I. UWM AND HIPAA
UWM is required to comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009 because UWM’s operations include health care providers (persons and units) that (i) provide, bill for and are paid for health care and (ii) transmit Protected Health Information (defined below) in connection with certain transactions. The primary purpose of HIPAA’s privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”) is to protect the confidentiality of patient health information which is generated or maintained in the course of providing health care services.
UWM is considered a “hybrid entity” under HIPAA because it has some departments and units that are covered by HIPAA and some that are not. The covered units (and all the employees in these units), together with administrative units that provide certain services to the provider units, and certain researchers outside of those units, comprise UWM’s Covered Departments. All employees and volunteers in UWM’s Covered Departments must comply with the Privacy and Security Rules.
UWM’s Covered Departments are currently comprised of the following entities:
A. Provider Units:
- Community Audiology Services (College of Health Science)
- Institute for Urban Health Partnerships (College of Nursing)
B. Administrative Units:
- Privacy Officers for Covered Departments (see the current list of UWM’s Privacy Officers)
- UITS Selected Support Staff (Division of Finance & Administrative Affairs)
- Other (Non-UITS) IT personnel serving Covered Departments
- Internal Audit (Division of Finance & Administrative Affairs)
- Office of Legal Affairs (Division of Finance & Administrative Affairs)
- Risk Management (Division of Finance & Administrative Affairs)
II. THE PRIVACY RULE
A. IMPORTANT TERMS
What is PHI or Protected Health Information?
The Privacy Rule governs how individuals can use and disclose confidential patient information called “Protected Health Information” or “PHI.” PHI can be written, spoken or electronic and includes information relating to an individual’s health or condition, the provision of health care services or the payment for such services. The Privacy Rule only covers information that is individually identifiable. Eighteen identifiers are defined under the Privacy Rule; among other things, they include a patient’s name, address, social security number, fax number, email address, vehicle identifiers, date of admission / discharge, photographs and voice recordings.2 Further, in addition to identifiers that can be specifically linked to an individual, PHI also includes information which could reasonably be expected to lead to his/her identification.
* The Privacy Rule does not apply to documents or information lacking patient identifiers. However, when in doubt, assume that all information is protected by the Privacy Rule.
What does “use” mean?
Under the Privacy Rule, “use” means the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such PHI. All sharing, employment, application, etc., of PHI within the Covered Departments is considered to be a “use”.
What does “disclosure” mean?
Under the Privacy Rule, “disclosure” means the release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the PHI. Any release, transfer, etc., of PHI outside of the Covered Departments is considered to be a “disclosure.”
B. STATE LAW AND THE PRIVACY RULE
The Privacy Rule takes the place of Wisconsin State laws governing health care record confidentiality only where the Privacy Rule is more protective than state law. Although the Privacy Rule does not require significant deviations from current practice in many areas, the rule does require some changes. By including written, electronic and spoken information and images in the definition of PHI, the Privacy Rule broadens the types of protected information and it requires disclosure of only the minimum necessary information in many instances. Additionally, the Privacy Rule requires workforce training, notice of privacy practices, accounting of PHI disclosures and verification of the identity and/or authority of recipients of PHI. It also adds a number of new requirements for the use and disclosure of PHI for human subjects research and fundraising. These practices are discussed below.
C. TEN IMPORTANT PRIVACY RULE PRINCIPLES
- Use or Disclose Only the Minimum Necessary Information
Generally speaking, the Privacy Rule requires that individuals limit access to PHI, and use and disclosure of PHI, to the minimum amount of information necessary to perform their job and/or accomplish their intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, a Limited Data Set should be used if practicable to accomplish the intended purpose of the use or disclosure. A Limited Data Set is PHI that does not contain certain direct identifiers of the patient.3 If use of a Limited Data Set is not practicable, the minimum necessary rule can be relied upon.
The minimum necessary rule does not apply to information used or disclosed in treating a patient (including rounds) and in certain other limited instances4 and, as such, should not greatly affect the use of PHI for patient care.
Nevertheless, you should always ask yourself, “Am I using or accessing more PHI than I need to?”
- A receptionist may open an individual’s file for the purpose of scheduling an appointment but may not read the contents of the file.
- A volunteer in a clinic is working on the files of four patients. The volunteer may not access any other patient’s files.
Covered Departments must make their own determination as to what constitutes the minimum amount of information necessary for the intended purpose of any use or disclosure, and cannot independently rely on the determination of the person making the request.
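The two ideas above (the direct identifiers that make information PHI, and the Limited Data Set step of removing direct identifiers before relying on the minimum necessary rule) can be turned into a mechanical check. The following is an added example, not code from UWM or its HIPAA materials, and it does not claim to implement the regulatory definition of a Limited Data Set (the page’s footnote 3 is not reproduced here). It assumes a record with the field names shown, which are this example’s own choice, and it only pattern-matches identifiers that have a recognisable shape in free text (social security numbers, email addresses, phone or fax numbers, dates); names and addresses have no reliable pattern and are only removed when they sit in a labelled field. The sample record is constructed.

```python
import re
from typing import Dict, List, Tuple

# Field names for the direct identifiers the training text lists (name, address,
# SSN, fax, email, vehicle identifiers, admission/discharge dates, photographs,
# voice recordings). The schema is an assumption of this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "ssn", "fax", "email", "vehicle_id",
    "admission_date", "discharge_date", "photo", "voice_recording",
}

# Identifiers with a recognisable textual shape. Anything else (free-text names,
# street addresses) must be caught by the structured-field path above.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_or_fax": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
}


def scan_free_text(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_type, matched_text) for every pattern hit in text.

    Useful as a pre-send check: a non-empty result means the text still
    carries a direct identifier that the minimum necessary review must justify.
    """
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def redact_free_text(text: str) -> str:
    """Replace every pattern hit with a labelled placeholder."""
    out = text
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(f"[{kind.upper()} REDACTED]", out)
    return out


def strip_direct_identifiers(record: dict) -> dict:
    """Drop direct-identifier fields and redact leaks inside remaining text.

    The second step matters: clinical notes routinely repeat a fax number or
    email address that was removed from its own field.
    """
    kept: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        kept[field] = redact_free_text(value) if isinstance(value, str) else value
    return kept


# Constructed sample record; the values are invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "admission_date": "03/04/2021",
    "diagnosis": "otitis media",
    "clinic_note": "Callback fax 414-555-0100; pt email jane@example.org",
}

if __name__ == "__main__":
    print(scan_free_text(SAMPLE_RECORD["clinic_note"]))
    print(strip_direct_identifiers(SAMPLE_RECORD))
```

Run over the sample record, the name, SSN, email and admission date fields are dropped, and the fax number and email address embedded in the clinic note are replaced with placeholders while the diagnosis is left intact. The pattern list is deliberately conservative; a practitioner would treat a clean scan as one input to the minimum necessary decision, not as proof that no identifier remains.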
- Verify the Identity and/or Authority of Recipients of PHI
You must take reasonable steps to verify the identity and/or authority of an individual or organization requesting disclosure of PHI if that individual is unknown to you. Such knowledge may consist, for example, of a recognized person or organization, or a known phone number, fax number, or mailing address. However, if you do not know the individual or organization requesting the PHI, you should request identifying information, documentation of authority, official credentials, or written requests submitted on letterhead before making the disclosure.
- Take Steps to Protect PHI
The Privacy Rule requires that individuals in UWM’s Covered Departments safeguard PHI. Common practices that help protect patients’ PHI are listed below. The Security Rule, which is discussed in detail in Part III of this training, requires additional safeguards for electronic data.
- Keep patient records closed when not in use;
- Store PHI in secure/locked locations;
- Remove documents from fax machines and copiers immediately;
- Place discarded documents in confidential bins for shredding;
- Try to prevent others from overhearing your conversation and avoid using patient names in hallways or elevators;
- Leave only the minimal amount of information on an answering machine or voicemail as necessary to convey the message and exclude references to clinical details unless the patient has clearly authorized you to leave such details;
- Never remove a patient’s hard copy medical record from the health care facility.
At the same time, the Privacy Rule specifically recognizes the potential for incidental uses and disclosures of PHI in the course of providing patient care that are necessary to ensure that patients receive prompt and effective health care. The Privacy Rule permits an incidental use or disclosure so long as (1) it is secondary to a permissible or required use or disclosure and (2) the provider has applied reasonable safeguards and implemented the minimum necessary standard (where appropriate) with respect to the primary use or disclosure.
For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
- Health care staff may orally coordinate services at nursing stations;
- Health care staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member;
- Health care staff may discuss a patient’s condition or treatment during training rounds;
- Providers may use sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited;
- Providers may maintain patient charts outside of exam rooms and display patient names on the outside of patient charts.
- Know What Uses and Disclosures of PHI Require Spoken Permission and the Opportunity for a Patient to Object
In the following instances, patients must be given the opportunity to object to the use or disclosure of their PHI before the information is used or disclosed:
- Inclusion in patient directories (can include name, room number, condition and religion); and
- To those involved in a patient’s care: If the patient does not object, information may be shared with friends, family or others involved in the patient’s care relating to the patient’s location or general condition.
If the patient is present and has capacity to make health care decisions, you may use professional judgment to infer from the circumstances that the patient does not object to the disclosure. If you cannot infer from the circumstances that the patient does not object to the disclosure, or if there are circumstances that suggest the patient would object, you should ask the patient for his or her permission to make the disclosure or otherwise provide the patient with an opportunity to object to the disclosure.
It is recommended that you make a note in the chart of any discussions you have with the patient regarding disclosing information to family members or others involved in the patient’s care and/or for notification purposes.
When the opportunity to agree or to object cannot be practicably given because the patient is not present, is incapacitated, or because of an emergency, you may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the patient. If so, you may disclose only the PHI that is directly relevant to the person’s involvement with the patient’s health care or that is needed for notification purposes. In general, it will be considered to be in the patient’s best interest for staff to disclose such information to those present, accompanying the patient, or others involved in the patient’s care.
- Know What Uses and Disclosures of PHI do NOT Require Patient Permission
Many routine uses and disclosures of PHI do not require the patient’s written authorization. No permission is required for individuals to perform the everyday functions of Treatment, Payment, and Health Care Operations, collectively referred to as “TPO.”
- Treatment: patient permission is not required to use or disclose patient information when treating a patient or making arrangements to treat a patient;
- Payment: patient permission is not required to use or disclose patient information when creating bills or coordinating billing with a patient’s health insurance company; and
- Health Care Operations: permission is not required when carrying out operational activities such as training medical or other health professionals, preventing fraud and abuse, meeting licensing and accreditation requirements and conducting quality assurance or health care peer review activities.
Health care providers and staff can also disclose a patient’s PHI without permission for certain public health activities, to authorities when required by law, for certain employment or worker’s compensation purposes, and in many instances, to another health care provider outside of UWM’s Covered Departments for treatment purposes.
Note, however, that the more stringent state/federal law requirements concerning the use and disclosure of mental health records, alcohol and other substance abuse records, and HIV test results continue to be in effect. Also, patients may request restrictions on the use of PHI, which, once granted, must be implemented.
- Know What Uses and Disclosures of PHI Require Written Permission
In general, all uses and disclosures of PHI other than those described above (uses requiring only spoken permission, and uses requiring no permission) require written authorization from the patient. Examples of such uses and disclosures include the following:
- Most research activities: Please see UWM’s HIPAA Research Training for more information on this topic;
- Most marketing & fundraising activities;
- Disclosure of psychotherapy notes; and
- Disclosures to other persons or entities (e.g., patient’s attorney).
If you use PHI for research purposes you should also take the HIPAA Research Training. Individuals seeking to release PHI in connection with marketing and fundraising activities, or who need to respond to miscellaneous requests for disclosure to third parties, should contact their Privacy Officer for additional information and training if necessary.
- Know Patient’s Privacy Rights
The Privacy Rule provides patients with certain rights relating to their PHI. These rights include all of the following:
- The right to request alternative communication: Patients can ask health care providers and staff to contact them in a certain way; e.g., at home as opposed to work. The provider must accommodate such requests if they are reasonable. Individual practitioners should refer the patient to an appropriate staff member or Privacy Officer when such a request is made. You should not independently agree to such a request as it involves coordination throughout the unit or department.
- The right to look at and obtain copies of their medical and billing records. Patients have the right to inspect and obtain copies of their PHI. If the requested information is maintained electronically, the patient may request the information in electronic format, or ask that the information be sent to another entity or person, electronically.
- The right to ask for an amendment to medical and billing records. Health care providers may deny such requests if the provider considers the PHI to be accurate and complete. If an amendment request is denied, the patient must be given the opportunity to submit a statement of disagreement and that statement must be included in future disclosures of the medical or billing record.
- The right to receive an accounting of disclosures: In general, disclosures of PHI made without patient authorization, including electronic disclosures for treatment, payment, and health care operations, must be included in the accounting. For example, reports required under state law (e.g., suspected child abuse, communicable diseases, coroner cases, etc.) and some reports permitted under state law (e.g., reports of impaired drivers) must be included. Each facility or unit you work with must have specific policies and forms for documenting disclosures.
- The right to request restrictions on how patient information is used and disclosed: Providers and facilities are not required to agree to such requests, except for restrictions on disclosures to a health plan where the patient has paid in full for the related product or service. Failure to observe an agreed-upon restriction is a violation of HIPAA. Due to the complexity of many requests, they will rarely be granted. Individuals must never agree to such restrictions without first obtaining permission from the appropriate administrative staff.
- The right to receive a notice of privacy practices: Every patient must be given a copy of a Notice of Privacy Practices and we must make reasonable efforts to obtain from the patient acknowledgement of receipt of such notice. This notice describes how medical information about a patient may be used and disclosed and the patient’s rights under the Privacy Rule. As such, you should familiarize yourself with this document.
Note that if a patient requests any of the above-mentioned rights (with the exception of requests for a notice of privacy practices), the request should be forwarded to and reviewed by an appropriate Privacy Officer or supervisor. Individuals should never respond to patient requests unless directed to do so.
- Know the Administrative Rules UWM must follow
The Privacy Rule requires that UWM follow several administrative rules including the following:
- UWM must provide all personnel in its Covered Departments with HIPAA training;
- UWM must have policies and procedures in place for complying with the Privacy Rule and the Security Rule;
- UWM must have a procedure in place for accepting and processing patient privacy complaints. The Notice of Privacy Rights instructs patients as to how they can register their complaints;
- UWM must impose consequences for personnel who violate the Privacy Rule and the Security Rule. Individuals who violate the rules will face corrective actions based on the severity of the violations they commit. These actions can range from further training or an oral warning to suspension and/or termination. Individuals and entities can also face fines and prison sentences for violations; and
- UWM must appoint one or more HIPAA Privacy Officers. A list of Privacy Officers and their contact information is provided at the end of this training.
- Business Associates Must Also Follow the Privacy Rule
Individuals and businesses that provide a service to a UWM Covered Department by assisting with the treatment, payment or other functions that result in the disclosure of PHI (“Business Associates”) must comply with the Privacy Rule, the Security Rule and UWM’s HIPAA policies and procedures. Examples of Business Associates are as follows:
- Transcription agencies
- Collection agencies
- Outside attorneys
- Vendor representatives to the extent they access PHI
UWM Covered Departments must ensure that Business Associates comply with UWM’s policies and procedures relating to the Privacy and Security Rules by entering into a Business Associate Agreement with them.
- Know what to do in the Event of a Breach (!!!)
A key change under HITECH of 2009 is that breaches of PHI are now covered by rules detailing how that breach must be addressed. Therefore, any individual working in or for a Covered Department or a Business Associate who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA should immediately report the circumstances of the suspected breach to the individual’s supervisor and the Privacy Officer for the Covered Department.
The Privacy Officer must then gather the facts about the incident and report the incident to certain university officials, as outlined in the HIPAA Policies and Procedures. Those officials will confer regarding the circumstances of the reported breach and determine appropriate next steps, including the extent of any required investigation and notification to those involved.
III. THE SECURITY RULE
The Security Rule provides additional procedures for safeguarding electronic protected health information (EPHI) and preventing access to such confidential information by unauthorized persons. These requirements are in addition to those mandated by the Privacy Rule as detailed above.
UWM’s Chief Information Officer has been designated the Security Officer for purposes of the Security Rule. The Security Officer has designated certain UITS employees or other IT staff to assist with implementation of the Security Rule. Contact information for these individuals can be found at the end of this training. Additionally, comprehensive guidelines to follow in safeguarding EPHI can be found in the “University of Wisconsin – Milwaukee HIPAA Security Guidelines.”
The Security Rule defines EPHI as Protected Health Information that is stored or transmitted by electronic media. EPHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted via email or the internet (including faxes and voicemail transmitted in this manner). The Security Rule does not cover conventional faxes or voicemail. It also does not distinguish between data transmitted within the University as opposed to data transmitted outside the University.
The Security Rule requires UWM’s Covered Departments to:
- Ensure the confidentiality, integrity, and availability of all EPHI they create, receive, maintain, or transmit;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the privacy rule; and
- Ensure compliance with these requirements by individuals in the Covered Departments.
A list of important points relating to the safeguarding of EPHI follows:
- Know Your Unit’s Policy and Procedures for Safeguarding EPHI
The management of each unit or department within UWM’s Covered Departments must develop, in consultation with UITS or other IT staff serving such unit or department, policies and procedures for safeguarding EPHI and complying with the Security Rule. You must be aware of, and comply with, your unit’s policies and procedures on protecting EPHI. EPHI may only be stored and transmitted in a manner approved by your unit.
- Follow Password Procedures
At a minimum, individuals in Covered Departments must follow the following password guidelines:
- All access to EPHI must be password protected (including laptops and PDAs);
- Passwords should not be shared with anyone except in rare instances;
- If you feel as if your password has been compromised in any way, you should contact UITS or other IT staff serving your department;
- If you must write down your password to remember it, place it in a secure location that only you can access. You should not keep it in or on the application or system that is being protected by it; and
- Never use the “remember password” function on any application that provides access to EPHI.
- Maintain Workstation Security
- EPHI should only be stored on and transmitted to/from devices and locations that have been specifically approved by the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department;
- No network device (e.g. desktop, laptop, printer, network hub and switches, wireless access points, PDAs and portable storage devices) may be connected to any network that provides access to EPHI without prior approval from the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department;
- Workstations used for storage and transmission of EPHI must run an up-to-date virus scanner, current operating system patches, and an anti-spyware product. They must also be password protected and employ some form of firewall capability or software;
- When a UWM owned electronic storage device is determined to be at the end of its life cycle, all EPHI must be removed from the storage device prior to disposal. The storage device must be returned to UITS or other IT staff serving your unit or department. A software application will be used to ensure that the data is removed from all sectors of the hard drive. Simply deleting the EPHI from the computer is NOT sufficient to remove it completely from the hard drive;
- Steps should be taken to restrict visual access to EPHI to authorized personnel. This may be accomplished by positioning screens to restrict viewing or by using a screen filter. Further, workstations must be configured to log off or produce a password-protected “screensaver” after a period of inactivity; and
- If a workstation is located in a private office, the office must be locked when unoccupied for an extended period of time; all workstations in unlocked locations must employ anti-theft devices.
For further details on workstation security guidelines, please see the “University of Wisconsin – Milwaukee HIPAA Security Guidelines: Workstation Use and Security Guideline.”
- Follow Guidelines on Accessing EPHI from External and/or Portable Computing Devices
Significant restrictions must be placed on individuals’ access to EPHI from external and/or portable computing devices due to security concerns. Before storing EPHI on an external/portable computing device, particularly a device you intend to remove from your work environment, you should consult with UITS or other IT staff serving your department to determine if there is an acceptable alternative. Many of the guidelines applicable to workstations are also applicable to external/portable computing devices, including restricting screen visibility, backing up EPHI, safeguarding the device from theft, properly disposing of equipment and using antivirus, firewall and anti-spyware software to the extent possible. Additionally, it is strongly recommended that any EPHI stored on computers outside of the office / clinic environment be protected by data encryption. Wireless data transmission of EPHI to and from external/portable computing devices should also be encrypted.
- Follow Guidelines on the Use of Portable Media Containing EPHI
Portable devices include, but are not limited to, the following:
- Laptop / Tablet / Handheld Computers (PDAs)
- Portable Storage Devices
- External USB Hard Drives
- USB “Thumb” Drives
- External CD Burners, Zip Drives, Floppy Drives
Portable media include, but are not limited to, the following:
- Floppy Disks
- Zip Drives
Units and individuals comprising UWM’s Covered Departments should at a minimum implement the following protections:
- Access to EPHI on portable media must be protected by a password or other authentication procedure;
- All portable devices and media must be approved by the management of the Covered Department in consultation with its Privacy Officer and UITS or other IT staff serving such department prior to the use of such device or media for storage or transmission of EPHI;
- EPHI stored on a laptop, mobile device or other portable media should be encrypted;
- All portable media containing EPHI must be safeguarded from theft or loss (for example, laptops should be secured with a cable whenever possible and CDs containing EPHI should be locked in a cabinet);
- All portable media containing EPHI must be marked externally, if possible, as confidential and include contact information for return if lost. Lost or misplaced media must immediately be reported to UITS or other IT staff serving such department;
- Portable media used for storage must be backed up periodically; and
- Disposal of portable media containing EPHI must be done in consultation with the management of the Covered Department and UITS or other IT staff serving such department.
For further details on suggested and required guidelines relating to the use of portable devices and media containing EPHI, please see the “University of Wisconsin – Milwaukee HIPAA Security Guidelines: Portable Devices and Media Guideline.”
- Know When Emailing PHI is Permitted
PHI should only be sent via email in two very limited circumstances. The first is when a patient requests communication via email and provides written permission to communicate in this manner. If you are a health care provider sending email to patients, please review the policies of your particular facility for the procedure to follow. Second, you may email PHI to health care providers outside of UWM if required for treatment purposes. In this case, do not include the patient’s name, social security number, or other direct identifiers in the email. Include only initials, birth date, and/or medical record number. Additionally, communicate in advance with the receiving health care provider so that he/she knows to expect the email and is able to link the minimally identifiable information to the correct patient.
If an email containing PHI is sent to another UWM employee, you must use their UWM email address ending in “uwm.edu”. Email that may contain EPHI should never be set to automatically forward to any external email provider outside of the “uwm.edu” domain. It is the responsibility of the sender to ensure that they do not inadvertently send EPHI to the wrong email address. You should be aware of the auto-fill feature provided in most email programs and double check the address you are sending your email to prior to sending it.
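The “ending in uwm.edu” rule and the ban on external auto-forwarding are easy to check in software before a message leaves, and it is worth seeing why a naive string test is the wrong check. The following is an added example, not UWM code or part of its HIPAA guidelines. The only value taken from the text is the “uwm.edu” domain; the function names, the shape of the forwarding-rule records, and the sample addresses and rules are assumptions constructed for this example.

```python
from email.utils import parseaddr
from typing import Iterable, List

# The domain the training text names; every other domain is treated as external.
INTERNAL_DOMAIN = "uwm.edu"


def address_domain(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'Jane <jane@uwm.edu>'.

    parseaddr strips the display name; an address with no '@' yields ''.
    """
    _, bare = parseaddr(addr)
    if "@" not in bare:
        return ""
    return bare.rsplit("@", 1)[1].lower()


def is_internal(addr: str) -> bool:
    """True only for uwm.edu itself or a subdomain of it.

    A plain addr.endswith("uwm.edu") would also accept 'notuwm.edu', and a
    check on the start of the domain would accept 'uwm.edu.example.org'.
    Comparing the whole domain (or requiring a '.uwm.edu' suffix) closes both.
    """
    domain = address_domain(addr)
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def external_recipients(recipients: Iterable[str]) -> List[str]:
    """Recipients of a PHI-bearing message that are not UWM addresses.

    A non-empty result is the cue to stop and re-check the address, which is
    the auto-fill mistake the training warns about.
    """
    return [r for r in recipients if not is_internal(r)]


def forwarding_rule_violations(rules: Iterable[dict]) -> List[dict]:
    """Auto-forward rules whose target mailbox lies outside uwm.edu."""
    return [rule for rule in rules if not is_internal(rule["forward_to"])]


# Constructed sample data; the mailbox names and rules are invented.
SAMPLE_RECIPIENTS = [
    "Clinic Desk <desk@nursing.uwm.edu>",
    "j.doe@uwm.edu",
    "j.doe@uwm.edu.example.org",   # lookalike that a prefix test would pass
]
SAMPLE_RULES = [
    {"mailbox": "audiology@uwm.edu", "forward_to": "backup@uwm.edu"},
    {"mailbox": "audiology@uwm.edu", "forward_to": "me@personal-mail.example"},
]

if __name__ == "__main__":
    print("external recipients:", external_recipients(SAMPLE_RECIPIENTS))
    print("forwarding violations:", forwarding_rule_violations(SAMPLE_RULES))
```

The check classifies a mailbox by its domain only; it says nothing about whether the message body still carries direct identifiers or whether the transport is encrypted, so it complements rather than replaces the minimum necessary review described elsewhere in this training.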
- If Using EPHI for Research, Know the Guidelines Governing its Use
The Security Rule applies to EPHI used for research. As noted above, online training specific to HIPAA research issues is available. Use of PHI for research will likely require a patient authorization or a waiver of authorization approved by the Internal Review Board (IRB). UITS or other IT staff serving your department must be consulted whenever you wish to (1) transmit PHI electronically for research purposes and/or (2) create an electronic file or database containing EPHI for research.
- Other Important Points
- EPHI may not be stored on any website outside of the Covered Departments without the permission of your supervisor and UITS or other IT staff serving your department;
- Never dispose of an electronic device containing EPHI yourself. Always provide the device to UITS or other IT staff serving your department for disposal;
- Be aware of and comply with your unit’s policies and procedures regarding the physical security of your facility; and
- You may not install software of any kind on a UWM owned computer or portable device without prior approval of UITS or other IT staff serving your department.
IV. CONTACT INFORMATION
If you have any questions on the above or about the privacy and security regulations in general, please contact your Privacy Officer or UWM’s Office of Legal Affairs.
TO PROCEED TO THE QUIZ ON THIS INFORMATION, CLICK ON THE FOLLOWING LINK: Quiz on HIPAA Overview for Employees of Covered Departments
1 This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
4 Exceptions include release pursuant to a valid authorization or for an individual’s own review; disclosures made to the Secretary of the Department of Health and Human Services for HIPAA compliance and enforcement; and use and disclosures required by law.