Advanced HIPAA Communications and University Relations

Similar documents
HIPAA PRIVACY TRAINING

Privacy and Security Orientation for Visiting Observers. DUHS Compliance Office

Privacy and Security For Teammates

MCCP Online Orientation

What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996

Compliance Program, Code of Conduct, and HIPAA

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

Information Privacy and Security

Updated FY15 Dignity Health General Compliance Education for Staff Module 2

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

HIPAA Privacy Training for Non-Clinical Workforce

HIPAA Training

HIPAA and HITECH: Privacy and Security of Protected Health Information

HIPAA Education Program

Safeguarding PHI Nutrition Services. UAMS HIPAA Office May 2015

CLINICIAN S GUIDE TO HIPAA PRIVACY

HIPAA Privacy & Security Training

The Privacy & Security of Protected Health Information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

2018 Employee HIPAA Orientation (EHO) Handbook

Understanding the Privacy and Security Regulations

A general review of HIPAA standards and privacy practices 2016

SUMMARY OF NOTICE OF PRIVACY PRACTICES

FCSRMC 2017 HIPAA PRESENTATION

HIPAA Privacy & Security Training

Privacy and Security Compliance: The. Date Presenter Name of Member Organization

HIPAA Policies and Procedures Manual

HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices

Patient Privacy Requirements Beyond HIPAA

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research

Navigating HIPAA Regulations. Michelle C. Stickler, DEd Director, Research Subjects Protections

HIPAA Health Insurance Portability and Accountability Act of 1996

INSTITUTIONAL REVIEW BOARD Investigator Guidance Series HIPAA PRIVACY RULE & AUTHORIZATION THE UNIVERSITY OF UTAH. Definitions.

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA?

Presented by the UAMS HIPAA Office August 2013 Anita B. Westbrook

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

Student Orientation: HIPAA Health Insurance Portability & Accountability Act

HIPAA Privacy Regulations Governing Research

IRB 101. Rachel Langhofer Joan Rankin Shapiro Research Administration UA College of Medicine - Phoenix

CHI Mercy Health. Definitions

Privacy and Security Training for Connecting Ontario. PACE Cardiology April, 2017

THE JOURNEY FROM PHI TO RHI: USING CLINICAL DATA IN RESEARCH

Notice of HIPAA Privacy Practices Updates

HIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

WRAPPING YOUR HEAD AROUND HIPAA PRIVACY REQUIREMENTS

HIPAA Notice of Privacy Practices

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

Pennsylvania Hospital & Surgery Center ADMINISTRATIVE POLICY MANUAL

What is your start date? (Date in which you plan to begin seeing patients in the hospital). Specialty SECTION I. IDENTIFICATION DATA

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10

Preparing for the upcoming 2016 HIPAA audits: Lessons and examples from past breaches and fines

Faculty Profile. PART I Privacy Training for Health Professionals. Disclaimer. Always Be Prepared 7/11/2013. Why should you care about Privacy?

NOTICE OF PRIVACY PRACTICES

If you have any questions about this notice, please contact our privacy officer Dr. Jev Sikes at

New HIPAA Privacy Regulations Governing Research. Karen Blackwell, MS Director, HIPAA Compliance

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

PARAGOULD DOCTORS CLINIC PRIVACY NOTICE

HIPAA THE PRIVACY RULE

STAFFING AGENCY ADMINISTRATIVE POLICIES AND PROCEDURES

East Carolina University 2010 Annual HIPAA Privacy Training

HIPAA & PRIVACY TRAINING FOR HEALTH PROFESSIONALS: Part 1 Denise M. Hill, JD, MPA

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

Parental Consent For Minors to Receive Services

Your Role in Protecting Patient Privacy 2018

HIPAA Privacy Rule. Best PHI Privacy Practices

NOTICE OF PRIVACY PRACTICE UNIVERSITY OF CALIFORNIA SAN FRANCISCO DENTAL CENTER

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

NOTICE OF PRIVACY PRACTICES

WHAT IS AN IRB? WHAT IS AN IRB? 3/25/2015. Presentation Outline

The Queen s Medical Center HIPAA Training Packet for Researchers

Healthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation

HIPAA Compliancy Group, LLC. 2017

Health Information Privacy Policies and Procedures

JOINT NOTICE OF PRIVACY PRACTICES

AGENDA. 10:45 a.m. CT Attendees Sign On 11:00 a.m. CT Webinar 11:50 a.m. CT Questions and Answers

