Course Objectives  After competing this course, you

Course Objectives After competing this course, you should understand: Privacy and security of sensitive information is your responsibility; How you can recognize situations where sensitive information may be handled improperly; How you can protect patient and confidential information in common workplace situations; That you will be held responsible for improperly handling sensitive information; and Who to notify if you have questions about the privacy and security of sensitive information. Annual Privacy & Security 2011

Menu Overview: Privacy, Security, and your Job. A, B, and Cs of Privacy and Security in 2011: Awareness of your responsibilities and patient rights. Breaches of patient information. Common questions. Annual Privacy & Security 2011

Overview: Privacy, Security, and Your Job The Ohio State University Medical Center Expects Everyone to: Protect a patient’s information; Protect other restricted information such as employee information; and Follow the University’s privacy and security policies. Remember . . . You may only access information that is needed to do perform you job duties! Failure to do so will result in corrective action up to and including termination. Annual Privacy & Security 2011

A’s, B’s, and C’s of Privacy & Security in 2010 Awareness of patient rights and your responsibilities Breach of Protected Health Information Common Questions Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Identity Theft Under the Identity Theft Red Flag Rules, the Ohio State University Medical Center must prevent, detect, and reduce the harmful effects of identity theft An Identity Theft Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Identity theft occurs when someone uses another person’s identifying information without permission. Examples of identifying information include: name; Social Security number; medical insurance number; credit card number; or OSUMC badge with payroll deduct. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Examples of Identity Theft Red Flags: Records showing medical treatment that is inconsistent with a physical examination; Identification appears altered or forged; Complaints or questions from a patient about information added to a credit report; Patient receives: – a bill for another patient; – a bill for a product or service the patient did not receive; – a notice of insurance benefits (or Explanation of Benefits) for health care services never received; or – a collection notice from a collection agency for services the patient never received. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Identity Theft: Your Responsibilities Prevent identity theft by keeping patient information safe; Detect identity theft by being aware of suspicious activities; and Report identity theft as soon as you suspect it. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities You have access to the electronic medical record. You search by the patient’s name and date of birth to try to find the patient. Two patients return with the same social security number, but with different dates of birth. What should you do? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Two patients with the same Social Security number is an Identity Theft Red Flag. Action: Notify your manager who will complete an initial investigation; If your manager is unavailable, then notify the Privacy Office: OSU Physicians, Inc. (OSUP): 784-7806; OSU Health System (OSUHS) & College of Medicine (COM): 293-4477. File an anonymous complaint via the EthicsPoint Reporting System OSUP: 1-800-559-5217; https://secure.ethicspoint.com/domain/en/report custom.asp?clientid 14670 OSUHS & COM: 1-866-294-9350. https://secure.ethicspoint.com/domain/en/report custom.asp?clientid 7689 The Identity Theft Red Flag Rules Response Team will investigate. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Your colleague has access to patient and staff social security numbers. Recently, you notice that your colleague is placing stacks of papers in envelopes and sending them out in the mail or takes the information home. This is not something your colleague needs to do as part of her job duties. What should you do? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Your colleague’s behavior is an Identity Theft Red Flag. Worst case scenario—your colleague may be stealing patient information and selling it for misuse by identity thieves. This type of theft has occurred at other hospitals. Action: Notify your manager who will complete an initial investigation; If your manager is unavailable, then notify the Privacy Office: OSUP: 784-7806; OSUHS & COM: 293-4477. File an anonymous complaint via the EthicsPoint Reporting System OSUP: 1-800-559-5217; https://secure.ethicspoint.com/domain/en/report custom.asp? clientid 14670 OSUHS & COM: 1-866-294-9350. https://secure.ethicspoint.com/domain/en/report custom.asp? clientid 7689 The Identity Theft Red Flag Rules Response Team will investigate. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities If it is found that you have been misusing data or inappropriately accessing systems, then you will face corrective action up to and including termination. Misuse of patient information may subject you and OSUMC to civil or even criminal penalties. These penalties may include fines and possible jail time. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act, a federal law that: Requires health care organizations like OSUMC to: – follow certain rules when we use and release patient information; – keep patient information private, confidential, safe, and accurate. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities HIPAA Privacy We must protect an individual’s Protected Health Information that is created, kept, filed, used or shared and is: Written Spoken Electronic Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities HIPAA & Patients Rights: The right to look at and get a copy of their own medical and billing records. The right to ask for an amendment to these records. The right to ask for limits on how we use their information. The right to a paper copy of the notice of privacy practices. The right to an accounting of disclosures, and more. