1. HIPAA Privacy & Security Training Module

2. What we want to accomplish
Understand HIPAA Privacy Rule
Understand who it applies to
Discuss PHI
Define PHI
Identify how and when it is used and disclosed
Identify the right amount of PHI to use or disclose
Talk about patient rights under HIPAA
Understand a breach
Review responsibilities and safeguards
This training covers HIPAA and what is required to comply with the Privacy Rule and who it applies to.
We define protected health information and how to appropriately use and disclose it.
You will learn about the rights that individuals have concerning their protected health information.
You will learn what to do if protected health information is breached, which means used or disclosed in a way that violates the HIPAA rules.
The most important point is to understand how HIPAA applies to you and your work responsibilities.

3. What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
Federal law
Comprised of Five Sections
Administrative Simplification
Electronic Transactions and Code Sets Rule
Privacy Rule
Security Rule
HIPAA stands for the Health Insurance Portability and Accountability Act.
It is a federal law that was passed in It is comprised of five sections.
One of the sections, Title II, is known as the Administrative Simplification provisions. This section contains the Electronic Transactions and Code Sets Rule, the Privacy Rule, the Security Rule.
The Electronic Transactions and Code Sets Rule provides for standards for the electronic exchange of health information, for example, when a health care provider sends a claim to a health plan to request payment for medical services using medical diagnosis or procedure codes.

4. Privacy Rule v. Security Rule
Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information
Security Rule defines how to protect protected health information in electronic form, called ePHI
The Privacy Rule defines what information is considered protected health information and outlines the rights that individuals have with respect to controlling their own protected health information.
The requirements under the Security Rule are to ensure the confidentiality, integrity and availability of the ePHI, protected health information in electronic form so that ePHI is not disclosed to unauthorized persons, or altered or destroyed in an unauthorized manner.

5. Education HIPAA PRIVACY HIPAA SECURITY
The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered:
HIPAA PRIVACY
HIPAA SECURITY
Protected Health Information
Minimum Necessary
Patient Rights
Notice of Privacy Practices
Privacy Policies
Privacy Officer
Reporting Privacy Concerns
Electronic Protected Health Information
User Identity
Password Management
Appropriate Use of Computing Devices
Security Policies
Security Officer
Reporting Security Concerns

7. HIPPA Privacy Officer
Maintains appropriate measures to guard against unauthorized access to PHI.
Ensures compliance through adequate training programs and periodic audits.
Maintains HIPAA policies and procedures.

8. Don’t forget about state law!
Other important rules
HITECH Act of 2009 – Health Information Technology for Economic and Clinical Health Act
Breach Notification Rule
HIPAA Omnibus Rule
Changed the Breach Notification Rule
Don’t forget about state law!
Since the passage of HIPAA, other rules have been enacted that add more requirements.
One of these rules is HITECH, the Health Information Technology for Economic and Clinical Health Act, which includes the breach notification rule. The rule mandates steps that must be taken by a Covered Entity or Business Associate when a breach of protected health information occurs, including notification to the individual.
HITECH also strengthened the civil and criminal penalties for violating the HIPAA rules.
The HIPAA Omnibus Rule was passed in January of 2013 and it changed some of the breach notification rules and increased enforcement penalties.
It is also important to mention state privacy and breach laws. Most states have adopted laws to protect an individual’s personal and private information and some of these laws may be more stringent than the federal HIPAA rules.

9. What is the Privacy Rule?
Personal health information must be safeguarded by organizations and the individuals who work there
Patients have rights to gain access to their medical records and restrict who sees their health information
Organizations must train their workforce on the privacy requirements
Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed
Punishes individuals and organizations that fail to keep patient information confidential
The Privacy Rule went into effect on April 14, It mandates the protection of private health information, it gives individuals certain rights regarding getting access to their medical records, and restricts who can see their health information.
The Privacy Rule requires organizations to train employees so they understand the privacy procedures.
It requires the appointment of someone who is responsible for making sure that policies are adopted and followed. At the facility, the Administrator or Executive Director is the Local Privacy Officer.
Finally, the Privacy Rule provides for punishment of individuals and organizations that fail to comply with HIPAA’s Privacy Rule.

