hipaa at uconn protecting health related information in educational settings n.
Skip this Video
Loading SlideShow in 5 Seconds..
HIPAA at UCONN: Protecting Health-Related Information in Educational Settings PowerPoint Presentation
Download Presentation
HIPAA at UCONN: Protecting Health-Related Information in Educational Settings

HIPAA at UCONN: Protecting Health-Related Information in Educational Settings

126 Views Download Presentation
Download Presentation

HIPAA at UCONN: Protecting Health-Related Information in Educational Settings

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. HIPAA at UCONN: Protecting Health-Related Information in Educational Settings University of Connecticut October 4, 2007

  2. HealthInsurancePortability andAccountabilityAct of 1996 (HIPAA)

  3. Public Law 104-191 Designed to: • assure health insurance portability • reduce health care fraud and abuse • guarantee integrity and confidentiality of health information • improve the operations of health care systems and reduce administrative costs Establishes: • Standards for privacy • Standards for security of health data • Standards for eight electronic transactions and the code sets to be used in those transactions • Unique health identifiers

  4. HIPAA Applicability and Scope Everyone in healthcare and health-related fields is impacted by this law in some way: Payers Providers Members Employers Clearinghouses Billing agents Volunteers Vendors Service organizations

  5. Who must comply? (aka-who does HIPAA apply to?) • Health Plans • Clearinghouses • Providers, if they conduct covered electronic transactions (or have someone conduct them on their behalf) • Employers who act as providers or health plans or who simply choose to comply • Other organizations that receive health data from those listed above and have formal agreements to protect the data (Business Associates)

  6. “COVERED ENTITIES” • Health Care Providers (physicians, nurses, allied health practitioners, counselors) • Health Care Facilities (hospitals, clinics) • Health Plans (HMOs, insurers) • Health Information Clearinghouses

  7. UCONN is a “Hybrid Entity” Covered components: • Student Health Services • Speech & Hearing Clinic • EMS/Fire (within Public Safety) as first responders • Nayden Physical Therapy Clinic

  8. Health Insurance Portability and Accountability Act of 1996 Title I Title II Title III Title IV Title V Administrative Simplification Insurance Portability Fraud and AbuseMedical Liability Reform Tax RelatedHealth Provision Group Health Plan Requirements RevenueOff-sets Security Privacy Electronic Data Transactions Code Sets Identifiers

  9. The 4 components in HIPAA Title II are: Health Insurance Portability and Accountability Act of 1996 Transactions & Code Sets Privacy Security Identifiers

  10. HIPAA Privacy Rule (Regulations)

  11. Privacy Regulation Application The HIPAA Privacy rule applies to any covered entity that maintains or transmits protected health information in any form: • Electronic • Oral • Written • Faxed • etc.

  12. A Look At Privacy The Privacy Regulation includes: • Client/Patient rights • Regulatory authorizations for treatment, payment and health care operations • Minimum necessary for intended use • Business Associate requirements • Required authorizations • Review processes, restriction requests, and correction process

  13. What information is protected by the HIPAA Privacy Rule?

  14. Individually Identifiable Health Information (IIHI) Any health information that is created or received by a health care provider, health plan, clearinghouse or an employer • Identifies the individual • Provides a reasonable basis to believe that the information can be used to identify the individual • Pertains to the health of an individual • Pertains to the provision of or payment of healthcare to an individual.

  15. Protection of PHI What is PHI? (Protected Health Information) • Individually identifiable health information--IIHI: (relating to past, present, future health care or payment for health care) • ORAL • WRITTEN • ELECTRONIC • but NOT student IIHI in the hands of Student Health Services (broad FERPA/HIPAA exemption) • and NOT employee IIHI in the hands of the Employer (HIPAA exemption)

  16. Scope of data covered HIPAA places considerable emphasis on the definition, use and disclosure of IIHI. Below are just a few key data elements which require de-identification in certain situations when related or linked to health information: • Name • Address; street, city,county, zip code • Social security number • Birth date • Account number • Name of employers • Telephone/Fax numbers • Electronic mail addresses • Names of relatives • Any other unique identifying number or code that could be used to identify an individual(applies to a small cell)

  17. Privacy Applicability and Scope • Does not preclude stricter state standards that apply to certain types of information (preemption) • Makes no distinction about the presumed sensitivity of information  Demographic info should be treated the same as clinical info • Protects the information itself, not the physical record, regardless of where the information appears

  18. Records not covered by HIPAA Privacy Rule Employment Records • FMLA certifications • ADA disability/accommodation records • Attendance/sick leave records • Employment physicals • Workers’ Compensation records • Enrollment/disenrollment/COBRA records

  19. Records not covered by HIPAA Privacy Rule Student Records • The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g). • FERPA provides privacy protections for student health records held by federally funded educational institutions.

  20. HIPAA Excludes FERPA “We have excluded educational records covered by FERPA [f]rom the definition of protected health information… because FERPA also provided a specific structure for the maintenance of these records.” U.S. Department of Health and Human Services, 65 Federal Register 82,483 (December 28, 2000)

  21. FERPA (not HIPAA) protected records • Student immunization/medical history records • Student disability/accommodation records • Student health clinic/counseling records • Student health insurance enrollment/disenrollment information submitted by student to University

  22. Requirements to Protect Privacy FERPA • No set, specific requirements • No clear consensus in higher ed on what is needed • No court decisions on third party breach • HIPAA • Administrative Safeguards: • (Processes, procedures, training, Risk Analysis) • Physical Safeguards: • (Facility, workstations, etc.) • Technical Safeguards: • (Access, audit control, data integrity, etc.)

