Providing Care WithRespect and Dignity

Through Data Security & Privacy Practices

Springfield ClinicHIPAA Review for Interpreters

9/23/13

Presented by: The Privacy Office

Core Elements of this Review1. Accessing PHI (Protected Health Information) beyond the scope of

your duties is a violation of HIPAA’s “Minimum Necessary” Rule”, which is everyone’s responsibility in every transaction.

2. It also violates Clinic Policy, and can lead to immediate termination of contract.

3. Providers and Business Associates are required by law to report privacy/security incidents or suspected violations. Contact the Privacy Office at ext. 14216.

4. Under HITECH patients have the right to pay cash out-of-pocket at the time of service to keep the insurer from receiving info from the visit (going forward). This is called a “Cash Restriction”.

5. Sending patient information through external email requires the user to type encrypt in the subject line.

6. Sharing Passwords or user ID’s is strictly prohibited.

The OverviewHIPAA is a Federal Law named

“The Health Insurance Portability and Accountability Act”.

HIPAA was enacted in 1996 to standardize electronic health insurance transactions. Its primary purpose was to reduce the gap in health insurance coverage occurring with change of employment.

HIPAA Omnibus – the Final Rule is effective 9/23/13

Business Associates now have all the responsibilities of a Covered Entity and must also require the same protections of any subcontractors.

Health Insurance Portability & Accountability Act

HIPAA Privacy Rule focuses on the Uses and Disclosures of patient identifiable health and billing information. It structured the insurance industry’s electronic data exchange. Gave patients 6 new civil rights. Requires designation of a Privacy and Security Officer, delivery of a Notice of Privacy Practices before the first service, contractual agreements for privacy between Organizations, and internal reporting with mitigation of violations.

HIPAA Security Rule focuses on theConfidentiality, Integrity, and Availabilityof patient-identifiable electronic health and billing information. Requires that reasonable and appropriate measures be taken. It is technology neutral and includes scalability of numerous requirements. There are Organizational requirements, and safeguards include administrative, physical and technical safeguards.

HITECH expands penalties, requirements, and enforcement capacity. Expands the definition and responsibilities of a Business Associate (BA) to the same level as CE (Covered Entity). Requires HHS proactive auditing of CE’s. Adds patient right to Cash Restrictions. Requires patient notification within 60 days of PHI breach with potential harm. Requires that any breach over 500 patients is reported to HHS, media outlets, and patients. It also provides Meaningful Use incentives for Providers to use electronic records.

OMNIBUS The “Final Rule” expands requirements for BA’s and their subcontractors, increases penalties, expands HHS auditnumbers, and audit scope where evidence of willful negligenceis found. Huge increases in fines. It requires the CE to audit compliance of its Business Associates. BA’s are directly liable for their breaches. It changes the definition of Business Associate and “breach notification”. Lack of BAA does not prevent this designation. State Attorneys General are given “private right to action” to prosecute on a patient’s behalf (the state gets a percentage). Genetic information is now PHI. Decedent info is no longer PHI 50 years after death. Documented Risk Analysis is now required for incidents not reported to HHS due to low probability that PHI was “compromised”. Patients can ask for records in electronic format and must accommodate if reasonable. Entities that create, receive, maintain or transmit ePHI for CE’s are now BA’s. BA’s must provide an accounting of disclosures if requested.Business associates will be subject to audits, compliance reviews, and enforcement actions by HHS.

It’s been updated several times!

Fines/Violations

Degree of Culpability/ “State of Mind”

Potential Penalty Per Violation

Maximum Annual Cap for All Violations of Identical HIPAA Provision

Violation was not known and could not have been discovered with reasonable diligence

$100 - $50,000 $1,500,000

Reasonable cause for violation, not due to willful neglect

$1000 - $50,000 $1,500,000

Violation due to willful neglect, but corrected in 30 days

$10,000 - $50,000 $1,500,000

Violation due to willful neglect, not corrected in 30 days

$50,000 $1,500,000

•Violations are counted up “based on the nature of the … obligation to act or not to act.” New factors - # of persons affected by the violation, potential harm to those persons’ reputations and finances.•Generally, monetary penalties will be tallied on a per person and per day basis. A violation should be corrected promptly within 30 days. Delaying beyond the timeframe will foreclose certain defenses that could decrease monetary penalty amounts.•The maximum annual cap of $1.5 million is applied on a “per provision” basis.•Monetary penalty system is as follows:

Who Is A HIPAA Covered Entity?

• A Covered Entity (CE) is someone with a direct (face-to-face) patient care relationship. No authorization is required for PHI release for purposes of treatment, payment and CE operations.

• Everyone at Springfield Clinic is

considered part of the same covered entity. Internally releasing patient information without patient consent is allowed.