INLAND EMPIRE HEALTH PLAN CODE OF BUSINESS CONDUCT AND ETHICS. Our shared commitment to honesty, integrity, transparency and accountability

PRIVACY POLICIES AND PROCEDURES

The HIPAA privacy rule and long-term care : a quick guide for researchers

Mental Health. Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES Full Length Version Effective Date: 4/19/2016

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

CAPITAL SURGEONS GROUP, PLLC

System Office New Hire Orientation

Stanford University Privacy Guidelines Fundraising

Compliance Program Updated August 2017

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

JOINT NOTICE OF PRIVACY PRACTICES

CENTRAL TEXAS MEDICAL CENTER

Notice of Privacy Practices

Notice of Privacy Practices

Compliance & Privacy Post Test

Slide 1 WHO IS THE CLIENT? WHO CONTROLS THE RECORD? ETHICS AND HIPAA. Slide 2. Slide 3. The Four As of Ethical Practice

YALE UNIVERSITY THE RESEARCHERS GUIDE TO HIPAA. Health Insurance Portability and Accountability Act of 1996

NOTICE OF PRIVACY PRACTICES UNIVERSITY OF CALIFORNIA RIVERSIDE CAMPUS HEALTH CENTER

Opp Health and Rehabilitation, LLC 115 Paulk Avenue P.O. Box 730 Opp, AL Phone Number: (334)

Transcription:

Advanced HIPAA Communications and University Relations accepts no liability of any use reliance placed on it, as it is warranty, express, or implied, or completeness of 1 the HIPAA Health Insurance Portability and Accountability Act

Do I have to take this training? By law, this training is mandatory for UCSF faculty, staff and volunteers who are involved in: Communications Marketing Media Relations University Relations 2 Some members of UCSF s workforce may be required to take additional HIPAA training courses.

Training Objectives The purpose of this training is to: Present a general overview of HIPAA and define important terms Provide training on UCSF s specific HIPAA policies Discuss scenarios that illustrate UCSF policies and procedures 3 Following this training, you will be held responsible for compliance with HIPAA.

HIPAA is a federal law, and violating it may be a crime. The, UCSF and UCSF s employees including volunteers, who are considered an extension of the workforce face civil and criminal liability. The University may be exposed to costly lawsuits, and its credibility and reputation will be challenged. You may face penalties of up to $1,500,000 and 10 years in jail as well as disciplinary action, including termination. 4 Now you know why general HIPAA training is required and why specialized training modules such as this one have been developed.

5 Enforcement of HIPAA as it relates to Communications and University Relations is likely to be complaint-driven. There are several ways to submit HIPAA complaints. They may be directed: To UCSF, in which case the Campus will determine what corrective action, if any, is needed To the US Department of Health and Human Services (HHS), in which case UCSF may be investigated for HIPAA compliance To an attorney, which could result in costly lawsuits and damage to UCSF s reputation Understanding the HIPAA regulations will help you avoid activities that are likely to trigger complaints.

HIPAA the Health Insurance Portability and Accountability Act requires UCSF to: 6 Protect the privacy of patient information Secure patient health information (physically and electronically) Adhere to the minimum necessary standard for use and disclosure of patient health information Specify patients rights for access, use and disclosure of their health information The Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA Final Omnibus Rule updated HIPAA: Clarified the definition of marketing uses and disclosures requiring patient authorization Mandated breach notifications Increased fine and penalties for privacy violations Mandated that Business Associates are directly liable for compliance with HIPAA provisions

The HIPAA Privacy Standards present some operational challenges, but they also: Reinforce what has always been central to our work the need to protect patient information Supplement California s already strict patient privacy laws A stricter or more protective rule preempts a less strict or less protective rule. 7 We have a legal, moral and ethical responsibility to protect patient information as if it were our own.

California Medical Information Privacy Laws Apply to individuals as well as institutions Unauthorized access includes the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment or other lawful use Licensed facilities, like UCSF Medical Center, are required to report incidents of unauthorized access, use, or disclosure of PHI to the California Department of Public Health, and to the affected patient within 5 business days after breach detection 8 When you suspect or know of a breach you must report it to the Privacy Office immediately Medical Center employees must also submit an Incident Report

HIPAA and the University of California System 9 UC is a Single Hybrid Health Care Component All 10 UC campuses, UC-managed national labs, etc. UC has multiple Covered Entities (CEs) Health Care Providers Medical Centers, Medical Schools, Student Health Services, etc. Self-Insured Health Plans Entities within UC that provide business/financial services to CEs UC has common policies and procedures for all CEs Reduces cost of policy development and implementation Enhances compliance throughout the UC system Minimizes risk

