Compliance Education

1. Compliance Education Tulane University ( For Staff assigned to TUMG HIPAA Clinics ONLY )

2. HIPAA & HITECH HIPAA – The Health Insurance Portability & Accountability Act was passed by the U.S. Congress in 1996. Its provisions were phased in over several years. HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) was effective April 14, 2003. It set the standards for how covered entities and business associates are to maintain the privacy of PHI. It states that a covered entity is not allowed to use or disclose PHI without permission from the individual, except as the law allows. The Privacy rule applies to PHI in all formats. The Administration Simplification provision of HIPAA (standardization of electronic data interchange in health care transactions) was effective October, 2003. HIPAA Security – Protection for the security of electronic Protected Health Information (ePHI) was effective April 20, 2005. It defines the standards which require covered entities to implement basic safeguards to protect ePHI that is created, received, used or maintained by a covered entity. HITECHis part of the “American Recovery and Reinvestment Act” of 2009. It allocated $20 billion to health information technology projects expanding the reach of HIPAA by extending certain obligations to business associates and imposed a nationwide security breach notification law and increased penalties and enforcement. Like HIPAA, the various procedures will be phased in over several years.

3. HITECH-Breach Notification Provisions • The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services and, in some cases, the media in the event of a breach of unsecured protected health information • The law applies to the Tulane Health Care Component, which consists of the Tulane University Medical Group (“TUMG”), its participating physicians and clinicians, and all Tulane University employees and departments that provide management, administrative, financial, legal and operational support services to or on behalf of TUMG to the extent that such employees and departments use and disclose individually identifiable health information in order to provide these services to TUMG, and would constitute a “business associate” of TUMG if separately incorporated. • A business associate is a person or entity that performs certain functions or services for or to TUMG involving the use and/or disclosure of PHI, but the person or entity is not part of TUMG or its workforce (examples include law firms, transcription services and record copying companies).

4. HITECH-Breach Notification Provisions • Law applies to breaches of “unsecured protected health information” • Protected Health Information (PHI) • Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual. • Is transmitted or maintained in any form (electronic, paper, or oral representation). • Identifies, or can be used to identify the individual. • Examples of PHI include • Health information with identifiers, such as name, address, name of employer, telephone number, or SSN • Medical Records including medical record number, x-rays, lab or test results, prescriptions or charts • Unsecured • Information must be encrypted or destroyed in order to be considered “secured”

5. HITECH-Breach Notification Obligations • If a breach has occurred, Tulane will be responsible for providing notice to • The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery—a breach is considered discovered when the incident becomes known not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach) • Secretary of Health & Human Services-HHS- (timing will depend on number of individuals affected by the breach) • Media (only required if 500 or more individuals of any one state are affected)

6. No Notification; Determine if Red Flag Rules or state breach notification laws apply No Is the information PHI? Decision Tree for Breach Notification Yes No Notification; Determine if accounting and mitigation obligations under HIPAA Is the PHI unsecured? No Yes Is there an impermissible acquisition, access, use or disclosure of PHI? No Notification No Yes No Notification; Determine if accounting and mitigation obligations under HIPAA Does the impermissible acquisition, access, use or disclosure compromise the security or privacy of PHI? No Yes No Notification; Determine if accounting and mitigation obligations under HIPAA Does an exception apply? Yes Notification Required; Determine methods for notification for affected individuals, the Secretary of HHS and, if necessary, media No

7. HITECH-Reporting Breaches • Breaches of unsecured PHI (can include information in any form or medium, including electronic, paper, or oral form) or of any of Tulane’s HIPAA policies and procedures must be reported to the Privacy Official at 504-988-7739 or the Office of the General Counsel immediately. • Tulane’s policy (GC-026) states, • “Any member of the Health Care Component who knows, believes, or suspects that a breach of protected health information has occurred, must report the breach to the Privacy Official or the Office of the General Counsel immediately.” • If a breach is reported, the incident will be thoroughly investigated. • The Tulane University Covered Entity is required to attempt to remedy the harmful effects of a breach, including providing notification to affected individuals

8. Disciplinary Actions • Internal Disciplinary Actions • Individuals who breach the policies will be subject to appropriate discipline under policy GC-009

9. Minimum Privacy Violation Action

10. Disciplinary Actions • Civil Penalties • Covered entities and individuals who violate these standards will be subject to civil liability.

11. Tiered Civil Penalties

12. Disciplinary Actions • An employee who does not report a breach in accordance with the policies and procedures could lose his or her job.

13. Employee Obligations • Do not disclose PHI without patient authorization. If you have questions about whether a disclosure is permitted, ask your supervisor. • If you think there has been an unauthorized disclosure of PHI, contact the Security or Privacy Official or the Office of the General Counsel immediately. • When removing PHI from Tulane (i.e., by physician removal of medical records or through the use of a laptop), act in accordance with Tulane’s security measures.

14. Review Review of HIPAA Policies & Procedures that were revised 2010

15. Patient Access to Protected Health Information Fees – GC-008Policy Revised November 2010 • Copies – 0.25¢ per page and a handling fee of $10.00 • A fee of $25.00 will be charged for an expedited request. • A fee of $25.00 will be charged to prepare a summary of the information. • A fee of $25.00 will be charged to prepare an explanation of the information.

16. Patient Access to Protected Health Information – GC-008 continued • If a patient requesting copies of the record is unable to pay because the cost would constitute a hardship, the TUMG Financial Hardship form must be completed and become part of the patient’s record. • If any of the TUMG clinics have a third party vendor handling the copying of records then this policy is not applicable for the vendor.

