Health Insurance Portability and Accountability Act

ATTENTION:

HIPAA Security Updates and Reminders, Effective Immediately

Yale has updated its HIPAA Policies and Guidelines. All faculty and staff members, trainees, students and others in Yale University HIPAA Covered Components (Yale School of Medicine (excluding the School of  Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, MolecularBiophysics & Biochemistry, Neurobiology, and Pharmacology), Yale School of Nursing, University Health Services, Department of Psychology Clinics and the Group Health Plan component) must comply with all University HIPAA policies including these updates.

Please review and familiarize yourself with these updates.

At Yale University, we are committed to providing quality health care which includes respecting patients' and clinical research subjects’ rights to maintain the privacy of their health information and ensuring appropriate security of all protected health information. The standards for protecting patient health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). This Web site provides information and guidance on the policies and procedures related to HIPAA compliance at Yale University.

Improved HIPAA Monitoring Process

October 2012

Yale is coordinating with Yale New Haven Hospital on plans to improve our monitoring of access to patient records through a new automated system.  Last fall, Yale New Haven Hospital began implementation of an access auditing tool known as FairWarning.  FairWarning simplifies our ability to detect potentially inappropriate accesses to hospital systems such as the new EPIC electronic medical record and other clinical systems.  FairWarning combines access logs from multiple data systems which can then be queried for a variety of access characteristics.  For example, reports can be generated on individuals accessing family member or co-workers records.  These reports will then be reviewed by HIPAA Privacy staff in collaboration with departmental supervisors to determine work-related vs inappropriate record access.  Inappropriate access is subject to disciplinary action in accordance with University policies.  The ability to combine data sources will help to augment our current monitoring capacity and facilitate increased oversight of access to data. 

HIPAA limits how we can use and disclose health information to a set of activities which mainly encompass activities related to treatment, payment for treatment and our healthcare operations.  Details on how we can use and disclose health information is described in HIPAA Policy 5031, Authorization Requirements for Use and Disclosure of Protected Health Information, available at http://mire.med.yale.edu/hipaapolicies/ .   As a general rule, even though a person’s job duties allows them access to patient information, that  information should not be accessed unless it is needed to perform their job-related duties.  This is true not only for information related to VIP patients but also for access to your family members’ or friends records.   If you do not need the information to do your job, you are violating HIPAA and Yale policy by looking at the information.

There may be times staff will have a business reason to access records of individuals they know. In such cases, reviews of work queues or duty lists are expected to be enough to explain the access. There may also be times that a staff member pulls up or accesses a record that they do not have a business reason to look at in the process of searching for a record that they do need to access. For example typinginto a search box may lead to the wrong record being accessed. Review of work queues and access log attributes such as length of time in a record or access to additional patient record screens is expected to differentiate unintentional from intentional record access. Nonetheless, some areas of the University have created processes to document unintentional access for reference should the access be questioned in a subsequent review of audit logs. For example in Yale School of Nursing and Yale Health, the event should be reported to the Deputy HIPAA Privacy Officer. Please check with your supervisor or the Deputy Privacy Officer in your area for further information on how such events are handled where you work.

Enforcement of the HIPAA Privacy and Security Rules by the US Department of Health and Human Services (DHHS) was strengthened under the HITECH Act including increased fines and penalties for individuals and institutions that fail to comply.  Recent enforcement activities such as the $865,500 settlement with UCLA Health System for inappropriate employee access to patient records indicate the seriousness with which DHHS intends to pursue HIPAA violations.  FairWarning provides Yale the opportunity to ensure rigorous monitoring of access to patient records.

If you have any questions about HIPAA and the augmented monitoring practices, feel free to contact the HIPAA Privacy Office at hipaa@yale.edu or 432-5919.