Presentation is loading. Please wait.

Presentation is loading. Please wait.

For UA Health Care Components, Business Associates & Health Plans

Published byMervyn Sims Modified over 6 years ago

Similar presentations

Presentation on theme: "For UA Health Care Components, Business Associates & Health Plans"— Presentation transcript:

1 For UA Health Care Components, Business Associates & Health Plans
HIPAA Privacy and Security Annual Renewal Training For Employees Compliance is Everyone’s Job For UA Health Care Components, Business Associates & Health Plans INTERNAL USE ONLY

2 What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI. INTERNAL USE ONLY

3 What is Protected Health Information (PHI)
Any information, transmitted or maintained in any medium, including demographic information; Created/received by covered entity or business associate; Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and Can be used to identify the patient INTERNAL USE ONLY

4 Types of Data Protected by HIPAA
Written documentation and all paper records Spoken and verbal information including voice mail messages Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device Photographic images Audio and Video recordings INTERNAL USE ONLY

5 To De-Identify Patient Information You Must Remove All 18 Identifiers:
Names Geographic subdivisions smaller than state (address, city, county, zip) All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age Telephone, fax, SSN#s, VIN, license plate #s Med record #, account #, health plan beneficiary # Certificate/license #s address, IP address, URLs Biometric identifiers, including finger & voice prints Device identifiers and serial numbers Full face photographic and comparable images Any other unique identifying #, characteristic, or code INTERNAL USE ONLY

6 UA HIPAA Sanctions Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include: Dismissal from academic program Termination of employment Suspension without pay Denial of an annual raise or reduction in pay Civil and/or criminal penalties including incarceration INTERNAL USE ONLY

7 Notice of Health Information Practices
Explains how the covered entity will use/disclose patient’s PHI Explains a patient’s rights and where to file a complaint Is offered to a patient at the time of the first visit (and patient should sign & date acknowledgement of receiving at time of first visit) Is posted on facility’s web page and in patient reception area INTERNAL USE ONLY

8 TPO as Permitted Use and Disclosure of PHI
PHI may be used and disclosed to facilitate TPO, which means: For Treatment For Payment For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities INTERNAL USE ONLY

9 Authorization as Permitted Use and Disclosure of PHI
A covered entity can generally use and disclose PHI for any purpose if it gets the person’s signed HIPAA-valid authorization Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization For any questions concerning authorization, please contact your Privacy Officer For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices INTERNAL USE ONLY

10 Can Family/Friends Know?
Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to patient’s healthcare And, only if the provider reasonably infers that the patient does not object INTERNAL USE ONLY

11 Minimum Necessary Standard
When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure. The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons: Treatment Purposes for which an authorization is signed Disclosures required by law Sharing information to the patient about himself/herself INTERNAL USE ONLY

12 Other Privacy Safeguards
Avoid conversations involving PHI in public or common areas such as hallways or elevators Keep documents containing PHI in locked cabinets or locked rooms when not in use During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas Do not remove PHI in any form from the designated work site unless authorized to do so by management Never take unauthorized photographs in patient care areas including audio and video INTERNAL USE ONLY

13 Patient Rights Under HIPAA
The Notice of Health Information Practices outlines the patient’s following rights to: Restrict disclosure of PHI to health plan if patient pays out of pocket in full for the healthcare item/service Look at and obtain a copy of record/PHI or ePHI Amend incorrect or misleading information in record Receive an accounting of disclosures of PHI Be notified of a breach of PHI File a complaint INTERNAL USE ONLY

14 HIPAA Put New Requirements on Research
If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless: The patient has signed a valid HIPAA authorization, or The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or The IRB agrees that an exception applies Information regarding HIPAA and Research is available through UA’s Office for Research Compliance. INTERNAL USE ONLY

15 Business Associate (BA) Agreements
Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties. BA also subject to breach of contract claims BA Agreement must be approved in accordance with appropriate UA policies and procedures Individual employees are NOT authorized to sign contracts on behalf of UA. INTERNAL USE ONLY

16 What is a Breach? Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information. Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised. INTERNAL USE ONLY

17 What Constitutes a Breach?
A breach could result from many activities. Some examples are Accessing more than the minimum necessary Failing to log off when leaving a workstation Unauthorized access to PHI Sharing confidential information, including passwords Having patient-related conversations in public settings Improper disposal of confidential materials in any form Copying or removing PHI from the appropriate area Why? Curiosity…about a co-worker or friend Laziness…so shared sign-on to information systems Compassion…the desire to help someone Greed or malicious intent…for personal gain INTERNAL USE ONLY

18 Risk Assessment Required
To assess the probability that PHI has been compromised, we are required to consider: The nature and extent of PHI and likelihood of re-identification (credit card/SSN, etc.) Unauthorized person who used PHI or to whom disclosure was made Whether PHI was actually acquired or viewed The extent to which the risk of PHI has been mitigated (recipient destroyed it) INTERNAL USE ONLY

19 Breach Notification Regulations
If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach. Time runs when incident first known or reasonably should have been known (true for covered entity and business associate), NOT when it is determined that a breach occurred. Breach is treated as discovered when workforce member or other agent has knowledge of incident That means an employee or volunteer must IMMEDIATELY report! Delay permissible in certain circumstances where law enforcement has requested a delay INTERNAL USE ONLY

20 Responsibility to Report Promptly
When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately It is much better to investigate and discover no breach than to wait and later discover that something DID happen INTERNAL USE ONLY

21 Security Standards – General Rules
HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (PHI –Protected Health Information) by and with all facilities Protect against any reasonably anticipated threats or hazards to the security or integrity or such information Protect against any reasonably anticipated uses or disclosures of such information that are not permitted INTERNAL USE ONLY