10. Healthcare Clearinghouses
Who is Covered?
Health Plans
Healthcare Clearinghouses
Healthcare Providers that conduct standard transactions in electronic form that involve PHI
Known as “Covered Entities”
Organizations that must comply with the Privacy Rule are known as Covered Entities.
Covered entities include health insurance plans, such as Humana and Anthem.
Also healthcare clearinghouses. Clearinghouses are companies that turn nonstandard formats into standard transaction formats that meet HIPAA requirements and vice-versa, such as Zir Med.
HIPAA also applies to health care providers, such as skilled nursing providers and assisted living providers that meet the standards of HIPAA.

11. Business Associates (BA)
Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI)
Law firm
Pharmacist consultant
Medical Director
Record Storage Company
Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA
Like a Covered Entity, HIPAA applies to Business Associates.
A Business Associate is an individual or company that performs duties or functions for a Covered Entity that involves having access to protected health information held by the Covered Entity.
Examples of Business Associates include a consultant pharmacist or a law firm. And record storage companies, such as Iron Mountain.
Prior to disclosing PHI to a Business Associate, the Covered Entity must have a signed written agreement with the Business Associate that requires the BA to safeguard the PHI that will be disclosed to or used by the Business Associate.

12. What is Protected Health Information (PHI)?
Individually identifiable health information
That relates to an individual’s past, present or future health care, or
That relates to health care services provided to the patient, or
That relates to payment for care
Created or received by a Covered Entity or Business Associate
In any form: paper, electronic or oral
Protected health information, or PHI, is:
identifiable patient information that either identifies the individual or could identify the individual,
that relates to the patient’s past, present or future health, or
that relates to the health care services provided to the patient, or
that relates to the payment for the health care.
created or received by a Covered Entity or Business Associate,
PHI can be in any form: paper, oral or electronic.
Electronic PHI is covered under the Security Rule.

13. Individual Identifiers of PHI
Name
Address
Telephone No.
Finger or voice prints
Social security number
Vehicle/device serial no.
Health plan number
Certificate/license No.
Account Number
Names of relatives
Names of employers
Fax number
Birth date/admission & discharge dates
Photographic images/X-rays
Medical record number
Account Number
, IP address, web URL
If health information contains one or more of these identifiers, it creates protected health information because the individual is or could be identified.
Some of these identifiers are more sensitive than others. For example, if an individual’s social security number is wrongfully disclosed, it creates a greater risk of harm than a fax number. But both of these incidents could potentially create a breach.
The point here is, be careful when any of these identifiers are included on what your are working with as they can create PHI that must be safeguarded.

14. Notice of Privacy Practices (NPP)
Notice of Privacy Practice (NPP) describes how PHI may be used and disclosed by a Covered Entity.
NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity.
NPP for health care providers must be:
Distributed at the first instance of service,
Posted at the service site,
Posted on the website if one exists.
All employees should be aware of the NPP.
The Notice of Privacy Practices explains how the Covered Entity may use and disclose protected health information about an individual. A statement must be included that the Covered Entity is required by law to maintain the privacy of protected health information.
It tells about the rights the individual has with respect to the information and how the individual may exercise these rights, including how the individual may complain to the Covered Entity.
The NPP is distributed at the first instance of service and is posted on site and on the website if one exists.
Employees should read and understand the Notice.