The Key to Compliance: Understand the definition of PHI Protected Health Information and when it may be used and disclosed. PHI: Information related to a patient s past, present or future physical and/or mental health or condition In any format written, spoken or electronic (including videos, photographs and x-rays) Includes at least one of the 18 personal identifiers (see next slide) PHI includes health information about individuals who have been deceased for less than 50 years 10

What are the PHI Identifiers? The 18 identifiers defined by HIPAA are: 11 Name Postal address All elements of dates except year Telephone number Fax number Email address URL address IP address Social security number Account numbers License numbers Medical record number Health plan beneficiary # Device identifiers and their serial numbers Vehicle identifiers and serial number Biometric identifiers (finger and voice prints) Full face photos and other comparable images Any other unique identifying number, code, or characteristic

HIPAA tells us that PHI Protected Health Information may be used and disclosed for: 12 Treatment Broadest permission Ex: Patient s referring physician calls and asks for a copy of the patient s recent exam at UCSF Payment More restrictive permission Ex: Patient s insurance company calls and requests a copy of the patient s medical record for a specific service date Operations Most restrictive permission Ex: Communications, fundraising, marketing, media relations and public affairs Certain other uses and disclosures of PHI such as those required by law are permitted. But most others will require the patient s specific authorization.

HIPAA also tells us how much PHI can be used and disclosed. 13 The Minimum Necessary Standard applies for all uses and disclosures except for treatment. Access only what you need to know Authorization is required for: Disclosures to the media Uses and disclosures of PHI for marketing HIPAA permits Incidental Use and Disclosure as long as: The disclosure is incidental to other permitted uses and disclosures Reasonable safeguards are in place to protect PHI that may be disclosed incidentally Never use and disclose PHI which you are not allowed to access in the first place.

HIPAA and Marketing What do the HIPAA regulations say? HIPAA has a unique definition of Marketing. A communication is defined as Marketing when: It encourages a recipient of the communication to purchase or use a product or service, except for communications related to: Treatment or healthcare operations where UCSF did not receive payment from a 3 rd party in exchange for making that communication 14 If a communication (even if for treatment or healthcare operations) involves UCSF receiving payment from a 3 rd party in exchange for making the communication: Patient authorization is required The authorization must state that UCSF is receiving payment for the communication

Getting Down to Business Marketing The rules for marketing are clear and simple: UCSF cannot use or disclose PHI for purposes that meet the definition of marketing without an Authorization. Although HIPAA allows the use of demographic information for fundraising purposes, it absolutely prohibits this use for marketing purposes. 15

Health Care Communication What do the regulations say? 16 HIPAA defines many of the things generally considered marketing as Health Care Communication. Health Care Communication is defined as when the communication meets the following criteria: Occurs in a face-to-face encounter between the patient and health care provider; or Involves a promotional gift of nominal value; or Describes health-related products or services that UCSF provides; or Provides information about the recipient s treatment or promotes health in general; AND UCSF does not receive payment from a 3rd party for making the communication If payment is exchanged for the communication, it is marketing and requires Authorization.

University Relations What do the regulations say? 17 UCOP has determined that University Relations is a part of Operations defined in the Regulations as business management and general administrative activities of the Covered Entity. Specific activities include: Providing crisis communications expertise and serving as members of the crisis response team Determining the newsworthiness of stories and other communications that support management and the Covered Entity s operations Collaborating with a patient s health care provider team in order to protect the patient s privacy, such as with celebrity patients

Getting Down to Business University Relations 18 In all circumstances only the minimum necessary information may be used or disclosed. Requests to physicians or other members of the health care provider team should seek the minimum necessary information to achieve the purpose. Restrict information discussed internally with the physician or other members of the media or health care provider team for purposes of determining the newsworthiness of stories to gender, age, ethnicity, dates of service, city of residence, zip code, occupation and general descriptions of disease or diagnosis.

Getting Down to Business University Relations 19 In order to provide any PHI to an outside media organization, you must obtain the patient s Authorization using the approved UCSF Authorization form. You do not need an Authorization to provide de-identified information. However, in order to appropriately de-identify the information, you must remove ALL of the following identifiers: Name, address (including city and zip code), full face photo or similar images, biometric identifiers (including finger prints) Dates of treatment, date of birth Telephone number, fax number, e-mail address, URL, IP address Social Security number, medical record number, health plan ID number, account number, certificate/license number Device and vehicle identifiers and serial numbers Any other unique identifying number, code or characteristic

HIPAA is very specific about how the Authorization is structured. 20 The Authorization itself must contain very specific language, including but not limited to: What kind of PHI may be used and disclosed Who can disclose the PHI To whom the PHI will be disclosed For what purpose the PHI will be disclosed When the Authorization will expire Do not create your own Authorization forms use only the approved UCSF Authorization forms. To access the forms, visit the HIPAA Forms section of http://hims.ucsfmedicalcenter.org/ Note that HIPAA does not recognize verbal authorizations or negative consent authorizations.