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Examples of Protected Health Information (PHI): A patient’s name, address, birth date, age, phone and fax numbers, e-mail address; Medical record numbers; Medical records, diagnosis, x-rays, photos, prescriptions, lab work and test results; Billing records, claim data, referral authorizations and explanation of benefits; Certain research records. Click here for a list of 18 key PHI identifiers Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Releasing Protected Health Information Requires Patient Authorization Exceptions: Authorized staff may disclose information to fulfill public health reporting requirements to governmental agencies as required by state, federal or local law; For law enforcement requests, subpoenas, court orders or for purposes other than listed here: OSUHS & COM: Medical Information Management and/or Legal Services must approve the release of information. OSUP: The Privacy Officer must approve the release of information. A Waiver of HIPAA Authorization has been obtained for research purposes. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities You are watching the football game and see that Famous Football Player has been injured. You think that he is being treated at OSUMC, but are not sure. You are not involved in Famous Football Player’s care. You have access to patient information. You log into the Integrated Healthcare Information System (IHIS) just to check if Famous Football Player has been admitted to OSUMC for treatment. What’s wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities You must only access patient information as needed to perform your job duties. Failure to do so will result in corrective action up to and including termination. In this scenario, you did not need to know whether Famous Football Player was admitted to the hospital. Looking up this information is a violation of hospital policy and may be a violation of state and federal laws. Access to patient information is monitored and you are responsible for all that occurs under your log-in and password. Action: Should you have questions about whether access to patient information is appropriate, ask your supervisor and/or contact the Privacy Office: OSUP: 784-7806; OSUHS & COM: 293-4477. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities If it is found that you have been misusing data or inappropriately accessing systems, then you may face corrective action up to and including termination. In an investigation into HIPAA violations, both OSUMC and you may be subject to civil or even criminal penalties. These penalties may include fines and possible time in jail. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Resident Rita prints a rounds report and leaves it in the pocket of her white coat. At the end of the day while leaving the hospital the list falls out of her pocket onto the sidewalk. What’s wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Do not remove PHI on paper from OSUMC premises. In this scenario, Rita inappropriately took PHI from the hospital. Exposing the information to risks of loss or theft. PHI on paper is easily lost or stolen and you are responsible for ensuring that it remains secure and properly disposing of the information when it is no longer needed. Action: Should you have questions about PHI on paper and how to properly secure it or dispose of it, ask your supervisor and/or contact the Privacy Office: OSUP: 784-7806; OSUHS & COM: 293-4477. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities The clinic has a fax machine and printer that are located in a patient waiting area. These machines are often unattended and receive faxes and print jobs containing PHI throughout the day and night. What’s wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Fax machines and printers that receive PHI must be kept in a secure area. PHI sent to fax machines or printers must be removed promptly. In this scenario, the clinic has the fax/printer located in an unsecure location. Faxes and printers must be attended by OSUMC staff at all times or behind locked doors and only accessible by authorized staff. Faxes and print jobs containing PHI must be removed from the fax or printer promptly. Action: Should you have questions about faxing or printing PHI and how to properly secure it, ask your supervisor and/or contact the Privacy Office: OSUP: 784-7806; OSUHS & COM: 293-4477. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities If it is found that you have been misusing data or inappropriately accessing systems, then you may face corrective action up to and including termination. In an investigation into HIPAA violations, both OSUMC and you may be subject to civil or even criminal penalties. These penalties may include fines and possible time in jail. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities As part of Andrew’s job, he prints out information that includes patient addresses and zip codes. He thinks that he should place these documents in the shredder bin, but whenever he goes to the shredder bin it is either full or unlocked, so he doesn’t bother. Andrew decides that because there is no patient name on the papers, that it is okay to throw the papers in the regular trash. What’s wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Patient addresses, zip codes, and medical record numbers are Protected Health Information. Action: Place paper with Protected Health Information and any sensitive information in a shredding container; and If the shredding container in your area is full or unlocked, notify: OSUHS: Environmental Services 293-8645/293-4230; OSUP: Shred-It 231-7470. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities - PASSWORDS HIPAA Security Passwords: A password, along with your MedCenter Logon ID, is the “key” that protects your identity within information systems; You protect your passwords in the same way that you would protect the key to your home or automobile; Keep your password a secret: OSUMC IT will NOT request your password via e-mail; You should not share your passwords with anyone, including coworkers, administrative staff, IT staff, physicians, manager/supervisors or strangers; Password sharing is a violation of OSUMC policy. