Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Privacy & Security Training Module

Similar presentations

Presentation on theme: "HIPAA Privacy & Security Training Module"— Presentation transcript:

1 HIPAA Privacy & Security Training Module

2 What we want to accomplish
Understand HIPAA Privacy Rule Understand who it applies to Discuss PHI Define PHI Identify how and when it is used and disclosed Identify the right amount of PHI to use or disclose Talk about patient rights under HIPAA Understand a breach Review responsibilities and safeguards This training covers HIPAA and what is required to comply with the Privacy Rule and who it applies to. We define protected health information and how to appropriately use and disclose it. You will learn about the rights that individuals have concerning their protected health information. You will learn what to do if protected health information is breached, which means used or disclosed in a way that violates the HIPAA rules. The most important point is to understand how HIPAA applies to you and your work responsibilities.

3 What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Federal law Comprised of Five Sections Administrative Simplification Electronic Transactions and Code Sets Rule Privacy Rule Security Rule HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law that was passed in It is comprised of five sections. One of the sections, Title II, is known as the Administrative Simplification provisions. This section contains the Electronic Transactions and Code Sets Rule, the Privacy Rule, the Security Rule. The Electronic Transactions and Code Sets Rule provides for standards for the electronic exchange of health information, for example, when a health care provider sends a claim to a health plan to request payment for medical services using medical diagnosis or procedure codes.

4 Privacy Rule v. Security Rule
Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information Security Rule defines how to protect protected health information in electronic form, called ePHI The Privacy Rule defines what information is considered protected health information and outlines the rights that individuals have with respect to controlling their own protected health information. The requirements under the Security Rule are to ensure the confidentiality, integrity and availability of the ePHI, protected health information in electronic form so that ePHI is not disclosed to unauthorized persons, or altered or destroyed in an unauthorized manner.

The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered: HIPAA PRIVACY HIPAA SECURITY Protected Health Information Minimum Necessary Patient Rights Notice of Privacy Practices Privacy Policies Privacy Officer Reporting Privacy Concerns Electronic Protected Health Information User Identity Password Management Appropriate Use of Computing Devices Security Policies Security Officer Reporting Security Concerns


7 HIPPA Privacy Officer Maintains appropriate measures to guard against unauthorized access to PHI. Ensures compliance through adequate training programs and periodic audits. Maintains HIPAA policies and procedures.

8 Don’t forget about state law!
Other important rules HITECH Act of 2009 – Health Information Technology for Economic and Clinical Health Act Breach Notification Rule HIPAA Omnibus Rule Changed the Breach Notification Rule Don’t forget about state law! Since the passage of HIPAA, other rules have been enacted that add more requirements. One of these rules is HITECH, the Health Information Technology for Economic and Clinical Health Act, which includes the breach notification rule. The rule mandates steps that must be taken by a Covered Entity or Business Associate when a breach of protected health information occurs, including notification to the individual. HITECH also strengthened the civil and criminal penalties for violating the HIPAA rules. The HIPAA Omnibus Rule was passed in January of 2013 and it changed some of the breach notification rules and increased enforcement penalties. It is also important to mention state privacy and breach laws. Most states have adopted laws to protect an individual’s personal and private information and some of these laws may be more stringent than the federal HIPAA rules.

9 What is the Privacy Rule?
Personal health information must be safeguarded by organizations and the individuals who work there Patients have rights to gain access to their medical records and restrict who sees their health information Organizations must train their workforce on the privacy requirements Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed Punishes individuals and organizations that fail to keep patient information confidential The Privacy Rule went into effect on April 14, It mandates the protection of private health information, it gives individuals certain rights regarding getting access to their medical records, and restricts who can see their health information. The Privacy Rule requires organizations to train employees so they understand the privacy procedures. It requires the appointment of someone who is responsible for making sure that policies are adopted and followed. At the facility, the Administrator or Executive Director is the Local Privacy Officer. Finally, the Privacy Rule provides for punishment of individuals and organizations that fail to comply with HIPAA’s Privacy Rule.

10 Healthcare Clearinghouses
Who is Covered? Health Plans Healthcare Clearinghouses Healthcare Providers that conduct standard transactions in electronic form that involve PHI Known as “Covered Entities” Organizations that must comply with the Privacy Rule are known as Covered Entities. Covered entities include health insurance plans, such as Humana and Anthem. Also healthcare clearinghouses. Clearinghouses are companies that turn nonstandard formats into standard transaction formats that meet HIPAA requirements and vice-versa, such as Zir Med. HIPAA also applies to health care providers, such as skilled nursing providers and assisted living providers that meet the standards of HIPAA.

11 Business Associates (BA)
Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI) Law firm Pharmacist consultant Medical Director Record Storage Company Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA Like a Covered Entity, HIPAA applies to Business Associates. A Business Associate is an individual or company that performs duties or functions for a Covered Entity that involves having access to protected health information held by the Covered Entity. Examples of Business Associates include a consultant pharmacist or a law firm. And record storage companies, such as Iron Mountain. Prior to disclosing PHI to a Business Associate, the Covered Entity must have a signed written agreement with the Business Associate that requires the BA to safeguard the PHI that will be disclosed to or used by the Business Associate.

12 What is Protected Health Information (PHI)?
Individually identifiable health information That relates to an individual’s past, present or future health care, or That relates to health care services provided to the patient, or That relates to payment for care Created or received by a Covered Entity or Business Associate In any form: paper, electronic or oral Protected health information, or PHI, is: identifiable patient information that either identifies the individual or could identify the individual, that relates to the patient’s past, present or future health, or that relates to the health care services provided to the patient, or that relates to the payment for the health care. created or received by a Covered Entity or Business Associate, PHI can be in any form: paper, oral or electronic. Electronic PHI is covered under the Security Rule.

13 Individual Identifiers of PHI
Name Address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No. Account Number Names of relatives Names of employers Fax number Birth date/admission & discharge dates Photographic images/X-rays Medical record number Account Number , IP address, web URL If health information contains one or more of these identifiers, it creates protected health information because the individual is or could be identified. Some of these identifiers are more sensitive than others. For example, if an individual’s social security number is wrongfully disclosed, it creates a greater risk of harm than a fax number. But both of these incidents could potentially create a breach. The point here is, be careful when any of these identifiers are included on what your are working with as they can create PHI that must be safeguarded.

14 Notice of Privacy Practices (NPP)
Notice of Privacy Practice (NPP) describes how PHI may be used and disclosed by a Covered Entity. NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity. NPP for health care providers must be: Distributed at the first instance of service, Posted at the service site, Posted on the website if one exists. All employees should be aware of the NPP. The Notice of Privacy Practices explains how the Covered Entity may use and disclose protected health information about an individual. A statement must be included that the Covered Entity is required by law to maintain the privacy of protected health information. It tells about the rights the individual has with respect to the information and how the individual may exercise these rights, including how the individual may complain to the Covered Entity. The NPP is distributed at the first instance of service and is posted on site and on the website if one exists. Employees should read and understand the Notice.

15 When does HIPAA allow use or disclosure of PHI?
Permitted by law Treatment Payment Health Care Operations Public interest and public benefit Permission by the resident/patient Authorization One of the major purposes of HIPAA is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by a Covered Entity or Business Associate. By law, PHI can be used or disclosed for treatment, payment and health care operations purposes. This is also known as TPO. This means disclosing to a health care provider involved in a patient’s treatment is okay and so is disclosing information to a health insurance plan for payment. Health care operations are activities such as: quality assessment and improvement activities, or conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs. Examples of PHI used and disclosed for the public interest or public benefit are: (a) for national security reasons, (b) abuse reporting, (c) pursuant to court orders. The other key that always unlocks PHI is an authorization by the individual.

16 Incidental Uses and Disclosures
Incidental use or disclosure Occurs as a by-product of a permissible use or disclosure using reasonable safeguards Cannot be reasonably prevented Must use reasonable safeguards Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it We know when we can use and disclose PHI, what about an incidental disclosures. An "incidental" use and disclosure occurs as a by-product of another permissible or required use or disclosure under the Privacy Rule. It is a limited disclosure that cannot reasonably be prevented. An example of this is: a visitor catches a glimpse of a nursing station whiteboard as the nurse updates the information on the whiteboard. As long as the nurse used reasonable safeguards, meaning she didn’t carry the whiteboard into a public area to update it, this is an incidental disclosure rather than a breach. An incidental disclosure of confidential information can become a serious matter depending upon the information disclosed and the unauthorized person who saw the information. What if the white board had information about a resident having a terminal diagnosis and the visitor who saw the information was the resident’s daughter. What if the daughter didn’t know the diagnosis because the resident requested she not be told?

17 Accidental Uses and Disclosures
Accidental use or disclosure Potential breach Attempt to retrieve it, or limit exposure or risk to the information Report the incident immediately Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage When an accidental use or disclosure occurs, this could be a breach. So you should try to mitigate potential harm, for example, by trying to retrieve the information or by asking the person who received it to destroy it and certify they destroyed it. You should be reporting accidental uses and disclosures immediately so the Local Privacy Officer can analyze the facts to determine if a reportable breach occurred. An example of an accidental disclosure would be faxing PHI to the wrong fax number. If the fax goes to a garage instead of the doctor office, is this a problem? What if it goes to the wrong doctor? Even incidental or accidental disclosures of confidential information can be a serious matter. Always report these matters to your supervisor so the

18 Minimum necessary does not apply when PHI is used or disclosed:
Uses, disclosures, and requests of PHI limited to the “minimum necessary to accomplish the intended purpose.” Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent. Minimum necessary does not apply when PHI is used or disclosed: For treatment purposes, To the individual, When you obtained an authorization, When required by law. An important principle of HIPAA is the minimum necessary requirement. This means you use or disclose the smallest amount of PHI necessary to complete the job. An example of minimum necessary is: an insurance company requests a patient’s medical record for billing purposes. You don’t send the entire record, you send only the information pertaining to a specific bill. Minimum necessary does not apply when dealing with uses and disclosure for treatment, to the individual, when you have an authorization, and when required by law.

19 Need to know Determine the information you need to know to do your job
Access information only if you have a need to know it Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit. Another principle of HIPAA is the need to know concept. Employees must access information only when they have a need to know it. This usually comes up in the context of employees looking at the records of famous people when they have no need to know this information. An example of need to know is: a nurse needs access to PHI to provide care for patients on his/her unit. However, the nurse does not need to have access to PHI for those patients who are not on his/her unit.

20 Patient Rights Receive a Notice of Privacy Practices Right to Access
Right to an Accounting of Disclosures Restriction of Use of PHI Confidential Communications Request Amendment File Complaint (Covered Entity and Office of Civil Rights) HIPAA affords individuals certain rights under the law. Those rights include: the right to receive a notice of privacy practices, right to access his/her medical record, right to request an accounting of disclosures, right to restrict use of his/her record, right to request confidential communication, right to request an amendment to his/her medical record, and the right to file a complaint with the organization or the Office of Civil Rights.

21 You notice a list of names and current medications in the trash can.
What would you do? A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public. A professionally dressed visitor walks into the nurses station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record. You notice a list of names and current medications in the trash can. Scenario #1: Is this a problem if the MAR sheet is left in the open for anyone to view? What should you do? You should cover the MAR sheet and the employee who did this should be re-trained. Scenario #2 - Is it inappropriate for a visitor to have access to the nurses station? What if they view the PHI of other residents? What is your facility’s procedure for providing medical records to individuals? Who determines if the person has a legitimate consent from the resident or health care surrogate? You should ask the visitor to leave the area of the nurses station that contains the protected health information of other residents. You can inform her that it is against the HIPAA rules for her to see PHI of other residents. As far as the visitor having access to a medical record, follow your facility’s procedure. Do not release information until you know it is okay to do so. Scenario #3 – Should you remove the list from the trash? What about notifying your supervisor? Yes, you should remove the list from the trash and shred it. You should also report the incident to your supervisor. Even if the incident is not a breach, the Local Privacy Officer will determine what steps should be taken to prevent it from happening again.

22 Disclosure that must be tracked
Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request. The following disclosures need to be tracked: Required by law (i.e. reports of abuse to a public health authority) Required for public health activities (i.e. reporting of disease) For health oversight activities (i.e. audits by an oversight agency) Reports of abuse (i.e. to the police, medical staff) For law enforcement purposes (i.e. to identify the perpetrator of a crime) To the coroner (i.e. for identifying a deceased person) To avert a threat of serious injury (i.e. disclosure to a person who can prevent the threat or to law enforcement) Unlawful or unauthorized disclosure (i.e. inadvertent disclosures) As mentioned on the previous slide, the HIPAA Privacy Rule provides an individual with the right to receive a listing, known as an accounting of disclosures, that provides information about when a Covered Entity discloses the individual's information to others. The disclosures to be tracked include those required by law, to law enforcement, or to a coroner … to name a few. Depending upon the circumstances, an inadvertent disclosure may also need to be tracked. This reinforces the need to protect health information in day-to-day work activities. The point here is, report to your supervisor if you think PHI was used or disclosed in a manner other than treatment or payment or with an authorization so that a determination can be made as to what needs to be tracked on an accounting.


24 What is a breach? An impermissible use or disclosure that compromises the security or privacy of the PHI. A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment. When PHI is used or disclosed in a manner that violates HIPAA, a breach may have occurred. HIPAA states that a breach is presumed to have occurred unless the Covered Entity or Business Associate can demonstrate there was a low probability the PHI was compromised based on a risk assessment.

25 Examples of Possible Breaches
Throwing PHI in the trash or dumpster (without being shredded); Sharing PHI with those who do not have a need to know; Posting another person’s PHI on your Facebook page; Faxing a document containing PHI to the wrong fax number; PHI that has been lost or stolen. These are some examples of possible breaches: Throwing PHI in the trash or dumpster is a breach unless the information is shredded in an manner that the information is not readable, meaning you can’t put the pieces of paper together to read it. Sharing PHI with someone who doesn’t have a need to know is a breach. Posting someone’s PHI on your Facebook page is a breach. Faxing PHI to the wrong fax number could be a breach. And finally, if PHI is lost or stolen, it could be a breach depending upon the facts of the incident.

26 What if a breach occurred?
Report incidents to your supervisor as soon as they occur or are discovered LPO investigates to determine if the incident is a breach Incidents that are potential breaches must be reported to your supervisor as soon as they occur or are discovered. The facts of an incident will be evaluated by the Local Privacy Officer to determine if the inappropriate use or disclosure compromises the security or privacy of the PHI, meaning that a breach occurred.

27 Breach Notification A breach requires notification within a required time from the date the breach was discovered or should have been discovered: Individual, within 60 days HHS – OCR, within 60 days if > 500 individuals involved HHS – OCR, annually within 60 days of the end of the calendar year if < 500 individuals Media, within 60 days if more than 500 individuals involved When there is a breach, notification must be provided in accordance with the HIPAA requirements: within 60 days to the individual; within 60 days to OCR if more than 500 individuals involved; annually to OCR if less than 500 individuals involved; to a prominent media outlet if more than 500 individuals are involved.

28 OCR Audits / Investigations
Permanent audits in planning stage Complaints can trigger an investigation A breach can trigger an investigation The Department of Health and Human Services, Office of Civil Rights, or OCR, is the agency that enforces HIPAA. OCR is preparing for a permanent audit program anticipated to start during 2014 or When OCR’s audit program becomes permanent, the program will look at the level of compliance at both Covered Entities and their Business Associates. OCR can also conduct an audit based on complaints they receive or if they are investigating a breach.

29 Penalties for Non-Compliance
Individual can be responsible, not just the Covered Entity or Business Associate Civil Money Penalties Violation but you did not know or could not have known $100 per violation with annual maximum of $25,000 for repeat violations Violation due to reasonable cause and not due to willful neglect $1,000 per violation with an annual maximum of $100,000 for repeat violations Violation due to willful neglect but corrected within required time period $10,000 per violation with annual maximum of $250,000 for repeat violations Violation due to willful neglect and not corrected $50,000 per violation with annual maximum of $1.5 million Failure to comply with HIPAA can result in civil and criminal penalties. The amount of the penalty is based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. You will notice there are different standards and penalties. The lowest threshold is if you did not know or could not have known by exercising reasonable diligence that HIPAA was violated, the penalty is $100 per violation up to an annual maximum of $25,000 for repeat violations. For a cause not due to willful neglect, $1,000 per violation up to $100,000 annually. For violation due to willful neglect but corrected within the required time period, $10,000 per violation and $250,000 annual for repeat violation. For willful neglect and not corrected, $50,000 per violation with an annual maximum of $1.5 million.

30 Penalties, cont. Criminal Penalties Knowingly committed the offence
Up to $50,000.00 Up to one year in prison Committed under false pretenses $100,000 Up to five years in prison Committed for financial gain or malicious harm $250,000 Up to ten years in prison For criminal penalties, a monetary payment can also be involved as well as a prison sentence. The penalties will vary if the crime was committed “knowingly”, or “under false pretenses”, or for “financial gain or malicious harm”.