Who Is A Covered Entity Outside the Clinic?

• Any Provider with either a face-to-face patient relationship or who processes transactions using electronic patient information

• Any Health Care Plan paying for patient services• Any Clearinghouse providing healthcare billing

services• Interpreters; Dentists; NP’s, PA’s, Counselors,

Therapists• Medical Benefits Coordinator for ANY residential

facility including:– Prisons– Law enforcement officials holding prisoner in custody– Residential, Group & Nursing homes

• Pharmacists• School Nurses (only when evaluating students or

administering medications)

What Is Protected Health Information (PHI)?

Any patient identifiable information contained within an electronic media and its offspring.

This includes all subsequent release of medical records, demographics, or billing information, whether released orally, through electronic transmission, copies, or fax.

De-identifying PHI is the only legal way to transmit in an unsecured transmission. Consult with I.T. before using ePHI on personal devices. To de-identify information, call the ROI Services Manager in HIM Correspondence.

HIPAA Protects Patient-identifiable Health and/or Billing Information, So What

Constitutes Identifiers?1. Name

2. Street address

3. SSN

4. DOB

5. All dates (admit/discharge, DOS, date of death)

6. First 3 digits of zip only (if population > 20,000)

7. any geographic divisions smaller than state

8. age (if 90 or more, report age as “90+”)

9. Telephone, cell, or other personal number

10. Fax Number

11. URL and IP addresses (e-mail/internet)

12. VIN and serial numbers (vehicle)

13. Full face photos

14. Tattoos and any unique physical anomalies

15. Medical Record Number

16. Account Number

17. Insurance plan numbers

18. Device identifiers and serial numbers

19. Biometrics including fingerprint, voice, iris

20. Certificate/License Numbers

De-identifying PHI is considered a “safe harbor” for transport or storage.However there must be a procedure in place, to de-identify and re-identifyaccurately. Encryption is more commonly used.

HIPAA Rule: Provide Minimum Necessary Information Per

Business Transaction

• It is the individual’s responsibility to provide no more than the “minimum necessary” patient information to satisfy a request or to complete a transaction.

• The only exception to minimum necessary is releasing health and/or billing information to another Provider.

Patient Rights Under HIPAA

• If we accept terms or conditions requested by the patient they must be accepted Clinic-wide.

• Please contact the Privacy Office when patients assert the civil rights reviewed on the following slides.

The Right To Review their Health and/or Billing Information

• Patients may ask to sit with us and review their medical and billing records, which is a Health Information Review.– (Call the Privacy Office Staff)

• They may ask for paper or electronic copies in any preferred format and we generally must provide this (Behavioral Health Records may be an exception – Provider’s choice). – (Call Health Information Mgmt. - Correspondence)

The Right To Request Amendment of Their Health Or Billing

Information • When the patient disagrees with statements in the

record, it is their right to ask the author to change the item.– (Refer them to the Privacy Office)

• The provider may refuse the amendment if he/she feels that the content is “complete and accurate” as it is, or if the information came from another source (transferred record).

• The Privacy Office assists the patient in adding a rebuttal letter to the disputed content if amendment is denied.

The Right To Request Confidential Communications

• When a patient asks us to change our normal method of communicating with him or her.

• HIPAA states that where we can we should. Remember that this type of request applies to all Clinic computer systems and offices. Let the Privacy Office handle it.

The Right To Request Privacy Restrictions

When a patient asks us to change the way we internally flow their PHI through our transaction processes.

– (It is critical to call the Privacy Office)– Examples:

• Don’t give my records to the worker’s Comp Carrier

• Don’t let the receptionist ay my doctor’s office see my information (she’s my ex sister-in-law)

• Don’t send information to my other doctors

The Right To An Accounting Of

Disclosures• When a patient asks “Where have you sent my

information without my authorization”?– (Call the Privacy Office)

• We must supply a listing of 6 years of past transactions.

• With an EHR, we must include all electronic transactions as of 1/1/14.

The Right to a Paper Copy of the Notice of Privacy Practices

• HIPAA requires that patients receive the Notice of Privacy Practices (NPP) before their first service with a covered entity.

• The purpose is to:– Assist the patient in choosing a provider based on our uses and

disclosures of their PHI– Inform them of their privacy rights under the law– Provide a contact to complain to when they feel their rights have

been violated. • If anyone asks for a privacy notice, please take them to

the nearest reception desk for an NPP (Notice of Privacy Practices) booklet.

Purpose Of The NPP

• Intent of a public notice• To help patients choose between

covered entities• To explain rights given to

individuals• To inform a patient where to

complain if rights are violated

NPP Booklet Variations

• If requested, we should try to make accommodations for our special needs patients.

