HIPAA PRIVACY OFFICE HIPAA & Other Confidentiality Laws 2020 Reviewed

HIPAA PRIVACY OFFICE HIPAA & Other Confidentiality Laws 2020 Reviewed Apr 2021

HIPAA PRIVACY OFFICE HIPAA Provides the Minimum Requirements for Patient Privacy and Confidentiality Protection A state or other federal law prevails when it provides the patient greater protection Such laws include: NYS PHL Article 27-F Confidentiality of HIV – related information (labs, rx’s) NYS MHL Confidentiality of mental health information applicable to OMH certified providers & locations (CPEP, 10N, 12N) GINA (Fed & NYS) Genetic Information Non-Discrimination Act 42 CFR Part 2 (known as Part 2) Confidentiality of Substance Use Disorder Patient Records (ELIH Inpatient & Outpatient Treatment Units) Other Confidentiality Laws

HIPAA PRIVACY OFFICE Protected Health Information (PHI) Any form of information that can identify an individual who has, is or will be obtaining health care services What makes up PHI ? Name, Address, SSN, Phone Number, Medical Record Number, Diagnosis, Test Results, Photographs, Doctors notes, Health Plan Information, etc. What is being Protected?

HIPAA PRIVACY OFFICE Privacy Rule Pertains to all manners of communicating PHI including: Spoken Written Electronic HIPAA Privacy Rule

HIPAA PRIVACY OFFICE Provide Care Obtain payment Health Care Operations When are we permitted to share PHI?

HIPAA PRIVACY OFFICE Maintain our patient’s trust ( patient safety & satisfaction) Safeguard our patient’s PHI Educate our patients as to their rights. What are our Privacy Goals ?

HIPAA PRIVACY OFFICE request restricted use and disclosure of PHI request to receive communications via alternate mechanism inspect and copy their health information request to amend their medical record request an accounting of disclosures file a complaint PATIENT’S RIGHTS

HIPAA PRIVACY OFFICE Breach Notification report misdirected faxes, mail, email, lost portable devices, etc. Electronic Copies patient health information from the EHR Individually Directed Privacy Restrictions for insurance billing Vendors/Business Associates subject to same penalties Increased Enforcement and New Penalties - Individuals & Organizations are subject to the criminal provisions; State AG’s can bring civil suit in Federal Courts on behalf of state residents; harmed individuals can receive a % of CMP’s or settlement HITECH CHANGES TO HIPAA

HIPAA PRIVACY OFFICE Stony Brook Organized Health Care Arrangement (SBOHCA) NOTICE OF PRIVACY PRACTICES Notice of Privacy Practices

HIPAA PRIVACY OFFICE Information Security is the process of protecting data from accidental or intentional misuse by persons inside or outside of the organization. The HIPAA Security Rule sets the standards for ensuring that only those who should have access to e- PHI will actually have access and that the integrity of patient information in electronic systems is maintained. e-PHI Electronic Protected Health Information HIPAA Security Rule

HIPAA PRIVACY OFFICE Administrative Safeguard (policies, training, audits, etc) Physical Safeguards (locks, privacy screens, etc) Technical Controls (firewalls, encryption, virus protection, etc) Note: The Federal HIPAA Security Regulation requirements are in alignment with the NYS Cyber & Information Security Law , TJC standards & the NYS DOH Regs. HIPAA Information Security Requirements

HIPAA PRIVACY OFFICE Privacy Best Practices: Use, Access and Disclose the minimum necessary to perform your assigned duties & responsibilities (provide treatment; obtain payment; perform a healthcare related activity (QA/QI, audit, teaching, research, etc.) Definition of T,P,O can be found in the Admin P&P LD: 0075 Do Not Snoop even if someone asks you to (neighbors, friends, relatives, family members, colleagues) Dispose of PHI properly HIPAA Bins or Cross Cut Shredders Store PHI Securely Lock-up all paper documents containing PHI Use only SBM approved electronic storage solutions Secure share drives (u: or w: drives), SBM OneDrive for Business, SBM Box for Research Ensure PHI that is sent electronically is sent to the proper recipient When in doubt ask the HIPAA Privacy Office phone 631-444-5796 or e-mail [email protected] What is expected of me to protect patient privacy?

HIPAA PRIVACY OFFICE Security Best Practices: Remember your username and password are your signature: Do Not Share usernames/passwords Strong password Use a combination of Alpha/Numeric and special characters Log-Off before walking away from a workstation Do Not place/post patient information on MOBILE DEVICES or SOCIAL NETWORK sites (Laptops, USB Drives, cellphones, Facebook, Twitter, Instagram) Do Not text patients without ensuring you are in compliance with the federal regulation Do Not take pictures of patients with non-approved devices & w/o patient consent Do Not install/download applications/software, etc. on a SBUH computer without IT approval Remember when sending patient information via e-mail: Use only SBM Outlook and send only to another SBM Outlook email address Send only the minimum necessary amount of information Ensure you have the correct recipient When in doubt contact [email protected] What is expected of me when using electronic information?

