Privacy and Security Training Sections

Welcome to the 1. What is HIPAA? 8. Release of Information

(ROI)
Privacy and Security Training Session! 2. Why is HIPAA Important?
9. HIPAA Security Rule
3. HIPAA Definitions
10. PHI Safeguarding Tips
4. HIPAA Enforcement
11. Business Associate
5. Patient Rights
Agreements
6. HIPAA Privacy
12. HIPAA Violations and
Requirements
Complaints
7. The Breach Notification
13. Discussion Slides
Rule

1 2

Privacy and Security Officers Section I

Introduction
Privacy Officer:
[Ploena Hoang]
What is HIPAA?
Security Officer:
[Thu Hoang]

3 4

What is HIPAA? What is HIPAA?

Health Information Privacy and Portability Act of 1996
•Acronym for Health Insurance Portability & Accountability
Act of 1996 (45 C.F.R. parts 160 & 164). 1 • Privacy Rule
•Provides a framework for establishment of nationwide
protection of patient confidentiality, security of electronic
2 • Security Rule
systems, and standards and requirements for electronic
transmission of health information.
• Electronic Data
3 Exchange

Each part of HIPAA is governed by different laws

6
5
 Privacy Rule
Security Rule
• Privacy Rule went into effect April 14, 2003.
• Security (IT) regulations went into effect April 21,
• Privacy refers to protection of an individual’s health care
data. 2005.
• Defines how patient information used and disclosed. • Security means controlling:

• Gives patients privacy rights and more control over their • Confidentiality of electronic protected health
own health information. information (ePHI).
• Outlines ways to safeguard Protected Health Information • Storage of electronic protected health information
(PHI). (ePHI)
• Access into electronic information

7 8

Why Comply With HIPAA?

Electronic Data Exchange (EDI) • To show our commitment to protecting privacy
• As an employee, you are obligated to comply with CENTRIC
HEALTHCARE’s privacy and security policies and procedures.
• Defines transfer format of electronic information between
providers and payers to carry out financial or • Our patients/members are placing their trust in us to preserve the
privacy of their most sensitive and personal information.
administrative activities related to health care.
• Compliance is not an option, it is required.
• Information includes coding, billing and insurance
• If you choose not to follow the rules:
verification.
• You could be put at risk, including personal penalties and sanctions
• Goal of using the same formats is to ultimately make
• You could put [insert organization name] at risk, including financial
billing process more efficient. and reputational harm

9 10

HIPAA Regulations
HIPAA Regulations require we protect our patients’ PHI in all media including, but not
limited to, PHI created, stored, or transmitted in/on the following media:
Section II
• Verbal Discussions (i.e. in person or on the phone)
• Written on paper (i.e. chart, progress notes, encounter forms, prescriptions, x-ray Why is HIPAA Important?
orders, referral forms and explanation of benefit (EOBs) forms
• Computer Applications and Systems (i.e. electronic health record (EHR),
Practice Management, Lab and X-Ray
• Computer Hardware/Equipment (i.e. PCs, laptops, PDAs, pagers, fax machines,
servers and cell phones

This training session provides you with REMINDERS of our organizational POLICIES and
how YOU are required to PROTECT PHI.

11 12
Why is Privacy and Security Training Important? Why is Privacy and Security Training
Important?
•Outlines ways to prevent accidental and intentional
misuse of PHI. •It is everyone’s responsibility to take the confidentiality of patient
•Makes PHI secure with minimal impact to staff and information seriously.
business processes. •Anytime you come in contact with patient information or any PHI
•It’s not just about HIPAA – it’s about doing the right that is written, spoken or electronically stored, YOU become
thing! involved with some facet of the privacy and security regulations.
•Shows our commitment to managing electronic protected •The law requires us to train you.
health information (ePHI) with the same care and respect •To ensure your understanding of the Privacy and Security Rules as
as we expect of our own private information they relate to your job.

13
14

HIPAA Definitions
What is Protected Health Information (PHI)?