22 Rules for Access Access to computer systems and information is based on your work duties and responsibilities Access privileges are limited to only the minimum necessary information you need to do your work Access to an information system does not automatically mean that you are authorized to view or use all the data in that system Different levels of access for personnel to PHI is intentional If job duties change, clearance levels for access to PHI is re-evaluated Access is eliminated if employee is terminated Accessing PHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions INTERNAL USE ONLY

23 Rules for Protecting Information
Do not allow unauthorized persons into restricted areas where access to PHI could occur Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public Log in with password, log off prior to leaving work area, and do not leave computer unattended Close files not in use/turn over paperwork containing PHI Do not duplicate, transmit, or store PHI without appropriate authorization Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization INTERNAL USE ONLY

24 Encryption of PHI Encryption is generally necessary to protect information outside of the Electronic Medical Records (EMR) system Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization Use of any personally owned laptops, desktops or other mobile devices (non-UA equipment) for accessing PHI requires appropriate authorization Help UA avoid costly patient notification process by following University policy that requires encryption INTERNAL USE ONLY

25 Password Management Do not allow coworkers to use your computer without first logging off your user account Do not share passwords or reuse expired passwords Do not use passwords that can be easily guessed (dictionary words, pets name, birthday, etc.) Should not be written down, but if writing down the password is required, must be stored in a secured location Should be changed if you suspect someone else knows it Disable passwords or delete accounts when employees leave Passwords: Should be minimum 8 characters long Include 3 of 4 data types (upper/lower case, numeric, special characters) Should be changed periodically Good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example) INTERNAL USE ONLY

26 Protection from Malicious Software
Malicious software can be thought of as any virus, worm, malware, adware, etc. As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus—do not continue using computer until resolved Managed anti virus and other security software is installed on all University computers and should not be disabled Any personal devices used for access to PHI must have appropriate anti virus software Do not open or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY INTERNAL USE ONLY

27 Ransomware Ransomware is malicious software that denies access to data, usually by encrypting the data with a private encryption key that is only provided once the ransom is paid  Presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack When ePHI is encrypted due to a ransomware attack, a breach has occurred because the ePHI was acquired Once the ransomware is detected, we must initiate our security incident and response and reporting procedures If computer with encrypted data is powered on and the operating system loaded, the data is decrypted and breach notification may need to occur Notification of a breach of unencrypted or decrypted data must occur unless there is a  “low probability the PHI has been compromised” Maintaining frequent backups and ensuring ability to recover data from backups may show low probability (if no exfiltration of PHI) INTERNAL USE ONLY

28 Beware of Suspicious Emails
Be very cautious of suspicious s that request information such as ID and password, or other personal information claiming that you need to verify an account, or you are out of disk space, or some other issue with your account. If they claim to come from the University check the following: From Address: Make sure the from address has ua.edu after sign URL Link: If you can see the URL in the message, make sure it has ua.edu before the first slash (/) Hover trick: If you can’t see the URL, you can “hover” your mouse pointer over the link WITHOUT CLICKING and a box with the URL will appear. Check for ua.edu INTERNAL USE ONLY

29 Use of Technology Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization , internet use, fax and telephones are to be used for UA business purposes (see UA policies) Fax of PHI should only be done when the recipient can be reliably identified; Verify fax number and recipient before transmitting No PHI is permitted to leave facility in any format without prior approval Where technically feasible, should be avoided when communicating unencrypted sensitive PHI - follow your organization’s policy for PHI No PHI is permitted on any social networking sites (Twitter, Facebook, MySpace, etc.) without appropriate authorization No PHI is permitted on any texting or chat platforms (AOL, MSN, cell phones) If a situation requires use of or text, appropriate encryption techniques must be used. INTERNAL USE ONLY

30 Rules for Disposal of Computer Equipment
Only authorized employees should dispose of PHI in accordance with retention policies Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding. All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives or your departmental IT support teams are responsible for sanitization and destruction methods Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction NOTES: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media INTERNAL USE ONLY

31 Reporting Security Incidents
Notify your Security Officer of any unusual or suspicious incident Security incidents include the following: Theft of or damage to equipment Unauthorized use of a password Unauthorized use of a system Violations of standards or policy Computer hacking attempts Malicious software Security Weaknesses Breaches to patient, employee, or student privacy INTERNAL USE ONLY

32 UA Contacts Know Your Security and Privacy Officer:
University-wide Privacy Officer: Jan Chaisson University-wide Security Officer: Ashley Ewing University Medical Center Privacy Officer is Jan Chaisson University Medical Center Security Officer is Amy Sherwood Brewer Porch Privacy/Security Officer is Warren Williams Speech and Hearing Privacy/Security Officer is JoAnne Payne Autism Spectrum Disorders Clinic Privacy/Security Officer is Sarah Ryan UA Group Health Plan/FSA Privacy Officer is Emily Marbutt UA Group Health Plan/FSA Security Officer is Greg Gaddis WellBAMA Program Privacy/Security Officer is Heather Clayton Working on Womanhood Program (WOW) Privacy/Security Officer is Jill Beck Center for Advanced Public Safety (CAPS) Privacy/Security Officer is Vaughn Poe Institutional Review Board Compliance Officer is Tanta Myles College of Education Alabama Medicaid Agency Project Privacy/Security Officer: Rick Houser INTERNAL USE ONLY

Download ppt "For UA Health Care Components, Business Associates & Health Plans"

Similar presentations

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Confidentiality and HIPAA

Confidentiality and HIPAA
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA

Similar presentations

Ads by Google