HIPAA is very specific about how the Authorization is obtained. 21 For UCSF patients, the Authorization may be obtained: By the Health Care Provider, or By a member of the Health Care Provider team, or By a UCSF staff member ONLY if preceded by a conversation between the Health Care Provider and the patient. The Health Care Provider should inform the patient that a staff member will be discussing an Authorization for the purpose of providing his/her information to the media For non-ucsf patients, the Authorization may be obtained: By a UCSF staff member without prior dialog between the non-ucsf patient and his/her non-ucsf Health Care Provider

Understand when a Business Associate Agreement is required. Vendors or other third parties that use or disclose PHI for or on behalf of the Covered Entity must sign a Business Associate Agreement. Examples of Business Associates include: Consultants working for clinical departments or in any other setting where PHI may be used or disclosed Professional photographers taking photos while on UCSF Medical Center premises 22 Contact your Purchasing or Procurement Office for assistance with Business Associate Agreements.

Security of ephi Consider Recent Headlines Ever evolving technology brings opportunities and efficiency but only when managed properly. Consider these recent headlines: October 2013 An academic medical center notified 3,541 patients that their ephi was compromised after the theft of an unencrypted personal laptop June 2013 A healthcare organization notified 13,000 patients that their ephi was compromised after the theft of an unencrypted laptop 23 September 2012 A healthcare organization agreed to pay the U.S. Department of Health and Human Services $1.5 million to settle HIPAA violations after the theft of an unencrypted personal laptop, containing ephi of ~3500 patients and research subjects How could these incidents have been avoided? By ENCRYPTING the device. 23

Do you use your personal device (e.g., laptop, iphone, ipad, external hard drive) for UCSF business? 24 Hint: This includes checking your UCSF email from your personal device. Even if you don t intentionally save PHI onto your device, your UCSF email files may download to your device without your knowledge. 24

Power of Encryption If you use your device for UCSF business, it MUST BE ENCRYPTED!! Encryption is the only federally recognized method for securing ephi By having your device encrypted, you can rest assured that the information it contains is secure and inaccessible to others if the device is lost or stolen For assistance with encryption, contact the IT Service Desk at (415) 514-4100 For guidance to install encryption on your personal device: https://it.ucsf.edu/how_do/encrypt-my-personal-laptopdesktopinstallation-guidelines 25 You may need to attest annually that all of your devices used for UCSF business are encrypted Best Practice: Do not use your personal device to store UCSF data or access UCSF email unless absolutely necessary. And if necessary, the device must be encrypted. 25

Taking PHI Offsite Involves Risk 26 Theft and loss of PHI is a high risk Your car is burglarized and the thief takes off with the PHI (this happens very often, especially in San Francisco) Leaving PHI in a coffee shop, restaurant or public transportation If your job requires you to work from home or transport PHI between sites, follow best practices: Access PHI remotely via Virtual Private Network (VPN) Securely fax or email the PHI to yourself and securely access it to avoid carrying PHI Ensure all devices used to access ephi or UCSF email are encrypted (including your personal laptop, ipad, iphone, etc.) Never leave PHI unattended in your bag, briefcase or your car (even if it s locked in the trunk!) This applies to all types of PHI paper, films, photos, cameras, CDs, and ephi stored on laptops Treat PHI like it s an infant: You are responsible for securing and keeping it in your possession at ALL TIMES 26

One Last Time H Helping UCSF comply with HIPAA is everyone s job. I If you re bending the rules, you may be breaking the law. P Protect PHI as if it were your own. A Always take the most conservative approach. 27 A Ask for permission with an Authorization not for forgiveness. Imagine that it s your PHI, and do the right thing!