Section III •Protected Health Information (PHI) is individually identifiable

HIPAA Definitions health information that is:
• Created or received by a health care provider, health plan,
employer, or health care clearinghouse and that
• Relates to the past, present, or future physical or mental
health or condition of an individual;
• Relates to the provision of health care to an individual
• The past, present or future payment for the provision of
health care to an individual.

15 16

HIPAA Definitions HIPAA Definitions

What Does PHI Include? What Are Uses and Disclosures?

• Uses ▶ Disclosures:
• Information in the health record, such as: • When we review or ◦ When we release or
• Encounter/visit documentation use PHI internally
• Lab results provide PHI to
Lab (i.e. audits, training,
• Appointment dates/times
customer service, or someone (i.e.
• Invoices
quality attorney, patient or
• Radiology films and reports faxing records to
improvement).
• History and physicals (H&Ps) Physica another provider).
X-Ray
• Patient Identifiers l

17 18
 HIPAA Definitions HIPAA Definitions
What is Minimum Necessary? What is Treatment, Payment and Health Care Operations (TPO)?

• To use or disclose/release only the minimum necessary to accomplish • HIPAA allows Use and/or Disclosure of PHI for purpose of:
intended purposes of the use, disclosure, or request.
• Requests from employees at [Organization]:- • Treatment – providing care to patients.
• Identify each workforce member who needs to access PHI. • Payment – the provision of benefits and premium payment.
• Limit the PHI provided on a “need-to-know” basis.
• Requests from individuals not employed at Centric Healthcare:- • Health Care Operations – normal business activities (i.e.
• Limit the PHI provided to what is needed to accomplish the purpose for reporting, quality improvement, training, auditing, customer
which the request was made.
service and resolution of grievances data collection and
eligibility checks and accreditation).

19 20

Why Do We Need to Protect PHI?

Section IV
• It’sthe law.
HIPAA Enforcement • To protect our reputation.
• To avoid potential withholding of federal Medicaid
and Medicare funds.
• To build trust between providers and patients.

If patients feel their PHI will be kept confidential, they will be more likely to share information needed for care.

[p
21 22

Who or What Protects PHI? Enforcement

• Federal Government protects PHI through HIPAA regulations
• Civil penalties up to $1,500,000/year for identical types of violations. How are the HIPAA Regulations Enforced?
• Willful neglect violations are mandatory!
• Criminal penalties: •The Public. The public is educated about their privacy rights
• $50,000 fine and 1 year prison for knowingly obtaining and wrongfully and will not tolerate violations! They will take action.
sharing information. •Office For Civil Rights (OCR). The agency that enforces the
• $100,000 fine and 5 years prison for obtaining and disclosing through privacy regulations providing guidance and monitoring
false pretenses. compliance.
• $250,000 fine and 10 years prison for obtaining and disclosing for •Department of Justice (DOJ). Agency involved in criminal
commercial advantage, personal gain, or malicious harm. privacy violations. Provides fines, penalties and imprisonment to
• Our organization, through the Notice of Privacy Practices (NPP). offenders.
• You, by following our policies and procedures. Department of
Justice

You
Organization HIPAA
Office for Civil Rights
Government Enforcement

Public

23
24
 Section V HIPAA Regulations
What Are the Patient’s Rights Under HIPAA?

Patient Rights

•The Right to Individual Privacy

•The Right to Expect Health Care Providers Will Protect These
Rights
Other Patient Rights Include: Access, Communications, Special Requests,
Amendment, Accounting of Disclosures, Notice of Privacy Practices and
Reminders, and the Right to File Complaints.