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Passwords (cont.) You can reset your own MedCenter Logon ID Password using the Password Change Portal on OneSource (OneSource MyWorkplace Pasword Portal); For assistance with password related issues or if you feel your password has been stolen or compromised call the OSUMC Help Desk at 3-3861. You are responsible for all activity that occurs under your log-in and password. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities You receive an e-mail from IT Support stating that OSUMC is performing system maintenance and telling you that you need to provide your: Name; UserID; Password; and Phone Number. What should you do? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities STOP! This is a Phishing attempt. Phishing is where people send an email to a user falsely claiming to be a legitimate requestor. Phishing tries to scam a user into surrendering private information that can be used to attack OSMC’s electronic systems. OSUMC IT will NOT request your password via email. Action: Delete the email; and Call the Help Desk at 293-3861 to report the email. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities You are working with a new staff member that doesn’t currently have access to log into the computer. You need the staff members assistance so, you log into IHIS and allow the staff member to use your account to access PHI. What wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Do not share your passwords with anyone, including co-workers, administrative staff, IT staff or strangers; Password sharing is a violation of OSUMC policy. Violations of OSUMC policy may result in corrective action up to and including termination In this scenario, both staff members violated OSUMC policy. You are responsible for all activity that occurs under your log-in and password. Action: Should you have questions about computer access to PHI ask your supervisor and/or contact the OSUMC IT Helpdesk: 293-3861. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Work Stations; Computers are business tools you may use to access OSUMC electronic resources required to perform your job; Computers should be used for business purposes only and not for personal gain or inappropriate activities; Physical security of computers is vital to protecting sensitive information. Where appropriate, computers should be locked to a stationary piece of furniture; Position the computer monitor so that sensitive information displayed on the screen is not visible to an unauthorized observer. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Unsupported Devices: Devices that are not registered and supported by a LAN manager or OSUMC IT cannot be attached to the OSUMC network as they create vulnerabilities that may lead to virus outbreaks, information exposure and network performance issues; If you have a device that you would like to attach to the OSUMC network, then please contact your LAN manager or OSUMC Help Desk at 3-3861. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Researcher Ron is recruited to the Medical Center. Researcher Ron hires a research assistant that has some computer skills and asks that she set up and maintain some non-medical center owned computer equipment that is needed for his study. What wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Devices that are not registered and supported by a LAN manager or OSUMC IT cannot be attached to the OSUMC network. In this scenario, Researcher Ron’s assistant is not a LAN manager and is not part of OSUMC IT and therefore is not authorized to maintain and support equipment attached to the OSUMC network. Computer equipment that is not properly maintained may lead to virus outbreaks, information exposure and network performance issues. Action: Should you have questions about attaching computers to the OSUMC network or accessing OSUMC applications using non-OSUMC issued devices ask your supervisor and/or contact the OSUMC IT Helpdesk: 2933861. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Software: Only software that is appropriately licensed and approved by a LAN manager or OSUMC IT should be installed on devices that are connected to the OSUMC network; Do not install any unlicensed software on any computing device that uses the OSUMC network; Do not download, install or run peer-to-peer file sharing applications on devices connected to the OSUMC network; Peer-to-peer file sharing applications (e.g., Kazaa, Morpheus, Napster, Limewire, etc.) are often used to spread malicious software. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Malicious Software: Are programs that covertly enter information systems with the intent of compromising the confidentiality, integrity and availability of data, applications or operating systems (other names are viruses, works, trojans and spyware); Can lead to identity theft and the exposure of sensitive information; Is often spread as e-mail attachments. (If an attachment looks suspicious, then don't open it and delete it!); Can be spread through Social Networking Sites such as FaceBook and MySpace; Use caution when viewing files from friends. Ask the friend if they sent the message before clicking links that install software such as “Viewers” for video content. TIP: Antivirus software is available free to OSUMC employees. Visit OSUMC IT Information Security Home Page or OSU Office of Information Technology for more details. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities What is Encryption? Encryption is defined as putting data into a secret code so it is unreadable except by authorized users; and Encryption uses keys to scramble and unscramble data. Per OSU and OSUMC policy all PHI must be encrypted when stored on portable devices such as laptop computers, smart phones and flash drives. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Encryption and Remote Access: When working remotely, encryption and wireless security should be considered; Information sent via unencrypted wireless networks can be intercepted by unintended recipients. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Encryption and eMail: You should only use the email system associated with your osumc.edu account to conduct OSUMC related business; Do not use Web based email accounts such as Yahoo!, Gmail, AOL and MSN to conduct OSUMC business; Never send unencrypted sensitive information such as Protected Health Information, social security numbers, and credit card information through email. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities It’s the Holiday season and you receive a message in your Social Networking account to view a funny video from a friend. When you click on the link in the message you are prompted to install a viewer before you can watch the video. What’s should you do? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Stop! Do not install the viewer because it may introduce a virus or malicious code into the OSUMC computer network and compromise sensitive information. Delete the email. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities OSUMC Encryption Tools: If you need to use FTP (File Transfer Protocol) electronic Protected Health Information to perform your job, use secure FTP (SFTP or another secure method such as typing [SECURE MAIL] in the subject line of emails; Messages sent and received through the OSUMC approved email system are scanned for malicious code and for restricted data to protect our patients and OSUMC’s reputation; For more information on encryption, please contact your LAN manager or the OSUMC Help Desk at 3-3861 or the OSUP Help Desk at 784-7812. To send a message securely to a non OSUMC e-mail address, add [SECURE MAIL] to the subject line of you message Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Doctor Jones uses her personal flash drive to store information about her patients. The drive is not encrypted. One day during her rounds she mistakenly leaves the flash drive on a nursing unit and is unable to find it when she returns. What wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Per OSU and OSUMC policy all PHI must be encrypted when stored on portable devices such as laptop computers, smart phones and flash drives. In this scenario, Dr. Jones was using an unsecured flash drive to store PHI. Portable equipment is easily lost or stolen and must be encrypted in order to protect OSUMC restricted data such as PHI. Action: Should you have questions about storing PHI or other restricted data on portable storage devices ask your supervisor and/or contact the OSUMC IT Helpdesk: 293-3861. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Portable Devices: Portable devices such as laptops, flash drives, smart phones and cameras are powerful and convenient business tools. However, they are also highly susceptible to loss and theft. Unless the portable device is properly encrypted, you must not store sensitive information such as patient data, Social Security numbers, credit card numbers and financial information. All laptops carrying OSUMC owned data MUST be encrypted. Physically secure all portable devices when left unattended. Examples include a locked office, file cabinet or trunk or a cable and lock that is secured to a stationary piece of furniture. TIP: -Do NOT leave your Laptop or PDA unattended. -Purchase a locking security cable to attach to your laptop around an immovable object to prevent theft. -Use strong passwords to prevent unauthorized users from accessing your laptop or Smart Phone. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Nurse Neal received the latest smart phone as a birthday present. He would like to use the device to access his OSUMC e-mail and OSUMC clinical applications. What should Nurse Neal do? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Per OSU and OSUMC policy all PHI must be encrypted when stored on portable devices such as laptop computers, smart phones and flash drives. In this scenario, Nurse Neal should contact OSUMC IT to have his device properly encrypted and secured before accessing OSUMC electronic resources. Portable equipment is easily lost or stolen and must be encrypted in order to protect OSUMC restricted data such as PHI. Action: Should you have questions about storing PHI or other restricted data on portable storage devices ask your supervisor and/or contact the OSUMC IT Helpdesk: 293-3861. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Data Storage: If you store Protected Health Information (PHI) on a Personal Digital Assistant (PDA), laptop, computer, CD ROM, camera, phone or other storage media, you are the “Data Custodian” for the data and are responsible for its security and proper disposal. Basic protections include that Data Custodians must: Locate the file on a secure department share (network drive) that is protected from those who do not require access to the data; Encrypt (password protecting) the data files (MS Office documents); Password protect databases (MS Access); and Completely destroy the data when it is no longer needed. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Data Storage (cont.): Storing an unencrypted sensitive file on your C drive is NOT an acceptable security practice. Be aware that the “My Documents” folder usually resides on the C: drive. Save unencrypted sensitive files only to your individual work folder on the network (P: drive) or to a secure network shared folder For assistance with properly storing and disposing of sensitive information stored on electronic devices, please contact your LAN manager or the OSUMC Help Desk at 3-3861 or OSUP Help Desk at 784-7812. Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Bill and Carla are using the same spreadsheet to analyze patient outcomes. The spreadsheet is currently stored on a Secure department shared drive. Carla decides it is too hard to work on the same spreadsheet and creates a copy on her desktop. What is wrong with this scenario? Annual Privacy & Security 2011

