
1 HIPAA Security at Jewett Orthopaedic Clinic

2 Definition of HIPAA
HIPAA: Acronym that stands for the Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this rule. HIPAA took effect on April 14, 2003.

3 HIPAA Administrative Simplification Statute and Rules
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans). HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006, for small health plans).

4 Why is the HIPAA Security Rule needed and what is the purpose of the security standards?
Answer: In enacting HIPAA, Congress mandated the establishment of Federal standards for the security of electronic protected health information (e-PHI). The purpose of the Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. Standards for security are needed because the exchange of protected health information between covered entities, as well as with non-covered entities, is growing. The standards mandated in the Security Rule protect an individual's health information while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans. The Security Rule establishes a Federal floor of standards to ensure the availability, confidentiality and integrity of e-PHI. State laws which provide more stringent standards will continue to apply over and above the Federal security standards. Health care providers, health plans and their business associates have a strong tradition of safeguarding private health information. However, in today's world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the Rule provides clear standards for the protection of e-PHI.

5 Protect Electronic Patient Health Information in Three Ways
Confidentiality: PHI is concealed from people who do not have the right to see the information.
Integrity: Information has not been improperly changed or deleted.
Availability: The healthcare provider can access the information when it is needed.

6 JEWETT ORTHOPAEDIC CLINIC CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT
Jewett Orthopaedic Clinic's information systems contain confidential records pertaining to business operations, patients, business associate vendors or subcontractors, and Jewett Orthopaedic Clinic employees. Because this information is vital to the operation of Jewett Orthopaedic Clinic in providing quality service, it must be protected ("protected information"). As such, in accordance with current HIPAA and HITECH Act regulations, state law and Jewett Orthopaedic Clinic's policies governing the access, use, and disclosure of protected health information, you have the responsibility to protect such data. This agreement is not intended, and should not be construed, to limit or prevent an employee from exercising rights under the National Labor Relations Act. The purpose of this agreement is to provide you with information to assist you in understanding your duty and obligations relative to confidential information. Your signature on this document indicates that the information contained herein has been explained to you.

7 JEWETT ORTHOPAEDIC CLINIC CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT (cont'd)
YOU AGREE:
1) To respect the privacy and confidentiality of any information you may have access to through Jewett Orthopaedic Clinic's computer network, and to access or use only that information necessary to perform your job.
2) To refrain (whenever possible) from communicating information about a patient or an employee in a manner that would allow others to overhear such information, and further to refrain from discussing a patient's information with anyone not permitted access to such information in accordance with Jewett Orthopaedic Clinic's established policies or that particular patient's wishes (e.g., friends, relatives, visitors, family members or patients, etc.).
3) To disclose confidential patient or staff information ONLY to those authorized to receive it.
4) To safeguard and not disclose your password or user ID code or any other authorization you may have that allows your access to protected information. You accept responsibility for all entries and actions recorded using your password and user ID code.
5) Not to attempt to learn or use another user's password and user ID code to log on to Jewett Orthopaedic Clinic's computer network.
6) To immediately report to the Security Officer any suspicion that your password and user ID code have been compromised.
7) Not to release or disclose the contents of any patient or staff records or reports except to fulfill your work assignment.
8) To obtain approval for the use of portable media devices from the Security Officer; to obtain approval from the Security Officer before copying any of Jewett Orthopaedic Clinic's data, exclusive of patient and employee personal information and protected health information, to a portable media device; to maintain the security of data on portable media devices; and to connect portable media devices only to a computer secured by the most up-to-date antivirus software and operating system patches as recommended by the Security Officer.

8 JEWETT ORTHOPAEDIC CLINIC CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT (cont'd)
10) Not to sell, loan, alter or destroy any protected information or reports except as properly authorized within the scope of your job assignment.
11) Not to leave your computer terminal or workstation unattended without locking or turning off your terminal before leaving your work area, or without securing hardcopy information so that it may not be disclosed to unauthorized persons.
12) Not to access or request any protected information that is not necessary to perform your assigned job function.
13) Not to permit others to access Jewett Orthopaedic Clinic's computer network using your password or ID code.
14) To permit your access to Jewett Orthopaedic Clinic's computer network to be monitored.
15) Not to download or make copies of any software or applications without proper authorization or license.
16) Not to access or download any pornography or other illegal materials, or perform any illegal activity such as gambling, while on Jewett Orthopaedic Clinic's computer network.
17) Not to use our corporation's computer network to send or forward harassing, insulting, defamatory, obscene, offending or threatening messages.
18) To promptly report any suspected or known unauthorized access, use, or disclosure of protected information.

9 JEWETT ORTHOPAEDIC CLINIC CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT (cont'd)
19) To abide by Jewett Orthopaedic Clinic's "Notice of Privacy Practices," the policies and procedures set forth by Jewett Orthopaedic Clinic, and current federal and state regulations governing privacy issues.
20) To restrict personal use of the corporation's computer network to meal and break periods and to follow Jewett Orthopaedic Clinic's established policies governing such personal use.
21) Not to store personal files or electronic information on Jewett Orthopaedic Clinic's computer network.

10 Goal of Electronic Health Records
Improve the nation's quality of healthcare.
Reduce the costs of providing healthcare through widespread adoption of EHR and electronic prescription ordering systems.

11 The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Administrative Safeguards: focus on policy and procedures.
Physical Safeguards: a set of rules and guidelines outlined in the HIPAA Security Rule that focus on physical access to Protected Health Information (PHI).
Technical Safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
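The following is an added example, not part of the presentation and not the clinic's own software, showing how three of the technical safeguards listed above (access control, audit controls and integrity controls) look when applied to a small set of constructed e-PHI records. The role names, patient IDs, record contents and office hours are all hypothetical; a real EHR would implement the same ideas at a much larger scale.

```python
"""Added example (not from the Jewett presentation): a toy e-PHI store that
applies role-based access control, an audit log of every access attempt,
and a per-record integrity digest. All data below is constructed."""
import hashlib
import hmac
import json
from datetime import datetime

# Access control: which roles may read which kinds of e-PHI (constructed policy).
ROLE_PERMISSIONS = {
    "physician": {"chart", "billing"},
    "billing_clerk": {"billing"},
    "front_desk": set(),
}


def _digest(record: dict) -> str:
    """SHA-256 over the record body (everything except its stored digest)."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_record(patient_id: str, kind: str, data: str) -> dict:
    """Integrity control: compute and store a digest when the record is written."""
    rec = {"patient_id": patient_id, "kind": kind, "data": data}
    rec["digest"] = _digest(rec)
    return rec


# Constructed sample records (hypothetical patient IDs and contents).
RECORDS = [
    make_record("P001", "chart", "Post-op follow-up, right knee"),
    make_record("P001", "billing", "CPT 99213"),
]

# Audit control: every access attempt is appended here, allowed or denied.
AUDIT_LOG = []


def access_record(user: str, role: str, patient_id: str, kind: str, when: datetime):
    """Enforce the role policy, log the attempt, and verify integrity on read.

    Returns the record data, or None if the role is not permitted or no
    record matches. Raises ValueError if the stored digest no longer matches.
    """
    allowed = kind in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({"user": user, "role": role, "patient": patient_id,
                      "kind": kind, "allowed": allowed, "time": when.isoformat()})
    if not allowed:
        return None
    for rec in RECORDS:
        if rec["patient_id"] == patient_id and rec["kind"] == kind:
            # Constant-time comparison of the stored digest with a fresh one.
            if not hmac.compare_digest(rec["digest"], _digest(rec)):
                raise ValueError("integrity check failed for %s/%s" % (patient_id, kind))
            return rec["data"]
    return None


def review_audit_log(log, office_hours=(7, 19)):
    """Examine recorded activity: denied attempts and activity at unusual hours.

    office_hours is a constructed (start, end) hour range; activity outside it
    is flagged for follow-up, not blocked.
    """
    findings = []
    for entry in log:
        hour = datetime.fromisoformat(entry["time"]).hour
        if not entry["allowed"]:
            findings.append(("denied", entry["user"], entry["patient"], entry["kind"]))
        elif not office_hours[0] <= hour < office_hours[1]:
            findings.append(("off_hours", entry["user"], entry["patient"], entry["kind"]))
    return findings


if __name__ == "__main__":
    access_record("dr_a", "physician", "P001", "chart", datetime(2024, 1, 8, 10, 0))
    access_record("desk_b", "front_desk", "P001", "chart", datetime(2024, 1, 8, 10, 5))
    access_record("bill_c", "billing_clerk", "P001", "billing", datetime(2024, 1, 8, 2, 0))
    for finding in review_audit_log(AUDIT_LOG):
        print(finding)
```

The point of logging denied attempts as well as successful reads is that the audit review is what turns an access-control decision into something the Security Officer can examine later; a denied read by a front-desk account and a billing read at 2 a.m. both show up in the review even though only the first was blocked.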

12 Accountability for Secure Operations
HIPAA Security Officer: T.J. Black, 407-643-1342
HIPAA Privacy Officer: Diane Paradise, 407-643-1286
Compliance Manager: Kimberly Hopkinson, 407-643-1369

13 Responsibilities for Security Officer, Privacy Officer and Compliance Manager
HIPAA Security Officer: determines strategies and develops security plans, referred to as ePHI plans, that can meet both state and federal laws associated with protecting electronic personal health information. A thorough knowledge of HIPAA requirements and information systems security enables HIPAA security officers to develop plans that can maintain the confidentiality, integrity and availability of electronic medical information.
HIPAA Privacy Officer: oversees all ongoing activities related to the development, implementation and maintenance of the practice/organization's privacy policies in accordance with applicable federal and state laws.

14 Responsibilities for Security Officer, Privacy Officer and Compliance Manager (cont'd)
Compliance Manager: oversees the Corporate Compliance Program, functioning as an independent and objective body that reviews and evaluates compliance issues and concerns within the organization. The position ensures that the Board of Directors, management and employees are in compliance with the rules and regulations of regulatory agencies, that company policies and procedures are being followed, and that behavior in the organization meets the company's Standards of Conduct.
The three individuals also provide the structure for the annual training that is required by state and federal regulations and for the development of Policies and Procedures for the organization.

15 HIPAA Security Officer
Responsible for the development and implementation of our policies and procedures required by the HIPAA Security Rule.
Develops the process to create and disable assigned logins/passwords for all employees.
Creates a written risk assessment (annually) to evaluate anticipated risks to our electronic health data.
Evaluates firewall software; ensures that all computers have the most up-to-date antivirus installed.
Identifies and keeps out malicious software.

16 Specific Ways Staff Can Help with Security
Manage your password.
Identify and keep out malicious software; notify the IT department when it appears.
Learn and follow all policies and procedures.
Familiarize yourself with the organization's sanction policies.

17 Specific Ways Staff Can Help with Security (cont'd)
Creating a Password
1. Choose a song, a saying, a poem, something you will not forget.
Pulse requires 8 characters, which must include at least one number.
Windows/SRS requires 8 characters.
2. Do not share your password, or leave a copy of it on your workstation or in a drawer.
3. Inform the IT department if you feel that someone has learned your password or has been using your password (change it immediately).
4. Know how to change your password; change it according to our policy.
5. Use separate passwords for your personal accounts; do not use the same password for all of your accounts.
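As an added illustration (not from the presentation, and not the clinic's password tooling), the checker below encodes the two minimums the slide states for Pulse and Windows/SRS and also catches the case in item 5 where a candidate password is the same one already set on another account. The system names come from the slide; the stored digests and the example passwords are constructed, and a real system would compare against its own directory rather than this in-memory list.

```python
"""Added example (not from the Jewett presentation): check a candidate password
against the per-system minimums stated on the slide and against reuse of a
password already set on another account. All stored digests are constructed."""
import hashlib
import hmac
import secrets

# Minimums as stated on the slide. Other systems could be added here.
SYSTEM_RULES = {
    "Pulse": {"min_length": 8, "require_digit": True},
    "Windows/SRS": {"min_length": 8, "require_digit": False},
}

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the reuse check never needs the other plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_digest(password: str):
    """Return (salt, digest) as it would be kept for an existing account."""
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


def check_password(system: str, candidate: str, other_account_digests=()):
    """Return a list of policy failures; an empty list means the password is acceptable.

    other_account_digests is an iterable of (salt, digest) pairs for the
    user's other accounts, used only to detect reuse (slide item 5).
    """
    rules = SYSTEM_RULES[system]
    failures = []
    if len(candidate) < rules["min_length"]:
        failures.append("shorter than %d characters" % rules["min_length"])
    if rules["require_digit"] and not any(ch.isdigit() for ch in candidate):
        failures.append("no number included")
    for salt, digest in other_account_digests:
        # Constant-time comparison of the candidate's digest with each stored one.
        if hmac.compare_digest(_hash(candidate, salt), digest):
            failures.append("same password as another account")
            break
    return failures


if __name__ == "__main__":
    existing = [store_digest("Tw1nkleStar")]  # constructed "other account" password
    for system, pw in [("Pulse", "short1"), ("Pulse", "nodigits"),
                       ("Windows/SRS", "nodigits"), ("Pulse", "Tw1nkleStar")]:
        print(system, pw, check_password(system, pw, existing) or "OK")
```

The checker reports every failure rather than stopping at the first, so a user setting a Pulse password learns at once that it is both too short and missing a number.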

18 Specific Ways Staff Can Help with Security (cont'd)
Managing workstations:
1. Workstations containing ePHI must be physically located in such a manner as to minimize the risk that unauthorized individuals can gain access to them. The display screen of every workstation containing ePHI must be positioned so that information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception, public, or other related areas.
2. Employees will log off or lock their workstation whenever they leave it for 5 minutes or more and when their shifts are complete.
3. Removing documents from the fax machine: When removing a document from the fax machine, verify that the document is for the individual patient you are working with.
4. Oral communication with patients: Staff members should be extremely cautious when speaking in the office. In any conversation that deals with patient care, we make certain that voices are lowered and that we discuss only the "minimum necessary" information. These conversations should take place only on a need-to-know basis for the patient's care, in a private area.

19 Identify and Keep Out Malicious Software
Warning signs that indicate your workstation may be infected:
– System is running particularly slowly
– Storage capacity is suddenly at the maximum
– Activity on the computer at unusual times
– Activity logs erased
– Warnings from monitoring software that you have a virus on the computer
* Report any or all of these situations to the IT department.

20 Identify and Keep Out Malicious Software (cont'd)
How You Can Help:
– Only open email attachments from known sources
– Clear the use of any instant messaging program with the IT department
– Use office computers only for practice business
– Use Internet Explorer only for practice business: no web surfing for personal enjoyment, and no downloading free programs or music from the internet onto office machines (this can introduce viruses to the computer)
– Don't download or install any software. If you need different software, inform IT and they will take care of it.

21 Specific Ways Staff Can Help with Security (cont'd)
Protect our Practice:
– Follow our policies about what you put in emails and when you delete them
– Encrypt documents that contain PHI before faxing
– Put a password-protected time-out on all portable devices, since they are frequently lost or stolen
– Report the loss of any equipment which might contain PHI

22 Policies and Procedures
A copy of our Policies and Procedures is kept in 3 places:
– On the Share Drive in the P&P folder
– In the IT department
– In the Compliance Manager's office
* They will be reviewed and updated at least annually and when changes are made to the system.
* All employees, administration and Providers will be trained on, and responsible for, all P&Ps.
* Training records will be maintained in the Compliance Manager's office and also on the S-Drive in the folder labeled "signed acknowledgements".

23 Sanction Policies
Because the security of our patients' information depends on each of you:
– Our practice must have and enforce a written sanction policy
– Unintentional and intentional infractions must be documented, and action will be taken

24 Consequences for Violations
Intentional infractions may lead directly to dismissal.
Infractions can result in civil and governmental penalties for the violator, as well as for those responsible for implementing and monitoring our security policies.
Knowingly misusing patient information (in electronic form or any other form) is a felony under HIPAA.