25 26

Patient Rights Patient Rights

Notice of Privacy Practices (NPP) Access and Inspect PHI
• What is the purpose of the NPP? • Patient’s have the right to inspect and copy their PHI.
✔ Summarizes how Centric Healthcare uses and discloses • However, there are some situations where access may be denied or delayed:
patient’s PHI. • Psychotherapy notes.
✔ Details patient’s rights with respect to their PHI • PHI compiled for civil, criminal or administrative action or proceedings.
• PHI subject to CLIA Act of 1988 when access prohibited by law.
• The Organization must request that new patients sign the • If access would endanger a person’s life or safety based upon professional
NPP acknowledgment form at the time of their first visit. judgment.
✔ Patients sign the Acknowledgment of Receipt to confirm that • If a correctional inmate’s request may jeopardize health and safety of the
inmate, other inmates or others at the correctional institution.
they have been offered and/or received the NPP.
• If a research study has previously secured agreement from the individual to
✔ If unable to obtain a signed Acknowledgement, the deny access.
Organization must document its good faith efforts to obtain • If access is protected by the Federal Privacy Act.
such acknowledgement and the reason why it could not obtain • If PHI was obtained under promise of confidentiality and access would reveal
it. the source of the PHI.

27 28

Patient Rights Patient Rights

Request Restriction Accounting of Disclosures
• Record Restriction may be requested by the patient if he/she wishes to change • Accounting of Disclosures is a request for a list of disclosures of a patient’s
or restrict how your organization uses and discloses your PHI. PHI that did not require an authorization or the opportunity for the patient to
• The agency must honor request to restrict disclosure to a health plan: agree or object.
• If the disclosure is for the purpose of carrying out payment or health care • The agency typically has a form to complete to request the accounting
operations and is not otherwise required by law; and • The HIPAA rules require the organization to provide certain information
• The PHI pertains to items and services paid by the patient or patient about the disclosure, such as date, name of person who received the PHI, a
representative in-full.
description of the PHI and the purpose of the disclosure.
• For all other requests for restrictions, organization must make reasonable
effort to honor request, but approval is not required. • Individual may request accounting of disclosures as far back as six years before
the time of the request.
• Organization typically has a form to complete to request the restriction • The agency must provide the first accounting without charge. Subsequent
• Patient may later revoke a request for record restriction. requests for accountings by the same individual within a 12 month period
may be charged a reasonable, cost-based fee, as long as the organization
provides notice to the individual.

29 30
 Patient Rights Patient Rights
Accounting of Disclosures (cont’d) Accounting of Disclosures (cont’d)
Accounting of Disclosures Does Not Include Disclosures For: Accounting of Disclosures Does Include Disclosures For:
• Treatment (to persons involved in the individual’s care), payment
or health care operations.
• Individual subject of PHI. • Required by law • Organ/eye/tissue donations
• Incident to an otherwise permitted disclosure. • For public health activities • Research purposes
• Disclosure based on individual’s signed authorization. • Victims of abuse, neglect, • To avert threat to health and
• For facility directory. violence safety
• For national security or intelligence purposes. • Health oversight activities • For specialized government
• To correctional facilities or law enforcement on behalf of • Judicial/Administrative functions
inmates. proceedings • About decedents
• As part of a limited data set (see 45 CFR s. 164.514). • Workers’ compensation
• Law enforcement purposes
• Releases made in error to an
incorrect person/entity (i.e.
breach)

31 32

Personnel Designation
Privacy Officer
Section VI • Privacy Officer Responsibilities
• Development and implementation of the policies and
HIPAA Privacy Requirements procedures of the entity.
• Designated to receive and address complaints regarding
Privacy.
• Provide additional information as requested about
matters covered by the Notice of Privacy Practices.
• Designation of the Privacy Officer must be
documented.

33 34

Safeguards
Training
• Implementation of administrative, physical and
• Members of the workforce who handle PHI
require training technical safeguards (work in tandem with
• Required upon hire and recommended annually. Security rule).
• As material changes are implemented, training to • Safeguard PHI from any intentional or
appropriate workforce members affected by that unintentional use or disclosure.
change. • Limit incidental uses and disclosures that occur
• Documentation of the training, who attended, the
as a result of otherwise permitted or required
topic covered and date the training was held.
uses and disclosures.
• Example: create safeguards to prevent others from
overhearing PHI.