Scenario 1 A reporter calls University Relations asking for the condition of a 43-year old man who was the victim of a car crash. He gives you the patient s name but has no other details. Can you disclose the patient s condition to the reporter? A.No B.Yes 28

Scenario 1 - Answer The correct answer is B. 29 You may disclose the patient s condition in general terms (good, fair, serious, critical or undetermined) only after obtaining permission from the patient or the patient s designated representative. Refer to the following for additional guidance: Medical Center Policy 1.03.07 Press Code UCSF Media Coverage Guidelines: http://www.ucsf.edu/news/news-media-services/mediacoverage-guidelines A.No B.Yes

Scenario 2 A national magazine reporter calls regarding a story on liver transplantations. She would like to interview a patient who has recently undergone a transplant to help illustrate the importance of organ donation. How can the media relations representative find an appropriate patient for the story? A. Identify recent liver transplant patients at UCSF and contact them to see if they would be interested in being interviewed by the reporter. 30 B. Discuss the concept for the story with a physician to determine if there is an individual who would make a good spokesperson for the institution s liver transplant program. If the patient agrees, the patient must sign an Authorization prior to UCSF releasing any PHI to the media.

Scenario 2 Answer The correct answer is B. The discussion of PHI must be limited to the minimum necessary in order to make the decision and only to those persons who need to know for the decision to be made. Once it has been decided that the patient might be a good spokesperson, the physician should make the initial contact. If the patient agrees, the physician or media relations representative must obtain an Authorization for release of any PHI to the news media. A. Identify the recent liver transplant patients at UCSF and contact them to see if they would be interested in being interviewed by the reporter. 31 B. Discuss the concept for the story with a physician to determine if there is an individual who would make a good spokesperson for the institution s liver transplant program. If the patient agrees, the patient must sign an Authorization prior to UCSF releasing any PHI to the media.

Scenario 3 A member of the UCSF staff overhears the name of a well known television personality when it is called out in a patient waiting room. She shares the information with her family at dinner that evening. Is this a violation of HIPAA? A.No B.Yes 32

Scenario 3 Answer The correct answer is B. Although HIPAA tolerates Incidental Use and Disclosure, such as when a name is overheard in a patient waiting room, it does not permit a staff member to discuss that information in any context or setting not directly related to his/her work. 33 A.No B.Yes

Scenario 4 UCSF recently purchased new state-of-the-art medical equipment. The equipment manufacturer wants UCSF to make a communication to its patients regarding this recent acquisition, and is willing to pay UCSF in exchange for making that communication. Under what circumstances is UCSF permitted to make the communication? A. UCSF is free to make the communication to any of its patients, as it is related to a service provided by UCSF. 34 B. Because UCSF is receiving payment for the communication, UCSF must obtain Authorization from each patient before making the communication. The Authorization must state that UCSF received compensation from the equipment manufacturer in exchange for the communication.

Scenario 4 Answer The correct answer is B. If UCSF receives payment from a 3 rd party in exchange for making a communication that encourages the purchase or use of a product or service, then patient authorization is required and the authorization must state that UCSF is receiving payment for the communication. A. UCSF is free to make the communication to any of its patients, as it is related to a service provided by UCSF. 35 B. Because UCSF is receiving payment for the communication, UCSF must obtain an Authorization from each patient before making the communication. The Authorization must state that UCSF received compensation from the equipment manufacturer in exchange for the communication.

Scenario 5 You are upset after a frustrating conversation with a patient and their family. You want to share this experience and your thoughts and feelings with your family and friends on Facebook. What must you consider before doing this? A. Posting this on Facebook is OK, as long as you do not identify the patient by name, or identify the hospital, and you are limiting the recipients to your friends and family 36 B. You cannot post anything on Facebook that could possibly lead to identification of the patient

Scenario 5 Answer The correct answer is B. Do not share on social media any patient information acquired through your work at UCSF Facebook is considered public domain, and anything you post there is considered public information Posting PHI without prior authorization is a violation of the patient s privacy and confidentiality Your Facebook profile may identify your place of work and occupation. When linked with your posting, the additional details may identify the patient. Refer to UCSF s Social Media Best Practices: http://www.ucsf.edu/about/social-media-overview/social-mediabest-practices 37 A. Posting this on Facebook is OK, as long as you do not identify the patient by name, or identify the hospital, and you are limiting the recipients to your friends and family B. You cannot post anything on Facebook that could possibly lead to identification of the patient

HIPAA Help If you re confused about HIPAA, ask for help! Start with your supervisor or manager You may also contact: UCSF Privacy Office 415/353-2750 http://hipaa.ucsf.edu/ 38

Completing this Course When you close this window, you will be asked if you have completed this course. By clicking yes, you indicate that you have reviewed these materials and agree to comply with the provisions of Advanced HIPAA Communications and University Relations. 39

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback