HIPAA Overview.


Summary
- What is HIPAA?
- HIPAA & Patient Privacy
- Patient Privacy
- PHI at Medtronic
- What can you do?

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted August 21st, 1996. Its purpose is to assure that individuals’ health information is protected.

What is HIPAA?
HIPAA is a federal law that affects:
- The way Medtronic obtains medical information from health care providers and how we provide technical support, product safety, and quality.
- How Medtronic uses, discloses, and maintains the information.

HIPAA & Patient Privacy
So what exactly is private information? HIPAA describes it as “protected health information (PHI).” PHI is individually identifiable health information in any form, oral or written, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

HIPAA & Patient Privacy
Individually identifiable information includes:
- Names
- Location - including street address, zip code, etc.
- Dates (except year)
- Ages over 89 - including years
- Telephone numbers
- Fax numbers
- Email addresses
- SSNs
- Medical record numbers
- Health plan numbers
- Account numbers
- Certification/License numbers
- Device identifiers/serial numbers
- URLs
- IP address numbers
- Biometric identifiers
- Photographic images

HIPAA & Patient Privacy
Medtronic U.S. Patient Privacy Principles: Preservation of, and respect for, our customers’ trust is critical to our continued success. We will always treat such patient information:
- Confidentially, according to applicable laws
- Appropriately, according to the promises we make to our customers
- Respectfully, in honor of the patients’ willingness to trust us to use the sensitive information to oversee the quality, safety and effectiveness of the devices that they make part of their daily lives

PHI at Medtronic
Appropriate uses:
- Device Tracking
- Field Actions or other Quality Investigations
- Therapy and Technical Support for Patient’s Device
- Other MDT Legal Requirements
- Medtronic Operations and Audit Support
*If ever in doubt, contact the legal department.

PHI at Medtronic
Inappropriate uses:
- Marketing purposes. Privacy laws allow certain limited exceptions; approval from legal is required for any use of PHI for marketing.
- Any use or access of PHI information beyond your job function.

What can you do?
PREVENT THEFT
- Secure your laptop, PDA, and any programmers you have in your possession. Keep them with you at all times and do not leave them in cars or other locations unattended.
RESTRICT E-MAIL OF PATIENT INFORMATION
- Only use email to send patient-identifiable information if the transmission is encrypted, or within the Medtronic email network.
- If you need to communicate procedure-related information for billing purposes or limited, logistical information (appointments, mailings, etc.), do not include the patient’s SSN, use only patient initials, and do not include patient medical information such as medical condition or historical diagnosis.
- When faxing confidential information, call ahead to confirm the recipient will be standing by to receive your fax.
DON’T USE PORTABLE STORAGE
- Do not copy and store patient personal or health information on portable storage devices or public or remote computers, and do not send patient information via unencrypted email or other open networks (subject to above guidance).

What can you do?
Electronically stored PHI:
- Keep only for as long as absolutely necessary.
- Delete as soon as possible.
- Most data on MDT laptops is encrypted. Do not tamper with it!
- Use standard folders to store sensitive records (i.e. My Documents).

What can you do?
- Prominently mark confidential information as “MEDTRONIC BUSINESS CONFIDENTIAL” or “MEDTRONIC PERSONAL CONFIDENTIAL”.
- Do not produce copies of MDT Confidential information unless necessary.
- Dispose of confidential information in designated shredder bins or according to procedures outlined for your specific location or function.
- If you think you may have leaked information, contact your manager immediately to begin remediation of exposed information.
- If someone is requesting confidential information (i.e. patient records), refer them to your Compliance/Legal Department to ensure appropriate processes are followed.

What can you do?
Be aware of and comply with:
- MDT Information Risk Management Information Classification Standard. This categorizes MDT information into Personal Confidential (includes PHI), Business Confidential and Controlled (all other) information. It also prescribes minimal security requirements for protecting each classification of data.