35 36
 Patient Right Policies and Procedures
File Privacy Complaint
• Centric Healthcare must implement policies and procedures
•Individuals may file complaints with Centric designed to comply with the Breach and Privacy Rules.
Healthcare’s Privacy Official regarding health • Centric Healthcare must change policies and procedures as
necessary and appropriate to comply with changes in the law and
information privacy violations or its privacy maintain consistency between policies, procedures and the Notice of
compliance program. Privacy Practices.
• Centric Healthcare must document all changes made to policies and
•Individuals may file complaints with the procedures and maintain all policies for 6 years.
Department of Health and Human Services • Centric Healthcare must train employees on changes made to
Office of Civil Rights. policies and procedures.

37 38

Documentation
Definition of PHI Misuse
• CentricHealthcare must maintain all documentation
for 6 years from the date of its creation, including: ▶ The following activities occurring in the absence of patient
• Policiesand procedures in written or electronic form; authorization are considered misuse of protected health information
(PHI):
• Communications in written or electronic form when such
◦ Access
communications are required in writing; ◦ Using
• Written or electronic records of actions, activities, or ◦ Taking
designations as required. No! You must have
authorization first! ◦ Possession
◦ Release
◦ Editing
◦ Destruction

Corrective
Event Investigation Resolution Documentation
Action

39 40

How Do Privacy Violations Happen?

Types of Privacy Violations
➢ Fax Document to Wrong Location
• Type I -- Inadvertent or Unintentional Disclosure ➢ “Hello, this is Pizza Plaza on Stark Street. Did
• Inadvertent, unintentional or negligent act which violates policy and which may
or may not result in PHI being disclosed. you mean to fax me this lab result for Fred
• Disciplinary action for a Type I disclosure will typically be a verbal warning, Flintstone?”
re-education, and review and signing of the Confidentiality Agreement.
However, disciplinary action is determined with the collaboration of the Privacy
Officer, Director of Human Resources and the department manager. ➢ Enter Incorrect Medical Record Number
• Type II – Intentional Disclosure ➢ “I guess I was just typing too fast.”
• Intentional act which violates the organization’s policies pertaining to that PHI
which may or may not result in actual harm to the patient or personal gain to the
employee. ➢ Forgetting to Verify Patient Identity
• Breach notification processes will be followed as described in the Breach ➢ “There were seven patients with the name
Notification Policy. Barney Rubble. I should have confirmed his
date of birth.”

42
41
 Release of Information
Permitted Uses and Disclosures of PHI Without
Authorization
• Uses and disclosures of PHI for (TPO):
• Treatment
Section VII • Payment
• Health Care Operations
Release of Information • Disclosures required or permitted by law.
• If use of the information does not fall under one of these
categories you must have the patient’s signed
authorization (written permission) before sharing that
information with anyone.

44
43

Release of Information Release of Information

When Authorization Is and Is Not Required Another Regulation to Consider

When Authorization IS Required:

Statute Summary
• Use or disclosure of psychotherapy notes 42 CFR, Part 2 Federal Alcohol and Drug Regulations which covers use
• Except in limited circumstances, use and disclosure of PHI for and release of a patient’s drug and alcohol abuse records
marketing purposes in a federally assisted program
• When selling PHI

When Authorization IS NOT Required:

• Disclosures to the individual
• Uses and disclosures for treatment by your physician
• Uses and disclosures for quality assurance activities

45 46

Release of Information
Release of Information Minimum Necessary
Restrictions and Alerts •HIPAA requires reasonable steps to limit the use and disclosures
of, and requests for, protected health information to the
•Your organization may have restrictions or alerts designed to minimum necessary to accomplish the intended purpose.
bring an employee’s attention to specific information
•For example: •The standard does not apply to the following:
• Patient is adopted. Check Centric Healthcare Personnel Policies for • Disclosures to or requests by a health care provider for treatment purposes
special instructions • Disclosures to the individual subject of the information
• Patient has authorized spouse to receive lab results on her behalf. • Uses or disclosures made pursuant to the individual’s authorization
Check Centric Healthcare Personnel Policies for more information • Use or disclosures required for compliance with Health Insurance HIPAA
administrative Simplification Rules
• Disclosures to the Dept. of Health and Human Services (HHS) when
disclosure is required under the Privacy Rule for enforcement purposes
• Uses or disclosures that are required by other laws