• Braille copies are available from Operations Managers.

• Large Print and Spanish are on our internet site

• www.springfieldclinic.com

The Right to Receive Their PHI Electronically in Their Preferred Format

• Patients now have the right to ask for their PHI in their preferred electronic format. We must accommodate if reasonable to produce.

• We must provide a reason why if we decline and ask for another preference.

The Right to Request a HITECH Cash Restriction

• Any patient may request that today’s services not be submitted to insurance, and if he/she meets conditions, we must allow it.

• In order to allow this cash restriction, the patient must request it before the visit is completed, and pay up front total charges for today.

• When those conditions are met, we must never release this information to the insurer (even in the future).

HIPAA Says: No Snooping!Five medical workers have been fired over patient data breaches at Cedars-Sinai Medical Center. The audit was triggered by Kim Kardashian’s delivery of daughter North West on June 15, 2013. Kim’s family suspected a leak of information at Cedars-Sinai after media reports included undisclosed details of the stay.

Four of the workers logged onto the hospital’s information system to access patient records, as employees of local physicians with staff privileges at the hospital. The others included a Medical Assistant, a Foundation employee, and a volunteer student research assistant.

After “Octomom’ was discharged, Kaiser Permanente fired 15 employees and disciplined 8 more for inappropriate access.

After Fashion Designer Gianni Versace passed away, 5 employees were fired for inappropriate access.

UCLA paid $865,500 for breach of celebrity privacy. The audit was 2005-2009 where breaches had been reported on dozens of celebrities, including Britney Spears, Farrah Fawcett, and Maria Shriver.

• Extra sensitivity for well-known patients is required. Access audits are likely on VIP’s, such as celebrities, politicians, or recent news stories.

• Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.

• Clinic Policy states that all health and health-related services and programs provided by the Clinic are available and accessible equally to patients who are hearing impaired, and to those with limited English proficiency (“LEP”).

• Interpreters shall receive payment for services performed only upon submitting a Clinic form invoice, which is verified or endorsed by a Clinic Manager.

Interpreter Services

Interpreters• Telecommunications manages our

interpreter contracts, and interpreters are available for multiple languages.

• As Business Associates, interpreters are entitled to access minimum necessary PHI relating to the visit, for their services or payment.

• Interpreters should contact the ROI Services Manager in Health Information Management at extension 43742 to request chart copies.

May I discuss treatment information with a visitor present in the exam

room?• The patient has implied consent to discuss

treatment-related information by allowing them in the treatment room.

• Include the visitor by name and relationship in your notes.

• FYI, The Provider’s best practice is always to ask any visitor to step out at some point and ask the patient if there is anything they wish to discuss privately at this time. Also inquire as to social history and any potential abuse issues.

Good to Know!• A visitor brought to the exam room is

only allowed to be privy to the discussion during the exam. For an adult patient, even a parent’s presence does not provide access to any additional information later, regarding that visit (or any other encounter) without a signed patient authorization.

Authorized Patient Representatives

May I release information to a patient’s healthcare power of attorney?– Watch this! Typically a POA for healthcare may

only access a patient’s information after the patient is deemed incapacitated. However, some forms state they are effective on the date signed.

– You must read the form to see if it is activated.– This is different from a non-healthcare POA.– Protect yourself and do not act on a POA unless

the document is in patient’s record!

Business Associate• A Business Associate is defined as a

business or person who is hired to assist with daily operations, and whose job requires them to have access to PHI.

• HIPAA requires written contracts with legally specific language which requires that BA to handle all PHI according to HIPAA rules even when subcontracting.

Is It Okay to E-mail Patient Information

to Another Provider?• Where it is necessary to email, your

email must be encrypted. • If email with PHI is received from

Springfield Clinic, the subject line must contain the word encrypt.

• You may respond to an encrypted email safely.

HIPAA & Your Role• As a Business Associate of the Clinic, we

would appreciate knowing anytime we are not delivering “best practice” services to our patients.

• Please notify the Privacy Operations Manager at ext. 14216.

• We will appreciate your feedback .

How Can I Reach the Privacy Office? The phone directory lists us under Privacy Office.

• Information Privacy Officer– Linda Meadows ext. 14540

• Privacy Operations Manager – Nancy Cardinale-Lower ext. 14216

• Privacy Operations Analysts: – Dawn Kane ext. 14245– Farrah Reagon ext. 14217– Danielle Dellaquila ext. 14278

• Privacy Support Specialist– Safron Squires ext. 14198

Thank Youfor completing this review!

Helping to educate our Interpreters about privacy and security rules is part of the Clinic’s ongoing mission to provide the highest quality of healthcare to the people of Central Illinois!