Compliance and Privacy/Security Training Academic Year

Compliance and Privacy/Security Training Academic Year 2017-18

Dear Student,

Welcome to UConn Health. This training packet includes a general overview of compliance principles, UConn Health's Compliance Program and Privacy and Security. Please review the training and complete and sign the training attestation. Return the signed attestation to your instructor, host, and preceptor or the individual that is responsible for your student experience here at UConn Health. The Compliance/Privacy and IT Security Offices are available to answer any questions or to address any compliance- or privacy/security-related concerns during your work at UConn Health. Specific resource and contact information may be found in the training packet. Thank you in advance for your cooperation.

Virginia Pack, Associate Compliance Officer

Certification of HIPAA Privacy/Security/HITECH Training Packet Completion 2017-2018

I have read and understand the UConn Health HIPAA Privacy/Security/HITECH training materials. Further, I understand that the location of additional information about UCHC's policies and procedures related to patient privacy has been detailed in the training documents.

Printed Name    Signature    Date

UConn Health Compliance Program/Privacy Office UConn Health IT Security Office

UConn Health is dedicated to helping people achieve and maintain healthy lives and restoring wellness/health to maximum attainable levels. In this quest, we will continuously enable students, professionals and agencies in promoting the health of Connecticut's citizens. We will consistently pursue excellence and innovation in the education of health professionals; the discovery, dissemination and utilization of new knowledge; the provision of patient care; and the promotion of wellness.

Introduction to Compliance and the Office of Audit, Compliance and Ethics

What is compliance?

The rules associated with an academic health center include:
- Federal, state and local laws and regulations.
- University, UConn Health and department-specific policies and procedures.
- Quality and accreditation standards in areas such as medical and dental education, hospital and research.

As healthcare and healthcare law become increasingly complex, practitioners and institutions must understand applicable laws to avoid the consequences associated with noncompliance, such as:
- Negative publicity
- Fines
- Loss of funding
- Exclusion from participation in federal health care programs.

Compliance is about doing things right according to laws, regulations, standards, policies, etc. Ethics is about doing the right thing by our patients, research participants, fellow students, colleagues and others regardless of what the law says. Both are key to institutional integrity. The UConn Health Compliance Program, part of the University's Office of Audit, Compliance and Ethics, promotes and facilitates individual and institutional compliance, ethics and integrity in carrying out UConn Health's mission.

- Interpret complex laws and regulations.
- Answer compliance/ethics questions and provide consultation. No question is too small or too big!
- Monitor institutional processes and recommend improvements.
- Assist in resolving compliance concerns.
- Investigate reports of non-compliance or unethical practice.
- Provide individual, departmental or institutional education.

How do we work with you as a team?

Your Role:
- Follow applicable laws and regulations.
- Ask questions.
- Use available resources.
- Report compliance/ethics concerns or suspected violations of law or policies.

Compliance Office Role:
- Provide information and education.
- Answer your compliance and ethics questions.
- Provide resources and guidance.
- Investigate and resolve reported concerns.

To report a compliance or ethics concern, contact:
The Office of Audit, Compliance and Ethics
Phone: 860.679.4180
Email: compliance.officer@uchc.edu
or REPORTLINE (available 24 hours a day, seven days a week, and completely anonymous): 1.888.685.2637

Employees and students not only have a right but an obligation to report known or suspected non-compliance or unethical practice. Retaliation against any individual who, in good faith, reports or who participates in the investigation of alleged violations is strictly forbidden.

All members of the UConn Health community are obligated to ensure the privacy and security of confidential information with which they may come in contact. As students, you may encounter situations in which you have access to patients' health information and potentially to other types of confidential information. This training section will assist you to be aware of important privacy and security principles as well as UConn Health policies and procedures. Refer to the policy links throughout the training for more detailed information.

UConn Health has a responsibility to protect all types of confidential information related to:
- Patients
- Research participants
- Students
- Employees
- Social Security numbers, credit card numbers, and other financial data
- Systems IDs and passwords
- Institutional data and processes

Unless you need to know specific confidential information to carry out your UConn Health responsibilities, do not access it, look at it, use it or share it. Please review the Confidentiality policy.

HIPAA stands for: Health Insurance Portability and Accountability Act

The Privacy Rule:
- established national standards for the protection of all forms of health information created by covered entities, including health care providers.
- set limits on the uses and disclosures of such information.
- gave patients rights over their health records.

The Security Rule:
- established national standards for the security of electronic health information (ePHI) to protect individual ePHI created, received, used or maintained by covered entities.
- outlined administrative, technical and physical procedures to ensure the confidentiality, integrity and availability of ePHI.

HITECH stands for: Health Information Technology for Economic and Clinical Health Act

HITECH resulted in significant changes to HIPAA Privacy and Security:
- Widened the scope of privacy and security protections under HIPAA.
- Includes health care information technology incentives.

Electronic data transmission is a double-edged sword. Advances in technology lead to increased vulnerability of personal information.

PHI is any type of health information maintained or transmitted in any medium (verbal, paper, photographed, electronic, etc.) that can be linked to a specific individual by a unique identifier. Electronic PHI (ePHI) is patient information stored on computers, storage devices, or in any UConn Health electronic system.

Identifiers, from more obvious to less obvious:
- Name
- Addresses, including email/internet
- Zip code
- Phone and fax numbers
- Social Security number
- Medical record number
- License numbers
- Account numbers, e.g. bank, retirement and credit card
- Fingerprints
- Full or partial photo that could identify an individual
- Vehicle identifiers, e.g. license plates/serial numbers
- Dates, including birth, death, admission and discharge
- URL and IP address
- Device identifiers and serial numbers
- Codes that are related to the individual or can be translated into identifiable information
- Any other unique number or characteristic

Information is considered de-identified when all identifiers are removed such that the information cannot be linked to any individual or be re-identified. De-identified information is not considered PHI and, therefore, is not protected under the HIPAA Privacy Rule. Refer to policy: Creation, Use and Disclosure of De-identified PHI
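The following is an added illustration, not code from UConn Health or from this training packet, of what "removing all identifiers" looks like in practice for a record that holds both structured fields and a free-text note. The field names, the regular expressions and the sample record are assumptions constructed for the example; the patterns are heuristics that catch the common shapes of the identifiers listed above (SSN, phone, email, IP, URL, dates, MRN, ZIP) and do not by themselves prove that a data set is de-identified.

```python
from __future__ import annotations

import re

# Structured fields treated as identifiers. Field names are assumed for this
# constructed record; a real system's schema will differ.
IDENTIFIER_FIELDS = {
    "name", "address", "email", "zip", "phone", "fax", "ssn", "mrn",
    "license_number", "account_number", "plate", "device_serial",
    "dob", "admit_date", "discharge_date", "ip_address", "url", "photo_ref",
}

# Identifier shapes that tend to hide inside free-text notes. Order matters:
# SSN and phone run before the ZIP pattern so their digits are consumed first.
TEXT_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL",   re.compile(r"https?://\S+", re.IGNORECASE)),
    ("DATE",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN",   re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE)),
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-looking substrings with [TYPE] tokens.

    Returns the scrubbed text and the identifier types that were found."""
    found: list[str] = []
    for label, pattern in TEXT_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            found.append(label)
    return text, found


def deidentify_record(record: dict) -> dict:
    """Drop structured identifier fields and scrub free-text string fields."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            value, _ = scrub_text(value)
        out[key] = value
    return out


def contains_identifier(record: dict) -> bool:
    """True if an identifier field remains or a text field still matches a pattern."""
    if IDENTIFIER_FIELDS & set(record):
        return True
    for value in record.values():
        if isinstance(value, str):
            for _, pattern in TEXT_PATTERNS:
                if pattern.search(value):
                    return True
    return False


# Constructed sample record (fictional data).
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "mrn": "00012345",
    "dob": "1980-02-14",
    "zip": "06030",
    "age_band": "35-44",
    "diagnosis": "Type 2 diabetes",
    "note": ("Pt called from 860-555-0123 on 03/04/2017; reach at "
             "jane.sample@example.com, SSN 123-45-6789 on file, MRN 00012345."),
}

if __name__ == "__main__":
    cleaned = deidentify_record(SAMPLE_RECORD)
    print(cleaned)
    print("identifiers remain:", contains_identifier(cleaned))
```

The free-text note is where de-identification usually fails: the structured fields are easy to drop, but the same SSN and MRN reappear in narrative text, which is why the record is checked again after scrubbing rather than trusted on the strength of the dropped columns.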

Privacy should be seen as important as other aspects of patient care. Consider privacy implications with regard to physical layouts and department processes and address those that place patient privacy at risk. Respect for patient privacy goes hand in hand with respect for that individual's dignity and significantly contributes to overall patient satisfaction. Patient feedback underscores how important privacy is to the overall patient experience. Assure patients and demonstrate in your care that their privacy is important. Respond right away to any patients' privacy questions and concerns. In other words, stop and think: Am I doing everything that I can to respect and protect this individual's privacy?

Patients or their personal representatives may request to view/obtain copies of that patient's PHI. UConn Health must act on a request for PHI as soon as possible but no later than 30 calendar days after receiving the request. If acting on the original request within 30 days is impossible, UConn Health must provide to the requestor, within the initial 30-day timeframe, a written explanation and the date by which the request will be fulfilled. These requirements extend to patient requests to send information to a third party as well as to PHI maintained by UConn Health business associates.

With respect to their PHI, patients under our care are entitled to:
- information about their rights under HIPAA and how their PHI will be used or disclosed.
- protection of the privacy and security of their health information.
- access to their health information.
- request corrections of information in their records.
- restrict certain disclosures of their information.
- notification if the privacy or security of their information is compromised.

The Notice of Privacy Practices (NOPP) explaining patients' rights under HIPAA is provided to all patients except Correctional Managed Health Care (CMHC) inmate/patients as part of the treatment consent process. The consent to treatment also serves the purpose of the patient's acknowledgment of receipt of the NOPP. As part of consent, a patient may give permission to communicate health information with others and request to restrict disclosure of PHI to health insurers or to be excluded from appointment reminders. If another individual signs the consent on behalf of the patient, that person's identity and his or her relationship to the patient (i.e. parent, guardian, authorized representative) must be verified. Refer to policy: Consent to Treatment

Original medical records are the property of UConn Health and may not be removed from the facility under any circumstances except by court order. Patients or their authorized representatives have the right to view their own records upon written request using approved forms. Requests to view are first reviewed with the patient's attending physician or appropriate UConn Health representative. A written response is provided to the patient for any request denial. Refer to policy: Patient Right to View His/Her Medical/Dental/Research and/or Billing Record

Most requests for patient records should be referred to the Health Information Management (HIM) Release of Information department. If information is needed immediately and the treating provider approves, clinical areas may provide to the patient copies of documents such as labs, diagnostic results and clinical notes related only to the care in that department.

Information that may not be released:
- Psychotherapy notes (separate from the clinical record).
- Patient information from research labs that are exempt from Clinical Laboratory Improvement Amendment (CLIA) requirements.
- Information for use in pending litigation.

Refer to policy: Patient Right to Request Copies of His/Her Medical/Dental/Research and/or Billing Record

Patients can request record amendments at any time during or after treatment. Whether granted or denied, all amendment requests must be acted upon promptly but no later than 60 days after the request is made. For guidance and assistance with amendment requests in:
- Medical/Dental records, contact Health Information Management (HIM)
- Research records, contact HIM or the study's Principal Investigator
- Billing records, contact Patient Services

Refer to policy: Patient Right to Amend His/Her Medical/Dental/Research and/or Billing Record

UConn Health must honor all patient requests:
- to receive communications of PHI from UConn Health by alternative means or at alternative locations.
- to restrict certain disclosures of PHI to health plans if specific criteria are met.

Patients may also choose to be excluded from automated, verbal or written appointment reminders.

Refer to policies: Patient Right to Request Confidential Communications; Patient Right to Request Restrictions on Use And Disclosure of Protected Health Information

Disclosure Tracking Logs must be completed when PHI is released outside of UConn Health for reasons unrelated to treatment, payment or health care operations and of which the patient is otherwise unaware (e.g. to regulatory agencies, for judicial proceedings, to medical examiners, for research purposes or to report abuse, neglect and domestic violence). Unauthorized disclosures that result in a privacy incident must also be documented on the tracking log. Refer to policy: Accounting of Disclosures of Protected Health Information to Patients

Patient authorization to access, use or share their PHI is needed unless the purpose is related to treatment, payment for treatment, or healthcare operations such as quality improvement, training, performance evaluations, audits, or as required by law.

A valid authorization must include specific information to ensure the patient or representative understands what PHI is involved, who is requesting PHI, the purpose of the requested use or disclosure, and the right to revoke an authorization.

Regardless of the need for patient authorization, PHI that is accessed, used or shared for any purpose other than treatment should be limited to the minimum necessary information required to accomplish the task at hand.

Refer to policies: Authorization for Release of Information; Minimum Necessary Data

Patient complaints related to the privacy or security of their PHI should be directed to the UConn Health Patient Relations Department or to the Privacy or Security office. Patients may also elect to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. Refer to policy: Patient Complaint Regarding Use and Disclosure of PHI

Verbal Communications Involving PHI

The Privacy Rule is not intended to interfere with necessary patient care communications. Discuss PHI only with those that need to know for their assigned job or student functions. Be sensitive to your surroundings and who may be able to overhear you. Discuss PHI in a private area if possible. Lower your voice in open areas. Avoid discussions in public areas such as elevators and cafeterias, even if you think no one is nearby. HIPAA recognizes that incidental disclosures may be unavoidable at times as long as safeguards are in place to minimize such disclosures.

UConn Health institutional policy Use and Disclosure Involving Family and Friends refers to policies in each type of patient area to guide communications with a patient's family and friends:
- Inpatient
- Outpatient
- Outpatient Psychiatry
- Dental

Permission to Communicate covers disclosures needed to assist with coordination of a patient's care but does not necessarily grant the right to disclose PHI that is unrelated to the current care of a patient. When others are present during a discussion with a patient, ask for the patient's permission at that time before sharing PHI. Do not assume it's OK to discuss patient information in front of family or other visitors just because they are there. If circumstances make it impossible to obtain patient permission, share only information you believe to be in the patient's best interest.

PHI may be shared with a patient s personal representative who has verified legal authority to act on behalf of that patient. It is not necessary for personal representatives to be designated on the Permission to Communicate form. HIPAA recognizes that a personal representative has the same rights as the patient and should be treated in the same manner with regard to PHI use and disclosure.

When calling a patient:
- Use the phone number designated by the patient (remember, it may be an alternate phone number).
- Confirm that you are speaking with the patient or someone that has permission to communicate about the patient.
- Do not leave PHI on answering machines or with individuals not authorized by the patient.
- If leaving a message, provide only your name, that you are calling from UConn Health, who the message is intended for, and ask that the individual return your call.

Refer to policy: Telephone/Voicemail/Answering Machine Disclosure of PHI

Unless a patient has specifically opted out, individuals may disclose:
- a patient's hospital room and telephone number to persons that inquire about that patient by name (except patients on the Psychiatric and Department of Correction units).
- a patient's religious affiliation to members of the clergy.

All inquiries about John Dempsey Hospital patients must be forwarded to the UConn Health Information Desk or telephone operators. All media requests for patient information must be forwarded to Health Marketing and Multimedia.

Refer to policies: Directory Information: Disclosure of a Patient's Information; Media Relations

Ask open-ended verification questions such as "Can you please verify your address?" rather than "Is your address still ...?" Before sharing any PHI, verify:
- the identity of the individual requesting the information, including that of a patient who calls for information about himself/herself.
- that any individual other than the patient has the right to obtain the information that is requested.

If an individual's identity and/or legal authority cannot be verified, do not disclose any PHI and report the request to your supervisor.

Refer to policy: Verification of Individuals or Entities Requesting Disclosure of Protected Health Information

Use particular caution when PHI is requested for law enforcement reasons. Do not assume that a subpoena or court order requires immediate release of PHI. Check before disclosing. Refer all law enforcement PHI requests (including those by UConn Health Police Department) to your supervisor.

Managing Confidential Information on Paper

Keep documents with confidential information in locked areas or cabinets. Do not leave papers lying around or unattended in offices or on any desks/counters, printers, or fax machines. If you must carry papers with PHI, keep track of all pages and shred them as soon as they are no longer needed. Avoid taking notes or documents with confidential information into bathrooms, cafeterias, lounges or other public places. Do not leave documents with any confidential information in your personal vehicle. Do not personally transport patient records or ask a patient to transport his or her own record from one UConn Health location to another. Refer to policy: Medical/Dental Patient Records: Transportation of Paper Records and Other Media Records

Locked entrances and restricted access areas reduce privacy risks only when proper procedures are followed. Wear your UConn Health ID badge at all times to safely enter and exit restricted areas. Do not hold a door open or allow anyone without proper identification to access a restricted area, especially if you do not recognize the person. If you see anyone in your department without proper ID, ask questions or notify your department manager or person in charge. Do not assume an individual has authorized access just because he or she is there. Notify UConn Health police if you have any immediate safety concerns.

Follow the steps in policy: Handling Paper Communications About Patients including PHI. Be particularly careful to:
- Check and initial each page before mailing or handing over documents with PHI. The greatest risk exists when pages are not checked.
- Use two forms of identification when preparing and when handing documents to a recipient.
- Use extra caution with shared printers and guard against inadvertently picking up papers that can be mistakenly included with other documents.

Take extra precautions when faxing:
- Verify that you are sending a document to the correct number before faxing.
- Use only UConn Health approved cover sheets for both external and internal faxes.
- Remember to dial 9 followed by the number when faxing outside of UConn Health.
- Collect papers when you leave a fax machine.
- If you send a fax to the wrong recipient or location, or learn that a fax sent from UConn Health was misdirected, notify your supervisor or contact the Privacy Office immediately.
- If you receive a misdirected fax from another entity, notify the sender.

Refer to policy: Faxing of PHI

Non-textual patient data includes patient photographs, radiology images, pathology slides, physiological tracings and audio/video recordings. Consent to treatment includes permission to capture non-textual patient data for clinical purposes. Patient authorization may be required to use or disclose identifiable non-textual data. Be especially aware of privacy implications when using video monitoring equipment in patient care. Refer to policy: Visual, Audio, or Other Recording of Patient Data Obtained Through Any Other Medium

Protection of Electronic PHI (ePHI)

Electronic resources are university/state agency property and should be used only for UConn Health-related business purposes. Accesses to electronic patient information systems are monitored regularly. Confidential electronic data should be accessed only as needed for assigned UConn Health responsibilities. There should be no expectation of privacy; all data stored on UConn Health systems is discoverable under certain circumstances. Always log off when you step away from a computer on which you have been working. You will be held accountable for improper accesses by another individual using your login information. When you leave UConn Health, all information must be properly destroyed or returned to your supervisor.

Refer to policies: Information Technology Computer/Electronic Resource Use Policy; UCHC Information Security: Acceptable Use; UCHC HIPAA Security Virus Protection Policy

To use UConn Health electronic systems, you must have and protect your unique login and password information. Create strong passwords that are easy to remember by replacing letters with numbers and special characters. Examples include: MyD0GJon@th@n, H1ker$GuiDe42, N0!Pr0mises?, Ph0t0gr@ph!, IL<3EdSh33ran! Do not share passwords with any other person or allow anyone to access electronic systems using your login information. Do not request, store or use anyone else's credentials in any way. IT does not need your password to provide you or your team with support. Whatever you do, don't write your password down and leave the paper in an area accessible to others. Refer to policy: UCHC Information Security: Systems Access Control

UConn Health s new electronic medical record (EMR), referred to as HealthONE or Epic is expected to go live in April, 2018. Stay up-to-date on the latest developments, get questions answered and check plans for training on the UConn HealthONE website.

Securing mobile devices is a must! Any device used to access confidential UConn Health data and/or clinical network must have security controls as defined by Information Technology. Personal smartphones or tablets used for email or any other UConn Health business must be registered and secured using Bring Your Own Device (BYOD). Report any lost or stolen mobile devices to the UConn Health Police Department immediately. Refer to policy: Mobile Computing Device (MCD) Security

Treat any email containing PHI with the same degree of privacy as a patient's medical record. Communicate only with individuals that have a need to know and are properly authorized to receive the information. Double-check all email recipients to be sure you are including the correct individual(s). Use extra care when choosing names from the address book, with persons who have similar names, or when recipient names auto-populate in the To or cc lines. Emails containing any confidential information or PHI that are sent outside of the UConn Health network must be encrypted. Refer to policies: Electronic Communication of Confidential Data and Email Communication with Patients/Research Participants

To send an encrypted email: click the secure icon in the upper left-hand corner of the email message screen, or type [secure] (brackets and the word) in the email subject line or body.

Do not text confidential information unless a UConn Health approved secure text application has been installed and activated. Secure texting applications ensure that encrypted messages are transmitted from a secure server and prevent cell phone networks from keeping a message copy. Immediately report to your program director and the IT Security Office any text that is sent without using appropriate software. Information related to your UConn Health work should never be shared on social media sites. Patients may be identified even when minimal information is posted.

Email spam (junk mail) may pose extreme risk to the user and to UConn Health. Phishing scams are a form of cybercrime that involve conning users by acting as legitimate companies or organizations in order to obtain personal information such as passwords and login credentials. Do not click on unsolicited links or attachments in messages. Contact the IT Help Desk at 860.679.4400 or helpdesk@uchc.edu if you have any doubts about received messages.

Be wary when:
- The request is urgent and asks for some type of credentials.
- There are penalties for not complying with the request.
- There are spelling errors.
- The email and signature are generic, such as "Thank you, The Helpdesk", and are missing logos, accurate phone numbers, names and titles.
- The URL (web address) doesn't make sense and is unrelated to the supposed requesting party.
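As an added illustration (not code from UConn Health or from this packet), the red flags above can be turned into a small checker that a security team might run over reported messages as a first-pass triage aid. The keyword lists, the misspelling list, the "registrable domain" simplification and both sample messages are constructed for this example; the uchc.edu domain comes from the packet's contact details, and the other domains are fictitious.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Keyword lists are constructed for this example; a production filter would use
# larger, tuned lists and a real dictionary for the spelling check.
URGENCY = ("urgent", "immediately", "within 24 hours", "right away", "asap")
CREDENTIAL = ("password", "login", "credentials", "verify your account", "sign in")
PENALTY = ("suspended", "locked", "terminated", "disabled", "lose access")
GENERIC_SIGNATURES = ("the helpdesk", "the it department", "it support team")
MISSPELLINGS = ("recieve", "acount", "passowrd", "verfy", "securty")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-label
    public suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_red_flags(msg: dict) -> list[str]:
    """Return the training-packet red flags present in a message.

    msg is a constructed dict with 'from', 'subject' and 'body' keys."""
    text = f"{msg['subject']}\n{msg['body']}".lower()
    flags: list[str] = []

    # Red flag 1: urgent request for credentials.
    if any(w in text for w in URGENCY) and any(w in text for w in CREDENTIAL):
        flags.append("urgent credential request")
    # Red flag 2: penalty threatened for not complying.
    if any(w in text for w in PENALTY):
        flags.append("threatens penalty for not complying")
    # Red flag 3: spelling errors (crude word-list check).
    if any(w in text for w in MISSPELLINGS):
        flags.append("spelling errors")
    # Red flag 4: generic signature with no name or title.
    if any(sig in text for sig in GENERIC_SIGNATURES):
        flags.append("generic signature")
    # Red flag 5: link domain unrelated to the apparent sender.
    sender = registrable_domain(msg["from"].rsplit("@", 1)[-1])
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender:
            flags.append(f"link to {host} does not match sender domain {sender}")
            break
    return flags


def is_suspicious(msg: dict, threshold: int = 2) -> bool:
    """Treat a message as suspicious once it shows at least `threshold` flags."""
    return len(phishing_red_flags(msg)) >= threshold


# Constructed sample messages (not real mail).
LURE = {
    "from": "it-helpdesk@uchc-secure.example.com",
    "subject": "URGENT: Verfy your acount within 24 hours",
    "body": ("Your mailbox will be suspended unless you verify your account "
             "password at https://uchc-secure-login.example.org/verify\n"
             "Thank you\nThe Helpdesk"),
}
LEGITIMATE = {
    "from": "helpdesk@uchc.edu",
    "subject": "Scheduled maintenance Saturday",
    "body": ("The IT Help Desk will perform maintenance on Saturday. No action is "
             "needed. Questions: 860.679.4400.\nJ. Doe, Help Desk Supervisor"),
}

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("legitimate", LEGITIMATE)):
        print(name, is_suspicious(m), phishing_red_flags(m))
```

The threshold matters: any single flag (a legitimate notice that links to a vendor domain, a typo in a genuine message) is weak evidence on its own, so the checker only calls a message suspicious when several of the packet's red flags coincide. The sender-domain check is deliberately conservative; it compares the link against the claimed sender, not against a list of known-good domains, so it still fires when the lure and its link are both on an attacker-controlled look-alike.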

Ransomware is malicious software designed to block access to a computer system until a sum of money (ransom) is paid. Healthcare has been specifically targeted by attackers and is especially vulnerable as ransomware can block access to electronic patient records. Patient care services may be disrupted putting patients at risk. The confidentiality of patient information is severely jeopardized. Ransomware is usually loaded by clicking on links or attachments in email. Do not click on unsolicited links or attachments without verifying the authenticity of the sender or message.

Remember the red flags that signal possible identity theft, such as:
- suspicious documents that appear to be forged or altered;
- inconsistent personal identifying information, such as address and phone number;
- an individual's inability to provide any other identity authentication, such as answers to challenge questions.
Synthetic identity theft often combines real and fake credentials to create new, "synthetic" identities. Because only part of an individual's actual information is used, in combination with other individuals' or fictitious information, the risk may be overlooked as an innocent data entry error. Trust your gut. If something doesn't seem right, seek guidance. Contact the Compliance Office with questions or concerns regarding known or suspected identity theft.

Dispose of paper containing PHI or other confidential information (including faxes, printed emails and notes) only in locked shredder bins, so that the information is rendered undecipherable. Never discard PHI in wastebaskets, recycling bins, or any publicly accessible area. Before any electronic storage media or device leaves UConn Health, contact the Office of Logistics Management (OLM) to have all UConn Health information, especially PHI, scrubbed from it. Store computers, laptops and other devices awaiting disposal in a locked, secure area; do not leave them in hallways or other unlocked areas. Refer to policies: Disposal of Documents/Materials Containing PHI; Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information.

Other Privacy and Security Considerations

PHI in any form may be used or disclosed for research purposes provided there is a valid participant authorization (or an IRB-approved alteration or waiver of authorization). Ensure that appropriate consents and authorizations are complete and signed. Obtain research HIPAA authorizations separately from informed consent unless an exception is granted by the UConn Health Institutional Review Board (IRB). Authorizations must clearly state how participants' PHI will be used and with whom it will be shared. Alterations to or waivers of authorization must be approved by the IRB. When conducting collaborative research with UConn Storrs or other entities, clearly define project roles, particularly those that include access to or use of PHI. Refer to applicable IRB protocols and to policy: Use and Disclosure of Protected Health Information for Research Purposes.

In some instances a Limited Data Set may be used for research, public health or health care operations. A Limited Data Set is PHI from which the direct identifiers listed in the HIPAA Privacy Rule have been removed: names; street addresses; telephone and fax numbers; email addresses; Social Security, medical record, health plan, account, certificate and license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; and full-face photographs. Dates and city, state and ZIP code may remain, which is why a Limited Data Set is still PHI and may be shared only under a data use agreement. Follow the specific steps for creating, using or disclosing a Limited Data Set and ensure an appropriate data use agreement is in place. Use of PHI in preparation for research must be clearly defined and limited to the minimum necessary to complete the preparatory review. PHI accessed, used or disclosed without proper authorization or outside the parameters of the IRB protocol must be evaluated as a potential breach. Report privacy incidents immediately to the Privacy Office and to the IRB. Refer to policy: Limited Data Set - Creation, Use and Disclosure.
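As an added illustration of what creating a Limited Data Set involves (example code, not UConn Health's process or tooling), the script below strips the direct identifiers named at 45 CFR 164.514(e)(2) from a constructed patient record, keeps the dates and city/state/ZIP that a Limited Data Set may retain, and then scans the remaining free-text fields for identifier patterns, since a clinical note that still contains a phone number defeats the removal. The field names are an assumed schema for this example only.

```python
import re

# Direct identifiers that a Limited Data Set must exclude (45 CFR 164.514(e)(2)),
# mapped to this example's assumed field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Identifier shapes that may survive inside free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[.-]\d{3}[.-]\d{4}\b"),
}


def strip_direct_identifiers(value, path="", removed=None):
    """Recursively drop direct-identifier fields; record each removed path."""
    if removed is None:
        removed = []
    if isinstance(value, dict):
        kept = {}
        for key, item in value.items():
            item_path = f"{path}.{key}" if path else key
            if key in DIRECT_IDENTIFIER_FIELDS:
                removed.append(item_path)
                continue
            kept[key] = strip_direct_identifiers(item, item_path, removed)
        return kept
    if isinstance(value, list):
        return [strip_direct_identifiers(item, f"{path}[{i}]", removed)
                for i, item in enumerate(value)]
    return value


def scan_free_text(value, path=""):
    """Return (path, pattern_name) for string values that still look like identifiers."""
    hits = []
    if isinstance(value, dict):
        for key, item in value.items():
            hits += scan_free_text(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            hits += scan_free_text(item, f"{path}[{i}]")
    elif isinstance(value, str):
        for name, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                hits.append((path, name))
    return hits


def build_limited_data_set(record):
    """Return (lds, removed_paths, free_text_hits). Any hit must be resolved
    (text redacted or field dropped) before the result is treated as an LDS."""
    removed = []
    lds = strip_direct_identifiers(record, removed=removed)
    return lds, removed, scan_free_text(lds)


# Constructed record (not a real patient). Dates, city/state/ZIP and clinical
# data are retained because a Limited Data Set may keep them.
SAMPLE_RECORD = {
    "mrn": "00012345",
    "name": "Jane Q. Sample",
    "dob": "1975-04-02",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "address": {"street_address": "1 Example St", "city": "Farmington",
                "state": "CT", "zip": "06030"},
    "encounters": [
        {"admit_date": "2017-09-01", "discharge_date": "2017-09-04",
         "diagnosis_codes": ["E11.9"],
         "note": "Pt asks to be reached at 860.555.0100 for follow-up."},
    ],
    "device_id": "SN-9988",
}

if __name__ == "__main__":
    lds, removed, hits = build_limited_data_set(SAMPLE_RECORD)
    print("removed:", removed)
    print("free-text hits to resolve:", hits)
```

The removed-path list is what a reviewer checks against the data use agreement, and the free-text hits are the usual reason a first pass is not yet a Limited Data Set. Note that because dates and ZIP codes stay, the output is still PHI and still requires the agreement described above.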

Business Associates (BAs) are entities outside the UConn Health workforce that create, receive, maintain, or transmit PHI on behalf of UConn Health. A Business Associate must have processes in place to appropriately safeguard the PHI it creates or receives from UConn Health. Business Associate Agreements (BAAs) set out the respective responsibilities of UConn Health and the BA and document the BA's assurances to safeguard PHI. Refer to policy: Business Associate Contracts.

UConn Health fundraising is coordinated through the UConn Foundation. Patients may opt out of fundraising communications, and treatment cannot be conditioned on an individual's choice to opt out. Marketing is communication that encourages individuals to purchase or use a particular product or service, and specific HIPAA Privacy Rule requirements apply to it. Refer to policies: HIPAA Fundraising Compliance; HIPAA Marketing Compliance.

Managing Privacy and Security Incidents

Access, use or disclosure of PHI in violation of the HIPAA Privacy or Security Rules must be reported as a privacy or security incident. Notify the Privacy Office immediately of any incident that involves improper access, use or disclosure of PHI. Notify your program director and IT Security immediately if you know of or suspect a security incident, such as:
- hacking of any UConn Health electronic system;
- compromise of an electronic device or system that may affect the privacy and security of stored confidential information.
Notify the UConn Health Police Department about any lost or stolen electronic device that may contain PHI or other confidential information.

All privacy and security incidents must be evaluated, but not all result in reportable breaches. A breach is an impermissible acquisition, access, use or disclosure of PHI that compromises its security or privacy. Under the HIPAA Breach Notification Rule such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised; the earlier standard, which required a significant risk of financial, reputational or other harm to the individual, no longer applies. Every individual affected by a breach must be notified without unreasonable delay, and breaches must also be reported to the Office for Civil Rights. Refer to policy: Breaches of Privacy and Security of PHI and Confidential Information.

Privacy Office
Iris Mauriello, Privacy Officer, 860.679.3501, mauriello@uchc.edu
Peg DeMeo, Associate Compliance Officer, 860.679.1226, demeo@uchc.edu
Ginny Pack, Associate Compliance Officer, 860.679.1280, pack@uchc.edu
Privacy Office email: privacyoffice@uchc.edu
Privacy policies

IT Security Office
Bruce Metz, Chief Information Officer, 860.679.5517, metz@uchc.edu
Carrie Gray, Director, IT Security, 860.679.2295, cagray@uchc.edu
Security policies

REPORTLINE: 1.888.685.2637

and a team effort is key!

Thank you for completing Compliance and Privacy/Security training. Training Questions? Contact Ginny Pack at 860.679.1280 or pack@uchc.edu

Compliance and Privacy/Security Training Academic Year 2017-18. Dear Student, Welcome to UConn Health. This training packet includes a general overview of compliance principles, UConn Health's Compliance Program, and Privacy and Security. Please review the training, then complete and sign the training attestation. Return the signed attestation to your instructor, host, preceptor, or the individual responsible for your student experience at UConn Health. The Compliance/Privacy and IT Security Offices are available to answer any questions or to address any compliance- or privacy/security-related concerns during your work at UConn Health. Specific resource and contact information may be found in the training packet. Thank you in advance for your cooperation. Virginia Pack, Associate Compliance Officer

Certification of HIPAA Privacy/Security/HITECH Training Packet Completion 2017-2018. I have read and understand the UConn Health HIPAA Privacy/Security/HITECH training materials. Further, I understand that the location of additional information about UCHC's policies and procedures related to patient privacy has been detailed in the training documents. Printed Name Signature Date

UConn Health Office of Audit, Compliance and Ethics Nonpaid Student Experience Academic Year 2017-2018
I have completed the following trainings:
- Compliance and Ethics Overview
- Privacy and Security
I have read, understood and will abide by the University of Connecticut Code of Conduct. I agree to abide by all policies referenced in these trainings. I have been informed about how to ask questions of, or to report concerns to, the UConn Health Compliance/Privacy and IT Security Offices. I understand that University policy prohibits retaliation toward any individual asking questions of, or reporting concerns to, the appropriate authority. I understand that violations of the University of Connecticut Code of Conduct and/or University/UConn Health policies may result in disciplinary measures as appropriate. Signature Printed Name Date