I. UWM AND HIPAA
UWM is required to comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009 because it includes health care providers (persons and units) that (i) provide, bill for and are paid for health care and (ii) transmit Protected Health Information (defined below) in connection with certain transactions. The primary purpose of HIPAA’s privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”) is to protect the confidentiality of patient health information which is generated or maintained in the course of providing health care services.
UWM is considered a “hybrid entity” under HIPAA because it has some departments and units that are covered by HIPAA and some that are not. UWM’s Covered Departments are comprised of two parts: (i) provider units (and all the employees in these units) which perform health care and clinical services, and (ii) certain administrative units (and all the employees in these units) that provide services to the provider units and, as a result, may come into contact with confidential patient health information.
Specifically, UWM’s Covered Departments are currently as follows:
1. Provider Units:
- Community Audiology Services (College of Health Science)
- Institute for Urban Health Partnerships (College of Nursing)
2. Administrative Units:
- Privacy Officers for Covered Departments (See current List of UWM’s Privacy Officers.)
- UITS Selected Support Staff (Division of Finance & Administrative Affairs)
- Other (non-UITS) IT personnel serving Covered Departments
- Internal Audit (Division of Finance & Administrative Affairs)
- Office of Legal Affairs (Division of Finance & Administrative Affairs)
- Risk Management (Division of Finance & Administrative Affairs)
You are being asked to read and understand the information contained in this overview because you are an employee or volunteer in one of the above-mentioned administrative units. You need to comply with HIPAA because in your work with the provider units it is anticipated that you may gain access to protected health information. For example, individuals in the Bursar’s Office may be asked to bill individuals for treatment by one of the provider units; IT personnel may gain access to protected health information in their work on the systems of a provider unit.
Many HIPAA requirements relate specifically to health care providers; however, some requirements are also applicable to, and must be followed by, the covered administrative units. What follows is a brief overview of the most important principles of HIPAA.
II. THE PRIVACY RULE
A. IMPORTANT TERMS
What is PHI or Protected Health Information?
The Privacy Rule governs how individuals can use and disclose confidential patient information called “Protected Health Information” or “PHI.” PHI can be written, spoken or electronic and includes information relating to an individual’s health or condition, the provision of health care services or the payment for such services. The Privacy Rule only covers information that is individually identifiable. However, 18 identifiers are defined under the Privacy Rule and, among other things, include a patient’s name, address, social security number, fax number, email address, vehicle identifiers, date of admission / discharge, photographs and voice recordings.2 Further, in addition to identifiers that can be specifically linked to an individual, PHI also includes information which could be reasonably expected to lead to his/her identification.
* The Privacy Rule does not apply to documents or information lacking patient identifiers. However, when in doubt, assume that all information is protected by the Privacy Rule.
What does “use” mean?
Under the Privacy Rule, “use” means the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such PHI. All sharing, employment, application, etc., of PHI within the Covered Departments is considered to be a “use”.
What does “disclosure” mean?
Under the Privacy Rule, “disclosure” means the release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the PHI. Any release, transfer, etc., of PHI outside of the Covered Departments is considered to be a “disclosure.”
B. TEN IMPORTANT PRIVACY RULE PRINCIPLES
- Use or Disclose Only the Minimum Necessary Information
Generally speaking, the Privacy Rule requires that individuals limit access to PHI, and the use and disclosure of PHI, to the minimum amount of information necessary to perform their job and/or accomplish their intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, a Limited Data Set should be used if practicable to accomplish the intended use or disclosure. A Limited Data Set is PHI that does not contain certain direct identifiers of the patient.3 If use of a Limited Data Set is not practicable, the minimum necessary rule can be relied upon.
The minimum necessary rule does not apply to information used or disclosed in treating a patient (including rounds) and in certain other limited instances 4 and, as such, should not greatly affect the use of PHI for patient care. Nevertheless, you should always ask yourself, “Am I using or accessing more PHI than I need to?”
Covered Departments must make their own determination as to what constitutes the minimum amount of information necessary for the intended purpose of any use or disclosure, and cannot independently rely on the determination of the person making the request.
- Verify the Identity and/or Authority of Recipients of PHI
You must take reasonable steps to verify the identity and/or authority of an individual or organization requesting disclosure of PHI if that individual is unknown to you. Knowledge may take the form, for example, of a known or recognized person or organization or a known phone number, fax number, or mailing address. However, if you do not know the individual or organization requesting the PHI, you should request identifying information, documentation of authority, official credentials, or written requests to be submitted on letterhead before making the disclosure.
- Take Steps to Protect PHI
The Privacy Rule requires that individuals in UWM’s Covered Departments safeguard PHI. Common practices to help protect patients’ PHI are listed below. The Security Rule, which is discussed in detail in part II of this training, requires additional safeguards for electronic data.
- Keep patient records closed when not in use;
- Store PHI in secure/locked locations;
- Remove documents from fax machines and copiers immediately;
- Place discarded documents in confidential bins for shredding;
- Try to prevent others from overhearing your conversation and avoid using patient names in hallways or elevators;
- Leave only the minimal amount of information on an answering machine or voicemail as necessary to convey the message; and
- Never remove a patient’s hard copy medical record or billing information from the premises.
- Know What Uses and Disclosures of PHI Require Spoken Permission and the Opportunity for a Patient to Object
Patients must be given the opportunity to object to the use or disclosure of their PHI before the information is used or disclosed:
- Inclusion in patient directories (can include name, room number, condition and religion); and
- To those involved in a patient’s care: If the patient does not object, information may be shared with friends, family or others involved in the patient’s care relating to the patient’s location or general condition.
- Know What Uses and Disclosures of PHI Do NOT Require Patient Permission
Many routine uses and disclosures of PHI do not require the patient’s written authorization. No permission is required for individuals to perform the everyday functions of Treatment, Payment, and Health Care Operations, collectively referred to as “TPO.”
- Treatment: patient permission is not required to use or disclose patient information when treating a patient or making arrangements to treat a patient;
- Payment: patient permission is not required to use or disclose patient information when creating bills or coordinating billing with a patient’s health insurance company; and
- Health Care Operations: permission is not required when carrying out operational activities such as training medical or other health professionals, preventing fraud and abuse, meeting licensing and accreditation requirements and conducting quality assurance or health care peer review activities.
Note, however, that the more stringent state/federal law requirements concerning the use and disclosure of mental health records, alcohol and other substance abuse records, and HIV test results continue to be in effect. Also, patients may request the Privacy Officer for the area to implement restrictions on the use of PHI, which, once granted, must also be implemented by administrative units dealing with the PHI.
Health care providers and staff can also disclose a patient’s PHI without permission for certain public health activities, to authorities when required by law, for certain employment or worker’s compensation purposes, and in many instances, to another health care provider outside of UWM’s Covered Departments for treatment purposes.
- Know What Uses and Disclosures of PHI Require Written Permission
In general, all uses and disclosures of PHI other than those listed in subsections 3 and 4 above require written authorization from the patient. Examples of such uses and disclosures include the following:
- Most research activities;
- Most marketing & fundraising activities;
- Disclosure of psychotherapy notes; and
- Disclosures to other persons or entities (e.g., patient’s attorney).
Individuals seeking to release PHI in connection with marketing and fundraising activities, or relating to psychotherapy, or who need to respond to miscellaneous requests for disclosure to third parties, should contact their Privacy Officer for additional information and training if necessary.
- Know Patients’ Privacy Rights
The Privacy Rule provides patients with certain rights relating to their PHI. These rights include all of the following:
- The right to request alternative communication: Patients can ask health care providers and staff to contact them in a certain way; e.g., at home as opposed to work.
- The right to look at and obtain copies of their medical and billing records, including those maintained in electronic format.
- The right to ask for an amendment to medical and billing records.
- The right to receive a list of certain disclosures.
- The right to request restrictions on how patient information is used and disclosed: Providers and facilities are not required to agree to such requests. Individuals must never agree to such restrictions without first obtaining permission from the appropriate administrative staff.
- The right to receive a notice of privacy practices from the provider unit.
Note that if a patient requests any of the above-mentioned rights (with the exception of requests for a notice of privacy practices), the request should be forwarded to and reviewed by an appropriate Privacy Officer or supervisor. Individuals should never respond to patient requests unless directed to do so.
- Know the Administrative Rules UWM Must Follow
The Privacy Rule requires that UWM follow several administrative rules including the following:
- UWM must provide all personnel in its Covered Departments with HIPAA training;
- UWM must have policies and procedures in place for complying with the Privacy Rule and the Security Rule;
- UWM must have a procedure in place for accepting and processing patient privacy complaints. The Notice of Privacy Rights instructs patients as to how they can register their complaints;
- UWM must impose consequences for personnel who violate the Privacy Rule and the Security Rule. Individuals who violate the rules will face corrective actions based on the severity of the violations they commit. These actions can range from further training or an oral warning to suspension and/or termination. Individuals and entities can also face fines and prison sentences for violations; and
- UWM must appoint one or more HIPAA Privacy Officers. A list of Privacy Officers and their contact information is provided at the end of this training.
- Business Associates Must Also Follow the Privacy Rule
Individuals and businesses that provide a service to a UWM Covered Department by assisting with the treatment, payment or other functions that result in the disclosure of PHI (“Business Associates”) must comply with the Privacy Rule, the Security Rule and UWM’s HIPAA policies and procedures. Examples of Business Associates are as follows:
- Transcription agencies
- Collection agencies
- Outside attorneys
- Vendor representatives to the extent they access PHI
UWM Covered Departments must ensure that Business Associates comply with UWM’s policies and procedures relating to the Privacy and Security Rules by entering into a Business Associate Agreement with them.
- Know What to Do in the Event of a Breach (!!!)
A key change under HITECH of 2009 is that breaches of PHI are now covered by rules detailing how that breach must be addressed. Therefore, any individual working in or for a Covered Department or a Business Associate who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA should immediately report the circumstances of the suspected breach to the individual’s supervisor and the Privacy Officer for the Covered Department.
The Privacy Officer must then gather the facts about the incident and report the incident to certain university officials, as outlined in the HIPAA Policies and Procedures. Those officials will confer regarding the circumstances of the reported breach and determine appropriate next steps, including the extent of any required investigation and notification to those involved.
III. THE SECURITY RULE
The Security Rule provides additional procedures for safeguarding electronic protected health information (“EPHI”) and preventing access to such confidential information by unauthorized persons. These requirements are in addition to those mandated by the Privacy Rule as detailed above.
UWM’s Chief Information Officer has been designated the Security Officer for purposes of the Security Rule. The Security Officer has designated certain UITS employees or other IT staff to assist with implementation of the Security Rule. Contact information for these individuals can be found at the end of this training. Additionally, comprehensive guidelines to follow in safeguarding EPHI can be found in the “University of Wisconsin – Milwaukee HIPAA Security Guidelines.”
The Security Rule defines EPHI as Protected Health Information that is stored or transmitted by electronic media. EPHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted via email or the internet (including faxes and voicemail transmitted in this manner). The Security Rule does not cover conventional faxes or voicemail. It also does not distinguish between data transmitted within the University as opposed to data transmitted outside the University.
The Security Rule requires UWM’s Covered Departments to:
- Ensure the confidentiality, integrity, and availability of all EPHI it creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the privacy rule; and
- Ensure compliance with these requirements by individuals in the Covered Departments.
A list of important points relating to the safeguarding of EPHI follows:
1. Know Your Unit’s Policy and Procedures for Safeguarding EPHI
The management of each unit or department within UWM’s Covered Departments must develop, in consultation with UITS or other IT staff serving such unit or department, policies and procedures for safeguarding EPHI and complying with the Security Rule. You must be aware of, and comply with, your unit’s policies and procedures on protecting EPHI. EPHI may only be stored and transmitted in a manner approved by your unit.
2. Follow Password Procedures
At a minimum, individuals in Covered Departments must follow the following password guidelines:
- All access to EPHI must be password protected (including laptops and PDAs);
- Passwords should not be shared with anyone except in rare instances;
- If you feel as if your password has been compromised in any way, you should contact UITS or other IT staff serving your department;
- If you must write down your password to remember it, place it in a secure location that only you can access. You should not keep it in or on the application or system that is being protected by it; and
- Never use the “remember password” function on any application that provides access to EPHI.
3. Maintain Workstation Security
- EPHI should only be stored on and transmitted to/from devices and locations that have been specifically approved by the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department;
- No network device (e.g. desktop, laptop, printer, network hub and switches, wireless access points, PDAs and portable storage devices) may be connected to any network that provides access to EPHI without prior approval from the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department;
- Workstations used for storage and transmission of EPHI must contain an updated virus scan, updated operating system patches, and an anti-spyware product. They must also be password protected and employ some variety of firewall capabilities or software;
- When a UWM owned electronic storage device is determined to be at the end of its life cycle, all EPHI must be removed from the storage device prior to disposal. The storage device must be returned to UITS or other IT staff serving your unit or department. A software application will be used to ensure that the data is removed from all sectors of the hard drive. Simply deleting the EPHI from the computer is NOT sufficient to remove it completely from the hard drive;
- Steps should be taken to restrict visual access to EPHI to authorized personnel. This may be accomplished by positioning screens to restrict viewing or by using a screen filter. Further, workstations must be configured to log off or produce a password protected “screensaver” after a period of inactivity; and
- If a workstation is located in a private office, the office must be locked when unoccupied for an extended period of time; all workstations in unlocked locations must employ anti-theft devices.
For further details on workstation security guidelines, please see the “University of Wisconsin – Milwaukee HIPAA Security Guidelines: Workstation Use and Security Guideline.”
4. Follow Guidelines on Accessing EPHI from External and/or Portable Computing Devices
Significant restrictions must be placed on individuals’ access to EPHI from external and/or portable computing devices due to security concerns. Before storing EPHI on an external/portable computing device, particularly a device you intend to remove from your work environment, you should consult with UITS or other IT staff serving your department to determine if there is an acceptable alternative.
Many of the guidelines applicable to workstations are also applicable to external/portable computing devices, including restricting screen visibility, backing up EPHI, safeguarding the device from theft, properly disposing of equipment and using antivirus, firewall and anti-spyware software to the extent possible. Additionally, it is strongly recommended that any EPHI stored on computers outside of the office / clinic environment be protected by data encryption. Wireless data transmission of EPHI to and from external/portable computing devices should also be encrypted.
5. Follow Guidelines on the Use of Portable Media Containing EPHI
Portable devices include, but are not limited to, the following:
- Laptop / Tablet / Handheld Computers (PDA’s)
- Portable Storage Devices
- External USB Hard Drives
- USB “Thumb” Drives
- External CD Burners, Zip Drives, Floppy Drives
Portable media include, but are not limited to, the following:
- Floppy Disks
- Zip Drives
Units and individuals comprising UWM’s Covered Departments should at a minimum implement the following protections:
- Access to EPHI on portable media must be protected by a password or other authentication procedure;
- All portable devices and media must be approved by the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department prior to the use of such device or media for storage or transmission of EPHI;
- EPHI stored on a laptop, mobile device or other portable media should be encrypted;
- All portable media containing EPHI must be safeguarded from theft or loss (for example, laptops should be secured with a cable whenever possible and CDs containing EPHI should be locked in a cabinet);
- All portable media containing EPHI must be marked externally, if possible, as confidential and include contact information for return if lost. Lost or misplaced media must immediately be reported to UITS or other IT staff serving such department;
- Portable media used for storage must be backed up periodically; and
- Disposal of portable media containing EPHI must be done in consultation with the management of the Covered Department and UITS or other IT staff serving such department.
For further details on suggested and required guidelines relating to the use of portable devices and media containing EPHI, please see the “University of Wisconsin – Milwaukee HIPAA Security Guidelines: Portable Devices and Media Guideline.”
6. Know When Emailing PHI is Permitted
PHI should only be sent via email in two very limited circumstances. The first is when a patient requests communication via email and provides written permission to communicate in this manner. If you are a health care provider sending email to patients, please review the policies of your particular facility for the procedure to follow. Second, you may email PHI to health care providers outside of UWM if required for treatment purposes. In this case, do not include the patient’s name, social security number, or other direct identifiers in the email. Include only initials, birth date, and/or medical record number. Additionally, communicate in advance with the receiving health care provider so that he/she knows to expect the email and is able to link the minimally identifiable information to the correct patient.
If an email containing PHI is sent to another UWM employee, you must use their UWM email address ending in “uwm.edu”. Email that may contain EPHI should never be set to automatically forward to any external email provider outside of the “uwm.edu” domain. It is the responsibility of the sender to ensure that they do not inadvertently send EPHI to the wrong email address. You should be aware of the auto fill feature provided in most email programs and double check the address you are sending your email to prior to sending it.
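The emailing rules above can be turned into a pre-send check that a sender or an IT unit could run before a message with EPHI leaves a mailbox. The following Python is an added example, not code from UWM or from the training materials it is drawn from: the only value it takes from the text is the institutional domain “uwm.edu”; the patient record, the sample message bodies and the review function are constructed for illustration. One caveat it shows that the text only implies: testing whether an address “ends in uwm.edu” has to be done on the parsed domain, not by searching for the string anywhere in the address.

```python
import re
from email.utils import parseaddr

# Taken from the training text: internal mail must use the uwm.edu address.
INTERNAL_DOMAIN = "uwm.edu"

# Common written form of a U.S. social security number (constructed pattern).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mail_domain(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'Pat <pat@uwm.edu>'."""
    _, mailbox = parseaddr(addr)
    if "@" not in mailbox:
        return ""
    return mailbox.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal_address(addr: str) -> bool:
    """True only when the domain is uwm.edu itself or a subdomain of it.

    A substring test ('uwm.edu' in addr) would also accept addresses where the
    string merely appears in the local part or inside an unrelated domain, so
    the comparison is made on the parsed domain.
    """
    domain = mail_domain(addr)
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def direct_identifiers_in(body: str, record: dict) -> list:
    """List direct identifiers from a patient record that appear in the body.

    'record' is a constructed stand-in for the chart. The text allows initials,
    birth date and medical record number in a treatment email to an outside
    provider, but not the patient's name or social security number.
    """
    found = []
    if record["name"].lower() in body.lower():
        found.append("patient name")
    if record["ssn"] in body or SSN_RE.search(body):
        found.append("social security number")
    return found


def review_outgoing(recipients, body, record, auto_forward_to=None) -> list:
    """Apply the emailing rules; returns a list of problems (empty means OK).

    - a message to any recipient outside uwm.edu may carry only indirect
      identifiers (the outside-provider treatment case);
    - a mailbox that may hold EPHI must not auto-forward outside uwm.edu.
    """
    problems = []
    external = [r for r in recipients if not is_internal_address(r)]
    if external:
        for ident in direct_identifiers_in(body, record):
            problems.append(f"{ident} in message to external recipient(s) {external}")
    if auto_forward_to is not None and not is_internal_address(auto_forward_to):
        problems.append(f"auto-forward target {auto_forward_to!r} is outside {INTERNAL_DOMAIN}")
    return problems


# Constructed sample data for a stand-alone run (not real patient data).
SAMPLE_RECORD = {"name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001"}
SAMPLE_BODY_BAD = "Referral for Jane Example, SSN 123-45-6789, seen 2024-01-02."
SAMPLE_BODY_OK = "Referral for J.E., DOB 1980-01-01, MRN-0001; please call to confirm."

if __name__ == "__main__":
    for body in (SAMPLE_BODY_BAD, SAMPLE_BODY_OK):
        print(review_outgoing(["clinician@example.org"], body, SAMPLE_RECORD))
```

Run as written, the first sample is flagged twice (name and SSN sent to an outside address) and the second passes, because it carries only the indirect identifiers the text permits. The check deliberately does not try to decide whether an external recipient is a legitimate treating provider; that judgement, and the advance call to the receiving provider, stay with the sender.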
7. Other Important Points
- EPHI may not be stored on any website outside of the Covered Departments without the permission of your supervisor and UITS or other IT staff serving your department;
- Never dispose of an electronic device containing EPHI yourself. Always provide the device to UITS or other IT staff serving your department for disposal;
- Be aware of and comply with your unit’s policies and procedures regarding the physical security of your facility; and
- You may not install software of any kind on a UWM owned computer or portable device without prior approval of UITS or other IT staff serving your department.
IV. CONTACT INFORMATION
If you have any questions on the above or about the privacy and security regulations in general, please contact your Privacy Officer or UWM’s Office of Legal Affairs.
TO PROCEED TO THE QUIZ ON THIS INFORMATION, CLICK ON THE FOLLOWING LINK: Quiz on HIPAA Overview for Employees of Covered Departments – Administrative Units
1 This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
4 Exceptions include release pursuant to a valid authorization or for an individual’s own review; disclosures made to the Secretary of the Department of Health and Human Services for HIPAA compliance and enforcement; and use and disclosures required by law.