member that does not result in the PHI being further used or disclosed. For example, a nurse accidentally clicks on the wrong patient's name in WebChart, pulls up that patient's record, realizes that she is in the wrong patient's chart, and closes the record. (2) Unauthorized disclosure to an individual who cannot possibly retain it. For example, when checking a patient in, you accidentally hand the patient a registration packet that belongs to someone else, but you realize your mistake and immediately retrieve the information.

Real Life Example. Backup tapes containing patient health records were stolen out of a truck belonging to a hospital's contractor. The hospital had to send notification letters to 1.7 million patients, notify the media, and report the loss to the OCR. The letters had to be translated into 17 languages and credit monitoring services were offered to all 1.7 million patients, at a total estimated cost of $350 million.

How can you help? Notify the UAMS HIPAA Office as soon as you suspect a possible breach; the HIPAA Office will determine whether an actual breach has occurred and handle the notification process. Help us keep patient contact information current. Follow your department's documentation requirements. Take steps to prevent breaches from happening in your department. When in doubt, contact us.

UAMS Email Policy 7.1.12. The patient's e-mail address is part of the patient's Protected Health Information and must be protected like any other PHI in accordance with all applicable laws, regulations and UAMS policies. For PHI that is subject to the minimum necessary requirements of the HIPAA regulations, reasonable efforts must be made to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request (Policy 3.1.25, Minimum Necessary).

UAMS Email Policy 7.1.12. Confirm the e-mail address before sending any e-mail containing Confidential Information or ePHI, to ensure there are no typographical errors. Take care when using distribution lists or forwarding e-mails that contain Confidential Information or ePHI. UAMS e-mail may not be auto-forwarded to any non-UAMS account, including but not limited to personal and commercial e-mail accounts such as AOL, Yahoo or MSN, with the exception that UAMS e-mail may be auto-forwarded to VA and Arkansas Children's Hospital e-mail accounts.

UAMS Email Policy 7.1.12, Provider Communication with Patients. Any ePHI originated by UAMS must be encrypted when sent via e-mail. UAMS takes the steps necessary to secure e-mail and other computer messages, but no one can guarantee the security and privacy of e-mail messages, so use caution when sending highly sensitive information. E-mail communication is a convenience for patients and should not be used for emergencies or time-sensitive situations.

UAMS Email Policy 7.1.12, Provider Communication with Patients. Before sending an e-mail containing Confidential Information or ePHI, confirm the e-mail address to ensure it does not contain any typographical errors. E-mail messages must include (a) information in the subject line, such as "prescription refill", "appointment request" or other text generally describing the purpose of the e-mail; and (b) the patient's name, telephone number and patient identification number in the body of the message. Clinically relevant messages and responses will be documented in the patient's medical record.

UAMS Email Policy 7.1.12, Email Encryption. E-mail is secured automatically inside the UAMS network. Any e-mail sent outside the UAMS network containing Confidential Information, including ePHI, must be encrypted. The UAMS workforce should use the enterprise secure e-mail gateway. This is done either by clicking the Mark Secure button on the standard toolbar in Outlook, or by typing the word [secure], with the brackets, into the subject line; either will encrypt the message. Communication with many other organizations is set up for automatic encryption, and a list of these organizations will be provided: http://www.uams.edu/email/instructions/securemail/securemessagedeliveryinstructions.html

Use the Mark Secure button.

Type [Secure] in the subject line.
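The e-mail rules in policy 7.1.12 above (mail inside the network is secured automatically; anything leaving the network with Confidential Information or ePHI must carry the [secure] subject tag or be marked secure; some partner organizations are encrypted to automatically; no auto-forwarding to non-UAMS accounts other than VA and Arkansas Children's Hospital) can be expressed as a pre-send check. The following is an added example written for this page, not a UAMS tool and not the enterprise gateway's actual logic. The domain names, the partner-domain list and the PHI marker words are assumptions for illustration only.

```python
"""Pre-send check for outbound e-mail, modelled on the rules in UAMS e-mail
policy 7.1.12 as summarised in the slides above. This is an added example,
not a UAMS tool and not the enterprise gateway's own logic.

Rules implemented:
  * mail that stays inside the organisation's own domains is treated as
    secured by the internal mail system and passes without a tag;
  * mail leaving the organisation that carries Confidential Information or
    ePHI must either carry the gateway's [secure] subject tag or be going to
    a partner domain the gateway already encrypts to automatically;
  * an auto-forward rule pointing at a non-organisation domain is a policy
    violation unless the target is one of the exempted partner domains.

The domain names, the partner list and the PHI marker words are assumptions;
a real deployment would take them from the gateway's configuration and a
proper DLP dictionary.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"uams.edu"}                          # assumed
AUTO_ENCRYPT_PARTNERS = {"va.gov", "archildrens.org"}    # assumed stand-ins for VA and ACH
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)    # the gateway trigger from the slide
# Crude content markers standing in for a DLP dictionary (assumed).
PHI_MARKERS = re.compile(
    r"\b(patient id|MRN|date of birth|DOB|diagnosis|prescription)\b", re.IGNORECASE
)


def is_internal(domain):
    """True for the organisation's own domain and any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc recipient."""
    headers = []
    for field in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(field, []))
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr}


def body_text(msg):
    """Plain-text body, joining the text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts)


def check_outbound(raw_message):
    """Return a list of policy findings for one RFC 822 message (empty = OK)."""
    msg = message_from_string(raw_message)
    external = {d for d in recipient_domains(msg) if not is_internal(d)}
    if not external:
        return []                      # stays inside the network: secured automatically
    subject = msg.get("Subject", "")
    carries_phi = PHI_MARKERS.search(subject + "\n" + body_text(msg)) is not None
    tagged = SECURE_TAG.search(subject) is not None
    unprotected = sorted(d for d in external if d not in AUTO_ENCRYPT_PARTNERS)
    findings = []
    if carries_phi and unprotected and not tagged:
        findings.append(
            "ePHI to external recipients %s without the [secure] tag" % ", ".join(unprotected)
        )
    return findings


def check_autoforward(target_address):
    """Policy finding for an auto-forward rule, or None if the target is allowed."""
    domain = target_address.rpartition("@")[2].lower()
    if is_internal(domain) or domain in AUTO_ENCRYPT_PARTNERS:
        return None
    return "auto-forward to %s is not permitted (non-UAMS account)" % domain


# Constructed sample messages for the demonstration (not real mail).
SAMPLE_INTERNAL = (
    "From: nurse@uams.edu\n"
    "To: Dr Example <physician@medicine.uams.edu>\n"
    "Subject: Prescription refill\n"
    "\n"
    "Patient ID 12345 requests a refill.\n"
)
SAMPLE_EXTERNAL_UNTAGGED = (
    "From: nurse@uams.edu\n"
    "To: Jane Doe <jane.doe@gmail.com>\n"
    "Subject: Prescription refill\n"
    "\n"
    "Patient ID 12345: refill approved.\n"
)
SAMPLE_EXTERNAL_TAGGED = SAMPLE_EXTERNAL_UNTAGGED.replace(
    "Subject: Prescription refill", "Subject: [Secure] Prescription refill"
)
SAMPLE_PARTNER = SAMPLE_EXTERNAL_UNTAGGED.replace("jane.doe@gmail.com", "clerk@va.gov")

if __name__ == "__main__":
    for name, raw in [("internal", SAMPLE_INTERNAL), ("external untagged", SAMPLE_EXTERNAL_UNTAGGED),
                      ("external tagged", SAMPLE_EXTERNAL_TAGGED), ("partner", SAMPLE_PARTNER)]:
        print(name, "->", check_outbound(raw) or "OK")
    print("forward ->", check_autoforward("me@yahoo.com") or "OK")
```

The check flags mail that lacks a protection the policy requires; it cannot confirm that the gateway actually encrypted anything, and a keyword dictionary will miss ePHI that uses none of its words. It also does nothing for the typographical-error rule in the slides: a correctly formed address at the wrong domain passes every automated test, which is why the policy still asks the sender to confirm the address by eye.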

Privacy & Security Safeguards: Policy 3.1.37, Verification of Identity; Policy 3.1.19, Faxing Policy and Form.

For every request for information, ask yourself: Who am I speaking with? Who is requesting the information? What is his/her authority to have the information? Who is the patient? What information is being requested? What is the purpose of the request? Are there any restrictions in place regarding release of this patient's information?

Verify the identity of a requestor who is not known to you: the caller's name, company name and relationship to the patient, and phone number. When in doubt, call the entity back on a phone number you look up for it yourself rather than one the caller supplies, or have them fax a written request on company letterhead.

Verifying the identity of a patient: obtain any 3 of the following from the patient: full name; date of birth; last 4 digits of Social Security number; one additional piece of information such as address, phone number or account number. (Note: have the patient provide the information to you rather than prompting them with it, as in "Do you still live on XYZ Road?")

Patient's Right to PHI. With a few exceptions, patients or their legal representatives have a right to copies of their medical record, including billing records, within 30 days of requesting them. Patients have a right to electronic copies of their records.

Use and Disclosure (Policy 3.1.28). Generally, you may use and disclose PHI for treatment, payment and health care operations (TPO) of our organization WITHOUT patient authorization. Most of your uses (within UAMS) and disclosures (outside UAMS) of PHI for TPO will be for treatment purposes.

Patient Authorization. HIPAA generally requires that a patient sign an Authorization for disclosures (sharing PHI with someone outside of UAMS) made for purposes other than TPO. Use your Authorization checklist to make sure the Authorization is valid: make sure it has not expired and is signed by the patient or the patient's documented legal representative. There are exceptions to this rule, such as when the disclosure is required or permitted by law; an authorization is not required in those cases.

An Example of When an Authorization Is Not Required: Subpoenas for Parties in Litigation. One of the following is required: patient authorization; or a court order; or adequate assurances that the party whose PHI is requested has been given notice of the request with adequate time to object, and that no objection was made.

Sharing Information with Family and Friends Involved in the Patient's Care. You may share information directly relevant to the person's involvement in the patient's care, or in payment related to that care, under the following circumstances. If the patient is present or otherwise available prior to the disclosure, you must: obtain the patient's agreement; or provide the patient an opportunity to object, and they do not; or, using professional judgment, reasonably infer from the circumstances that the patient does not object.

If the patient is not available or is incapacitated: if there appear to be extenuating circumstances, for example the patient is incapacitated and doesn't have a legal representative to act on their behalf, staff should seek assistance from their supervisor or use professional judgment.

Patient's Legal Representative. A person authorized by law to act on behalf of the patient in connection with the patient's health care decisions, such as: a parent of their minor child; a court-appointed guardian of a minor; a person legally acting as the parent in loco parentis; a court-appointed guardian of an elderly or incapacitated person; a person appointed by the patient as their attorney-in-fact in a Durable Power of Attorney with health care rights; a person appointed by the patient in a Health Care Proxy;

Legal Representatives, continued: a court-appointed Administrator, Executor or Personal Representative of the Estate of a deceased patient. A guardianship or a power of attorney (or any other grant of authority by the patient) is no longer effective upon death. No will is effective until probated. For other examples, regarding persons of unsound mind, permanently unconscious or terminally ill, or other incapacitated persons, see section 5, Disclosures to Patient's Legal Representatives, in the Use and Disclosures of PHI Policy 3.1.28 in the Administrative Guide.

Requests by Parents of Minors. A divorced parent who does not have custody of the minor child is still the minor's parent, and is entitled to all PHI concerning their minor child unless the parental rights have been revoked by court order. Check for documentation in our systems that the requestor is the parent.

If Documentation Is Not Available. Explain that information may only be released to the parent or other legal representative. Ask the requestor to provide a copy of the child's birth certificate, which documents their relationship, or other legal documentation, or have the parent or legal representative who is in the record sign an authorization for the release.

UAMS Faxing Policy 3.1.19. Confidential data should be faxed only when mail will not suffice. Faxes containing PHI and other confidential information must have an official UAMS fax cover sheet. Reconfirm the recipient's fax number before transmittal. Confirm receipt of the fax. Notify your supervisor/HIPAA Office immediately if a fax is sent in error.

Printed PHI. When retrieving information from the printer and sending information, check every page to make sure it is the correct patient. Also make sure other patients' information is not included on the page. Don't leave PHI lying around where others can see it. Don't put PHI in the regular trash: shred it or place it in the privacy bins.

Electronic PHI. Minimize your computer screen if someone walks up. Log off or lock your computer before stepping away from it. Encrypt any e-mail containing PHI sent outside the UAMS intranet. All computers, laptops and thumb drives containing PHI must be encrypted.

Why would the HIPAA Office call me? Access to patient records is monitored. If your name is on an audit report and the appropriateness of the access is not readily apparent to the auditors, you or your supervisor will be contacted. This is routine follow-up and is done for physicians, students and staff.

Why would the HIPAA Office call me? Accessing patient records outside the performance of your job is prohibited. This includes your own records and the records of family, friends and acquaintances, and co-workers. Violations of UAMS HIPAA Policies are taken so seriously that your supervisor will be notified and must impose disciplinary action.

Social Networking. Do not post photographs, video or any information about a UAMS patient through an electronic means such as social networking sites, blogs, pinging and tweeting. The only exception is a response to a UAMS patient that gives no further information about the patient. Example of a post that would violate our policy: an employee posts on her Facebook wall, "I talked to a woman today regarding her medicine for that is almost a thousand dollars. I would hate to be her."

UAMS has a HIPAA Team to help you: Vera Chenault, JD, UAMS Privacy Officer & Campus HIPAA Coordinator (603-1379); Anita Westbrook, Medical Center Privacy Officer (501-526-6502); Steve Cochran, Security Officer (501-603-1336); Bill Dobbins, Informatics Manager & Auditor (501-526-7436); Yolanda Hill, HIPAA Auditor and Investigator (501-614-2098); Tanya Mehran, HR and Training Coordinator (501-603-1379), starting 8/1/11; Scott Addison, AHEC Privacy Officer (501-526-0350); Jennifer Sharp, Research Privacy Officer (501-526-7559). The HIPAA Office is available to conduct additional training for your department, attend staff meetings to address specific issues, or conduct question and answer sessions to help clarify the HIPAA rules and UAMS Policies. To schedule an in-service or other training, please contact the HIPAA Training Coordinator at 501-603-1379.