48
 Release of Information Release of Information
To Another Facility Faxing PHI
• Can I release a patient’s address and/or insurance information • May PHI Be Transmitted via Fax Machine?
to a nursing home? • Yes, but only when in best interest of patient care or payment of
• Yes, if you know the requesting individual and the claims.
request is legitimate. • Faxing sensitive PHI, such as HIV, mental health, AODA, and
• If you are unfamiliar with the individual requesting the STD’s is strongly discouraged.
information, ask for the following in writing: • It is best practice to test a fax number prior to transmitting
• Patient’s name, date of birth, and address information. If this is not possible:
• Why the information is needed • Restate the fax number to the individual providing it.
• Specific reason (e.g. treatment or payment) • Obtain telephone number to contact the recipient with any
• The requestor’s name, name of the nursing home, and a direct telephone questions.
to the nursing home (switchboard) • Do not include PHI on the cover sheet.
• If uncertain, obtain patient authorization • Verify you are including only correct patient’s information (i.e.
check the top and bottom pages).
• Double check the fax number prior to transmission

49 50

Release of Information
Release of Information E-Mail (cont’d)
E-Mail • We may communicate with patients through e-mail only if
the patient has signed the agency’s privacy and security
• We may not communicate with patients through e-mail at this time.
E-Mail Agreement.
• The patient portal will provide the opportunity to electronically
communicate with our patients. • When sending ePHI to anyone for treatment, payment or
• When sending ePHI to other organizations for required business functions healthcare operations, encrypt the e-mail per Centric
(i.e. treatment, payment or healthcare operations), encrypt the email per Healthcare procedures, and verify the organization’s
agency’s procedures. confidentiality disclaimer is included.

Note to Organization: Depending on your Email policy, include either this slide, or the previous, but not both
Note to Organization: Depending on your Email policy, include either this slide, or the next, but not both

51 52

HIPAA Security Rule

• In general, the HIPAA Security Rule requires covered
entities and business associates to do the following:
Section VIII ✔ Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of electronic protected health
HIPAA Security Rule information (ePHI) that is created, received, maintained or
transmitted.
✔ Protect against any reasonably anticipated threats or hazards to
the security or integrity of ePHI.
✔ Protect against any reasonably anticipated uses or disclosures of
ePHI that are not permitted or required under the Privacy Rule.
✔ Ensure compliance with security by its workforce.

53 54
 How We Apply the Security Rule How We Apply the Security Rule
Policies and Procedures
Administrative Safeguards
Policies and procedures are REQUIRED and must be followed by
employees to maintain security (i.e. disaster, internet and e-mail use) • Internet Use
• Access only trusted, approved sites
Technical Safeguards
• Don’t download programs to your workstation
Technical devices needed to maintain security.
• Assignment of different levels of access
• Screen savers
• Devices to scan ID badges
• E-Mail
• Audit trails • Keep e-mail content professional
Physical Safeguards
• Use work e-mail for work purposes only
Must have physical barriers and devices: • Don’t open e-mails or attachments if you are suspicious of or
◦ Lock doors don’t know the sender
◦ Monitor visitors
• Don’t forward jokes
◦ Secure unattended computers
• Follow [Organization’s] policy for sending secure E-mails

55 56

Access to ePHI
How We Apply the Security Rule Passwords
ePHI Access
• The Security Rule requires the agency to implement
• How Do We Control ePHI Access? procedures regarding access controls, which can
include the creation and use of passwords, to verify
✔ User names and passwords that a person or entity seeking access to ePHI is the
✔ Biometrics one claimed.
✔ Screen savers • The use of a strong password to protect access to
✔ Automatic logoff ePHI is an appropriate and expected risk
management strategy.