15. When does HIPAA allow use or disclosure of PHI?
Permitted by law
Treatment
Payment
Health Care Operations
Public interest and public benefit
Permission by the resident/patient
Authorization
One of the major purposes of HIPAA is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by a Covered Entity or Business Associate.
By law, PHI can be used or disclosed for treatment, payment and health care operations purposes. This is also known as TPO.
This means disclosing to a health care provider involved in a patient’s treatment is okay and so is disclosing information to a health insurance plan for payment.
Health care operations are activities such as: quality assessment and improvement activities, or conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs.
Examples of PHI used and disclosed for the public interest or public benefit are: (a) for national security reasons, (b) abuse reporting, (c) pursuant to court orders.
The other key that always unlocks PHI is an authorization by the individual.

16. Incidental Uses and Disclosures
Incidental use or disclosure
Occurs as a by-product of a permissible use or disclosure using reasonable safeguards
Cannot be reasonably prevented
Must use reasonable safeguards
Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it
We know when we can use and disclose PHI, what about an incidental disclosures.
An "incidental" use and disclosure occurs as a by-product of another permissible or required use or disclosure under the Privacy Rule. It is a limited disclosure that cannot reasonably be prevented.
An example of this is: a visitor catches a glimpse of a nursing station whiteboard as the nurse updates the information on the whiteboard. As long as the nurse used reasonable safeguards, meaning she didn’t carry the whiteboard into a public area to update it, this is an incidental disclosure rather than a breach.
An incidental disclosure of confidential information can become a serious matter depending upon the information disclosed and the unauthorized person who saw the information.
What if the white board had information about a resident having a terminal diagnosis and the visitor who saw the information was the resident’s daughter. What if the daughter didn’t know the diagnosis because the resident requested she not be told?

17. Accidental Uses and Disclosures
Accidental use or disclosure
Potential breach
Attempt to retrieve it, or limit exposure or risk to the information
Report the incident immediately
Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage
When an accidental use or disclosure occurs, this could be a breach.
So you should try to mitigate potential harm, for example, by trying to retrieve the information or by asking the person who received it to destroy it and certify they destroyed it.
You should be reporting accidental uses and disclosures immediately so the Local Privacy Officer can analyze the facts to determine if a reportable breach occurred.
An example of an accidental disclosure would be faxing PHI to the wrong fax number. If the fax goes to a garage instead of the doctor office, is this a problem? What if it goes to the wrong doctor?
Even incidental or accidental disclosures of confidential information can be a serious matter. Always report these matters to your supervisor so the

18. Minimum necessary does not apply when PHI is used or disclosed:
Uses, disclosures, and requests of PHI limited to the “minimum necessary to accomplish the intended purpose.”
Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent.
Minimum necessary does not apply when PHI is used or disclosed:
For treatment purposes,
To the individual,
When you obtained an authorization,
When required by law.
An important principle of HIPAA is the minimum necessary requirement. This means you use or disclose the smallest amount of PHI necessary to complete the job.
An example of minimum necessary is: an insurance company requests a patient’s medical record for billing purposes. You don’t send the entire record, you send only the information pertaining to a specific bill.
Minimum necessary does not apply when dealing with uses and disclosure for treatment, to the individual, when you have an authorization, and when required by law.

19. Need to know Determine the information you need to know to do your job
Access information only if you have a need to know it
Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit.
Another principle of HIPAA is the need to know concept.
Employees must access information only when they have a need to know it. This usually comes up in the context of employees looking at the records of famous people when they have no need to know this information.
An example of need to know is: a nurse needs access to PHI to provide care for patients on his/her unit. However, the nurse does not need to have access to PHI for those patients who are not on his/her unit.

20. Patient Rights Receive a Notice of Privacy Practices Right to Access
Right to an Accounting of Disclosures
Restriction of Use of PHI
Confidential Communications
Request Amendment
File Complaint (Covered Entity and Office of Civil Rights)
HIPAA affords individuals certain rights under the law.
Those rights include:
the right to receive a notice of privacy practices,
right to access his/her medical record,
right to request an accounting of disclosures,
right to restrict use of his/her record,
right to request confidential communication,
right to request an amendment to his/her medical record,
and the right to file a complaint with the organization or the Office of Civil Rights.

21. You notice a list of names and current medications in the trash can.
What would you do?
A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public.
A professionally dressed visitor walks into the nurses station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record.
You notice a list of names and current medications in the trash can.
Scenario #1: Is this a problem if the MAR sheet is left in the open for anyone to view? What should you do? You should cover the MAR sheet and the employee who did this should be re-trained.
Scenario #2 - Is it inappropriate for a visitor to have access to the nurses station? What if they view the PHI of other residents? What is your facility’s procedure for providing medical records to individuals? Who determines if the person has a legitimate consent from the resident or health care surrogate? You should ask the visitor to leave the area of the nurses station that contains the protected health information of other residents. You can inform her that it is against the HIPAA rules for her to see PHI of other residents. As far as the visitor having access to a medical record, follow your facility’s procedure. Do not release information until you know it is okay to do so.
Scenario #3 – Should you remove the list from the trash? What about notifying your supervisor? Yes, you should remove the list from the trash and shred it. You should also report the incident to your supervisor. Even if the incident is not a breach, the Local Privacy Officer will determine what steps should be taken to prevent it from happening again.

22. Disclosure that must be tracked
Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request.
The following disclosures need to be tracked:
Required by law (i.e. reports of abuse to a public health authority)
Required for public health activities (i.e. reporting of disease)
For health oversight activities (i.e. audits by an oversight agency)
Reports of abuse (i.e. to the police, medical staff)
For law enforcement purposes (i.e. to identify the perpetrator of a crime)
To the coroner (i.e. for identifying a deceased person)
To avert a threat of serious injury (i.e. disclosure to a person who can prevent the threat or to law enforcement)
Unlawful or unauthorized disclosure (i.e. inadvertent disclosures)
As mentioned on the previous slide, the HIPAA Privacy Rule provides an individual with the right to receive a listing, known as an accounting of disclosures, that provides information about when a Covered Entity discloses the individual's information to others.
The disclosures to be tracked include those required by law, to law enforcement, or to a coroner … to name a few.
Depending upon the circumstances, an inadvertent disclosure may also need to be tracked. This reinforces the need to protect health information in day-to-day work activities.
The point here is, report to your supervisor if you think PHI was used or disclosed in a manner other than treatment or payment or with an authorization so that a determination can be made as to what needs to be tracked on an accounting.

24. What is a breach?
An impermissible use or disclosure that compromises the security or privacy of the PHI.
A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment.
When PHI is used or disclosed in a manner that violates HIPAA, a breach may have occurred.
HIPAA states that a breach is presumed to have occurred unless the Covered Entity or Business Associate can demonstrate there was a low probability the PHI was compromised based on a risk assessment.

25. Examples of Possible Breaches
Throwing PHI in the trash or dumpster (without being shredded);
Sharing PHI with those who do not have a need to know;
Posting another person’s PHI on your Facebook page;
Faxing a document containing PHI to the wrong fax number;
PHI that has been lost or stolen.
These are some examples of possible breaches:
Throwing PHI in the trash or dumpster is a breach unless the information is shredded in an manner that the information is not readable, meaning you can’t put the pieces of paper together to read it.
Sharing PHI with someone who doesn’t have a need to know is a breach.
Posting someone’s PHI on your Facebook page is a breach.
Faxing PHI to the wrong fax number could be a breach.
And finally, if PHI is lost or stolen, it could be a breach depending upon the facts of the incident.

26. What if a breach occurred?
Report incidents to your supervisor as soon as they occur or are discovered
LPO investigates to determine if the incident is a breach
Incidents that are potential breaches must be reported to your supervisor as soon as they occur or are discovered.
The facts of an incident will be evaluated by the Local Privacy Officer to determine if the inappropriate use or disclosure compromises the security or privacy of the PHI, meaning that a breach occurred.

