2. HIPAA has been a federal privacy regulation since 2003. It covers
the privacy and security of health information.
Reviewed in annual education
Taught in new employee orientation
The facility Security Officer is Michael Boudreaux
The facility Privacy Officer is Alane Bryan
3. Does not replace HIPAA; it gives HIPAA teeth.
Requires a breach notification policy
Encourages EHR adoption
Provides stricter data protection requirements for more
secure patient privacy
4. Civil penalty tiers (per violation, and the annual cap for repeat violations of the same provision):
Violation Type                    Each Violation       Repeat Violations / Year
Did not know                      $100 - $50,000       $1.5 million
Reasonable Cause                  $1,000 - $50,000     $1.5 million
Willful Neglect – Corrected       $10,000 - $50,000    $1.5 million
Willful Neglect – Not Corrected   $50,000              $1.5 million
•Healthcare organizations or providers may be held liable
for violations.
•Individual employees may be prosecuted or may be sued
for civil penalties.
5. Must notify affected individuals, HHS and, in some cases, the media of
any substantiated breach; notification to individuals is due within 60 days of discovery.
Breaches affecting 500 or more patients are posted on the
HHS.gov website.
Four factors are used to assess whether there is a low or high probability
that the PHI has been compromised:
1. The nature and extent of the PHI involved in the incident
Is the PHI sensitive information, e.g. Social Security Numbers or
infectious disease test results?
2. The unauthorized person who received the PHI
Is another physician receiving the PHI, or someone with no duty of confidentiality?
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Was it immediately destroyed or returned?
6. Case examples:
Mass General
California breaches
BCBS of TN breach
Individual prosecution
Personal gain
8. Examples of privacy violations:
Using social networking to talk about patients
Discussing PHI with employees or family who do not
have a job-related need to know
Looking at the EMR out of concern or curiosity
Telling others that a patient was "in" for treatment
Discussing progress or prognosis in front of family
without the patient's permission
9. Using the chart to get information to use against a patient in a
lawsuit or divorce
Looking in a minor child's EMR without a job-related need
Taking a peek for "educational purposes"
Starting conversations with "Don't tell anyone I told
you this, but..."
Sharing computer access or passwords
10. Permitted uses and disclosures: Treatment, Payment, Operations
Some law enforcement exceptions
Public health reporting
When in doubt, get a signed release
Disclose only the "minimum necessary" amount of PHI
11. Patients or family members requesting patient
information AFTER DISCHARGE should be referred
to the HIM Department.
If a patient requests information during an admission,
make sure the report is in FINAL status before giving the
information to the patient or to their designee
(document the designee). We do not release
information unless it is in FINAL status.
Discuss patient information as quietly as possible.
12. Try not to say the patient's name repeatedly.
Make sure paper containing PHI makes it to a shred bin.
Shred bins should be emptied into the large bins each day.
Use fax cover sheets with the confidentiality clause.
Do not leave voicemail messages with too much information.
Wear your employee ID badge at all times.
Do not take pictures in patient care areas. Patients,
their names, or their family members may be visible
without you realizing it. It is not worth the risk!
13. Use workstations only for their intended purposes.
No gaming and no unauthorized downloading of files.
Personal emails on hospital systems are subject to access by P&S Surgical
Hospital.
Log off or lock your computer when you are not using
it.
Make sure others cannot view your computer screen.
14. Keep passwords secure.
Use your own individual login and password.
Never share passwords; anything done under your login is attributed to you.
Trigger encryption for emails containing PHI that are
sent outside the organization.
If photos must be taken of a patient, use a P&S camera
or device; NEVER use your personal camera or smart
phone.
15. Never share proprietary or confidential information in
blogs or on social media sites.
Report potential breaches, inappropriate disclosures,
or otherwise suspect behavior to your direct
supervisor, the Privacy Officer, the Security Officer, or
the Corporate Compliance Officer.