HIPAA/HITECH Privacy and Security
IPA Training 2017
Introduction
Welcome to HIPAA/HITECH Privacy and Security training at IPA. As you may know, all health care organizations are required to comply with HIPAA/HITECH Privacy and Security Regulations. These regulations have undergone several updates, the latest of which were enacted in late . As an IPA employee, you will have access to patients’ confidential health information. Therefore, you are required to complete HIPAA/HITECH training. Training will include a PowerPoint presentation and a HIPAA quiz to complete and submit to your supervisor.
When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. David Brinkley
IPA’s Confidentiality Policy
All individuals are expected to be professional and maintain confidentiality at all times, whether dealing with actual records, projects or conversations. All individuals having access to confidential information are bound by strict ethical and legal restrictions.
HIPAA at a Glance
HIPAA stands for: Health Insurance Portability and Accountability Act.
The “Health Insurance Portability” (HIP) part of HIPAA was intended to ensure the continuity of health insurance coverage for workers changing jobs. To facilitate this goal, Congress mandated national standards for transmitting and protecting health information.
The “Accountability” part of HIPAA was designed to ensure the security and confidentiality of patient information/data and requires uniform standards for electronic transmission of data relating to patient health information.
HIPAA Privacy
The HIPAA Privacy Rule was enacted to:
● Establish national privacy protection standards for all forms of health information created by “covered entities,” including health care providers.
● Set limits on the uses and disclosures of such information.
● Give patients rights over their health records.
HIPAA Security
The HIPAA Security Rule was enacted to:
● Establish national standards for the security of electronic health information (ePHI).
● Protect individuals’ ePHI that is created, received, used or maintained by covered entities.
● Outline administrative, technical and physical procedures to ensure the confidentiality, integrity and availability of ePHI.
What is HITECH?
HITECH stands for: Health Information Technology for Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act (ARRA).
The HITECH interim rule was enacted in 2009. It:
● Widened the scope of privacy and security protections under HIPAA.
● Included incentives related to health care information technology, such as creating a national health care infrastructure and adopting an electronic health record (EHR) system.
The HITECH final rule was enacted in January 2013. It made a significant number of changes to HIPAA Privacy and Security.
We’ve Come a Long Way……Maybe
Electronic data transmission is a double-edged sword. More technology = increased vulnerability of personal information. As technology changes, we have to do more to protect that information. The confidential information we come in contact with every day is only as safe as our weakest link.
What is Protected Health Information (PHI)?
Any type of individually identifiable health information in any format, including:
● Paper or other media
● Verbal
● Photographed or duplicated
● Electronically maintained or transmitted
What Makes PHI Identifiable?
Any unique number, code or characteristic that links information to a specific individual, such as:
● Name ● Dates ● Address ● Social Security Number ● Zip Code ● Medical Record Number ● Telephone Number ● Patient Account Number ● Fax Number ● Insurance Plan Numbers ● Photographs ● Vehicle Information ● Fingerprints ● License Numbers ● Medical Equipment Numbers ● Internet Address
What is “de-identified” information?
Information in which specific pieces (identifiers) have been removed so that it cannot be linked to any individual or be re-identified. If patient information is de-identified, it is not considered PHI and is not protected under the HIPAA privacy regulations.
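The deck defines de-identification but does not show what removing identifiers looks like in practice. The following is an added example, not part of the IPA training material: it takes the identifier categories from the “What Makes PHI Identifiable?” slide and strips them from a constructed patient record, including identifier patterns buried in free text. The field names, the sample record, the regular expressions and the choice to keep only the year of a date are assumptions made for this illustration.

```python
import re
from typing import Any

# Fields that directly identify a patient (from the identifier slide): dropped entirely.
# Field names are assumed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip_code", "ssn", "medical_record_number", "telephone", "fax",
    "patient_account_number", "insurance_plan_number", "photo", "vehicle", "fingerprint",
    "license_number", "device_serial", "ip_address", "email",
}
# Date fields: reduced to the year so they no longer pin down an individual (assumption).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Patterns that reveal identifiers hidden inside free text (constructed, US-style formats).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "medical_record_number": re.compile(r"\bMRN[-:\s]*\d{4,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scrub_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with a category tag."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def residual_identifiers(text: str) -> list[str]:
    """Identifier categories still detectable in a string; an empty list means none found."""
    return [label for label, pattern in FREE_TEXT_PATTERNS.items() if pattern.search(text)]


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Copy of record with direct identifiers dropped, dates reduced to the year, and the
    patient's own identifier values plus identifier patterns struck from free-text fields."""
    direct_values = [str(v) for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS and v]
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field] = str(value).rsplit("/", 1)[-1]  # assumes MM/DD/YYYY strings
            continue
        if isinstance(value, str):
            for dv in direct_values:  # e.g. the name typed into a clinical note
                value = value.replace(dv, "[identifier removed]")
            value = scrub_text(value)
        out[field] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "date_of_birth": "07/14/1965",
    "zip_code": "50309",
    "medical_record_number": "MRN-0045812",
    "diagnosis": "Type 2 diabetes mellitus",
    "clinical_note": "Pt Jane Q. Sample (MRN 0045812, 515-555-0100) seen 03/02/2017; "
                     "results e-mailed to jane@example.com.",
}
```

Pattern matching only catches identifiers that look like identifiers; a name or a rare diagnosis in free text can still re-identify someone, which is why the deck warns that information you believe is de-identified may not be.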
Genetic Information
Genetic information, including family history, is considered PHI under HIPAA. This includes:
● Genetic tests, requests for genetic services, or participation in clinical research that includes genetic services by an individual or his/her family member.
● Any manifestation of a disease in the individual’s family member.
Genetic information may not be used for underwriting purposes.
Protecting PHI
All health information that can be linked to an individual must be protected under HIPAA. As an institution, IPA has an obligation to protect the privacy of patient information and maintain the security of that information on our electronic systems. Everyone must be vigilant in their efforts to handle confidential information in a way that prevents improper exposure. HIPAA is ultimately about patients and their right to expect protection of their health information.
Patient Rights Under HIPAA
Patient Rights
Patients have the right to:
● Receive an accounting of certain disclosures of PHI.
● View and obtain copies of their reports.
● Request an amendment to their medical records.
● Request that any communication related to PHI be directed to a specific location.
● Request restrictions on the use or sharing of their information.
● Receive the IPA “Notice of Privacy Practices” (NPP) outlining these rights.
Patient Right to an Accounting of Disclosures
Upon request, the patient must be provided a list of all PHI disclosures made outside of the institution, including:
● Disclosures of which the patient may not otherwise be aware.
● Improper disclosures resulting in a breach.
An accounting of such disclosures is maintained in the patient’s medical record on the “PHI Disclosure Tracking Log.”
Disclosures exempt from the accounting requirement include:
● Those for treatment, payment, or healthcare operations (TPO).
● Those directed to the patient or in response to the patient’s authorization.
Patient Right to Obtain a Copy of His/Her Records
Patients also have the right to request copies of their PHI in any form they choose or is mutually agreed upon provided PHI is readily producible in that format. If PHI is maintained electronically, IPA is required to provide an electronic copy at the patient’s request. However, IPA is not required to provide unlimited format choices.
Patient’s Right to Send Record Copies to Others
Patients may also request that copies of their medical records be sent to other designated individuals. Requests must be made in writing, clearly identifying the designated recipient and where to send the copy. Records may be sent in an unencrypted form if the patient understands the risk and agrees in writing. It is recommended that records not be sent via email.
Patient Requests for Record Copies
Patient requests for record copies must be addressed (granted or denied) within 30 days. A one-time 30-day extension is allowed with patient notification. A reasonable, cost-based fee may be charged. Requests for record copies may be denied under certain circumstances. Patients have a right to appeal a denial.
Patient Right to Amend His/Her Medical Record
Patients can request corrections be made to any inaccurate or incomplete information in their medical, research, or billing records. Only written requests are accepted. A request to amend may be denied. If denied, the patient may write a disagreement to which IPA may write a rebuttal. Copies of all such documentation are maintained in the patient’s record.
Patient Right to Restrict Disclosures to Health Care Plans
IPA must honor patient requests to restrict certain disclosures of PHI to health plans if:
● The disclosure is to carry out payment or healthcare operations, and
● The disclosure is not required by law, and
● The PHI pertains solely to a health care item or service for which the patient or other person has paid out of pocket and in full.
Notifying Patients of Their Rights Under HIPAA: Notice of Privacy Practices (NPP)
The Notice of Privacy Practices includes IPA’s pledge to patients to keep their medical and billing information private. The NPP must be:
● Provided to all patients upon their request.
● Available on IPA’s website.
The NPP describes for patients:
● How their PHI is used and disclosed.
● Their rights regarding their health information.
● How to exercise those rights.
PATIENT AUTHORIZATIONS REGARDING THEIR PHI
SHARING PHI WITHOUT AUTHORIZATION: REMEMBER “TPO”
In order to access, use or share PHI without a signed patient authorization, the purpose must be related to:
● Treatment within and between healthcare providers across IPA or in the community.
● Payment for treatment.
● Operations—normal IPA business activities, such as quality improvement, training, audit/legal/compliance reviews, and evaluating caregiver performance.
SHARING PHI WITHOUT AUTHORIZATION
Other than TPO, Protected Health Information (PHI) may be shared without a signed authorization for the following reasons:
● Public health activities: preventing or controlling disease; reporting abuse, neglect or domestic violence; FDA-regulated product safety.
● To provide further information to coroners, medical examiners, or funeral directors.
● Organ donation.
● Health oversight activities: audits; civil, administrative or criminal investigations; inspections.
● Court order or subpoena.
● For law enforcement purposes related to crimes, provided certain criteria are met.
Disclosures Regarding Decedents
Care providers may disclose PHI to a family member or person who was involved in the care of a deceased patient unless otherwise expressed by the decedent while he or she was alive. The personal representative of the deceased (executor of the estate) has the ability to act on behalf of the decedent under the Privacy Rule. Use your knowledge or best judgment regarding disclosure. HIPAA no longer applies to individuals deceased more than 50 years.
When is Patient Authorization Required?
In general, if the reason for access, use or disclosure of information is not related to “TPO,” you must have a signed patient authorization. Never access, use or disclose PHI without a patient’s consent, if indicated.
Patient Authorizations
A valid authorization includes specific requirements:
● PHI to be released
● Who may release the information
● Who may receive the information
● Purpose of the disclosure
● Expiration date
● Signature of patient or patient representative
Use only IPA HIPAA-compliant authorization forms. A patient may withdraw authorization at any time, except to the extent that IPA has already used or released information under a valid authorization.
Protecting Confidential Patient Information
Minimum Necessary Rule
Except for treatment purposes, limit access, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. Access, use or disclose: Only PHI needed to complete an assigned task and Only when the specific PHI is necessary to perform that task. Unless you need certain patient information to carry out your responsibilities, do not access that information.
Verifying Information Requests
Before sharing any PHI, IPA will verify: The identity of the individual requesting the information. That this individual has the right to obtain the information requested. If a patient calls to obtain information about him/herself, IPA will verify the individual’s identity using information available in the Patient Registration system. In the event that an individual’s identity and/or legal authority cannot be verified, IPA staff will not disclose the PHI and will report the request to his/her immediate supervisor.
Verbal Exchanges Involving PHI
Discuss PHI only with those that have a “need to know” for specific assigned job functions. Be aware of your surroundings when discussing patient information. Move to a private area if needed. Avoid discussions involving PHI in areas where you may be overheard, such as cafeterias, hallways, elevators, etc.
Telephone/Voicemail/Answering Machine Disclosure of PHI
Never leave information containing PHI over the phone with anyone other than the patient. Leave only generic information on voicemail or answering machines. Never leave any PHI, including any indication of the services being performed or the service provider.
FAXING PHI
Faxing patient information outside of IPA is allowed in situations when health information is needed immediately or when mail or courier delivery will not meet a necessary timeframe. Employees authorized to fax PHI must confirm the accuracy of the fax numbers and the security of the recipient machines. Any fax that is sent must be accompanied by an IPA-approved fax cover sheet.
RECEIVING FAXES: Schedule with the sender whenever possible so that the faxed documents can be promptly removed from the fax machine. Notify the sender if you receive a misdirected fax so the fax can be sent to the correct party.
Disposal of Paper Containing PHI
Dispose of documents with PHI (faxes, printed emails, informal notes or copies of patient reports) either by shredding or by placing them in secured shredder bins. Never dispose of documents containing PHI in a trash or recycle receptacle or in a publicly accessible area.
Managing Electronic Information
You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable. Daryl White
Acceptable Use of IPA’s Information Technology Resources
IPA workforce members are responsible for the appropriate use and security of ePHI when using IT resources. Using any unauthorized IT resources, or IT resources in a way that could disrupt operations or compromise security, is prohibited.
Mobile Computing Devices (MCD)
MCDs include:
● Laptop computers
● Smartphones
● Tablet devices
● USB storage devices
Confidential data may not be stored on MCDs unless:
● Only information needed for a particular function is stored.
● Information is stored only for the time period needed to perform that function.
● The device is encrypted by IT.
● Data is protected from unauthorized access and disclosure.
Encrypting USB Flash Drives
USB thumb drives are small, portable, and can be read on any device with a USB port. Due to their portability, however, they are easily lost. Files on a USB stick containing PHI/confidential data must always be encrypted, either by:
● Manually saving files with a password
● Locking your flash drives
To protect PHI/confidential data, Windows 7 allows you to protect or lock your hard disk and removable drives with its BitLocker feature. BitLocker is an encryption feature built into the Windows 7 OS. It can encrypt your whole drive, and a password is required to gain access.
Effective September 2017, upon insertion of any flash drive into a UnityPoint computer, you will automatically be prompted for encryption. If you choose not to encrypt the flash drive, its files will be "read only" and you will not be able to save any changes made. If you choose to encrypt the flash drive, you will assign yourself a password for that flash drive, which will need to be provided to open your drive in the future. The encryption process may take several minutes, depending on the size and format of your drive. At the end of the encryption process, you will get the option to not be prompted for the password in the future when using the computer it was encrypted on. Otherwise, you will need to provide the password to unlock the drive for use on any other computer.
Electronic PHI (ePHI)
ePHI is Protected Health Information stored on electronic systems or transmitted through electronic means. It includes personal information stored on:
● Personal computers with internal hard drives.
● Removable storage devices such as USB memory sticks/keys, CDs/DVDs, disks, back-up tapes and external hard drives.
● Mobile devices.
Electronic transmission is data exchanged via the network, including wireless and DSL/cable home network connections.
Think before you click…
“Minimum necessary” also applies to electronic PHI. Access/use PHI stored in electronic systems only when necessary to perform your assigned job functions. Access/use only the minimum necessary PHI to complete your assigned task.
Emailing PHI
Hand deliver or mail PHI whenever possible. When necessary for treatment, payment or operations, email PHI only to individuals that are authorized to receive the information. Email only from and to secure addresses within the IPA/UPH network. Verify the recipient’s address as secure before sending PHI via email. Email encryption must be used to send any confidential information outside of the IPA/UPH network.
Email Encryption
Email communication outside of the IPA/UPH network is not secure for the purpose of transmitting PHI/confidential data unless encryption is used. Electronic transmission of PHI/confidential data in an unencrypted form may be construed as a violation of Federal and State laws and IPA policy. When using the Microsoft Outlook system to send PHI/confidential information outside the network, you MUST include [Secure] (the brackets and the word) in either the subject line (preferred) or in the body of the email. This will trigger the IPA/UPH system to electronically secure the message. The recipient will be directed to a link to view the message sent. This link uses the recipient’s email address as the username and requires that a password be set up in order to view the contents.
Texting PHI Texting confidential information, including PHI, is NOT permitted under any circumstances. Text messages are not encrypted and, therefore, are never secure. Any text message sent containing confidential information, including PHI, is a violation of IPA policy, state and federal laws and must be reported immediately.
Social Media PHI or other confidential information should NEVER be shared on social media sites. Any medical information that is posted must be completely de-identified. Although you may think information has been de-identified, it may be possible to identify an individual, even with minimal information. No professional information should ever be posted on social media. Failure to follow this could lead to termination.
Managing Breaches of PHI
Breaches A breach is defined as any improper access, acquisition, use or disclosure of PHI that compromises the security or privacy of the information unless it can be proven that the risk of compromise to the information is low. Includes situations in which more than the minimum necessary PHI is involved. All potential breaches are evaluated by IPA and may result in notifying the affected patient(s) and the Federal Office for Civil Rights (OCR). OCR may investigate any breach that is reported.
Managing Breaches
Known or suspected breaches must be acted upon without delay to assess the situation and mitigate risk. There are strict timeframes for notifying:
● Affected patient(s)
● Office for Civil Rights
If you know or suspect that a breach has occurred, report it to your supervisor or Compliance Officer (Dr. Abbott) immediately.
Examples of Breaches
Paper:
● Lab requisitions, test results or other confidential communications sent to the incorrect recipient. Any report sent to the incorrect recipient must be reported to your supervisor and logged as an improper disclosure.
● Paperwork containing PHI left in public areas.
Verbal:
● Discussing a patient’s medical information in a public area.
● Discussing a patient’s medical information in front of others without the patient’s permission to communicate.
Electronic:
● Accessing patient information for purposes that are not related to job functions, educational responsibilities and/or assigned tasks, including the PHI of coworkers, family members, friends and VIPs.
● Lost unencrypted laptops or other mobile devices containing PHI.
● Texting PHI.
● Computer screens containing PHI that are visible to unauthorized individuals.
Tips for Preventing Breaches
● Keep track of documents containing PHI (don’t leave them unattended, don’t take them into the restroom, etc.).
● Keep private conversations private if PHI is being discussed (you never know who may overhear).
● Never text PHI.
● Do not share PHI via social media.
● Obtain a patient’s permission before involving others in a discussion that includes PHI.
● Do not access or use patient information that is not related to your employment responsibilities.
● Never discuss PHI with anyone that is not authorized to have the information.
Patient Complaints Regarding Breaches of PHI
Patients may contact IPA directly with any concerns related to the privacy or security of their PHI. Patients may also elect to register a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, which is responsible for enforcing HIPAA laws.
Auditors If an OCR auditor or auditors from OIG (Office of Inspector General) or RAC (Medicare Audit Recovery Contractors) arrive, immediately contact Dr. Abbott, Compliance Officer, or Scott Denker, Executive Director.
IPA HIPAA Policies and Contacts
For HIPAA questions or to report violations, contact: Jared Abbott, M.D., Compliance Officer, Iowa Pathology Associates at or . You may also submit questions, concerns or violations anonymously via the employee portal on IPA’s website (iowapath.com). Please review the complete IPA HIPAA Manual, located in the Conference Room at IPA. For more information on HIPAA rules and regulations, refer to the US Department of Health and Human Services.