27. Breach Notification
A breach requires notification within a required time from the date the breach was discovered or should have been discovered:
Individual, within 60 days
HHS – OCR, within 60 days if > 500 individuals involved
HHS – OCR, annually within 60 days of the end of the calendar year if < 500 individuals
Media, within 60 days if more than 500 individuals involved
When there is a breach, notification must be provided in accordance with the HIPAA requirements:
within 60 days to the individual;
within 60 days to OCR if more than 500 individuals involved;
annually to OCR if less than 500 individuals involved;
to a prominent media outlet if more than 500 individuals are involved.

28. OCR Audits / Investigations
Permanent audits in planning stage
Complaints can trigger an investigation
A breach can trigger an investigation
The Department of Health and Human Services, Office of Civil Rights, or OCR, is the agency that enforces HIPAA.
OCR is preparing for a permanent audit program anticipated to start during 2014 or When OCR’s audit program becomes permanent, the program will look at the level of compliance at both Covered Entities and their Business Associates.
OCR can also conduct an audit based on complaints they receive or if they are investigating a breach.

29. Penalties for Non-Compliance
Individual can be responsible, not just the Covered Entity or Business Associate
Civil Money Penalties
Violation but you did not know or could not have known
$100 per violation with annual maximum of $25,000 for repeat violations
Violation due to reasonable cause and not due to willful neglect
$1,000 per violation with an annual maximum of $100,000 for repeat violations
Violation due to willful neglect but corrected within required time period
$10,000 per violation with annual maximum of $250,000 for repeat violations
Violation due to willful neglect and not corrected
$50,000 per violation with annual maximum of $1.5 million
Failure to comply with HIPAA can result in civil and criminal penalties. The amount of the penalty is based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
You will notice there are different standards and penalties. The lowest threshold is if you did not know or could not have known by exercising reasonable diligence that HIPAA was violated, the penalty is $100 per violation up to an annual maximum of $25,000 for repeat violations.
For a cause not due to willful neglect, $1,000 per violation up to $100,000 annually.
For violation due to willful neglect but corrected within the required time period, $10,000 per violation and $250,000 annual for repeat violation.
For willful neglect and not corrected, $50,000 per violation with an annual maximum of $1.5 million.

30. Penalties, cont. Criminal Penalties Knowingly committed the offence
Up to $50,000.00
Up to one year in prison
Committed under false pretenses
$100,000
Up to five years in prison
Committed for financial gain or malicious harm
$250,000
Up to ten years in prison
For criminal penalties, a monetary payment can also be involved as well as a prison sentence. The penalties will vary if the crime was committed “knowingly”, or “under false pretenses”, or for “financial gain or malicious harm”.

31. Headlines, Reported Breaches
Southwest General Health Center
Notified 480 patients that a binder containing their personal and health information had gone missing
Phoenix Cardiac Surgery
Appointments were available to the public on internet-based calendar
Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard PHI of its patients
Nursing Assistant in Florida sentenced for HIPAA crime
Former nursing assistant of assisted living facility in sentenced to 3 years in prison for stealing and selling patient information
Ordered to pay $12,000 in penalties
UCLA School of Medicine
Researcher terminated and in retaliation accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times
Sentenced to 4 years in prison
There are frequent headlines about breaches. Here are a few.
Southwest General notified 480 patients that a binder was missing from their facility that contained their PHI including names, medical records numbers, dates of birth and clinical information.
Phoenix Cardiac Surgery was extensively investigated by OCR after it received a compliant that appointments were available to the public on an internet-based calendar. They paid $100,000 to settle claims they failed to implement safeguards to protect HIPAA information and to implement HIPAA policies and procedures.
The next case is about a crime that is happening more frequently. Allegedly, individuals work at a hospital or facility for a couple of weeks with the sole purpose of stealing PHI. This case involved a 24-year old nursing assistant who plead guilty to conspiring to defraud the government and wrongfully disclosing HIPAA information. The nursing assistant stole patient information from an assisted living facility and hospital and sold it to undercover law enforcement officers. A trash barrel was allegedly filled with the data. Prosecutors said little money was made off the scheme. She was sentenced to 3 years in prison and ordered to pay $12,000 in penalties.
The final incident involves a researcher at the UCLA School of Medicine who received a notice of termination and in retaliation, he accessed the medical records of his superior, his co-workers, and many celebrity patient records, a total of 323 times. The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule. 