17. Authorization for Release of Protected Health Information – GC-010Policy revised August 2010 • An additional authorization was added to this policy. • Form is specific “to use / disclose protected health information for marketing, public relations, and external communications.”

19. HIPAA Security Policies

20. Protecting Data in Copiers & Multifunction Devices • Copiers, faxes, and/or scanners 1. Purchasing / leasing: If you are in the process of purchasing, leasing or renting a copier, fax, and/or scanner, please ask your supplier or vendor about security options now available by most manufactures that regularly clear the memory of these devices and also encrypt the hard drives so that privacy breaches can be prevented.

21. Protecting Data in Copiers & Multifunction Devices continued • Copiers, faxes, and/or scanners 2. Existing Equipment: If you are currently in the middle of a product’s life, TS recommends you carefully follow the following guide. • Determine if it has a hard disk drive • Consult the device manual, if available • Contact your service rep • It may be possible to look up online by model on the vendor web site • If it does have a hard disk drive, you must ensure the data stored on the device does not leave our control

22. Protecting Data in Copiers & Multifunction Devices continued 3.Disposing of, transferring, or retiring old equipment: • Since it has become public knowledge that copiers/multifunction office devices may contain sensitive personal information, their disposal must be handled carefully. The university already has the following existing resources related to the disposal of hard drives and the secure removal of data, whichshould be applied to this type of equipment: • HIPAA Disposal Policy – http://www.tulane.edu/~hipaa/TS30Disposal_Policy.pdf • Computer Recycling –http://recycle.tulane.edu/recycle-news.html

23. Protecting Data in Copiers & Multifunction Devices continued • Each link below contains documentation for how to wipe the hard drive of a printing device by the particular manufacture. Some manufactures provide a feature whereby the printer will continuously or periodically wipe its hard drive. You should enable this feature where available. • Xerox Devices: http://www.xerox.com/information-security/product-security/enus.html • Ricoh Devices: http://www.ricoh.com/about/security/product/index.html • HP Devices: http://www.hp.com/large/solutions/hp-disk-erase-white-paper.pdf • Lexmark Multi-function Printer security features: http://www1.lexmark.com/documents/en_us/CIP_Piece_POD.pdf • Cannon Image RUNNER Devices: http://www.usa.canon.com/CUSA/assets/app/pdf/ISG_Security/brochure__ir_hard_disk_drive_security_kit_061009.pdf For more information on best practices, see: • http://www.prlog.org/10640424-how-to-protect-your-photocopier-hard-drive • http://www.dataerasure.com/printer_hard_drive.php

24. HIPAA Security Phishing • WARNING: Be always vigilant for email scams that could result in theft of Protected Health Information (PHI). • A common, recent variation on the scam is an email that: 1. Requires you to verify a user name and/or password, or 2. Links you to a site pretending to be one you know and requires you to enter your user name and/or password. • Tulane is particularly concerned with a current scam that tries to trick you into revealing your Tulane email user name and password, so that the sender can read all of your emails and either steal PHI that is contained in your email or use your codes to enter other password-protected accounts that you maintain for PHI.

25. HIPAA Security Phishing continued What you should do: • First, be careful following links in emails – you may be able to verify if the link’s true identity from a careful reading of the web address. If you are uncertain, you should instead check out of email and enter the desired web site using Google or another search engine to find the true home page of the desired web site. • Second, never provide confidential information to someone who initiates a contact with you. In this case, never respond to an email that directly or indirectly requires you to provide, verify or enter your Tulane email user name and password. • Finally, if you think you may have been compromised in this way, take immediate steps to change your Tulane password; then contact the University’s 24/7 Technology Help Desk and send an email to security@tulane.edu

26. SOM Vendor Policy ( http://tulane.edu/compliance/upload/IndustryPolicy-2.pdf ) • Covers all interactions between Tulane employees and Industry Representatives relating with any purchases related to patient care. • Covers interaction between vendors and Tulane employees related to meals, gifts, and entertainment.

27. SOM Vendor Policy Continued • Sets forth vendor registration process for all vendors visiting Tulane University downtown campus (not hospital). • Sets forth guidelines related to handling sample medications and vouchers. • Sets forth guidelines related to ghost writing.

28. TUMG Healthcare Compliance Manual ( http://tulane.edu/compliance/upload/Compliance-Manual.pdf ) • Resource for policies related to: • Coding, billing, and claims issues • Record keeping and retention • Patient referrals / payments for gifts • Conflict of interest • Response to investigations

29. Secure Computing Practices Safeguards for Users

30. E-mail Encryption • Email Encryption to HCA Healthcare • Email Encryption to the outside world • Email Encryption within Tulane

31. Email Encryption to HCA Healthcare Email messages between tulane.edu and hcahealthcare.com are encrypted automatically by servers policy.

32. Email Encryption to the outside world Type the word Secure: at the subject line It can be lowercase, uppercase or mix case It can be anywhere in the subject line Secure: secure: SECURE: The Colon “ : ” is important.

33. Email Encryption within Tulane By default, email within Tulane for other clients such as Mac Mail, Entourage or iPhone are automatically encrypted with SSL.

34. Resources HIPAA Security Official Hunter Ely (504) 988-8566 HIPAA Privacy Official Glenda Folse (504) 988-7739 Legal Issues Sarah Hunter (504) 988-5297 Associate General Counsel