57 58

What Can I Do to Help Protect E-Mail Security

Our Computer Systems and Equipment?
Appropriate use of e-mail can prevent the accidental
• Workstation use disclosure of ePHI. Some tips or best practices include:
• Restrict viewing access to others
• Follow appropriate log-on and log-off procedures ✔ Use email in accordance with policies and procedures
• Lock your workstation, press Ctrl-Alt-Del or Windows key• + “L” defined by the Centric Healthcare.
• Use automatic screen savers that lock your computer when not in use ✔ Use e-mail for business purposes and do not use e-mail
• Do not add your own software and do not change or delete ours in a way that is disruptive, offensive, or harmful.
• Know and follow organizational policies
• If devices are lost, stolen or compromised, notify your supervisor immediately! ✔ Verify email address before sending.
• Do not store PHI on mobile devices unless you are authorized to do so and ✔ Include a confidentiality disclaimer statement.
appropriate security safeguards have been implemented by your organization
✔ Don’t open e-mail containing attachments when you
don’t know the sender.

59 60
 Safeguarding PHI
Confidentiality

Section IX •Securing information from improper disclosure also includes

• Sharing PHI with only those that need to know (direct care workers, staff) in a
discreet manner.
• Refraining from discussing patient visits, conditions, progress, etc. with family,
PHI Safeguarding Tips friends, neighbors, and co-workers that do not have a need to know.
• Ensuring the disclosure of information reaches the intended
person:
• Validating fax numbers prior to faxing PHI.
• Verification of identity prior to releasing information without the patient present.
• Requesting verbal authorization from the patient to discuss their health, conditions,
etc. with those that may be present.

What else can I do to protect our patients’ PHI?

61 62

Safeguarding PHI Safeguarding PHI

Family, Friends, You and PHI Delivery of PHI
• Do not share with family, friends, or anyone else a patient’s
• I need to transport paper records/PHI to another department. Is this okay?
name, or any other information that may identify him/her, for
• Yes, you may transport documents to another department.
instance:
• Secure so you don’t drop them:
• It would not be a good idea to tell your friend that a • Carry them close to your person.
patient came in to be seen after a severe car accident. • Carry them in a facility designated bag, box, or container.
• Why? Your friend may hear about the car accident on the news • Ensure no names are visible.
and know the person involved.
• Ensure no records are left unattended.
• Do not inform anyone that you know a famous person, or
their family members, were seen at this organization.

63 64

Safeguarding PHI
Transporting PHI Offsite
• When necessary to transport PHI externally:
• Place in a locked briefcase, closed container, sealed, self-addressed
interoffice envelope; Section X
• Place PHI in the trunk of your vehicle, if available, or on the floor HIPAA Violations and Complaints
behind the front seat;
• Lock vehicles when PHI is left unattended
• [Include if this applies to your organization]: You may not transport patient
charts between departments or offsite unless authorized by the Director of
Health Information Management.

65 66
 HIPAA and Your Role HIPAA Violations
• Remember, it is your responsibility, as a Centric • Three types of violations:
Healthcare’s employee or independent contractor, to •Incidental
comply with all privacy and security laws, regulations, •Accidental
and all agency’s policies pertaining to them.
•Intentional
• Employees and independent contractors suspected of
violating a privacy or security law, regulation, or
agency’s policy are provided reasonable opportunity to
explain their actions.
• Violations of any law, regulation, and/or agency’s policy
will result in disciplinary action, up to and including
termination, according to agency’s HR Policy.
How much is enough? How much is too much?

67 68

How Do I Report
HIPAA Privacy Violations?
Patient Complaints
• Directly to your Supervisor, who in turn reports it to the
Agency’s Privacy Officer.
We Must Respond to Privacy and Security Complaints
• Call or email the Privacy Officer.
All Privacy Complaints Must Be Reported

69 70

How Do I Report Source

HIPAA Security Violations?
• US Department of Health and Human Services
• Same as for Privacy Violations, except instead of https://www.hhs.gov/hipaa/for-professionals/index.html
reporting to the Privacy Officer, report to the Agency’s
HIPAA Security Officer.

71
72