32. General Safeguards
Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data
When you talk about it
When you fax it
When you store it
When you use it
When you disclose it
When you dispose of it
Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know
You are entrusted with residents’ highly confidential and protected information and data.
The information can be medical, financial or other data.
The point here is, you have a responsibility to protect it and keep it confidential: when you talk about it, fax it, store it, use it, disclose it or dispose of it.
Access the minimum amount of PHI necessary to do you job and only when you have a need to know.

33. General Safeguards, cont.
Confidential verbal conversations should be conducted away from others who do not have a need to know.
Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so.
Documents containing PHI should not be left in open areas or on desks where it can easily be seen or stolen by passerby.
Hold verbal conversations in private. Do not discuss a resident’s condition in front of another resident’s family.
Do not use or disclose PHI for personal purposes, or allow others to do it.
If you walk away from your desk, do not leave documents containing PHI where it could easily be viewed or stolen.

34. General Safeguards, cont.
Dispose of resident information by shredding or storing in lock containers for destruction. Do not throw in the trash!
Keep information you hear about a resident to yourself. Share only with those who have a need to know.
Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know.
Be aware of the PHI on your computer screen and use reasonable safeguards so visitors cannot view it.
Report any fraudulent attempts to obtain PHI.
Do not throw PHI in the trash or dumpster.

35. General Safeguards, cont.
Notify security if you see an unescorted visitor in a private area.
Computer screens where PHI is viewed should be turned away from the view of visitors.
Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.

36. HIPAA Security Rule
Security Rule defines how to protect protected health information in electronic form, called ePHI

38. HIPAA: Security Rule Four Requirements of Security:
Ensures confidentiality, integrity, and availability of electronic PHI.
Protects against possible threats and hazards to the information.
Hackers, viruses, natural disasters or system failures.
Protects against unauthorized uses or disclosures.
Ensures compliance by the workforce through
security regulations and policies/procedures.
Three Components of Security:
Administrative Safeguards
Physical Safeguards
Technical Safeguards

39. HIPAA: Security Rule Administrative Safeguards:
Documentation kept for 6 years.
Internal system audits minimize security violations.
Logins, file accesses, and or security incidents.
Information access management:
Access to PHI based on what is needed to preform the job.
Once computer access is requested, it will take hours to implement due to complexity of security system.
Security awareness and training:
Security updates, incident reporting, log-in, and password management.
Security incidents will be reported if suspected or if there is an actual breach.
Name and phone number of person reporting the incident
Date and time the incident was discovered
Observed behaviors that led to the incident being suspected
Any unusual circumstances surrounding the event

40. HIPAA: Security Rule Physical Safeguards:
Safeguard the facility and equipment, from unauthorized physical access, tampering, and theft.
Workstations positioned so monitor screens/ keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable. Physical access to the server room limited to key personnel.
Workstation use and security.
Log on as themselves. Log off prior to leaving the workstation,
Inspect the last logon information, report any discrepancies.
Comply with all applicable password policies and procedures.
Close files not in use.

