HIPAA Privacy What Every Staff Member Needs to Know.


Presentation on theme: "HIPAA Privacy What Every Staff Member Needs to Know."— Presentation transcript:

1 HIPAA Privacy What Every Staff Member Needs to Know

2 Goals of Training
Define HIPAA law
Clarify what things need to be kept private
Determine your role in maintaining privacy at Paraquad
Inform you of who to contact on issues related to privacy
Consequences of not maintaining privacy

3 What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
Federal Law: Public Law 104-191 (in 2003)
Privacy Rule issued by the U.S. Dept of Health and Human Services

4 HIPAA Enforcement
What is the penalty for not enforcing HIPAA?
Minimum $100 fine per person (civil).
You can be personally liable!
In some cases, jail time and steeper fines may apply.

5 The HIPAA law applies to ALL forms of communication – even ORAL.

6 What is PHI? Protected Health Information

7 Examples of PHI
Name
Address
Telephone #
Date of Birth
SSN
Names of Relatives
Case File #
Occupation
Diagnosis
Treatment Procedures
Plan of Care

8 Where do we find PHI?
Case files
In paper that needs shredding
On the computer; in PRISM
In people’s cubicles and offices
Left on the printer (remove print-outs promptly)
On drivers’ pick up sheets

9 How Can You Maintain Confidentiality
Don’t discuss private information in public settings.
Don’t talk so loud that others hear you.
Do not use speaker phone in an open area.
Don’t leave participant information where others can view it or access the information.
Keep diagnosis and disability-related information private.

10 “Need to Know” Principles
How much do you need to know?
How much do other people need to know?

11 HIPAA Consumer Protections
Notice of Privacy Practices
– Participants must know when we share their information with someone outside of Paraquad.
– Must be written in plain language.
– Must be provided at the time of first service or assessment for eligibility.

12 HIPAA Consumer Protections
Amendment
– Participants can request to change information in their files.
– That request may be made to Paraquad’s Privacy Officer.
– Paraquad may either grant OR deny the request.

13 HIPAA Consumer Protections
Restrictions
– Participants can request certain parts of their health information not be shared with others.
– Paraquad is NOT required to accept the request.
– If restriction is accepted, then Paraquad has to follow it.

14 HIPAA Consumer Protections
Access
– Participants can request to see or copy their information.
– Request for access MUST be in writing.
– If access is denied, the participant can appeal.
– Consumer must appeal to Paraquad’s Privacy Officer.

15 HIPAA Disclosure Protections
Authorization
– Participants must give written permission for their information to be shared with anyone outside of Paraquad.
– You must be specific:
  • What PHI is to be shared;
  • With whom;
  • For what purpose.

16 When No Authorization is Needed…
Key examples:
– Abuse or neglect reports
– Court Orders
– Police need information
– To help keep someone else safe

17 HIPAA Consumer Protections
Accounting of Disclosures
– Participant can ask who their information was shared with.
– Applies to both verbal and written disclosure.
– All disclosures are to be noted in the participant file.

18 HIPAA Consumer Protections
Verification
– Paraquad must verify the person or agency requesting the information is who they say they are.

19 HIPAA Consumer Protections
Complaint Procedure
– Allows participant to file a complaint if it is felt that PHI has been improperly used or disclosed.
– That complaint is to be filed with Paraquad’s Privacy Officer.

20 What Else Does HIPAA Require?
Research
– HIPAA still allows research to be conducted.
– Proper authorizations must be in place.

21 QUESTIONS?
If you are ever in doubt, always ask your Privacy Officer.

22 Summary
We must all protect participant records.
Share only the information necessary for people to do their jobs.
Participants have the right to ask about use and disclosure of PHI.
Paraquad has a HIPAA policy that you need to know and follow.

23 Security: Integration with HIPAA Privacy

24 Purpose of Security
To protect the computer system and information from unauthorized access
To protect the computer system and information from misuse

25 General Security Awareness
Building/Physical Security
– Building/Work Area Sign-in
  • All participants and visitors must sign in at the front desk and must be escorted around the building. If a person is unescorted (EMC, bathroom), they must stay in the main hallway and must not enter any work areas. Do not ask the front desk to ‘send them back’ to you.
– Locks and Keys
  • Keep keys in a secure location or carry them on your person.
– Front Door Code
  • Do not share with anyone.
– Key Fob
  • Keep it on your person. You will be charged $10.00 for a replacement.
– Printers/Copiers/Fax Machines
  • Pick up print-outs/copies promptly.

26 General Security Awareness
Computer/Electronic Security
– Computers
  • Do not allow participants to use your computer. Assist them in using the computer lab PCs. Lock your computer (Windows key + L) each time you leave your desk.
– E-mail
  • Limit personal email so that outsiders do not have access to our email addresses.
  • Don’t open attachments from friends.

27 Password Management
When you have a special Password:
– Don’t tell anyone your password.
– Don’t write your password down.
– Change your password if others know it.
– Pick a password you can remember.

28 Remember!
Computer System security impacts privacy
Both building and computer security are essential!

29 THE END
Please take HIPAA quiz now.

