HIPAA/HITECH Training: Clinical Non-Patient Care Areas
Prepared for HCA Corporate and North Texas Division Executive Leadership
April 4, 2017
Objectives
Participants will be able to:
– Describe an overview of HIPAA and HITECH privacy key definitions and principles
– Describe how HIPAA and HITECH affect job duties
– List tips and guidance for applying privacy requirements

HIPAA Terminology
– BAA: Business Associate Agreement
– HIPAA: Health Insurance Portability and Accountability Act
– HITECH: Health Information Technology for Economic and Clinical Health Act
– PHI: Protected Health Information
– CE: Covered Entity (hospital, physician practice, surgery center)
– ACE: Affiliated Covered Entity (common ownership)
– OHCA: Organized Health Care Arrangement (the hospital and medical staff will be considered an Organized Health Care Arrangement)
– DRS: Designated Record Set (medical record and billing record)
– AOD: Accounting of Disclosures (patient’s right to receive)
– Directory: Hospital census list used by volunteers and operators, with name and room
Hospitals are required by law to maintain the privacy of patients’ health information. It is everyone's responsibility to ensure patient information is properly protected and safeguarded!

Facility Privacy Official (FPO)
What is a FPO? The FPO is the “go-to” person for any:
– Potential patient privacy issues
– Questions on patient privacy matters
– Patient privacy questions and complaints
The FPO oversees and facilitates the privacy program, including all training and compliance.
FPO for OU Medicine is Amber Simpson.

HIPAA Definition & Purpose
What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. It is a mandatory federal law.
What is the purpose of the law?
– Protect health insurance coverage, improve access to healthcare
– Reduce fraud, abuse and administrative health care costs
– Improve quality of healthcare in general
How does HIPAA affect you?
– Coversheets with a confidential statement need to be used on all faxes
– Screens will need to be placed out of public view and screensavers in use
– Patients will identify who their information can be discussed with, including family
– All PHI (e.g., dietary slips) will need to be placed in shred containers (e.g., Shred-It bins) when disposed of
– Patient information must only be accessed if there is a need to know, and only the minimum necessary may be used

What is Protected by HIPAA?
PHI is the information pertaining to healthcare that contains any of these identifiers. People often believe that if the patient's name is removed then the information is not PHI. That is not true. There are many types of patient identifying information:
– Name
– Address, including street, county, zip code and equivalent geocodes
– Name of relatives
– Name of employers
– All elements of dates except year (DOB, admission/discharge, expiration, etc.)
– Telephone numbers
– Fax numbers
– Email addresses
– Social Security number
– Medical Record number
– Health plan beneficiary number
– Account number
– Certificate/license number
– Any other unique identifying number, characteristic or code
– Web universal resource locator (URL)
– Internet protocol address (IP)
– Finger or voice prints
– Photographic images
– Any vehicle or other device serial number
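The identifier list above is the practical test for whether a document still counts as PHI after the name is removed. The following Python is an added example, not material from the training deck or from HCA/OU Medicine: a small scanner that flags and redacts a subset of those identifier categories (SSN, phone/fax, email, IP address, URL, full dates, and a medical record number) in free text. The regular expressions and the sample dietary-slip note are constructed for illustration; the "MRN" number format in particular is hypothetical, since real record-number formats vary by facility, and a production DLP tool would use validated detectors and context rather than regex alone.

```python
import re
from typing import Dict, List

# Constructed heuristic patterns for some of the identifier categories on the slide.
# These are illustrative, not an exhaustive or validated PHI detector.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"(?:\(\d{3}\)|\b\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Web URL": re.compile(r"\bhttps?://\S+\b"),
    "Internet protocol address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Any date element more specific than the year (MM/DD/YYYY or YYYY-MM-DD).
    "Date (more specific than year)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"
    ),
    # Hypothetical MRN format: the letters MRN followed by 6-10 digits.
    "Medical record number": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Constructed sample text resembling a discarded dietary slip; no real patient data.
SAMPLE_NOTE = """\
Dietary slip: pt MRN 00123456, DOB 03/14/1962, discharged 2017-04-04.
Call daughter at (405) 555-0100 or jane.doe@example.com; SSN on file 123-45-6789.
Portal http://portal.example.org/visit/8841 accessed from 10.0.0.25.
"""


def scan_for_identifiers(text: str) -> Dict[str, List[str]]:
    """Return a mapping of identifier category -> list of matched strings.

    Only categories with at least one hit are included, so an empty dict means
    none of the modelled identifier types were found.
    """
    findings: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    return findings


def redact(text: str) -> str:
    """Replace every matched identifier with a bracketed category label."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category}]", text)
    return text


def is_phi_free(text: str) -> bool:
    """True when the scanner finds none of the modelled identifier types."""
    return not scan_for_identifiers(text)


if __name__ == "__main__":
    for category, hits in scan_for_identifiers(SAMPLE_NOTE).items():
        print(f"{category}: {hits}")
    print()
    print(redact(SAMPLE_NOTE))
```

Running the block prints the categories found in the constructed note and then the redacted text. Note that a "clean" result from this scanner only says that none of the modelled patterns matched; names, addresses and free-text descriptions on the slide's list are not covered by it, which is exactly why the slide warns that removing the name alone does not de-identify a record.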
HITECH Definition & Purpose
What is HITECH? The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law by the President on February 17, 2009. It is part of the American Recovery and Reinvestment Act (ARRA) of 2009. It is a federal law. The HITECH Act strengthens the patient privacy protections of HIPAA and places additional requirements on the healthcare community.
What is the purpose of the law?
– Makes massive changes to existing privacy and security laws
– Applies to covered entities and business associates
– Increases penalties for privacy and security violations
– Creates a nationwide electronic health record

Key HITECH Changes
While there are many changes as a result of HITECH, some of the more substantial changes include:
– Breach Notification
– Restrictions
– Penalties
– OCR Privacy Audits
– Criminal provisions
– Copy charges for providing copies from EHR
– Accounting of Disclosure for treatment and health care operations in an electronic health record (EHR) environment
– Sharing of civil monetary penalties with harmed individuals
– Business Associate Agreements
– Private cause of action
– Right to Access
– HIPAA preemption applies to new provisions
Let’s look at some of the details of these changes.

Breach Notification
A breach is any impermissible acquisition, access, use, or disclosure of unsecured protected health information which compromises the security or privacy of such information. HITECH provisions require the following notifications when breaches (as defined in PHI.006) occur:
– To the patient
– To the Department of Health and Human Services
– To the media when the breach involves more than 500 individuals in the same state or jurisdiction
Civil Monetary Penalties for Non-Compliance (as of 9/06/2016)

Criminal Penalties for Non-Compliance
Health plans, providers, employees, clearinghouses and business associates that knowingly and improperly disclose information, or obtain information under false pretenses, can be assessed penalties. These penalties can also apply to any “person”:
– Up to $50,000 and one year in prison for obtaining or disclosing protected health information (PHI)
– Up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
– Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Penalties are higher for actions designed to generate monetary gain.
Notice of Privacy Practices (NOPP)
Patients will receive the NOPP upon each registration. The NOPP outlines patient rights:
– Breach Notification
– Right to Access
– Right to Amend
– Fundraising and the Right to Opt Out
– Confidential Communication
– Right to Privacy Restriction
– Right to Opt Out of Directory

Confidential Communications
– Patients have the right to request the use of an alternate address or alternate phone number for future contact
– If there is a failure to respond by the patient, then we may revert to the permanent address or phone number

Right to Privacy Restrictions
– Patients have the right to request a privacy restriction of their PHI
– NEVER agree to a restriction that a patient may request
– All requests must be made in writing and given to the FPO to make a decision on
– NO request is so small that it should not be routed to the FPO

Patient Privacy Complaints
– The FPO must maintain a complaint log in accordance with the complaint process, PHI.022
– ALL privacy complaints must be routed to the FPO
– There may be no retaliation due to a complaint being made
– Disposition of a complaint must be consistent with PHI.023, Sanctions for Privacy and Security Violations policy
– RL Solutions is the module used for complaint tracking
Examples of Exposure
– Sharing of passwords
– Inappropriate control or use of patient lists with PHI
– Lack of knowledge regarding permitted uses of patient information
– Using business agents without contracts and appropriate Business Associate Agreements
– Discussing patient information on social networking sites (e.g., Facebook, Twitter)

Examples of Exposure (Cont.)
– Sharing PHI without an authorization when one is required
– Failure to act proactively to prevent, detect, or correct privacy or security breaches
– PHI in the trash can
– Discussing PHI with someone who does not have a need to know

Sanctions
There is a sanctions policy to address privacy and information security violations. Types of violations can include:
– Negligent (accidental or inadvertent)
– Intentional (purposeful)
For specific information on the sanctions policy, contact the FPO and/or review the facility’s policy.
For more information review PHI.023, Sanctions for Privacy & Information Security Violations.

Patient Privacy Policies and Forms on the Intranet

Test Your Knowledge
– Do you know who your FPO is?
– What kinds of privacy rights does the patient have?
– Can a patient amend their record?
– Do you know who to refer patient privacy questions or complaints to?
– What is an Accounting of Disclosures?
– When can you access, use or disclose the patient’s PHI?
– Where do you dispose of patient information?
OUM Privacy Policies
– PHI.001 - Mitigating Inappropriate or Unauthorized Access, Use and/or Disclosure of Protected Health Information
– PHI.002 - Protecting and Mitigating Inappropriate or Unauthorized Access, Use and/or Disclosure of Personally-Identifiable Information
– PHI.003 - Patients’ Right to Amend
– PHI.004 - Patients’ Right to Request Privacy Restrictions
– PHI.005 - Accounting of Disclosures
– PHI.006 - Protected Health Information Breach Risk Assessment and Notification
– PHI.007 - Notice of Privacy Practices
– PHI.008 - Safeguarding Protected Health Information
– PHI.009 - Minimum Necessary
– PHI.010 - Patients’ Right to Request Confidential Communications
– PHI.011 - Patient Privacy Program Requirements

OUM Privacy Policies (Cont.)
– PHI.012 - Privacy Official
– PHI.013 - Fundraising Under the HIPAA Privacy Standards/HITECH
– PHI.014 - Community Clergy Access to Patient Listings under the HIPAA Privacy Standards
– PHI.015 - Designated Record Set
– PHI.016 - Determination of Uses & Disclosures of De-Identified Info
– PHI.017 - Authorization for Uses & Disclosures of PHI
– PHI.018 - Hybrid Entity
– PHI.019 - Limited Data Set & Data Use Agreement
– PHI.020 - Marketing Under the HIPAA Privacy Standards
– PHI.021 - Patient's Right to Opt Out of Being Listed in Facility Directory
– PHI.022 - Privacy Complaint Process

OUM Privacy Policies (Cont.)
– PHI.023 - Sanctions for Privacy & Info Security Violations
– PHI.024 - Uses & Disclosures for which an Authorization or Opportunity to Agree or Object is not Required
– PHI.025 - Uses & Disclosures of Protected Health Info to Other Covered Entities & Health Care Providers Under the HIPAA Privacy Standards
– PHI.026 - Uses & Disclosures of PHI for Involvement in Patient's Care & Notification Purposes
– PHI.027 - Uses and Disclosures Required by Law
– PHI.028 - Uses Verification of External Requestors
– PHI.029 - Electronic Incident Response
– PHI.030 - Confidential Patient Status
– PHI.031 - Photographing, Video Monitoring/Recording, Audio Monitoring/Recording, and/or Other Imaging Policy
– PHI.032 - Patients' Right to Access

Thank you for your attention and for protecting our patients’ PHI. Every patient, every time!