31 Headlines, Reported Breaches
Southwest General Health Center Notified 480 patients that a binder containing their personal and health information had gone missing Phoenix Cardiac Surgery Appointments were available to the public on internet-based calendar Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard PHI of its patients Nursing Assistant in Florida sentenced for HIPAA crime Former nursing assistant of assisted living facility in sentenced to 3 years in prison for stealing and selling patient information Ordered to pay $12,000 in penalties UCLA School of Medicine Researcher terminated and in retaliation accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times Sentenced to 4 years in prison There are frequent headlines about breaches. Here are a few. Southwest General notified 480 patients that a binder was missing from their facility that contained their PHI including names, medical records numbers, dates of birth and clinical information. Phoenix Cardiac Surgery was extensively investigated by OCR after it received a compliant that appointments were available to the public on an internet-based calendar. They paid $100,000 to settle claims they failed to implement safeguards to protect HIPAA information and to implement HIPAA policies and procedures. The next case is about a crime that is happening more frequently. Allegedly, individuals work at a hospital or facility for a couple of weeks with the sole purpose of stealing PHI. This case involved a 24-year old nursing assistant who plead guilty to conspiring to defraud the government and wrongfully disclosing HIPAA information. The nursing assistant stole patient information from an assisted living facility and hospital and sold it to undercover law enforcement officers. A trash barrel was allegedly filled with the data. Prosecutors said little money was made off the scheme. She was sentenced to 3 years in prison and ordered to pay $12,000 in penalties. The final incident involves a researcher at the UCLA School of Medicine who received a notice of termination and in retaliation, he accessed the medical records of his superior, his co-workers, and many celebrity patient records, a total of 323 times. The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule. 

32 General Safeguards Protect the privacy and security of our residents’ highly confidential information: medical, financial or other data When you talk about it When you fax it When you store it When you use it When you disclose it When you dispose of it Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know You are entrusted with residents’ highly confidential and protected information and data. The information can be medical, financial or other data. The point here is, you have a responsibility to protect it and keep it confidential: when you talk about it, fax it, store it, use it, disclose it or dispose of it. Access the minimum amount of PHI necessary to do you job and only when you have a need to know.

33 General Safeguards, cont.
Confidential verbal conversations should be conducted away from others who do not have a need to know. Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so. Documents containing PHI should not be left in open areas or on desks where it can easily be seen or stolen by passerby. Hold verbal conversations in private. Do not discuss a resident’s condition in front of another resident’s family. Do not use or disclose PHI for personal purposes, or allow others to do it. If you walk away from your desk, do not leave documents containing PHI where it could easily be viewed or stolen.

34 General Safeguards, cont.
Dispose of resident information by shredding or storing in lock containers for destruction. Do not throw in the trash! Keep information you hear about a resident to yourself. Share only with those who have a need to know. Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know. Be aware of the PHI on your computer screen and use reasonable safeguards so visitors cannot view it. Report any fraudulent attempts to obtain PHI. Do not throw PHI in the trash or dumpster.

35 General Safeguards, cont.
Notify security if you see an unescorted visitor in a private area. Computer screens where PHI is viewed should be turned away from the view of visitors. Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.

36 HIPAA Security Rule Security Rule defines how to protect protected health information in electronic form, called ePHI


38 HIPAA: Security Rule Four Requirements of Security:
Ensures confidentiality, integrity, and availability of electronic PHI. Protects against possible threats and hazards to the information. Hackers, viruses, natural disasters or system failures. Protects against unauthorized uses or disclosures. Ensures compliance by the workforce through security regulations and policies/procedures. Three Components of Security: Administrative Safeguards Physical Safeguards Technical Safeguards

39 HIPAA: Security Rule Administrative Safeguards:
Documentation kept for 6 years. Internal system audits minimize security violations. Logins, file accesses, and or security incidents. Information access management: Access to PHI based on what is needed to preform the job. Once computer access is requested, it will take hours to implement due to complexity of security system. Security awareness and training: Security updates, incident reporting, log-in, and password management. Security incidents will be reported if suspected or if there is an actual breach. Name and phone number of person reporting the incident Date and time the incident was discovered Observed behaviors that led to the incident being suspected Any unusual circumstances surrounding the event

40 HIPAA: Security Rule Physical Safeguards:
Safeguard the facility and equipment, from unauthorized physical access, tampering, and theft. Workstations positioned so monitor screens/ keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable. Physical access to the server room limited to key personnel. Workstation use and security. Log on as themselves. Log off prior to leaving the workstation, Inspect the last logon information, report any discrepancies. Comply with all applicable password policies and procedures. Close files not in use.