Awareness: Patient Rights & Your Responsibilities Carla is placing the data on her C drive—an unsafe place for patient information. Carla must save the data to a folder on the network (P: drive) or to a secure network shared folder. If Carla needs assistance with properly storing and disposing of sensitive information, then she should contact her LAN manager or the or the OSUMC Help Desk at 3-3861 or the OSUP Help Desk at 784-7812. Annual Privacy & Security 2011

A’s, B’s, and C’s of Privacy & Security in 2010 Awareness of patient rights and your responsibilities Breach of Protected Health Information Common Questions Annual Privacy & Security 2011

Breach: Protected Health Information New HIPAA Breach Notification Rules Changes in HIPAA: In 2009 the American Recovery and Reinvestment Act of 2009 (ARRA) brought changes to HIPAA; The Breach Notification Provisions is one change; Breach Notification Provisions: Where there is a Breach of patient information, OSUMC must notify the patient; With each possible breach, OSUMC must complete a risk assessment to determine if the potential breach qualifies as an actual Breach under the rule; The risk assessment determines whether there is a “significant risk of financial, reputational, or other ham to the individual whose PHI was breached.” Annual Privacy & Security 2011

Breach: Protected Health Information Dr. Holland was watching news reports about a prominent local news anchor who was involved in a severe car crash. Dr. Holland noticed that the news anchor was admitted to the hospital where he works. Dr. Holland logged on to the hospital’s medical record to see if the news reports were true. Dr. Holland was not involved in the news anchor’s care. Sarah a registration clerk and Carmen a clinic nurse also viewed the patient’s medical record out of curiosity of the patient’s condition. What is wrong with this scenario? Annual Privacy & Security 2011

Breach: Protected Health Information Dr. Holland, Sarah, and Carmen did not need this information to do their jobs. Their curiosity is considered a Breach under the new regulations. OSUMC must record this as a Breach and report it to the Federal Government annually. OSUMC must also write a letter to the patient to tell the patient: Her information has been breached; The date and time that it was breached; What OSUMC has done to prevent future incidences; and Contact information about where she can get further information. Annual Privacy & Security 2011

Breach: Protected Health Information Jennifer Smith receives an email from Dr. Donna. Jennifer often receives misdirected emails because there are at least four other Jennifer Smiths that work at OSUMC. Jennifer notices that she is not the intended recipient of Dr. Donna’s email. Jennifer Smith works in a lab at the College of Medicine. Jennifer does not use patient information to do her job. What should Jennifer Smith do? Annual Privacy & Security 2011

Breach: Protected Health Information Jennifer Smith should: immediately delete the email; notify Dr. Donna of the misdirected email; and report the event to the Privacy Officer. Is this a Breach under the New HIPAA rules? Likely, yes. Annual Privacy & Security 2011

Breach: Protected Health Information Terry lost his flash drive a few days ago. Terry kept patient information on the flash drive including patient names, admission dates, copies of patient prescriptions, and clinic patient lists. Terry did not notify anyone that his flash drive was lost because he thought it would turn up some day. Over two weeks has past and Terry has not located his lost flash drive. What is wrong with this scenario? Annual Privacy & Security 2011