  23. A Look At Privacy The Privacy Regulation includes: • Client/Patient rights • Regulatory authorizations for treatment, payment and health care operations • Minimum necessary for intended use • Business Associate requirements • Required authorizations • Review processes, restriction requests, and correction process

  24. Some Administrative Requirements • Notice of Privacy Practices • Individual Rights • Business Associate Agreements

  25. Notice of Privacy Practices • First Date of Service • Acknowledgment

  26. Basic Individual Rights • Right to privacy of PHI • Treatment, Payment, Health Care Operations Uses • Specified disclosures allowed (public health, subpoenas, etc.) • Other disclosures with authorization • Individual right to access, amendment, accounting • Individual right to request restricted communications and uses/disclosures

  27. Business Associate Agreements • Covered entities must have agreements with vendors, administrators, brokers, accountants, etc. that need PHI to perform services on behalf of or with the covered entity • Agreement must ensure business associate’s compliance with HIPAA Privacy Rule

  28. Other Administrative Requirements • Designate a Privacy Officer • Create policies and procedures • Provide privacy training • Provide a means for individuals to lodge complaints • Process for responding to complaints

  29. Other Administrative Requirements (cont’d) • Administrative, technical, and physical safeguards to protect PHI • Maintain HIPAA documentation for 6 years • Sanctions for HIPAA privacy violations • Mitigate harmful effects from violations • Avoid retaliation or waiver of HIPAA rights

  30. Authorization • Obtain an authorization when appropriate • Usually a customized document • Used for specified purposes, other than TPO • Covers only the PHI for uses and disclosures specified in the authorization • Required for uses and disclosures of PHI not otherwise allowed by the rule

  31. Uses Requiring Authorization • Marketing • Insurance pre-enrollment activities • Employer/uses for employment • Fund raising • Other uses not exempted by these rules

  32. Uses & Disclosures Exceptions -- TPO • Treatment • Payment • Health Care Operations

  33. “Health Care Operations” • Quality assessment/improvement • Determining clinical privileges • Reviewing plan performance • Insurance rating, underwriting, etc. • Medical review and auditing • Fraud and abuse detection • Compiling PHI for legal proceedings

  34. Other Permissible Uses Without Consent Based on capacity or authority • Public health activities • Health care oversight • Judicial/administrative proceedings • Coroners/medical examiners • Law enforcement, banking, or payment • Research, emergencies, and next of kin

  35. “Minimum Necessary” • Only disclose the PHI needed to accomplish a function • Case-by-case determination • Designated decision maker • Exceptions for: • DHHS access • plan audit and “as required by law”

  36. Why Should You Care? Civil penalties for improper PHI disclosure: • $100 per day, up to $25,000 per year for identical violations • Penalty may be avoided if disclosure was for reasonable cause, not willful neglect

  37. Criminal Sanctions Criminal penalties for knowing wrongful disclosure of PHI: • Fine of not more than $50,000/imprisonment for one year/both • If committed under false pretenses, fine of not more than $100,000/imprisonment for not more than five years/both • If committed with intent to sell, transfer or use such health information for gain or malicious harm, fine of not more than $250,000/imprisonment of ten years/both

  38. The Bottom Line . . . • Know Your Permitted Uses and Disclosures of PHI • Limit Access/Disclosure to Permitted Group • Safeguard PHI • Keep PHI Out of Employment-Related Actions and Decisions • most importantly…

  39. Don’t be afraid to ask questions!

  40. Questions? Rachel Krinsky Rudnick, JD, CIPP University Privacy Officer Office of Audit, Compliance & Ethics (860) 486-5256

  41. HIPAA Security Awareness Training Elaine David, Director of IT Security, Policy & Quality Assurance

  42. HIPAA SECURITY AWARENESS TRAINING HIPAA Security Rule: The purpose of the final HIPAA rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information. These standards require measures to be taken to secure ePHI while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.

  43. HIPAA SECURITY AWARENESS TRAINING HIPAA Security Rule Requirements: • Administrative Safeguards • Physical Safeguards • Technical Safeguards

  44. HIPAA SECURITY AWARENESS TRAINING Administrative Safeguards: • Security Management (Risk Analysis, Sanctions, Activity Review) • Workforce Security • Access Management • Awareness & Training • Incident Response & Reporting • Business Associate Contracts • Evaluation of Compliance

  45. HIPAA SECURITY AWARENESS TRAINING Physical Safeguards: • Facility Access controls • Workstation Acceptable Use & Responsibility • Workstation/Server and Mobile Systems security • Device and Media Control Security

  46. HIPAA SECURITY AWARENESS TRAINING Technical Safeguards: • Access controls (e.g. unique id, password structure, firewall use, wireless access, remote access, etc.) • Security Audit controls • Authentication • Transmission security

  47. HIPAA SECURITY AWARENESS TRAINING Compliance with HIPAA Security Rule: Development and dissemination of many security and data policies. See or

  48. HIPAA SECURITY AWARENESS TRAINING What is information security? The steps taken to protect the confidentiality, integrity and availability of our information resources. • Confidentiality: assurance that information can only be seen or used by those who are authorized to access the information. • Integrity: assurance that information that we use has not been modified inappropriately during storage, transmission, etc. • Availability: assurance that computer resources are available when we expect them to be.

  49. HIPAA SECURITY AWARENESS TRAINING What is security awareness? • Recognizing the various types of security issues; • Knowing how to prevent a breach; • Knowing how to react to a breach.

  50. Good Computing Practices - Safeguards for Users #1: Passwords: - Choose your password carefully • Use at least 8 characters • Do not use repetitive characters • Combine alpha, numeric and non-alpha numeric characters, upper and lower-case • Do not base password on familiar words or words/names that can be associated with you • Choose one that is easy to remember and easy to type