41 HIPAA: Security Rule Technical Safeguards: Access controls:
User password setup is for one-time use initially. Allowing the individual to choose their own unique password for future access. User passwords reset every 180 days. All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters). Passwords cannot be reused until after three (3) different generations have been used. Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for (30) minutes and then reset. Computer Desktops automatically lock after 17 minutes of inactivity. Citrix sessions automatically close after 30 minutes of inactivity. CareVoyant sessions automatically close at different intervals depending on place within the program. CareTracker sessions automatically close at different intervals depending on place within the program

42 HIPPA Security Officer
Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards. Oversees and/or performs on-going security monitoring of organization information systems. Ensures compliance through adequate training programs and periodic security audits. Ensures security standards comply with statutory and regulatory requirements. Maintains HIPAA security policies and procedures.

43 Who is responsible for HIPAA?
EVERYONE at Elmcroft: Support Center Staff: IT Staff: Implement safeguards for the computer systems. Local Privacy Officer: Clinical Staff and Physicians: Create and access the majority of resident information. Managers and Supervisors: Develop and implement policies and procedures that relate to security and ensure their staff are trained properly. Clerical Staff: Create and access resident information. Volunteers: Have access to resident information in various settings Vendors and Contractors May have access to resident information

44 Tips for HIPAA Security Compliance
Log on and off the network appropriately. Never let others use your ID or work under your ID. Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media. may be, but is not always, a secure form of data transmission. Do NOT PHI unless using encrypted means. Use caution in opening files from unknown sources. Do NOT access non-permitted information or give non-permitted information to unauthorized employees. Be aware of, and report, security threats to the Security Officer.

45 Tips for HIPAA Security Compliance
Passwords must be treated as sensitive and confidential information. Never share your password with anyone for any reason. Passwords should not be written down, stored electronically, or published. Good password practices: Private: tell no one your password Secret: never write your password down

46 Tips for HIPAA Security Compliance
Be sure to change initial passwords, password resets and default passwords first time you log in. Use different passwords for your different accounts. Create passwords that are not common, avoid common keyboard sequences, do not contain personal information, such as pets, birthdays or kid’s names. Good password techniques: Easily remembered: use something you know well, then change slightly Secure with combination of letters, numbers and symbols Change your password at least every three months Watch for shoulder surfers or other physical techniques to gain password

47 Tips for HIPAA Security Compliance
Protect sensitive information on lists and reports with social security numbers (SSNs). Limit access to lists and reports with SSNs to those who specifically need SSNs for official business. Never store SSNs or use lists with SSNs on laptops or home computers. Save and store sensitive information only on Elmcroft servers managed by IT staff.

48 Tips for HIPAA Security Compliance
Never copy sensitive data to CDs, disks, or portable storage devices. Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.). Lock printed materials with sensitive data in drawers or cabinets when you leave at night. When done with printed sensitive material, shred them.

49 Tips for HIPAA Security Compliance
Remove sensitive materials from printer right away. If problem with printer, turn off printer to remove sensitive material from printer’s memory. Personally deliver sensitive materials to recipient or distribute information electronically using the system. Arrange for shared electronic files that requires user ID and password.

50 What do we do? Complete initial and annual HIPAA training
Read the Notice of Privacy Practices (NPP) Understand how HIPAA regulations impact your job function and responsibility Check with your supervisor if you are uncertain Ask for additional training if required It is our responsibility to ensure confidentiality of our residents’ health information. To comply with HIPAA, training is required and we should ask if we need additional HIPAA training. Reading the Notice of Privacy Practices will provide an understanding of the requirements. Understanding how HIPAA impacts your job function is critical and when in doubt, ask your supervisor. We must take seriously our responsibility in protecting resident health information.

51 What happens at work, stays at work!
General Rule for HIPAA What happens at work, stays at work! OR….. What happens at work, stays at work.

52 Questions

53 Resources Your Local Privacy/Security Officer (Administrator/Executive Director) Susan Dawson, Privacy Officer Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY 40223 Office:    Bob Dooley, VP Information Systems Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY 40223 Office:    Bob Dooley, VP Information Systems Elmcroft Senior Living 9510 Ormsby Station Road, Suite 101 Louisville, KY 40223 Office:   

Download ppt "HIPAA Privacy & Security Training Module"

Similar presentations

Ads by Google