HIPAA HAZARDS & SOCIAL MEDIA SNAFUS NARHC MARCH 20, 2018 MARGARET SCAVOTTO, JD, CHC MPA ST. LOUIS, MO


EXPECT THE UNEXPECTED

SNOOPING EMPLOYEES WILL BE TEMPTED TO SNOOP MEDICAL RECORDS.

SNOOPING A nurse snooped the medical records of her nephew's girlfriend and learned she had had a baby and given it up for adoption. The secret was announced at a family funeral. A hospital employee snooped patient records for 14 years. When Britney Spears was hospitalized in 2008 for psychiatric care, 13 employees and 6 physicians at UCLA Medical Center looked at her medical records without a work-related reason.

SNOOPING Who are YOUR celebrities?

SNOOPING What can you do?
- Address snooping in your SRA and policies
- Limit access
- Terminate access
- Review information system activity
- Set up alerts
- Use access controls
- TRAIN
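As an added example, not part of the NARHC presentation, the following Python script shows what "review information system activity" and "set up alerts" can look like over an EHR access audit log. The log format, the field names, the reference tables (care team, user roles, flagged patients, terminated accounts) and the three rules are assumptions chosen for illustration; the sample records are constructed, not real data. The rules are the ones the slides point at: accesses by accounts that should have been terminated, accesses with no treatment relationship or role-based purpose (minimum necessary), and every access to a flagged "celebrity" record.

```python
"""Snooping detection over a constructed EHR access audit log.

Added example, not from the NARHC presentation. The log format, the
field names, the reference tables and the three rules are assumptions
chosen to show what "review information system activity" and
"set up alerts" can look like in practice.
"""
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample records (not real data):
# timestamp|user|patient|action|reason-code recorded by the EHR
AUDIT_LOG = """\
2018-03-01T08:02:11|nurse.a|PT-1001|VIEW|TREATMENT
2018-03-01T08:15:40|nurse.a|PT-2002|VIEW|NONE
2018-03-01T09:00:03|billing.b|PT-1001|VIEW|PAYMENT
2018-03-01T21:47:19|tech.c|PT-3003|VIEW|NONE
2018-03-02T10:12:00|former.d|PT-1001|VIEW|TREATMENT
2018-03-02T10:30:00|nurse.a|PT-3003|VIEW|TREATMENT
"""

# Assumed reference data the rules consult. In a real deployment these
# come from the EHR (care team / encounter data) and from HR / identity.
CARE_TEAM = {  # patient -> workforce members with a treatment relationship
    "PT-1001": {"nurse.a"},
    "PT-2002": {"nurse.e"},
    "PT-3003": {"nurse.a"},
}
USER_ROLES = {"nurse.a": "nurse", "billing.b": "billing",
              "tech.c": "tech", "former.d": "nurse"}
# Purposes a role may record without being on the care team
# (minimum necessary: billing views charts for PAYMENT, not out of curiosity).
ROLE_REASONS = {"billing": {"PAYMENT"}, "nurse": set(), "tech": set()}
FLAGGED_PATIENTS = {"PT-3003"}      # "your celebrities": VIPs, staff, relatives
TERMINATED = {"former.d": datetime(2018, 2, 28)}  # account should be disabled

Access = namedtuple("Access", "ts user patient action reason")
Alert = namedtuple("Alert", "rule user patient ts")


def parse_log(text):
    """Parse the pipe-delimited log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, reason = line.split("|")
        records.append(Access(datetime.fromisoformat(ts), user, patient, action, reason))
    return records


def justified(r):
    """True if the access has a documented basis: treatment by a care-team
    member, or a purpose the user's role is allowed to claim."""
    if r.reason == "TREATMENT":
        return r.user in CARE_TEAM.get(r.patient, set())
    return r.reason in ROLE_REASONS.get(USER_ROLES.get(r.user, ""), set())


def review(records):
    """Apply the alert rules to every record and return the alerts."""
    alerts = []
    for r in records:
        # Rule 1: access after the account should have been terminated.
        if r.user in TERMINATED and r.ts > TERMINATED[r.user]:
            alerts.append(Alert("TERMINATED_ACCOUNT", r.user, r.patient, r.ts))
            continue
        # Rule 2: no treatment relationship and no role-based purpose.
        if not justified(r):
            alerts.append(Alert("NO_RELATIONSHIP", r.user, r.patient, r.ts))
        # Rule 3: every access to a flagged record is reviewed, justified or not.
        if r.patient in FLAGGED_PATIENTS:
            alerts.append(Alert("FLAGGED_PATIENT", r.user, r.patient, r.ts))
    return alerts


def alerts_per_user(alerts):
    """Count alerts by user, for the periodic review report."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    for a in review(parse_log(AUDIT_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.rule:<18} {a.user:<10} {a.patient}")
```

On the constructed log this raises five alerts: the nurse's look at a patient she does not treat, the technician's evening view of the flagged chart (which trips two rules), the nurse's justified but still-reviewed access to the flagged chart, and the former employee whose account was never disabled. The last one is the cheapest alert to make unnecessary: tie account termination to the HR off-boarding event rather than waiting for the log review to catch it.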

INSIDERS & BURGLARS WHAT COULD SOMEBODY TAKE FROM YOU?

INSIDERS An ex-employee stole patient information and patient photos from a Rodeo Drive plastic surgery clinic and put them on social media. A mental health tech stole census sheets from a behavioral health facility and sold them for $1,000 each.

INSIDERS What can you do?
- Background checks.
- Consider insiders in your HIPAA Security risk analysis and mitigation plan.
- Use the minimum necessary rule.
- Terminate access when employees leave.

BURGLARS What could a burglar steal from you? Burglars stole an unencrypted computer containing PHI for 24,000 patients from a dermatology practice; because the data was not encrypted, the theft was a reportable breach. Burglars stole paper PHI from an eye doctor's office, leaving the electronic PHI systems untouched. Burglars took 13 boxes of paper medical records from an off-site storage facility. The burglar was caught when he tried to sell the patient records.

BURGLARS What can you do? Remember there is no such thing as secure paper PHI. If you use off-site storage, ask about their HIPAA security program. Signing a BAA is required, but it doesn't guarantee your records are safe.

MAIL WHAT S IN YOUR ENVELOPE? HIPAA WANTS TO KNOW.

MAIL What could go wrong? Aetna used a contractor to complete a mailing. The contractor used windowed envelopes. Through the window, the following words could be seen: "when filling prescriptions for HIV medications." The Ohio Dept. of Mental Health and Addiction Services sent a satisfaction survey to its patients via postcard (rather than sealed envelopes).

MAIL Email issues A hospital executive assistant sent an electronic survey to patients by email. The goal of the survey was to identify ways to improve patient discharge paperwork. Hundreds of patient email addresses were visible in the To field of the email, so every recipient could see who else was a patient of the hospital. Bulk patient mailings belong in the Bcc field or in a mail-merge tool that sends one message per recipient.

MINIMUM NECESSARY RULE BREACHES WHEN STAFF NEED TO USE PHI, BUT THEY USE TOO MUCH.

MINIMUM NECESSARY RULE BREACHES A university student health center employee discussed the results of a student's pregnancy test with a female coworker. A nurse was fired from a Kentucky hospital after she told a physician and an EKG technician to wear gloves for a procedure because the patient had Hepatitis C.

MINIMUM NECESSARY RULE BREACHES What can you do? TRAIN.

AUGMENTED REALITY PEOPLE USE THEIR PHONES AND CAMERAS FOR EVERYTHING.

POKÉMON GO Pokémon Go uses the smartphone's camera to superimpose Pokémon characters on real-time photographs. Pokémon Go lets the user take a screenshot of the app (i.e., the real-time photograph), so a screenshot taken in a clinical area captures whatever patients, whiteboards or screens are in the camera's view.

ONLINE REVIEWS THE COMMENTS CONUNDRUM

ONLINE REVIEWS I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision. - [Your dentist]

SOCIAL MEDIA EVERYBODY'S DOING IT

PROTECTED HEALTH INFORMATION HIPAA protects PHI: information that can identify a patient and relates to the patient's health condition, treatment, or payment for treatment.

PHOTOS AND VIDEOS SAY CHEESE!

PHOTOS & VIDEOS Two paramedics were arrested and face criminal charges after they engaged in a selfie war by text.

IT WAS JUST A PICTURE OF HER BUTT "They just blew everything out of proportion. It was just a picture of her butt. How many people take a picture of people's butts?... I worked in health care for five years. Everybody takes pictures of residents all the time. I'm not the only one." https://www.propublica.org/article/nursing-home-workers-share-explicitphotos-of-residents-on-snapchat

PHOTOS AND VIDEOS Doctor posted plastic surgery photos online. Hospital employees took photos of a patient with a genital injury.

PROUD PROMOTION An entry-level clinical staff member received a promotion to an administrative role. This promotion came with an office. The staff member took a video of his desk and posted it to Facebook.

SOCIAL MEDIA: IS IT PHI?

IS IT PHI? Sad day at work today

IS IT PHI? Sad day at work treating someone so young today

IS IT PHI? Sad day at work treating an amputee today

IS IT PHI? SAD DAY AT WORK TREATING MY THIRD GRADE TEACHER TODAY

IS IT PHI? SAD DAY AT WORK TREATING MY THIRD GRADE TEACHER AT WALNUT ELEMENTARY TODAY

SOCIAL MEDIA What you can do:
- Social media policy
- Breach notification policy
- Train, train, train
- Audit

IGNORING BREACHES 89% OF HEALTHCARE PROVIDERS HAVE HAD A BREACH

IGNORING BREACHES Presence Health entered a $475,000 settlement with the OCR after it missed the 60-day breach notification deadline. 10-22-13: Presence discovered the breach (paper OR schedules were missing). 1-31-14: Presence notified OCR of the breach, more than 100 days after discovery.

BREACH NOTIFICATION Unsecured PHI = PHI that is not encrypted or destroyed per HHS guidance. When: without unreasonable delay, and no later than 60 days after discovery. Who:
- The patient (each affected individual)
- OCR (within 60 days if 500 or more individuals are affected; otherwise logged and reported annually)
- The media (only if more than 500 residents of a state or jurisdiction are affected)

BREACH NOTIFICATION What can you do?
- Breach Notification policy
- Breach analysis decision tree
- HIPAA attorney on speed dial

BREACH NOTIFICATION Don't mess with Texas. No risk-of-harm analysis is required. Texas HHS contractors that provide HHS services and create, receive, maintain, use or disclose Confidential Information on behalf of HHS programs or clients must notify HHS of breaches of federal data within 60 minutes.

YOUR ACTION PLAN HOW TO EXPECT THE UNEXPECTED

SECURITY RISK ANALYSIS
- Conduct a HIPAA Security risk analysis
- Mitigate risks
- Update the risk analysis

POLICIES
- Privacy
- Security
- Breach Notification
- Omnibus updates (effective September 2013)

TRAIN, TRAIN
- New hires
- Annual training
- Quarterly or monthly reminders
- Board, employees, contractors, managers
- In-services, written reminders, email, flyers, video, skits

AUDIT
- Walk-throughs
- Security audits
- Privacy audits
- Breach notification audits
- Social media audits

LOOK FOR GUIDANCE At HCCA's 2017 Compliance Institute, Iliana Peters advised that the OCR is developing guidance and FAQs addressing: texting, social media, and minimum necessary.

Margaret Scavotto, JD, CHC, President, 314-394-2222 ext. 24, mcs@healthcareperformance.com. © 2018 Management Performance Associates. This presentation does not constitute legal advice. Questions?