2. HIPAA
• Has been a federal privacy regulation since 2003. Covers privacy and security of health information.
• Reviewed in annual education
• Taught in new employee orientation
• The facility Security Officer is Christie Messinger
• The facility Privacy Officer is Alane Bryan
3. HITECH
• Does not replace HIPAA—it gives it TEETH!
• Requires a breach notification policy
• Encourages EHR adoption
• Provides strict data protection regulations for more secure patient privacy
4. New Fines as of March 26, 2013
Violation Type                    Each Violation       Repeat Violations/Yr.
Did not know                      $100 - $50,000       $1.5 million
Reasonable Cause                  $1,000 - $50,000     $1.5 million
Willful Neglect – Corrected       $10,000 - $50,000    $1.5 million
Willful Neglect – Not Corrected   $50,000              $1.5 million
• Healthcare organizations or providers may be held liable for violations.
• Individual employees may be prosecuted or may be sued for civil penalties.
5. Breach Notifications
• Must notify individuals and HHS and, in some cases the media, of any substantiated breaches within 60 days.
• Breaches affecting 500 or more patients will be posted to the HHS.gov website.
6. Documented Breaches
• Mass General
• California Breaches
• BCBS of TN Breach
• Individual Prosecution
• Personal Gain
7. Top Privacy Violations
• Stolen laptops/computers
• Lost CDs
• ID theft/Social Security Numbers
• Medicare Fraud
• Access to EMR with no job-related need
8. Privacy Breach Examples
• Using Social Networking to talk about patients
• Discussing PHI with employees or family who do not have a job-related need
• Looking at EMR out of concern or curiosity
• Telling others that a patient was “in” for treatment
• Discussing progress or prognosis in front of family without permission
9. More Privacy Breach Examples
• Using chart to get information to use against patient in lawsuit or divorce
• Looking in minor child’s EMR
• Taking a peek for “educational purposes”
• Starting conversations with “Don’t tell anyone I told you this, but…”
• Sharing computer access/passwords
10. Permitted HIPAA Exceptions
• Treatment, Payment, Operations
• Some law enforcement exceptions
• Public health reporting
• When in doubt, get a Signed Release
• Disclose “minimal necessary” amount of PHI
11. HIPAA, HITECH, & YOU
• Patients/family members requesting patient information AFTER DISCHARGE should be referred to the HIM Department
• If a patient requests information during an admission, make sure the report is FINAL before giving the information to the patient or to their designee (document the designee). We do not release information unless it is in a FINAL status.
• Discuss patient information as quietly as possible
12. HIPAA, HITECH, & YOU
• Try not to say the patient’s name repeatedly
• Make sure paper containing PHI makes it to a shred bin
• Shred bins should be dumped in large bins each day
• Use fax cover sheets with the confidentiality clause
• Do not leave messages with too much information
• Wear your employee ID badge at all times
13. HIPAA, HITECH, & YOU
• Use workstations for intended purposes
– No gaming, no unauthorized downloading of files; personal emails are subject to access by P & S Surgical Hospital
• Log-off or lock your computer when you are not using it
• Make sure others cannot view your computer screen
14. HIPAA, HITECH, & YOU
• Keep passwords secure
• Use your own individual password
• Avoid sharing passwords
• Trigger encryption for emails containing PHI being sent outside the organization
• If photos must be taken of a patient, use a P & S camera or device; NEVER use your personal camera or smart phone
15. HIPAA, HITECH, & YOU
• Never share proprietary or confidential information in blogs or on social media sites
• Report potential breaches, inappropriate disclosures, or otherwise suspect behavior to your direct supervisor, the Privacy Officer, the Security Officer, or the Corporate Compliance Officer
16. End of Presentation
• This is the end of the presentation. Click on the blue Quiz button next.