HIPAA WORKFORCE TRAINING


1 HIPAA WORKFORCE TRAINING
McCann Relationship Marketing LLC, d/b/a MRM

2 What You Will Learn Today
What is the Health Insurance Portability and Accountability Act (“HIPAA”)?
What is protected health information (“PHI”)?
Who may access PHI and under what circumstances?
What do MRM’s new HIPAA Information Security Policies require?
How do these policies impact MRM and you?

3 Health Insurance Portability and Accountability Act (“HIPAA”)
PHI, Privacy and Security Rules

4 What is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)?
It is a federal law that…
Protects the privacy of an individual’s personal and health information
Provides for electronic and physical security of personal and health information

5 Protected Health Information (“PHI”)
PHI is any information, whether oral or recorded, transmitted in any form or medium, that:
Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, or clearinghouse; and
Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that:
  Identifies the individual; or
  With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Employees may access PHI only when necessary to perform their job-related duties.

6 All of the following are considered PHI identifiers under HIPAA:
A person’s name, address, geographic subdivisions (smaller than a state), birth date, age, phone and fax numbers, address, and social security number
Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results, health plan account numbers
Device identifiers and serial numbers; Web Universal Resource Locators (URLs); and Internet Protocol (IP) address numbers.

7 HIPAA applies to “Covered Entities,” “Business Associates,” and “Subcontractors”
Covered Entities, 3 categories:
  Health care providers – a provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies.
  Health plans – an individual or group health plan that provides or pays the cost of medical care.
  Clearinghouses – a public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation.
Business Associates: a person or entity to whom a covered entity discloses protected health information, to perform a function on behalf of or to provide services to a covered entity.
Subcontractors: a person or entity to whom a business associate or subcontractor discloses protected health information, to perform a function on behalf of or to provide services to that entity.

8 Business Associate Obligations
Enter into a Business Associate Agreement (called a BAA) with the Covered Entity (the “Client”)
Use appropriate safeguards to prevent the access, use or disclosure of PHI other than as permitted by the BAA with the Client
Obtain satisfactory assurances from any MRM subcontractor that appropriate safeguards are in place to prevent the access, use or disclosure of PHI entrusted to it
Notify the Client of any breach of unsecured PHI for which the Business Associate or its subcontractors was responsible, upon discovery
Ensure its employees and/or those of its subcontractors receive HIPAA training
At termination of the BAA, return or destroy PHI

9 HIPAA: Privacy Rule & Security Rule
Privacy Rule (Protection for PHI in all forms)
  Use and Disclosure of Protected Health Information
  Individual Rights
  Administrative Measures to Protect PHI
Security Rule (Protection for Electronic PHI)
  Administrative Procedures to Protect PHI
  Physical Safeguards to Protect PHI
  Technical Safeguards to Protect PHI

10 HIPAA Privacy Rule: Some Requirements
Business Associate Agreements
Minimum Necessary Requirements
  Only the minimum amount of information necessary to perform or complete the task may be used or disclosed
Workforce Training

11 HIPAA Security Rule: Requirements
Administrative Procedures
  Security Management/Awareness
  Employee Policies
  Security Incident Procedures
  Contingency Plan
Physical Safeguards
  Restrictions on Facilities Access
  Restrictions on Workstation Use
  Device & Media Controls
Technical Safeguards
  Access Rights/Authentication
  Audit Controls
  Protection from Alteration/Destruction
  Transmission Security

12 What Is a Breach?
A breach occurs when PHI is:
lost, stolen or improperly disposed of (i.e. the paper or device on which the information is recorded cannot be accounted for);
“hacked” into by people or mechanized programs that are not authorized to have access (e.g. the system in which the information is located is compromised through a “worm”); or
communicated or sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record).

13 Breach Notification
MRM is required to report a Breach to the Client whose data was affected.
Part of your responsibility as an MRM employee is to report privacy or security breaches involving PHI to either:
  Workforce IT Lead
  The HIPAA Security Officer
If you suspect there may be or has been unauthorized access to PHI, report it.
No retaliatory action may be taken against an individual for filing a HIPAA report or complaint, including notifying of a privacy or security breach.

14 HIPAA Privacy Rule: Use and Disclosure of PHI
PHI may only be used or disclosed as permitted or required by a BAA
Required to make PHI available for compliance purposes

15 Violations of HIPAA: Civil and Criminal Penalties
$100 to $50,000 (and more) per violation.
Individuals are subject to civil and/or criminal penalties.
Individuals and companies can also be held accountable to state courts for violating these rules on behalf of state residents.
You can be personally liable!

16 Key Defensive Strategies
Documentation, documentation, documentation (cannot defend a claim of non-compliance without it)
Continuous review of policies and procedures (living documents)
Thorough training of all staff members
Reporting procedures (handling complaints and potential breaches)
Sanctions/Termination procedures (internal risks are generally greater than external risks)

17 HIPAA and MRM
Who May Access PHI and Under What Circumstances?

18 How Does HIPAA Apply to MRM?
When MRM receives PHI from a client that is a Covered Entity or a Business Associate in connection with a project, MRM will be considered a Business Associate and is required to comply with HIPAA’s Privacy and Security Rules.
MRM HIPAA Computer Resources: MRM has set up a separate server to store and process the PHI it receives. The server, which is located in Princeton, and any devices used to access that server, including MRM communication systems and laptops, will be governed by MRM’s new HIPAA Information Security Policies. No PHI is to be placed on removable devices or accessed by mobile devices.
MRM Workforce Members: All Interpublic employees (whether full-time, part-time or temporary), service providers, suppliers, contractors, consultants and their respective employees, and other third parties having access to PHI or the HIPAA Computer Resources. Their conduct in the performance of services for an MRM “HIPAA” client must comply with HIPAA and will be governed by MRM’s new HIPAA Information Security Policies.

19 MRM’s HIPAA Information Security Policies
Where to Go When You Have Questions:
  MRM’s HIPAA Security Officer - Questions regarding compliance with, exceptions to, or potential or actual violations of these HIPAA Policies should be addressed to MRM’s HIPAA Security Officer.
  MRM IT - Before engaging any third parties, such as a service provider, that may have access to MRM’s PHI, the Workforce IT Lead and/or MRM’s HIPAA Security Officer must be consulted.
Access Control Policy
Workforce Security and Disciplinary Policy
Facilities Access Policy
Incident Response Policy
Disaster Recovery Policy
Logging and Monitoring Policy
Encryption Policy
Network Security Policy
Vulnerability Management Policy
**These policies are mandatory; you may be subject to disciplinary action (including termination) for failure to comply with these policies.

20 Employee Responsibilities: Access to PHI
Access to the HIPAA Computer Resources is limited to Workforce Members who:
  Need access in order to accomplish a legitimate task on behalf of a client; and
  Have read the MRM HIPAA Information Security Policies; and
  Have completed this HIPAA compliance training; and
  Have signed a document confirming that they:
    Have read the MRM HIPAA Information Security Policies;
    Have participated in this compliance training; and
    Agree to comply with the MRM HIPAA Information Security Policies; and
  Have not previously violated the MRM HIPAA Information Security Policies.

21 Employee Responsibilities: Access to PHI
Only Workforce Members who have been granted access to the HIPAA Computer Resources by MRM’s HIPAA Security Officer, and who have been issued a unique user ID and password combination, may access PHI.
Report access control changes to the HIPAA Security Officer or Workforce IT Lead.
You may never use the HIPAA Computer Resources:
  Without prior authorization from MRM’s HIPAA Security Officer
  To gain unauthorized access to PHI
  To damage, alter, or disrupt the operations of any other information systems
  To capture or otherwise obtain passwords, encryption keys, or any other access control mechanism that could permit unauthorized access
****Attempting to obtain or use, actually obtaining or using, or assisting others to access the HIPAA Computer Resources, when unauthorized and/or improper, will result in Disciplinary Action.

22 Employee Responsibilities: Access to PHI
Password Controls
Do:
  Choose a password without a clear link to you personally
  Choose a password that is at least eight characters
  Use characters from three of the following four categories: uppercase, lowercase, base 10 digits (0 through 9), and non-alphabetic characters (for example, !, $, #, %)
  Memorize your password → users will be locked out after several unsuccessful attempts
  Change your passwords frequently to prevent hackers from using automated tools to guess your password
DO NOT:
  Choose a password with a clear link to you
  Choose a password that uses public information such as SSN, credit card or ATM #, birthday, date, etc.
  Reuse old passwords or any variation
  Use your user ID or any variation
**It is a violation of MRM’s HIPAA Information Security Policies to share your password with anyone. Electronic audit records track information based on activity associated with user IDs.
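The password rules on this slide, written out as a checker plus a per-user-ID lockout counter. This is an added example, not MRM's own code or tooling; the lockout threshold of five and the letter-core heuristic for "or any variation" are assumptions, since the slide says only "several" attempts and does not define a variation.

```python
import re

# Values from the slide: eight characters, three of four categories.
# The lockout threshold is an assumption; the slide says only "several" attempts.
MIN_LENGTH, REQUIRED_CATEGORIES, LOCKOUT_THRESHOLD = 8, 3, 5

CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}

def _core(s: str) -> str:
    # Lower-case letters only, so "Winter2024!" and "winter2023" both become "winter"
    return re.sub(r"[^a-z]", "", s.lower())

def is_variation(candidate: str, known: str) -> bool:
    # Assumed reading of "or any variation": the letter core of a known value
    # (user ID or old password) of three or more letters appears in the candidate.
    k = _core(known)
    return len(k) >= 3 and k in _core(candidate)

def check_password(password: str, user_id: str, previous: list) -> list:
    # Returns the slide's policy violations for a proposed password; [] means acceptable.
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < REQUIRED_CATEGORIES:
        problems.append(f"uses {len(present)} of 4 character categories, need {REQUIRED_CATEGORIES}")
    if is_variation(password, user_id):
        problems.append("contains the user ID or a variation of it")
    if any(is_variation(password, old) for old in previous):
        problems.append("reuses an old password or a variation of it")
    return problems

class LockoutTracker:
    # Consecutive failed logins keyed by user ID, the same key the slide's audit records use.
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold, self.failures = threshold, {}

    def is_locked(self, user_id: str) -> bool:
        return self.failures.get(user_id, 0) >= self.threshold

    def record_failure(self, user_id: str) -> bool:
        # Returns True once this failure crosses the threshold and the ID is locked out.
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return self.is_locked(user_id)
```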

23 Employee Responsibilities: Access to PHI
You may use PHI only when you have been authorized to do so and need it to do your job. You may discuss PHI with a Workforce Member only when it is necessary to do your job. You may not pull any PHI or files containing PHI off the server.

24 Employee Responsibilities: Engaging with Third Parties
Before engaging a service provider that may have access to MRM’s PHI, it must be determined whether that service provider:
  is capable of maintaining the safeguards set forth in MRM’s HIPAA Policies to protect PHI; and
  is otherwise obligated by contract to use all reasonable methods to protect the security and integrity of PHI.
** You should not engage a third party that will need to access or use PHI without first consulting MRM’s HIPAA Security Officer. PHI should never be disclosed to a third party without prior authorization.

25 Employee Responsibilities: The Return of PHI
Upon your departure from MRM, you must:
  Return all MRM HIPAA Computer Resources and your Access Card on your last day
  Return all confidential or proprietary MRM information in your possession to your immediate supervisor and/or MRM HR Officer
**You must not retain, give away, or remove from the MRM Facilities any confidential or proprietary data belonging to MRM, including PHI.

26 Tips for Complying with HIPAA
Always keep portable devices physically secure to prevent theft and unauthorized access. Access PHI only as necessary for your authorized job responsibilities. Keep your passwords confidential. Comply with the HIPAA Information Security Policies. Report promptly to your supervisor and the HIPAA Security Officer the loss or misuse of devices storing PHI or other sensitive information.

27 Tips for Complying with HIPAA: Safe Browsing Habits
Safeguard sensitive information
  Look for signs of security when providing sensitive information (i.e. the web address starts with “https” or a padlock icon is displayed in the status bar)
Keep browser updated and use security settings
  Stay current with browser updates and application updates such as Adobe Flash and Acrobat
  Enable browsing security settings to alert you to threats to your computer like popups, spyware, and malicious cookies
When in doubt just don’t do it!
  Downloaded files like software or other media can contain hidden malware that may compromise the security of PHI

28 Tips for Complying with HIPAA: Protecting Mobile Devices
Never leave mobile computing devices unattended in unsecured areas.
Select complex passwords for your mobile devices (e.g., cell phones).
Immediately report the loss or theft of any mobile computing device to your supervisor and the HIPAA Security Officer.

29 Remember… When in doubt, don’t give information out.
Log off before you walk off from your computer. Never share your password with anyone. Access information on a need to know basis, only to do your job. Dispose of confidential information according to proper procedures.

30 Disciplinary Actions
Mandatory Retraining + Verbal Warning
Written Warning
Revocation of access to the HIPAA Computer Resources
Termination

31 Questions??