HIPAA PRIVACY OFFICE 2 Seconds One, one thousand; two, one thousand - 2 seconds is all it takes: To check EACH tab/sheet/page of an excel file to ensure identifiable patient information is not on any of the sheets/pages. To check the LED window on a fax to verify that you have dialed the number correctly and that you have flipped through all the pages to ensure all the documents are for the same/correct patient before hitting send/start fax. To check the recipients on the “To/cc/bcc” lines of an email to verify you have entered all the correct recipients and that you are only sending health information to another stonybrookmedicine.edu user and not any other email account. To double check you have made all the correct selections prior to XR Clinical Reporting for printing and faxing through our EMR. To flip through all pages to ensure all the documents are for the same/correct patient prior to handing the documents to a patient. To flip through all the pages to verify all the documents are for the same/correct patient and the envelope is addressed correctly prior to stuffing and mailing the documents. To ensure you have limited the amount of health information being shared/sent/disclosed to only that which is requested – no more, no less. To clarify the correct primary care physician (PCP) has been selected for continuity of patient care communications. Please stop & take 2 seconds to prevent a breach of patient confidentiality. 2 Second Rule

HIPAA PRIVACY OFFICE Be on the look out for and report to the HELP-Desk any unusual emails as they could be phishing, spoofing or Ransomware attempts. DO NOT open/click on any links or attachments in these emails. (email Helpdesk or call 4-4357)

HIPAA PRIVACY OFFICE Patient Privacy Monitoring We are introducing a new proactive privacy monitoring solution called FairWarning to help us ensure compliance with healthcare regulations and internal policies. By proactively protecting our patients’ privacy, we are: Building a reputation for privacy, helping us attract and retain patients Giving our patients confidence in their choice of care provider Assuring patients that they can share sensitive information without fear Positioning our organization for long-term success By working together to build a culture of privacy, we can reduce the following types of activities: Co-worker snooping Household/Family snooping VIP snooping Neighbor snooping Identity theft Medical identity theft FairWarning - Patient Privacy Monitoring

HIPAA PRIVACY OFFICE Civil monetary penalty: Civil penalty for inadvertent violation such as a misdialed fax number: Fines 100- 1000/per incident Criminal Penalties : Criminal penalties large fines jail time, and increase with the degree of the offense. Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as 250,000 to 1.5 million and/or 10 years in jail. How is HIPAA Enforced?

HIPAA PRIVACY OFFICE CALIFORNIA SURGEON SENTENCED TO JAIL FOLLOWING HIPAA VIOLATION - Former UCLA cardiothoracic surgeon caught snooping in celebrities medical records and the medical record of his colleagues. Sentenced reduced to 4 months in jail and 2000 fine. LONG ISLAND HEALTH CARE PROVIDER SENTENCED TO 12 YEARS IN PRISON FOR 10 MILLION MEDICARE FRAUD AND HIPAA IDENTITY THEFT – Operated a medical equipment company in Hicksville and user her position to enter nursing homes in order to access/steal patient records. Also falsely resumed roles as doctor, NP, etc. and accompanied doctors on patient evaluation rounds. Spent stolen Medicare funds on LI multi-million dollar home, half-million dollar pension account and luxury items. Was ordered to forfeit 1.3 million seized by government at indictment. Anthem to pay OCR 16M in Record HIPAA Settlement following the largest U.S Health Data Breach in History Allergy Practice pays 125,000 to settle doctor’s disclosure of patient information to a reporter – A patient of Allergy Associates of Hartford contacted a local TV station to speak about a dispute that occurred between the patient and the practice. The reported subsequently contacted the doctor for a comment and the doctor impermissibly disclosed the patient’s PHI to the reporter. OCR found that the physician’s discussion with the reporter demonstrated reckless disregard for the patient’s privacy and that the disclosure occurred after the doctor was instructed by the Practice Privacy Officer to either not respond to the media or respond with “no comment.” Settlements for impermissible disclosures of PHI include: Memorial Hermann Health System – 2.4 million settlement for disclosing a patient’s PHI in a press release. New York Presbyterian Hospital – 2,200,000 penalty for filming patients without consent. Massachusetts General Hospital– 515,000 penalty for filming patients without consent. Luke’s-Roosevelt Hospital Center – 387,000 settlement for careless handling of PHI/Disclosure of a patient’s HIV status to their employer. Brigham and Women’s Hospital– 384,000 penalty for filming patients without consent. Boston Medical Center – 100,000 penalty for filming patients without consent. Phoenix Cardiac Surgery - 100,000 penalty for practice posting patient appointments on publicly accessible web-based calendar But are they really taking this seriously?

HIPAA PRIVACY OFFICE

HIPAA PRIVACY OFFICE REVISED 1/11/2016 HIPAA Privacy Questions Call 631-444-5796 or Email: [email protected] Thank you !

HIPAA PRIVACY OFFICE Chief Information Security Officer Matthew P. Nappi [email protected] Call the SBMIT Helpdesk 631-444-4357 BEST WISHES ON YOUR STONYBROOK CAREER