Slide 2: What we want to accomplish
- Understand the HIPAA Privacy Rule
- Understand who it applies to
- Discuss PHI
  - Define PHI
  - Identify how and when it is used and disclosed
  - Identify the right amount of PHI to use or disclose
- Talk about patient rights under HIPAA
- Understand a breach
- Review responsibilities and safeguards

Notes: This training covers HIPAA, what is required to comply with the Privacy Rule, and who it applies to. We define protected health information and how to appropriately use and disclose it. You will learn about the rights that individuals have concerning their protected health information. You will learn what to do if protected health information is breached, which means used or disclosed in a way that violates the HIPAA rules. The most important point is to understand how HIPAA applies to you and your work responsibilities.
Slide 3: What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Federal law
- Comprised of five sections
- Administrative Simplification
  - Electronic Transactions and Code Sets Rule
  - Privacy Rule
  - Security Rule

Notes: HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law that was passed in 1996. It is comprised of five sections. One of the sections, Title II, is known as the Administrative Simplification provisions. This section contains the Electronic Transactions and Code Sets Rule, the Privacy Rule and the Security Rule. The Electronic Transactions and Code Sets Rule provides standards for the electronic exchange of health information, for example, when a health care provider sends a claim to a health plan to request payment for medical services using medical diagnosis or procedure codes.
Slide 4: Privacy Rule v. Security Rule
- Privacy Rule: identifies what information is to be protected and outlines the individual's rights to control access to their health information
- Security Rule: defines how to protect protected health information in electronic form, called ePHI

Notes: The Privacy Rule defines what information is considered protected health information and outlines the rights that individuals have with respect to controlling their own protected health information. The requirements under the Security Rule are to ensure the confidentiality, integrity and availability of ePHI (protected health information in electronic form), so that ePHI is not disclosed to unauthorized persons, or altered or destroyed in an unauthorized manner.
Slide 5: Education

HIPAA PRIVACY
- Protected Health Information
- Minimum Necessary
- Patient Rights
- Notice of Privacy Practices
- Privacy Policies
- Privacy Officer
- Reporting Privacy Concerns

HIPAA SECURITY
- Electronic Protected Health Information
- User Identity
- Password Management
- Appropriate Use of Computing Devices
- Security Policies
- Security Officer
- Reporting Security Concerns

Notes: The education that you are receiving today will focus on the responsibilities you have in order to ensure Elmcroft complies with the HIPAA Privacy and HIPAA Security regulations. The topics listed above will be covered.
Slide 7: HIPAA Privacy Officer
- Maintains appropriate measures to guard against unauthorized access to PHI.
- Ensures compliance through adequate training programs and periodic audits.
- Maintains HIPAA policies and procedures.
Slide 8: Other important rules
- HITECH Act of 2009: Health Information Technology for Economic and Clinical Health Act
  - Breach Notification Rule
- HIPAA Omnibus Rule
  - Changed the Breach Notification Rule
- Don’t forget about state law!

Notes: Since the passage of HIPAA, other rules have been enacted that add more requirements. One of these rules is HITECH, the Health Information Technology for Economic and Clinical Health Act, which includes the Breach Notification Rule. The rule mandates steps that must be taken by a Covered Entity or Business Associate when a breach of protected health information occurs, including notification to the individual. HITECH also strengthened the civil and criminal penalties for violating the HIPAA rules. The HIPAA Omnibus Rule was passed in January of 2013; it changed some of the breach notification rules and increased enforcement penalties. It is also important to mention state privacy and breach laws. Most states have adopted laws to protect an individual’s personal and private information, and some of these laws may be more stringent than the federal HIPAA rules.
Slide 9: What is the Privacy Rule?
- Personal health information must be safeguarded by organizations and the individuals who work there
- Patients have rights to gain access to their medical records and to restrict who sees their health information
- Organizations must train their workforce on the privacy requirements
- Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed
- Punishes individuals and organizations that fail to keep patient information confidential

Notes: The Privacy Rule went into effect on April 14. It mandates the protection of private health information, gives individuals certain rights regarding access to their medical records, and restricts who can see their health information. The Privacy Rule requires organizations to train employees so they understand the privacy procedures. It requires the appointment of someone who is responsible for making sure that policies are adopted and followed; at the facility, the Administrator or Executive Director is the Local Privacy Officer. Finally, the Privacy Rule provides for punishment of individuals and organizations that fail to comply with it.
Slide 10: Who is Covered?
- Health Plans
- Healthcare Clearinghouses
- Healthcare Providers that conduct standard transactions in electronic form that involve PHI
- Known as “Covered Entities”

Notes: Organizations that must comply with the Privacy Rule are known as Covered Entities. Covered Entities include health insurance plans, such as Humana and Anthem. Healthcare clearinghouses are also Covered Entities; clearinghouses are companies that turn nonstandard formats into standard transaction formats that meet HIPAA requirements, and vice versa, such as Zir Med. HIPAA also applies to health care providers, such as skilled nursing providers and assisted living providers, that meet the standards of HIPAA.
Slide 11: Business Associates (BA)
- Individual or organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI)
  - Law firm
  - Pharmacist consultant
  - Medical Director
  - Record storage company
- Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA

Notes: Like a Covered Entity, a Business Associate is subject to HIPAA. A Business Associate is an individual or company that performs duties or functions for a Covered Entity that involve having access to protected health information held by the Covered Entity. Examples of Business Associates include a consultant pharmacist, a law firm, and record storage companies such as Iron Mountain. Prior to disclosing PHI to a Business Associate, the Covered Entity must have a signed written agreement with the Business Associate that requires the BA to safeguard the PHI that will be disclosed to or used by the Business Associate.
Slide 12: What is Protected Health Information (PHI)?
- Individually identifiable health information
  - that relates to an individual’s past, present or future health care, or
  - that relates to health care services provided to the patient, or
  - that relates to payment for care
- Created or received by a Covered Entity or Business Associate
- In any form: paper, electronic or oral

Notes: Protected health information, or PHI, is identifiable patient information that either identifies the individual or could identify the individual; that relates to the patient’s past, present or future health, or to the health care services provided to the patient, or to the payment for the health care; and that is created or received by a Covered Entity or Business Associate. PHI can be in any form: paper, oral or electronic. Electronic PHI is covered under the Security Rule.
Slide 13: Individual Identifiers of PHI
- Name
- Address
- Telephone number
- Finger or voice prints
- Social security number
- Vehicle/device serial number
- Health plan number
- Certificate/license number
- Account number
- Names of relatives
- Names of employers
- Fax number
- Birth date, admission and discharge dates
- Photographic images/X-rays
- Medical record number
- IP address, web URL

Notes: If health information contains one or more of these identifiers, it becomes protected health information because the individual is or could be identified. Some of these identifiers are more sensitive than others. For example, if an individual’s social security number is wrongfully disclosed, it creates a greater risk of harm than a fax number, but both of these incidents could potentially create a breach. The point here is: be careful when any of these identifiers are included in what you are working with, as they can create PHI that must be safeguarded.
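As an added example, not part of the training deck or any vendor's product, the following scanner looks for several of the identifiers listed on this slide in a constructed, entirely made-up fax cover text, decides whether the combination with health information makes it PHI, and redacts the identifiers so an incident can be reported without re-disclosing them. The regular expressions assume US-style number formats and are assumptions made for this example.

```python
import re

# Regular expressions for a subset of the identifiers on the slide. The formats
# are assumptions made for this example (US-style numbers); tune them to the
# document formats actually in use before relying on them.
IDENTIFIER_PATTERNS = {
    "social security number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "telephone or fax number": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "date (birth, admission or discharge)": re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{4}(?!\d)"),
    "medical record number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "IP address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "web URL": re.compile(r"https?://\S+"),
}

# Words suggesting the text is health information; with an identifier present,
# the slide's definition says the combination is PHI.
HEALTH_TERMS = ("diagnosis", "lab result", "medication", "treatment", "admitted", "discharge")

# Constructed sample, not a real fax; every value below is made up.
SAMPLE_FAX = """FAX COVER - Lab results for resident J. Doe
DOB 04/12/1950, MRN 0048213, SSN 123-45-6789
Call back: (502) 555-0147  Portal: https://example.invalid/results
Sent from workstation 10.0.12.7"""


def find_identifiers(text):
    """Return (label, matched text) for every identifier pattern hit."""
    return [(label, m.group())
            for label, pattern in IDENTIFIER_PATTERNS.items()
            for m in pattern.finditer(text)]


def classify(text):
    """PHI = health information plus at least one identifier (slide definition)."""
    ids = find_identifiers(text)
    lower = text.lower()
    if ids and any(term in lower for term in HEALTH_TERMS):
        return "PHI"
    return "identifiers only" if ids else "no identifiers"


def redact(text):
    """Replace each identifier with its label, e.g. for a safe incident ticket."""
    for label, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub("[" + label + "]", text)
    return text


if __name__ == "__main__":
    print(classify(SAMPLE_FAX))
    for label, value in find_identifiers(SAMPLE_FAX):
        print(f"  {label}: {value}")
    print(redact(SAMPLE_FAX))
```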
Slide 14: Notice of Privacy Practices (NPP)
- The Notice of Privacy Practices (NPP) describes how PHI may be used and disclosed by a Covered Entity.
- The NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity.
- The NPP for health care providers must be:
  - Distributed at the first instance of service,
  - Posted at the service site,
  - Posted on the website if one exists.
- All employees should be aware of the NPP.

Notes: The Notice of Privacy Practices explains how the Covered Entity may use and disclose protected health information about an individual. A statement must be included that the Covered Entity is required by law to maintain the privacy of protected health information. It tells about the rights the individual has with respect to the information and how the individual may exercise these rights, including how the individual may complain to the Covered Entity. The NPP is distributed at the first instance of service and is posted on site and on the website if one exists. Employees should read and understand the Notice.
Slide 15: When does HIPAA allow use or disclosure of PHI?
- Permitted by law
  - Treatment
  - Payment
  - Health Care Operations
  - Public interest and public benefit
- Permission by the resident/patient
  - Authorization

Notes: One of the major purposes of HIPAA is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by a Covered Entity or Business Associate. By law, PHI can be used or disclosed for treatment, payment and health care operations purposes, also known as TPO. This means disclosing to a health care provider involved in a patient’s treatment is okay, and so is disclosing information to a health insurance plan for payment. Health care operations are activities such as quality assessment and improvement activities, or conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs. Examples of PHI used and disclosed for the public interest or public benefit are: (a) for national security reasons, (b) abuse reporting, (c) pursuant to court orders. The other key that always unlocks PHI is an authorization by the individual.
Slide 16: Incidental Uses and Disclosures
- Incidental use or disclosure
  - Occurs as a by-product of a permissible use or disclosure using reasonable safeguards
  - Cannot be reasonably prevented
  - Must use reasonable safeguards
- Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it

Notes: We know when we can use and disclose PHI; what about incidental disclosures? An "incidental" use or disclosure occurs as a by-product of another permissible or required use or disclosure under the Privacy Rule. It is a limited disclosure that cannot reasonably be prevented. An example of this is a visitor catching a glimpse of a nursing station whiteboard as the nurse updates the information on the whiteboard. As long as the nurse used reasonable safeguards, meaning she didn’t carry the whiteboard into a public area to update it, this is an incidental disclosure rather than a breach. An incidental disclosure of confidential information can become a serious matter depending upon the information disclosed and the unauthorized person who saw the information. What if the whiteboard had information about a resident having a terminal diagnosis, and the visitor who saw the information was the resident’s daughter? What if the daughter didn’t know the diagnosis because the resident requested she not be told?
Slide 17: Accidental Uses and Disclosures
- Accidental use or disclosure
  - Potential breach
  - Attempt to retrieve it, or limit exposure or risk to the information
  - Report the incident immediately
- Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage

Notes: When an accidental use or disclosure occurs, this could be a breach. So you should try to mitigate potential harm, for example by trying to retrieve the information or by asking the person who received it to destroy it and certify that they destroyed it. You should report accidental uses and disclosures immediately so the Local Privacy Officer can analyze the facts to determine if a reportable breach occurred. An example of an accidental disclosure would be faxing PHI to the wrong fax number. If the fax goes to a garage instead of the doctor’s office, is this a problem? What if it goes to the wrong doctor? Even incidental or accidental disclosures of confidential information can be a serious matter. Always report these matters to your supervisor so the
Slide 18: Minimum Necessary
- Uses, disclosures, and requests of PHI are limited to the “minimum necessary to accomplish the intended purpose.”
- Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent.
- Minimum necessary does not apply when PHI is used or disclosed:
  - For treatment purposes,
  - To the individual,
  - When you obtained an authorization,
  - When required by law.

Notes: An important principle of HIPAA is the minimum necessary requirement. This means you use or disclose the smallest amount of PHI necessary to complete the job. An example of minimum necessary: an insurance company requests a patient’s medical record for billing purposes. You don’t send the entire record; you send only the information pertaining to a specific bill. Minimum necessary does not apply when dealing with uses and disclosures for treatment, to the individual, when you have an authorization, and when required by law.
Slide 19: Need to know
- Determine the information you need to know to do your job
- Access information only if you have a need to know it
- Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit.

Notes: Another principle of HIPAA is the need-to-know concept. Employees must access information only when they have a need to know it. This usually comes up in the context of employees looking at the records of famous people when they have no need to know this information. An example of need to know: a nurse needs access to PHI to provide care for patients on his/her unit. However, the nurse does not need to have access to PHI for those patients who are not on his/her unit.
Slide 20: Patient Rights
- Receive a Notice of Privacy Practices
- Right to Access
- Right to an Accounting of Disclosures
- Restriction of Use of PHI
- Confidential Communications
- Request Amendment
- File Complaint (Covered Entity and Office of Civil Rights)

Notes: HIPAA affords individuals certain rights under the law. Those rights include: the right to receive a notice of privacy practices; the right to access his/her medical record; the right to request an accounting of disclosures; the right to restrict use of his/her record; the right to request confidential communication; the right to request an amendment to his/her medical record; and the right to file a complaint with the organization or the Office of Civil Rights.
Slide 21: What would you do?
- Scenario #1: A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public.
- Scenario #2: A professionally dressed visitor walks into the nurses’ station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record.
- Scenario #3: You notice a list of names and current medications in the trash can.

Notes:
Scenario #1: Is this a problem if the MAR sheet is left in the open for anyone to view? What should you do? You should cover the MAR sheet, and the employee who did this should be re-trained.
Scenario #2: Is it inappropriate for a visitor to have access to the nurses’ station? What if they view the PHI of other residents? What is your facility’s procedure for providing medical records to individuals? Who determines if the person has a legitimate consent from the resident or health care surrogate? You should ask the visitor to leave the area of the nurses’ station that contains the protected health information of other residents. You can inform her that it is against the HIPAA rules for her to see PHI of other residents. As far as the visitor having access to a medical record, follow your facility’s procedure. Do not release information until you know it is okay to do so.
Scenario #3: Should you remove the list from the trash? What about notifying your supervisor? Yes, you should remove the list from the trash and shred it. You should also report the incident to your supervisor. Even if the incident is not a breach, the Local Privacy Officer will determine what steps should be taken to prevent it from happening again.
Slide 22: Disclosures that must be tracked
- Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request.
- The following disclosures need to be tracked:
  - Required by law (e.g. reports of abuse to a public health authority)
  - Required for public health activities (e.g. reporting of disease)
  - For health oversight activities (e.g. audits by an oversight agency)
  - Reports of abuse (e.g. to the police, medical staff)
  - For law enforcement purposes (e.g. to identify the perpetrator of a crime)
  - To the coroner (e.g. for identifying a deceased person)
  - To avert a threat of serious injury (e.g. disclosure to a person who can prevent the threat, or to law enforcement)
  - Unlawful or unauthorized disclosure (e.g. inadvertent disclosures)

Notes: As mentioned on the previous slide, the HIPAA Privacy Rule provides an individual with the right to receive a listing, known as an accounting of disclosures, that provides information about when a Covered Entity discloses the individual’s information to others. The disclosures to be tracked include those required by law, to law enforcement, or to a coroner, to name a few. Depending upon the circumstances, an inadvertent disclosure may also need to be tracked. This reinforces the need to protect health information in day-to-day work activities. The point here is: report to your supervisor if you think PHI was used or disclosed in a manner other than for treatment or payment or with an authorization, so that a determination can be made as to what needs to be tracked on an accounting.
Slide 24: What is a breach?
- An impermissible use or disclosure that compromises the security or privacy of the PHI.
- A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised, based on a risk assessment.

Notes: When PHI is used or disclosed in a manner that violates HIPAA, a breach may have occurred. HIPAA states that a breach is presumed to have occurred unless the Covered Entity or Business Associate can demonstrate there was a low probability the PHI was compromised, based on a risk assessment.
Slide 25: Examples of Possible Breaches
- Throwing PHI in the trash or dumpster (without being shredded);
- Sharing PHI with those who do not have a need to know;
- Posting another person’s PHI on your Facebook page;
- Faxing a document containing PHI to the wrong fax number;
- PHI that has been lost or stolen.

Notes: These are some examples of possible breaches. Throwing PHI in the trash or dumpster is a breach unless the information is shredded in a manner that leaves it unreadable, meaning you can’t put the pieces of paper together to read it. Sharing PHI with someone who doesn’t have a need to know is a breach. Posting someone’s PHI on your Facebook page is a breach. Faxing PHI to the wrong fax number could be a breach. And finally, if PHI is lost or stolen, it could be a breach depending upon the facts of the incident.
Slide 26: What if a breach occurred?
- Report incidents to your supervisor as soon as they occur or are discovered
- The LPO investigates to determine if the incident is a breach

Notes: Incidents that are potential breaches must be reported to your supervisor as soon as they occur or are discovered. The facts of an incident will be evaluated by the Local Privacy Officer to determine if the inappropriate use or disclosure compromises the security or privacy of the PHI, meaning that a breach occurred.
Slide 27: Breach Notification
- A breach requires notification within a required time from the date the breach was discovered or should have been discovered:
  - Individual: within 60 days
  - HHS – OCR: within 60 days if > 500 individuals involved
  - HHS – OCR: annually, within 60 days of the end of the calendar year, if < 500 individuals
  - Media: within 60 days if more than 500 individuals involved

Notes: When there is a breach, notification must be provided in accordance with the HIPAA requirements: within 60 days to the individual; within 60 days to OCR if more than 500 individuals are involved; annually to OCR if fewer than 500 individuals are involved; and to a prominent media outlet if more than 500 individuals are involved.
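The notification rules on this slide turn into a small decision procedure; the following is an added example, not Elmcroft's process or any product's code, that derives each recipient's deadline from the discovery date and the number of individuals involved and then lists which notices are overdue. It follows the slide's wording literally ("more than 500" triggers the 60-day OCR and media notices; anything else goes on the annual report), and the threshold comparison is the one assumption to check against the regulation text before use.

```python
from datetime import date, timedelta

NOTIFICATION_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500   # slide wording: "more than 500 individuals" (assumption: strict >)


def notification_plan(discovered_on, affected):
    """Map each recipient the slide names to its deadline, as ISO date strings.

    discovered_on: ISO date the breach was discovered or should have been discovered.
    affected: number of individuals whose PHI was involved.
    """
    if affected < 1:
        raise ValueError("no affected individuals: nothing to notify")
    discovered = date.fromisoformat(discovered_on)
    prompt_deadline = discovered + NOTIFICATION_WINDOW

    plan = {"individuals": prompt_deadline}        # always within 60 days
    if affected > LARGE_BREACH_THRESHOLD:
        plan["HHS-OCR"] = prompt_deadline          # 60 days, same as the individuals
        plan["media"] = prompt_deadline            # prominent media outlet, 60 days
    else:
        # Smaller breaches are logged and reported to OCR annually, within
        # 60 days of the end of the calendar year in which they were discovered.
        year_end = date(discovered.year, 12, 31)
        plan["HHS-OCR"] = year_end + NOTIFICATION_WINDOW
    return {who: when.isoformat() for who, when in plan.items()}


def overdue_notifications(plan, today):
    """Recipients whose deadline in `plan` has already passed on `today` (ISO date)."""
    current = date.fromisoformat(today)
    return sorted(who for who, when in plan.items()
                  if date.fromisoformat(when) < current)


if __name__ == "__main__":
    # Constructed scenario: a binder with 1,200 residents' PHI reported missing on 10 March 2014
    plan = notification_plan("2014-03-10", 1200)
    for who, when in plan.items():
        print(f"{who}: notify by {when}")
    print("overdue on 2014-05-10:", overdue_notifications(plan, "2014-05-10"))
```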
Slide 28: OCR Audits / Investigations
- Permanent audits in planning stage
- Complaints can trigger an investigation
- A breach can trigger an investigation

Notes: The Department of Health and Human Services, Office of Civil Rights, or OCR, is the agency that enforces HIPAA. OCR is preparing for a permanent audit program anticipated to start during 2014. When OCR’s audit program becomes permanent, the program will look at the level of compliance at both Covered Entities and their Business Associates. OCR can also conduct an audit based on complaints it receives or if it is investigating a breach.
Slide 29: Penalties for Non-Compliance
- An individual can be responsible, not just the Covered Entity or Business Associate
- Civil Money Penalties:
  - Violation, but you did not know or could not have known: $100 per violation, with an annual maximum of $25,000 for repeat violations
  - Violation due to reasonable cause and not due to willful neglect: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  - Violation due to willful neglect but corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  - Violation due to willful neglect and not corrected: $50,000 per violation, with an annual maximum of $1.5 million

Notes: Failure to comply with HIPAA can result in civil and criminal penalties. The amount of the penalty is based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. You will notice there are different standards and penalties. The lowest threshold is if you did not know, or could not have known by exercising reasonable diligence, that HIPAA was violated: the penalty is $100 per violation, up to an annual maximum of $25,000 for repeat violations. For a cause not due to willful neglect, $1,000 per violation, up to $100,000 annually. For a violation due to willful neglect but corrected within the required time period, $10,000 per violation and $250,000 annually for repeat violations. For willful neglect not corrected, $50,000 per violation with an annual maximum of $1.5 million.
Slide 30: Penalties, cont.
- Criminal Penalties:
  - Knowingly committed the offence: up to $50,000.00 and up to one year in prison
  - Committed under false pretenses: $100,000 and up to five years in prison
  - Committed for financial gain or malicious harm: $250,000 and up to ten years in prison

Notes: For criminal penalties, a monetary payment can be involved as well as a prison sentence. The penalties vary according to whether the crime was committed “knowingly”, “under false pretenses”, or for “financial gain or malicious harm”.
Slide 31: Headlines, Reported Breaches
- Southwest General Health Center
  - Notified 480 patients that a binder containing their personal and health information had gone missing
- Phoenix Cardiac Surgery
  - Appointments were available to the public on an internet-based calendar
  - Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard the PHI of its patients
- Nursing assistant in Florida sentenced for HIPAA crime
  - Former nursing assistant of an assisted living facility in Florida sentenced to 3 years in prison for stealing and selling patient information
  - Ordered to pay $12,000 in penalties
- UCLA School of Medicine
  - Researcher was terminated and in retaliation accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times
  - Sentenced to 4 years in prison

Notes: There are frequent headlines about breaches. Here are a few. Southwest General notified 480 patients that a binder was missing from their facility that contained their PHI, including names, medical record numbers, dates of birth and clinical information. Phoenix Cardiac Surgery was extensively investigated by OCR after it received a complaint that appointments were available to the public on an internet-based calendar. They paid $100,000 to settle claims that they failed to implement safeguards to protect HIPAA information and to implement HIPAA policies and procedures. The next case is about a crime that is happening more frequently. Allegedly, individuals work at a hospital or facility for a couple of weeks with the sole purpose of stealing PHI. This case involved a 24-year-old nursing assistant who pleaded guilty to conspiring to defraud the government and wrongfully disclosing HIPAA information. The nursing assistant stole patient information from an assisted living facility and a hospital and sold it to undercover law enforcement officers. A trash barrel was allegedly filled with the data. Prosecutors said little money was made off the scheme. She was sentenced to 3 years in prison and ordered to pay $12,000 in penalties. The final incident involves a researcher at the UCLA School of Medicine who received a notice of termination and, in retaliation, accessed the medical records of his superior, his co-workers, and many celebrity patients, a total of 323 times. The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule.
Slide 32: General Safeguards
- Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data
  - When you talk about it
  - When you fax it
  - When you store it
  - When you use it
  - When you disclose it
  - When you dispose of it
- Remember minimum necessary: access only the amount of PHI necessary to do your job, and only when you have a need to know

Notes: You are entrusted with residents’ highly confidential and protected information and data. The information can be medical, financial or other data. The point here is: you have a responsibility to protect it and keep it confidential when you talk about it, fax it, store it, use it, disclose it or dispose of it. Access the minimum amount of PHI necessary to do your job, and only when you have a need to know.
Slide 33: General Safeguards, cont.
- Confidential verbal conversations should be conducted away from others who do not have a need to know.
- Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so.
- Documents containing PHI should not be left in open areas or on desks where they can easily be seen or stolen by passersby.

Notes: Hold verbal conversations in private. Do not discuss a resident’s condition in front of another resident’s family. Do not use or disclose PHI for personal purposes, or allow others to do it. If you walk away from your desk, do not leave documents containing PHI where they could easily be viewed or stolen.
Slide 34: General Safeguards, cont.
- Dispose of resident information by shredding or by storing it in locked containers for destruction. Do not throw it in the trash!
- Keep information you hear about a resident to yourself. Share only with those who have a need to know.
- Use reasonable safeguards to keep resident information from being accessible to others who do not have a need to know.
- Be aware of the PHI on your computer screen and use reasonable safeguards so visitors cannot view it.
- Report any fraudulent attempts to obtain PHI.

Notes: Do not throw PHI in the trash or dumpster.
Slide 35: General Safeguards, cont.
- Notify security if you see an unescorted visitor in a private area.
- Computer screens where PHI is viewed should be turned away from the view of visitors.
- Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.
Slide 36: HIPAA Security Rule
- The Security Rule defines how to protect protected health information in electronic form, called ePHI
Slide 38: HIPAA: Security Rule
- Four Requirements of Security:
  - Ensures confidentiality, integrity, and availability of electronic PHI.
  - Protects against possible threats and hazards to the information: hackers, viruses, natural disasters or system failures.
  - Protects against unauthorized uses or disclosures.
  - Ensures compliance by the workforce through security regulations and policies/procedures.
- Three Components of Security:
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
Slide 39: HIPAA: Security Rule
- Administrative Safeguards:
  - Documentation kept for 6 years.
  - Internal system audits minimize security violations: logins, file accesses, and/or security incidents.
  - Information access management:
    - Access to PHI is based on what is needed to perform the job.
    - Once computer access is requested, it will take hours to implement due to the complexity of the security system.
  - Security awareness and training:
    - Security updates, incident reporting, log-in, and password management.
  - Security incidents will be reported if suspected or if there is an actual breach:
    - Name and phone number of the person reporting the incident
    - Date and time the incident was discovered
    - Observed behaviors that led to the incident being suspected
    - Any unusual circumstances surrounding the event
Slide 40: HIPAA: Security Rule
- Physical Safeguards:
  - Safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
  - Workstations positioned so monitor screens and keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable.
  - Physical access to the server room limited to key personnel.
  - Workstation use and security:
    - Log on as yourself. Log off prior to leaving the workstation.
    - Inspect the last logon information; report any discrepancies.
    - Comply with all applicable password policies and procedures.
    - Close files not in use.
Slide 41: HIPAA: Security Rule
- Technical Safeguards:
  - Access controls: the user’s initial password is for one-time use, allowing the individual to choose their own unique password for future access.
  - User passwords are reset every 180 days.
  - All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters).
  - Passwords cannot be reused until after three (3) different generations have been used.
  - Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for thirty (30) minutes and then reset.
  - Computer desktops automatically lock after 17 minutes of inactivity.
  - Citrix sessions automatically close after 30 minutes of inactivity.
  - CareVoyant sessions automatically close at different intervals depending on the place within the program.
  - CareTracker sessions automatically close at different intervals depending on the place within the program.
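To show how the password and lockout parameters on this slide fit together, here is an added example, not Elmcroft's, Citrix's or any vendor's code, that enforces them for one account: a one-time initial password, eight-character complexity, no reuse within three generations, a 180-day lifetime, and a 30-minute lockout after six failures. It assumes the complexity rule means "at least eight characters containing both letters and digits", and it stores only salted PBKDF2 hashes so the reuse history never holds plaintext passwords.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Parameters from the slide. The complexity rule is read as "at least eight
# characters, containing both letters and digits" (assumption for this example).
MIN_LENGTH = 8
HISTORY_GENERATIONS = 3          # a password may return only after 3 different ones
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_PERIOD = timedelta(minutes=30)
PASSWORD_LIFETIME = timedelta(days=180)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the stored history never holds plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password):
    """At least MIN_LENGTH characters with at least one letter and one digit."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class Account:
    """One user account enforcing the slide's password and lockout rules."""

    def __init__(self, initial_password, now):
        self.history = []        # (salt, digest) pairs, oldest first; current password last
        self.failed_attempts = 0
        self.locked_until = None
        self.must_change = True  # the initial password is one-time use
        self.changed_at = now
        self._store(initial_password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_GENERATIONS:]   # keep the last three generations
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def password_expired(self, now):
        return now - self.changed_at >= PASSWORD_LIFETIME

    def change_password(self, new_password, now):
        if not meets_complexity(new_password):
            return "rejected: complexity"
        if any(self._matches(new_password, entry) for entry in self.history):
            return "rejected: reuse"      # still within the last three generations
        self._store(new_password, now)
        self.must_change = False
        return "changed"

    def authenticate(self, password, now):
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None      # lockout elapsed: the counter resets
            self.failed_attempts = 0
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_PERIOD
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.must_change or self.password_expired(now):
            return "change-required"
        return "ok"


def demo():
    """Walk one constructed account through the rules; returns the outcomes in order."""
    t0 = datetime(2014, 1, 1, 9, 0)
    acct = Account("Temp1234", t0)
    events = [
        acct.authenticate("Temp1234", t0),        # initial password: change-required
        acct.change_password("short1", t0),       # rejected: complexity
        acct.change_password("Temp1234", t0),     # rejected: reuse
        acct.change_password("Winter2014", t0),   # changed
        acct.authenticate("Winter2014", t0),      # ok
    ]
    events += [acct.authenticate("wrong", t0) for _ in range(6)]   # 5 denied, then locked
    events += [
        acct.authenticate("Winter2014", t0 + timedelta(minutes=10)),  # still locked
        acct.authenticate("Winter2014", t0 + timedelta(minutes=31)),  # lockout over: ok
        acct.authenticate("Winter2014", t0 + timedelta(days=180)),    # expired: change-required
        acct.change_password("Spring2014", t0),
        acct.change_password("Summer2014", t0),
        acct.change_password("Temp1234", t0),     # three generations later: allowed
    ]
    return events


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```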
Slide 42: HIPAA Security Officer
- Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data, and protects against reasonably anticipated threats and hazards.
- Oversees and/or performs on-going security monitoring of organization information systems.
- Ensures compliance through adequate training programs and periodic security audits.
- Ensures security standards comply with statutory and regulatory requirements.
- Maintains HIPAA security policies and procedures.
43 Who is responsible for HIPAA? EVERYONE at Elmcroft:
- Support Center Staff:
- IT Staff: implement safeguards for the computer systems.
- Local Privacy Officer:
- Clinical Staff and Physicians: create and access the majority of resident information.
- Managers and Supervisors: develop and implement policies and procedures that relate to security and ensure their staff are trained properly.
- Clerical Staff: create and access resident information.
- Volunteers: have access to resident information in various settings.
- Vendors and Contractors: may have access to resident information.
44 Tips for HIPAA Security Compliance
- Log on and off the network appropriately.
- Never let others use your ID or work under your ID.
- Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media.
- E-mail may be, but is not always, a secure form of data transmission. Do NOT e-mail PHI unless using encrypted means.
- Use caution in opening files from unknown sources.
- Do NOT access non-permitted information or give non-permitted information to unauthorized employees.
- Be aware of, and report, security threats to the Security Officer.
45 Tips for HIPAA Security Compliance
- Passwords must be treated as sensitive and confidential information.
- Never share your password with anyone for any reason.
- Passwords should not be written down, stored electronically, or published.
- Good password practices:
  - Private: tell no one your password
  - Secret: never write your password down
46 Tips for HIPAA Security Compliance
- Be sure to change initial passwords, password resets and default passwords the first time you log in.
- Use different passwords for your different accounts.
- Create passwords that are not common, avoid common keyboard sequences, and do not contain personal information, such as pets, birthdays or kids' names.
- Good password techniques:
  - Easily remembered: use something you know well, then change it slightly
  - Secure: use a combination of letters, numbers and symbols
  - Change your password at least every three months
  - Watch for shoulder surfers or other physical techniques to gain your password
47 Tips for HIPAA Security Compliance
- Protect sensitive information on lists and reports with social security numbers (SSNs).
- Limit access to lists and reports with SSNs to those who specifically need SSNs for official business.
- Never store SSNs or use lists with SSNs on laptops or home computers.
- Save and store sensitive information only on Elmcroft servers managed by IT staff.
48 Tips for HIPAA Security Compliance
- Never copy sensitive data to CDs, disks, or portable storage devices.
- Do not store lists with sensitive information on the Web (Dropbox, Google+, etc.).
- Lock printed materials with sensitive data in drawers or cabinets when you leave at night.
- When done with printed sensitive material, shred it.
49 Tips for HIPAA Security Compliance
- Remove sensitive materials from the printer right away.
- If there is a problem with the printer, turn the printer off to remove sensitive material from the printer's memory.
- Personally deliver sensitive materials to the recipient or distribute information electronically using the system.
- Arrange for shared electronic files that require a user ID and password.
50 What do we do?
- Complete initial and annual HIPAA training
- Read the Notice of Privacy Practices (NPP)
- Understand how HIPAA regulations impact your job function and responsibility
- Check with your supervisor if you are uncertain
- Ask for additional training if required
It is our responsibility to ensure confidentiality of our residents' health information. To comply with HIPAA, training is required, and we should ask if we need additional HIPAA training. Reading the Notice of Privacy Practices will provide an understanding of the requirements. Understanding how HIPAA impacts your job function is critical, and when in doubt, ask your supervisor. We must take seriously our responsibility in protecting resident health information.
51 What happens at work, stays at work!
General Rule for HIPAA: What happens at work, stays at work!
OR... What happens at work, stays at work.
53 Resources
Your Local Privacy/Security Officer (Administrator/Executive Director)

Susan Dawson, Privacy Officer
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office:

Bob Dooley, VP Information Systems
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: