HIPAA Compliance
1. OBJECTIVES
๏ What is HIPAA?
๏ What is the Company’s responsibility? What is YOUR responsibility?
๏ What information should be protected?
๏ What can we, as a TEAM, do to ensure patient health information is protected?
๏ What is the organization’s policy for a violation?
2. WHAT IS HIPAA?
๏ The HIPAA Privacy Rule provides federal protection for personal health
information held by covered entities and gives patients an array of rights, with
respect to that information. At the same time, the Privacy Rule is balanced so
that it permits the disclosure of personal health information needed for patient
care and other important purposes. (www.hhs.gov)
๏ The Security Rule specifies a series of administrative, physical, and technical
safeguards for covered entities to use to assure the confidentiality, integrity, and
availability of electronic protected health information. (www.hhs.gov)
3. WHO ENSURES HIPAA
๏ Doctors, nurses, and all allied healthcare staff
๏ Hospitals, clinics, pharmacies and nursing homes
๏ Health insurance companies
๏ Health maintenance organizations (HMOs)
๏ Employer group health plans
๏ Government programs that pay for healthcare, such as Medicare and Medicaid.
๏ The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects
the privacy of individually identifiable health information; the HIPAA Security
Rule, which sets national standards for the security of electronic protected
health information; and the confidentiality provisions of the Patient Safety Rule,
which protects identifiable information being used to analyze patient safety
4. HOW HIPAA RELATES TO US
๏ As an organization, it is our corporate social responsibility to ensure that we
protect patient health information.
๏ How do we accomplish this as an organization?
๏ Ensure that our company website is secure
๏ Educate all of our employees through annual competencies
๏ Have an open-door policy for reporting any incident that might be a
HIPAA violation
๏ Have a toll-free reporting line, available 24/7, for anonymous reporting
๏ Have a non-retaliatory policy for reporting, in case there is a
misunderstanding
5. HOW HIPAA RELATES TO YOU
๏ As a clinician, what can you do to make sure that you are protecting patient
health information?
๏ Don’t talk out loud about patients, especially in public areas, like the
cafeteria, elevator, bathroom, etc., where someone can overhear confidential
patient information.
๏ ALWAYS log off your computer when you leave it.
๏ Don’t share your passwords with anyone
๏ Call IT if you have lost or forgotten your password
๏ All emails that contain PHI must automatically be encrypted for security
๏ Report any and all suspicious activity
6. RESPONSIBILITY
๏ Everyone who has access to patient health information is responsible for ensuring that
we comply with the law: clinicians, allied healthcare workers, cashiers, medical
records employees, medical assistants, etc. EVERYONE
๏ The organization is responsible for ensuring that we educate, empower and audit any
reported incidents.
๏ The organization is responsible for ensuring that the website, email and any PHI are
held on a secured site and protected against hackers and malicious attacks
from inside or outside of the company.
7. WHAT IS PHI?
๏ Protected Health Information, or PHI: The Privacy Rule protects all "individually
identifiable health information" held or transmitted by a covered entity or its
business associate, in any form or media, whether electronic, paper, or oral. The
Privacy Rule calls this information "protected health information (PHI)."
๏ "Individually identifiable health information" is information, including demographic
data, that relates to:
๏ An individual’s past, present or future physical or mental health or condition,
๏ The provision of health care to the individual, or
๏ The past, present, or future payment for the provision of health care to the
individual
8. WHAT IS PHI? (CONT)
๏ Anything that identifies the individual or for which there is a reasonable basis to
believe can be used to identify the individual. Individually identifiable health
information includes many common identifiers (e.g., name, address, birth date,
Social Security Number).
๏ The Privacy Rule excludes from protected health information, employment records
that a covered entity maintains in its capacity as an employer and education and/or
certain other records subject to, or defined in, the Family Educational Rights and
Privacy Act, 20 U.S.C. §1232g. (U.S. Department of Health & Human Services, 2003,
pp.3-4)
9. HOW DO WE ENSURE
๏ The organization has done everything it can in order to be compliant.
๏ We have policies and procedures in place
๏ Pamphlets and brochures are provided to educate patients and employees as to
their rights
๏ We have annual training as part of our annual competencies
๏ HIPAA information is available 24/7 on the intranet
๏ We have a Compliance Officer to handle questions or concerns
๏ Each employee has their own password and restricted access to PHI
๏ All computers and instruments that carry PHI are tracked 24/7
10. HOW DO WE ENSURE
๏ The organization has done everything it can in order to be compliant.
๏ We have a toll-free number available for reporting 24/7
๏ We have a non-retaliation policy
๏ A HIPAA consent form is mandatory for any PHI to be released to a third party
๏ Automatic log out and data save for computers that are idle
11. ZERO TOLERANCE
๏ The company takes HIPAA very seriously. All practitioners are to
access PHI only if they have direct patient contact. We have a computer alert for all
practitioners, and they must acknowledge that they are in direct contact with that
patient before access is granted. Violation of the HIPAA rules is grounds for
immediate termination. No exceptions.
๏ The organization wants to express the seriousness of this issue. We want to make
sure that we communicate our expectations.
12. REFERENCES
U.S. Department of Health & Human Services. (2003). OCR privacy brief:
Summary of the HIPAA privacy rule.
Center for Medicare and Medicaid Services. (2009). HIPAA compliance review
analysis and summary of results.