Breach: Protected Health Information Terry should not store PHI unless it has been encrypted. Terry should have notified the Privacy Officer of the lost device ASAP after she noticed it was lost OSUP: 784-7806 OSUHS & COM: 293-4477 The clock is ticking - Once the employee discovers the potential breach, OSUMC has no more than 60 days to notify the patients of the Breach. Annual Privacy & Security 2011

Breach: Protected Health Information Joe is a faculty member at the College of Medicine and works primarily in a research lab. He meets his friend for lunch at the hospital cafeteria. When Joe sits down, he finds papers on the cafeteria table. On the papers he sees a list of patients names with notes about each patient. What should Joe do? Annual Privacy & Security 2011

Breach: Protected Health Information Joe should notify the Privacy Office of what he has found: OSUP: 784-7806 OSUHS & COM: 293-4477 The Privacy Office will ask Joe to return the information ASAP. Is this a breach of patient information? Likely, yes. The Privacy Office must complete a risk assessment and determine whether this is a breach of patient information and whether OSUMC must notify the patient. Annual Privacy & Security 2011

Breach: Protected Health Information In Summary: Under new HIPAA laws we must notify patients and the federal government when we have a breach of patient information; Inappropriate access to patient information qualifies as a Breach under the new laws; and You must do all you can to keep patient information secure. Annual Privacy & Security 2011

A’s, B’s, and C’s of Privacy & Security in 2010 Awareness of patient rights and your responsibilities Breach of Protected Health Information Common Questions Annual Privacy & Security 2011

Common Questions Does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care? If the patient is present and has the capacity to make health care decisions, then a health care provider may discuss the patient’s health information with a family member, friend or other person if: The patient agrees; or When given the opportunity does not object. A health care provider may share information with these persons if, using professional judgment, the provider decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care. Annual Privacy & Security 2011

Common Questions Friends and Family: If there is a frequent visitor in the room when the physician (or other staff) comes in, the health care provider should ask the patient (or the patient’s legal representative) if a private conversation is preferable. Use professional judgment, but make it comfortable for the patient to say: “I’d like to keep this discussion private.” Annual Privacy & Security 2011

Common Questions May a health care provider discuss a patient's health information over the phone with a family member, friend or others involved in the patient's care or payment for the patient’s care? Yes. Where a health care provider is allowed to share a patient’s health information in-person, information may be shared over the phone as well. However, proceed with caution: If the patient has asked you not to share information with a family member, then you must not share the information; If you are uncertain whether the patient would want you to, then do not share the information; If you are uncertain of the identity of the caller, then do not share the information. If you work in the hospital, know your unit’s policy. Many units use code numbers or words that signal to staff that the caller has been identified as someone with whom you may share information. Annual Privacy & Security 2011

Common Questions How should OSUMC employees protect paper documents that contain sensitive information about our staff, patients, and vendors? Documents that contain sensitive information such as patient information should be maintained behind a locked door to which other staff do not have access after hours. If other staff have access to your desk after hours, then sensitive information must be placed in a locked drawer. Annual Privacy & Security 2011

Common Questions What if patients or family members overhear us talking about other patients in a shared or open patient care setting? In shared or open patient care settings, take steps to make sure that the patient’s privacy rights are respected: Monitor the volume of your conversation and pull curtains whenever possible; When sharing sensitive results or discussing sensitive information with patients, offer a private setting whenever possible; Don’t talk about patients in elevators, the cafeteria, or other public places. Annual Privacy & Security 2011

More Information For more information about privacy and security at OSUMC, please access: OSUMC Information Security: https://onesource.osumc.edu/departments/it/informationsecu rity/ OSUMC Privacy: https://onesource.osumc.edu/departments/Privacy OSUP Privacy: http://osup.osumc.edu/osup hipaa.htm Campus Data Security and Policy on Institutional Data: http://buckeyesecure.osu.edu/ Additional CBLs related to HIPAA and Red Flag Rules are available via Educational Development and Resources Annual Privacy & Security 2011

Identifiers The following identifiers of the individual or of relatives, employers, or household members of the individual, must be removed: 1. Names; 2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; 4. Telephone numbers; 5. Fax numbers; 6. Electronic mail addresses; Annual Privacy & Security 2011

Identifiers (Continued) 7. Social security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; and 18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and The covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. Return to Course Annual Privacy & Security 2011