41. HIPAA: Security Rule Technical Safeguards: Access controls:
User password setup is for one-time use initially. Allowing the individual to choose their own unique password for future access.
User passwords reset every 180 days.
All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters).
Passwords cannot be reused until after three (3) different generations have been used.
Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for (30) minutes and then reset.
Computer Desktops automatically lock after 17 minutes of inactivity.
Citrix sessions automatically close after 30 minutes of inactivity.
CareVoyant sessions automatically close at different intervals depending on place within the program.
CareTracker sessions automatically close at different intervals depending on place within the program

42. HIPPA Security Officer
Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards.
Oversees and/or performs on-going security monitoring of organization information systems.
Ensures compliance through adequate training programs and periodic security audits.
Ensures security standards comply with statutory and regulatory requirements.
Maintains HIPAA security policies and procedures.

43. Who is responsible for HIPAA?
EVERYONE at Elmcroft:
Support Center Staff:
IT Staff:
Implement safeguards for the computer systems.
Local Privacy Officer:
Clinical Staff and Physicians:
Create and access the majority of resident information.
Managers and Supervisors:
Develop and implement policies and procedures that relate to security and ensure their staff are trained properly.
Clerical Staff:
Create and access resident information.
Volunteers:
Have access to resident information in various settings
Vendors and Contractors
May have access to resident information

44. Tips for HIPAA Security Compliance
Log on and off the network appropriately.
Never let others use your ID or work under your ID.
Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media.
may be, but is not always, a secure form of data transmission. Do NOT PHI unless using encrypted means.
Use caution in opening files from unknown sources.
Do NOT access non-permitted information or give non-permitted information to unauthorized employees.
Be aware of, and report, security threats to the Security Officer.

45. Tips for HIPAA Security Compliance
Passwords must be treated as sensitive and confidential information.
Never share your password with anyone for any reason.
Passwords should not be written down, stored electronically, or published.
Good password practices:
Private: tell no one your password
Secret: never write your password down

46. Tips for HIPAA Security Compliance
Be sure to change initial passwords, password resets and default passwords first time you log in.
Use different passwords for your different accounts.
Create passwords that are
not common,
avoid common keyboard sequences,
do not contain personal information, such as pets, birthdays or kid’s names.
Good password techniques:
Easily remembered: use something you know well, then change slightly
Secure with combination of letters, numbers and symbols
Change your password at least every three months
Watch for shoulder surfers or other physical techniques to gain password

47. Tips for HIPAA Security Compliance
Protect sensitive information on lists and reports with social security numbers (SSNs).
Limit access to lists and reports with SSNs to those who specifically need SSNs for official business.
Never store SSNs or use lists with SSNs on laptops or home computers.
Save and store sensitive information only on Elmcroft servers managed by IT staff.

48. Tips for HIPAA Security Compliance
Never copy sensitive data to CDs, disks, or portable storage devices.
Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.).
Lock printed materials with sensitive data in drawers or cabinets when you leave at night.
When done with printed sensitive material, shred them.

49. Tips for HIPAA Security Compliance
Remove sensitive materials from printer right away.
If problem with printer, turn off printer to remove sensitive material from printer’s memory.
Personally deliver sensitive materials to recipient or distribute information electronically using the system.
Arrange for shared electronic files that requires user ID and password.

50. What do we do? Complete initial and annual HIPAA training
Read the Notice of Privacy Practices (NPP)
Understand how HIPAA regulations impact your job function and responsibility
Check with your supervisor if you are uncertain
Ask for additional training if required
It is our responsibility to ensure confidentiality of our residents’ health information.
To comply with HIPAA, training is required and we should ask if we need additional HIPAA training.
Reading the Notice of Privacy Practices will provide an understanding of the requirements.
Understanding how HIPAA impacts your job function is critical and when in doubt, ask your supervisor.
We must take seriously our responsibility in protecting resident health information.

51. What happens at work, stays at work!
General Rule for HIPAA
What happens at work, stays at work!
OR…..
What happens at work, stays at work.

52. Questions

53. Resources
Your Local Privacy/Security Officer (Administrator/Executive Director)
Susan Dawson, Privacy Officer
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office:   
Bob Dooley, VP Information Systems
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office:   
Bob Dooley, VP Information Systems
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: