HIPAA Training - 2011


Published on

HIPAA Employee Security and Privacy Training for 2011

Published in: Education
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

HIPAA Training - 2011

  1. 1. HIPAA Privacy and Security Training For EmployeesCompliance is Everyone’s Job<br />1<br />INTERNAL USE ONLY<br />
  2. 2. INTERNAL USE ONLY<br />2<br />Topics to Cover<br /><ul><li>General HIPAA Privacy and Security Overview
  3. 3. HIPAA Privacy
  4. 4. ARRA of 2009: HIPAA Breach Notification Rules and Procedures
  5. 5. HIPAA Security
  6. 6. Questions/Acknowledgment of Training</li></li></ul><li>INTERNAL USE ONLY<br />3<br />What is HIPAA?<br />The Health Insurance Portability and Accountability Act (HIPAA) addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers <br />The portions that are important for our purposes are those that deal with protecting the privacy and security of health data, which HIPAA calls Protected Health Information or PHI<br />
  7. 7. INTERNAL USE ONLY<br />4<br />Applicability of HIPAA to UA<br />HIPAA Applies to: <br /><ul><li>University Medical Center
  8. 8. Brewer-Porch Children's Center
  9. 9. The Speech & Hearing Center
  10. 10. Autism Clinic
  11. 11. Departments that have signed Business Associate Agreements
  12. 12. Group Health Insurance/Flexible Spending Plan/EAP
  13. 13. UA Administrative Departments supporting the above entities (like Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA Privacy/Security Officer, etc.)
  14. 14. Research involving PHI from a HIPAA covered entity</li></ul>Does not apply to Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic Dept health records<br />
  15. 15. INTERNAL USE ONLY<br />5<br />What is Protected Health Information (PHI)<br />Any information, transmitted or maintained in any medium, including demographic information;<br />Created/received by covered entity or business associate; <br />Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and <br />Can be used to identify the patient<br />
  16. 16. INTERNAL USE ONLY<br />6<br />Types of Data Protected by HIPAA<br />Written documentation and all paper records<br />Spoken and verbal information including voice mail messages<br />Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device<br />Photographic images<br />Audio and Video<br />
  17. 17. INTERNAL USE ONLY<br />7<br />To De-Identify Patient Information You Must Remove All 18 Identifiers:<br />Names<br />Geographic subdivisions smaller than state (address, city, county, zip)<br />All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age<br />Telephone, fax, SSN#s, VIN, license plate #s<br />Med record #, account #, health plan beneficiary #<br />Certificate/license #s<br />Email address, IP address, URLs<br />Biometric identifiers, including finger & voice prints<br />Device identifiers and serial numbers <br />Full face photographic and comparable images<br />Any other unique identifying #, characteristic, or code<br />
  18. 18. INTERNAL USE ONLY<br />8<br />Department of Justice-Imposed Criminal Penalties for Employee<br />Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison<br />Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison <br />Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison<br /><ul><li>HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities who obtain or disclose PHI without authorization. Now applies to Business Associates</li></li></ul><li>INTERNAL USE ONLY<br />9<br />Federal-Imposed Civil Penalties<br /><ul><li>Tier A: Did not realize violated and would have handled differently:
  19. 19. Minimum per violation: $100 (each name in a data set can be a violation); Maximum per calendar year: $25,000
  20. 20. Tier B: Violations due to reasonable cause, but not willful neglect:
  21. 21. Minimum per violation: $1,000; Maximum per calendar year: $50,000
  22. 22. Tier C: Violations due to willful neglect that organization corrected:
  23. 23. Minimum per violation: $10,000; Maximum per calendar year: $250,000
  24. 24. Tier D: Violations due to willful neglect that organization did not correct
  25. 25. Minimum per violation: $50,000; Maximum per calendar year: $1.5 Million
  26. 26. HHS is now required to investigate and impose civil penalties where violations are due to willful neglect
  27. 27. Feds have 6 yrs from occurrence to initiate civil penalty action
  28. 28. State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations
  29. 29. Civil Penalties now apply to Business Associates</li></li></ul><li>INTERNAL USE ONLY<br />10<br />Top 10 Incidents – out of 278<br />(as of 5/23/2011)<br />
  30. 30. INTERNAL USE ONLY<br />11<br />UA HIPAA Sanctions<br />Employees who do not follow Privacy and Security Policies and related workplace rules and policies are subject to disciplinary action, up to and including dismissal<br />Type of sanction depends on severity of violation, intent, pattern/practice of improper activity, etc.<br />
  31. 31. INTERNAL USE ONLY<br />12<br />HIPAA Permitted Uses and Disclosures of PHI<br />A covered entity can always use and disclose PHI for any purpose if it gets the person’s signed HIPAA-valid authorization<br />Only designated, HIPAA trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization<br />For a complete list of permitted uses and disclosures of PHI, see your entity’s notice of health information practices<br />
  32. 32. INTERNAL USE ONLY<br />13<br />HIPAA Permitted Uses and Disclosures of PHI<br />The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO) which means:<br />PHI may be disclosed to other providers for treatment<br />PHI may be disclosed to other covered entities for payment<br />PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance<br />PHI may be disclosed to individuals involved in a patient’s care or payment for care unless the patient objects<br />
  33. 33. INTERNAL USE ONLY<br />14<br />Minimum Necessary Standard<br />When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure<br />The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:<br />Treatment<br />Purposes for which an authorization is signed<br />Disclosures required by law<br />Sharing information to the patient about himself/herself<br />
  34. 34. INTERNAL USE ONLY<br />15<br />What HIPAA Did Not Change:<br />Family and friends can still pick up prescriptions for sick people<br />Physicians and Nurses do not have to whisper<br />State laws still govern the disclosure of minor’s health information to parents. (a minor is under the age of 19 in Alabama)<br />
  35. 35. INTERNAL USE ONLY<br />16<br />Other Privacy Safeguards<br />Avoid conversations involving PHI in public or common areas such as hallways or elevators<br />Keep documents containing PHI in locked cabinets or locked rooms when not in use<br />During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons<br />Do not leave materials containing PHI on desks or counters, in conference rooms, or in public areas<br />Do not remove PHI in any form from the designated work site unless authorized to do so by management<br />Never take photographs in patient care areas<br />
  36. 36. INTERNAL USE ONLY<br />17<br />Required Forms and Documents Used at UA<br />Notice of Health Information Practices<br />Acknowledgement of Receipt of Notice<br />Confidentiality Statement<br />Authorization for Use or Disclosure of Information<br />Accounting of Disclosures Documentation<br />Business Associate Agreements<br />Fax Coversheet<br />Data Use Agreement<br />
  37. 37. INTERNAL USE ONLY<br />18<br />Business Associate Agreements<br />Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI<br />Binds the third party individual or vendor to the HIPAA regulations when performing the contracted services.<br />Must be approved in accordance with appropriate UA policies and procedures<br />Individual employees are NOT authorized to sign contracts on behalf of UA<br />
  38. 38. INTERNAL USE ONLY<br />19<br />HIPAA Put New Requirements on Research:<br />If you work for a Health Care Provider under HIPAA, do not release PHI for research unless:<br />The patient has signed a valid HIPAA authorization, or<br />The IRB at UA has approved a waiver of authorization; or <br />The IRB agrees that an exception applies.<br />Information regarding HIPAA and Research is available through Office of Research Compliance – Director is Tanta Myles<br />
  39. 39. 20<br />American Recovery and Reinvestment Act of 2009 (ARRA) <br /><ul><li>Expanded privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) </li></ul>One new requirement is that we must notify affected individuals and federal officials when a breach or potential breach of privacy has occurred <br />The next 12 slides discuss our obligation under these rules<br />INTERNAL USE ONLY<br />
  40. 40. 21<br />First Federal Definition of Breach <br />ARRA provides the first federal definition of a Breach:<br />The unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information<br />Exceptions:<br />Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity<br />Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access PHI at the covered entity<br />Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information<br />INTERNAL USE ONLY<br />
  41. 41. 22<br />Secured PHI<br /><ul><li>ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable and that is developed or endorsed by the American National Standards Institute
  42. 42. Therefore, for breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are some “home free” methods under which the loss would indicate no harm done:
  43. 43. Paper-secured by use of crosscut shredder (or destroyed)
  44. 44. Electronic data-encrypted data files and/or transmissions</li></ul>INTERNAL USE ONLY<br />
  45. 45. INTERNAL USE ONLY<br />23<br />Encryption<br />Security Rules require Covered Entity/Business Associate to consider implementing encryption as a method for safeguarding Electronic Protected Health Information (EPHI)<br />If you choose to encrypt, then not required to notify in event of breach<br />
  46. 46. 24<br />What Constitutes a Breach?<br />A breach could result from many activities. Some examples are<br />Failing to log off when leaving a workstation<br />Unauthorized access to PHI<br />Sharing confidential information, including passwords<br />Having patient-related conversations in public settings<br />Improper disposal of confidential materials in any form<br />Copying or removing PHI/ePHI from the appropriate area<br />Why?<br />Curiosity…about a co-worker or friend<br />Laziness…so shared sign-on to information systems<br />Compassion…the desire to help someone<br />Greed or malicious intent…for personal gain<br />INTERNAL USE ONLY<br />
  47. 47. 25<br />Example 1 <br />Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. <br />Was this a breach of PHI?<br />INTERNAL USE ONLY<br />
  48. 48. 26<br />And the answer is…<br />No. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. <br />This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule<br />INTERNAL USE ONLY<br />
  49. 49. 27<br />Example 2<br />Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. <br />Does Rhonda’s action constitute a breach?<br />INTERNAL USE ONLY<br />
  50. 50. 28<br />The answer is…<br />Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity.<br />INTERNAL USE ONLY<br />
  51. 51. 29<br />One more example…<br />Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive. <br />Does this event constitute a breach? <br />INTERNAL USE ONLY<br />
  52. 52. 30<br />The answer is…<br />Yes. Unsecured PHI was stolen because the thumb drive was unencrypted.<br />Actually, Rob violated many UA policies:<br />Removed confidential information from the unit without approval<br />Used his personal portable computing device for UA business without senior management approval<br />Copied confidential information to a portable computing device without senior management approval<br />Used a portable computing device that was not encrypted<br />INTERNAL USE ONLY<br />
  53. 53. 31<br />Breach Notification Regulations<br /><ul><li>If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach</li></ul>Time runs when incident first known or reasonably should have been known (true for Covered Entity and Business Associate)<br /><ul><li>If more than 500 individuals are affected additional requirements include
  54. 54. Immediate notification of the Department of Health and Human Services to post on their website
  55. 55. Notify major media outlets in covered entity area
  56. 56. Post on covered entity website home page for 90 days</li></ul>INTERNAL USE ONLY<br />
  57. 57. 32<br />Responsibility to Report<br /><ul><li>When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together
  58. 58. Immediately; cooperatively; efficiently; carefully; and confidentially
  59. 59. If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately
  60. 60. It is much better to investigate and discover no breach than to wait and later discover that something DID happen</li></ul>INTERNAL USE ONLY<br />
  61. 61. INTERNAL USE ONLY<br />33<br />Security Standards – General Rules<br />HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (ePHI – Electronic Protected Health Information) by and with all facilities<br />Protect against any reasonably anticipated threats or hazards to the security or integrity or such information<br />Protect against any reasonably anticipated uses or disclosures of such information that are not permitted<br />
  62. 62. INTERNAL USE ONLY<br />34<br />Rules for Access<br /><ul><li>Access to computer systems and information is based on your work duties and responsibilities
  63. 63. Access privileges are limited to only the minimum necessary information you need to do your work
  64. 64. Access to an information system does not automatically mean that you are authorized to view or use all the data in that system
  65. 65. Different levels of access for personnel to ePHI is intentional
  66. 66. If job duties change, clearance levels for access to ePHI is re-evaluated
  67. 67. Access is eliminated if employee is terminated
  68. 68. Accessing ePHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions</li></li></ul><li>INTERNAL USE ONLY<br />35<br />Rules for Protecting Information<br />Do not allow unauthorized persons into restricted areas where access to PHI or ePHI could occur<br />Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public<br />Log in with password, log off prior to leaving work area, and do not leave computer unattended<br />Close files not in use/turn over paperwork containing PHI <br />Do not duplicate, transmit, or store PHI without appropriate authorization<br />Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization<br />
  69. 69. INTERNAL USE ONLY<br />36<br />Encryption of ePHI<br />Encryption is generally necessary to protect information outside of the Electronic Medical Records (EMR) system<br />Use of other mobile media for accessing and transporting ePHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires<br />Use of any personally owned laptops, desktops or other mobile devices (non-UA equipment) for accessing ePHI requires appropriate authorization<br />
  70. 70. INTERNAL USE ONLY<br />37<br />Password Management<br /><ul><li>Do not allow coworkers to use your computer without first logging off your user account
  71. 71. Do not share passwords or reuse expired passwords
  72. 72. Use passwords that cannot be easily guessed (B’day, pets, kids)
  73. 73. Choose new passwords when they must be reset
  74. 74. Do not write down passwords that could provide access to ePHI
  75. 75. Change password if you suspect anyone else knows it
  76. 76. Change passwords or delete accounts when employees are transferred or terminated
  77. 77. Pick good passwords – Recommendations for good passwords:
  78. 78. 8 characters long
  79. 79. 3 of 4 data types – Upper, Lower, Numeric and Special Character
  80. 80. Change periodically
  81. 81. Good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example)</li></li></ul><li>INTERNAL USE ONLY<br />38<br />Protection from Malicious Software<br />Malicious software can be thought of as any virus, worm, malware, adware, etc. <br />As a result of an unauthorized infiltration, ePHI and other data can be damaged or destroyed<br />Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus—do not continue using computer until resolved<br />The University provides standard, managed anti virus and other security software<br />Do not disable anti-virus or other security software on individual workstations<br />Any personal devices used for access to ePHI must have appropriate anti virus software <br />Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY <br />
  82. 82. INTERNAL USE ONLY<br />39<br />Use of Technology<br />Use of other mobile media for accessing and transporting ePHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization<br />Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies) <br />Fax of PHI should only be done when the recipient can be reliably identified; Verify fax number and recipient before transmitting<br />No ePHI is permitted to leave facility in any format without prior approval <br />Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI - follow your organization’s email policy for ePHI<br />No ePHI is permitted on any social networking sites (Twitter, Facebook, MySpace, etc.)<br />No ePHI is permitted on any texting or chat platforms (AOL, MSN, cell phones)<br />
  83. 83. INTERNAL USE ONLY<br />40<br />Rules for Disposal of Computer Equipment<br />Only authorized employees should dispose of PHI in accordance with retention policies<br />Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.<br />All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives are responsible for sanitization and destruction methods<br />Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying.<br />“Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media<br />If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction<br />NOTE: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media<br />
  84. 84. INTERNAL USE ONLY<br />41<br />Facility Access Controls<br />Help to monitor the controls we have for Facility Access<br />Sign-in Visitors and Vendors (as required)<br />Insure that locks, card access, or any other physical access controls are working as expected<br />Report any problems or possible problems to your security officer<br />
  85. 85. INTERNAL USE ONLY<br />42<br />Reporting Security Incidents<br /><ul><li>Notify your Security Officer of any unusual or suspicious incident
  86. 86. Security incidents include the following:
  87. 87. Theft of or damage to equipment
  88. 88. Unauthorized use of a password
  89. 89. Unauthorized use of a system
  90. 90. Violations of standards or policy
  91. 91. Computer hacking attempts
  92. 92. Malicious software
  93. 93. Security Weaknesses
  94. 94. Breaches to patient, employee, or student privacy</li></li></ul><li>INTERNAL USE ONLY<br />43<br />Contacts and References <br />Know Your Security and Privacy Officer:<br />Medical Center Privacy/Security Officer is Jan Chaisson<br />Brewer Porch Privacy/Security Officer is Warren Johnson<br />Speech and Hearing Privacy/Security Officer is Becca Brooks<br />Autism Clinic Privacy/Security Officer is Kim Camp<br />UA Group Health Plan/FSA Privacy/Security Officer is Dave Bertanzetti<br />Youth Services Institute Privacy/Security Officer is Karan Singley<br />UA Privacy Officer: Jan Chaisson<br />UA Security Officer: Ashley Ewing<br />Other References<br />Privacy:<br />www.hhs.gov/ocr/hipaa<br />Security:<br />www.cms.hhs.gov/SecurityStandard<br />
  95. 95. INTERNAL USE ONLY<br />44<br />Training Certification<br /><ul><li>Please Complete the Training Acknowledgement Form to Obtain Credit for Completing the Annual Training</li>