HIPAA Training – New Staff
December 12, 2018
What is HIPAA?
• Health Insurance Portability and
Accountability Act
• Created to improve efficiency and effectiveness of
healthcare systems by standardizing the electronic
exchange of clinical and administrative data.
• Attempts to improve security in the electronic age.
• Goal is to safeguard the confidentiality of health information
& protect the integrity of health data while ensuring the
availability of care.
• Public Law 104-191 (1996)
• Overseen by Department of Health & Human Services
(HHS) and enforced by Office for Civil Rights (OCR)
• Regulations on:
– Privacy of health information
– Security of health information
– Notification of breaches of confidentiality
– Penalties for violating HIPAA
What is HIPAA?
HITECH
• Health Information Technology for Economic
and Clinical Health Act (HITECH)
• Included in the American Recovery and
Reinvestment Act (ARRA) of 2009
– Contains incentives related to healthcare
technology in general and specific incentives
designed to accelerate the adoption of electronic
health records
– Meaningful Use
– Added “teeth” to HIPAA
HIPAA is constantly changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
– Must be given to all clients
• Business Associate (BA) Agreements
– BAs now just as responsible and accountable
• Policies and Procedures
• Training Requirements
• Audits
Security and Privacy Rules
• According to the Department of Health and Human
Services, the HIPAA Security Rule outlines national
standards designed to protect individuals’ electronic
PHI (ePHI).
• The HIPAA Privacy Rule set a national standard for
the protection of certain health information that
addresses the use and disclosure of PHI and
standards for privacy rights for patients to understand
and control how their health information is used.
Environment
• Physical security: locks on doors and file
cabinets.
• Is there a networked printer or fax machine
that is out in the open?
• Awareness of who is allowed into the area
with PHI.
• How is your computer monitor positioned?
• What paper charts/forms are left out on your
desk?
Think HIPAA’s No Big Deal?
• $2.4 Million plus a
Corrective Action Plan
– Appropriate notice to Law
Enforcement of patient
involved in possible medical
identity fraud
– Inappropriate release of
the story, including the
patient’s identity, in a press
release!
HIPAA: Federal vs State
HIPAA (any provision, requirement,
standard or implementation specification
of HIPAA) shall supersede any contrary
provision of State law,
unless
the state law is more stringent than the
HIPAA requirement.
Covered Entities (CE)
• Health Plans: A plan that provides or pays the
cost of medical care. Includes Medicaid,
Medicare and self-funded plans.
• Providers: A provider of medical or health services
such as SNFs, home health, hospitals, physician
clinics, etc., that transmit in electronic form.
• Clearinghouses: Process health information from
a non-standard content into standard data
elements or to a standard transaction. Examples
are billing services, health information systems.
Business Associates
• Business Associates are entities that
perform services for or on behalf of a CE
involving PHI.
• Must have a Business Associate
Agreement (BAA).
• A CE can be the business associate of
another CE.
Business Associate Agreements
BAAs must contain specific privacy provisions:
– Permitted uses and disclosures of PHI.
– Appropriate safeguards for records.
– How to report unauthorized disclosures to CE.
– PHI available for inspection, amendment, accounting.
– Books and records available for inspection by DHHS.
– Destroy/return PHI at termination of contract.
– Material breach by associate is grounds for termination.
– Require all subcontractor and agents to comply with terms of
BAA.
Protected Health Information (PHI)
PHI is health information collected from an individual,
created or received by a covered entity and
• Relating to the past, present or future physical or mental
health or condition of an individual; or the past, present, or
future payment for the provision of health care to an
individual; and
• That identifies the individual or with respect to which there
is a reasonable basis to believe the information can be
used to identify the individual.
• Can be maintained in an electronic or any other form, and
excludes educational records and employment records.
Examples of Documents with PHI
• Medical charts
• Problem logs
• Photographs and videotapes
• Communications between health care
professionals
• Billing records
• Health plan claims records
• Health insurance policy number
What is Protected by HIPAA?
• Health information protected if it directly or
indirectly identifies an individual
– Direct identifiers: individual’s name, SSN,
driver’s license numbers
– Indirect identifiers: information about an
individual that can be matched with other
available information to identify the individual.
What is Protected by HIPAA?
• If any direct or indirect identifiers are present,
the information is PHI and subject to HIPAA
protection.
• Information can be “de-identified” – but the
Privacy Officer must review to ensure all direct
and indirect identifiers have been properly
removed.
Direct and Indirect Identifiers
1. Name
2. Geographic subdivisions smaller than a State
- Street Address
- City
- County
- Precinct
- Zip Code & their equivalent geocodes,
except for the initial three digits
3. Dates, except year
- Birth date
- Admission date
- Discharge date
- Date of death
4. Telephone numbers
5. Fax number
Direct and Indirect Identifiers
6. E-Mail Address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locations (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable data
18. Any other unique identifying number, characteristic, or code
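The identifier list above doubles as a specification for de-identifying a record: drop the direct identifiers and sub-state geography, reduce dates to the year, and keep only the first three digits of the ZIP code. The Python below is an added example, not part of the training deck; it applies that list to a constructed patient record and also scans free-text notes for embedded SSN, phone, e-mail, IP and URL patterns, which is where identifiers most often slip past field-level rules. The field names, regexes and sample values are assumptions for illustration, not a schema from the page. HHS guidance attaches further conditions (for example, ages over 89 and certain sparsely populated three-digit ZIP areas) that the slide does not list and this example does not implement.

```python
"""Safe Harbor style de-identification of a patient record.

Added example (not from the training deck). Field names, patterns and the
sample record are assumptions chosen to illustrate the slide's identifier list.
"""
import re
from datetime import date

# Fields assumed to hold direct identifiers from the slide's list; they are
# removed outright rather than transformed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state are removed; "state" is kept.
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates are reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that tend to hide inside free text. Order matters:
# URLs go first so their host part is not later taken for an e-mail or IP.
TEXT_PATTERNS = [
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact_text(text):
    """Replace identifier-looking substrings with a bracketed label."""
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def year_only(value):
    """Keep only the year of a date object or date string; None if no year found."""
    if isinstance(value, date):
        return str(value.year)
    match = re.search(r"\b(\d{4})\b", str(value))
    return match.group(1) if match else None


def truncate_zip(value):
    """Keep the initial three digits of a ZIP code; None if there are fewer."""
    digits = re.sub(r"\D", "", str(value))
    return digits[:3] if len(digits) >= 3 else None


def deidentify(record):
    """Return a new record with the slide's identifiers removed or reduced."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS:
            continue
        if field in DATE_FIELDS:
            year = year_only(value)
            if year is not None:
                out[field] = year
            continue
        if field == "zip":
            prefix = truncate_zip(value)
            if prefix is not None:
                out[field] = prefix
            continue
        # Anything else is kept, but free text is scanned for embedded identifiers.
        out[field] = redact_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record with fictitious values, for demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "123-45-6789", "phone": "214-555-0100",
    "email": "jane@example.org", "street": "1 Main St", "city": "Sacramento",
    "county": "Sacramento", "state": "CA", "zip": "95814-1234",
    "birth_date": "1980-04-12", "admission_date": date(2018, 12, 1),
    "discharge_date": "2018-12-05", "mrn": "MRN-0001",
    "diagnosis": "Hypertension", "age": 38,
    "notes": "Patient reached at 214-555-0100, jane@example.org, from 10.0.0.5.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The field-level rules are the easy part; the text scan is what catches the phone number a clinician typed into a progress note. A real pipeline would route anything the scan flags to the Privacy Officer review the slides call for rather than treating the regex output as final.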
Think HIPAA’s No Big Deal?
• Don’t let anyone ‘monkey’
with your computer or
network!
• A physician attempted to
deactivate a personally
owned computer which
opened up a network firewall,
allowing internet access to
PHI
• New York Presbyterian
Hospital & Columbia
University paid $4.8Million
for that failure
How HIPAA Protects PHI
• Limits who may use or disclose PHI.
• Limits the purposes for which PHI may be used
or disclosed.
• Limits the amount of information that may be
used or disclosed (Minimum Necessary rule).
• Requires use of safeguards over how PHI is
used, stored and disclosed.
Who May Use PHI?
• Workforce members trained on HIPAA
privacy.
– You are only given access to PHI if you need
it in order to perform your job.
– You must agree to protect the confidentiality
of the information.
– You are subject to discipline if you violate
CIBHS privacy policies and procedures.
How May PHI Be Used?
• General Rule:
– Workforce members may use or disclose PHI
only for permitted uses without an individual’s
specific written authorization.
Permitted Uses For PHI
• “TPO”
– Treatment
– Payment
– Health care operations
• Specified public policy exceptions (public health and law
enforcement)
• Any other use requires individual written
authorization
Safeguarding PHI
• People consider health information
their most confidential information, and
we must protect it accordingly.
– Do not access PHI that you do not need
– Do not discuss PHI with individuals who do not
need to know it.
– Do not provide PHI to anyone not authorized to
receive it
• Misuse of PHI can result in discipline, legal
penalties and loss of trust.
Value of Medical Information
• Medical information can be worth ten times more than
credit card numbers on the deep web. Fraudsters can
use this data to create fake IDs to buy medical
equipment or drugs, or combine a patient number with a
false provider number and file fictional claims with
insurers.
• Consumers often discover their credentials have been
stolen a long time after fraudsters have used their
personal medical ID to impersonate them and obtain
health services.
Be HIPAA Aware -
Know who’s around you!
• Don’t discuss PHI where you can be
easily overheard.
• Keep discussion of PHI to a minimum.
• Limit PHI on whiteboards, chart
holders, view boxes or limit the ability
to view them.
• Position monitors so others cannot
view them.
HIPAA Hotline 214-456-4444
J Podleski, CCEP, CHRC, CHPC, CHC
Safeguarding PHI
• Follow safe practices for your computer system
ID and password.
– Use strong passwords—see your Privacy
Officer for guidelines.
– Keep your user ID and password confidential
and secure.
– Do not allow anyone else to access the
computer system under your ID!
– Any access that happens under your
credentials belongs to you!
HIPAA Hints
• Papers with PHI should NEVER
go in the trash!
• Do not unnecessarily print or copy
PHI.
• Shredding is the right way to
dispose of them.
• Have an office shredder or take
your papers to the nearest Shred-
It container at least daily!
• Don’t keep papers in another
container – they might end up in
the trash by mistake.
Safeguarding PHI
• Only access electronic PHI from a
workstation approved for HIPAA or PHI
access.
• Only save electronic PHI to a HIPAA-
designated server.
• Do not leave computer station unattended
without locking it first.
• Do not engage in risky practices with
computers used to access PHI
How to be a good HIPAA fairy
• Think about patient
privacy first
• Report unusual activity
to your supervisor and
the Privacy Officer
• Never guess about ‘the
right way’ -- check with
your supervisor or the
Privacy Office
Basic Requirements for CEs
• Notify patients of their rights and how their PHI will
be used.
• Adopt and implement Privacy Policies and
Procedures, including sanctions for violations.
• Train workforce to understand and follow the
P&P’s.
• Designate individuals to be responsible for
compliance.
• Secure PHI so it’s not available to those who don’t
need to know.
• Provide a way for complaints to be made
concerning Privacy violations.
Minimum Necessary Standard
• Role based access
– Assure that individuals only have access to the
information needed to do their job.
• Disclosures
– Disclose only the minimal necessary to meet the
purpose of the disclosure
– Does not apply to disclosures made
• With an authorization
• To a provider for treatment
• To the subject of the information
• To the Secretary of DHHS
• As required by law
• As required to comply with the regulations
Patient Rights under HIPAA
• To see their medical record & obtain a copy
• Request amendments to their medical record
• Request disclosure restrictions
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures
• To authorize disclosures
• Timely notification of any breaches
Breach
Breach Definition
An impermissible use or disclosure under the
Privacy Rule of PHI is presumed to be a breach
unless the covered entity or business associate,
as applicable, demonstrates that there is a low
probability that the PHI has been compromised.
Breaches of more than 500 patient records must
be reported to the news media and are posted
on the Wall of Shame.
Wall of Shame
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Think HIPAA’s No Big Deal?
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following
Largest U.S. Health Data Breach in History
Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil
Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data
breach in history and exposed the electronic protected health information of almost 79 million people.
The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29,
2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted
cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat
attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear
phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened
the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the
cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical
identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an
enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify
and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to
prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
Breach Notification
• Following a breach of unsecured PHI, notification must be
provided to the affected individual, the Secretary of DHHS,
and in certain circumstances, to the media.
• Breach is based on risk assessment.
• Business Associates must notify the Covered Entity of a
breach.
• Provided without unreasonable delay, no later than 60 days
following the discovery of the breach.
– CA requires a 15-day maximum
• If you believe a HIPAA breach has occurred, you should
immediately report it to the Privacy Officer and your
supervisor.
OCR Enforcement Highlights
(As of May 2017)
• Number of complaints – 156,874
• Resolved – 154,777 (98%)
• Complaints Investigated – 36,423
• No violations – 11,256
• Referred to DOJ – 620
• Ineligible for OCR enforcement – 96,807
Why should we care about the
HIPAA rules?
CIBHS
• Disciplinary action up to and including termination of
employment
Civil Penalties
• Up to $1.5 million per year per violation
Criminal Penalties
• Up to $250,000, imprisonment of up to ten years, or both
Penalty Descriptions
• HIPAA Violation: Individual did not know (and by exercising
reasonable diligence would not have known)
that he/she violated HIPAA
– Minimum Penalty: $100 per violation, with an annual maximum
of $25,000 for repeat violations (Note:
maximum that can be imposed by State
Attorneys General regardless of the type of
violation)
– Maximum Penalty: $50,000 per violation, with an annual
maximum of $1.5 million
• HIPAA Violation: Violation due to reasonable cause and
not due to willful neglect
– Minimum Penalty: $1,000 per violation, with an annual
maximum of $100,000 for repeat violations
– Maximum Penalty: $50,000 per violation, with an annual
maximum of $1.5 million
• HIPAA Violation: Violation due to willful neglect but
violation is corrected within the required
time period
– Minimum Penalty: $10,000 per violation, with an annual
maximum of $250,000 for repeat violations
– Maximum Penalty: $50,000 per violation, with an annual
maximum of $1.5 million
• HIPAA Violation: Violation is due to willful neglect and
is not corrected
– Minimum Penalty: $50,000 per violation, with an annual
maximum of $1.5 million
– Maximum Penalty: $50,000 per violation, with an annual
maximum of $1.5 million
42 CFR Part 2
• 42 CFR Part 2 is the set of federal regulations governing
the confidentiality of drug and alcohol abuse
treatment and prevention records.
• Privacy protections afforded to alcohol and drug
abuse patient records.
• Motivated by the understanding that stigma and fear
of prosecution might dissuade persons from seeking
treatment.
https://www.ecfr.gov/cgi-bin/text-idx?SID=0f9b2a146b539944f00b5ec90117d296&mc=true&node=pt42.1.2&rgn=div5
Who is Covered?
• 42 CFR Part 2 applies to any individual or
entity that is federally assisted and
provides alcohol or drug abuse treatment
or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and
clinical licenses that are at the federal
level (DEA license)
Regulations
• Restrict the disclosure and use of alcohol
and drug client records
• Any information disclosed by a covered
program that “would identify a patient as
an alcohol or drug abuser”
• With limited exceptions, 42 CFR Part 2
requires client consent for disclosures of
PHI even for the purposes of TPO.
• Consent must be in writing
Written Consent
The primary way in which patient substance abuse
information may be disclosed is with a patient’s
written consent. Substance abuse programs and
providers must give patients a written summary of
the federal laws and regulations that protect the
confidentiality of patient substance abuse records
and a description of the circumstances when the
patient’s information may be disclosed without
his/her consent.
Consent Forms
For all other disclosures,
consent must be obtained
using a written consent form.
A single consent form may
authorize disclosure to
multiple parties or for multiple
purposes. Consent forms
must contain specific
elements (see right column).
• Patient name
• Agency making the disclosure
• Name of the person or agency to
which the disclosure is made
• Nature and amount of information to be
disclosed (minimum necessary)
• Purpose of the disclosure (as specific as
possible)
• Effective and expiration dates and the event
or condition upon which the consent
expires
• Language explaining the consent
process, which may include a statement
about possible denial of services if not
signed for purposes of treatment,
payment or healthcare operations
• Signatures of the client or authorized
representative, with a description of the
authority to sign on the client’s behalf
Exceptions - Always work with the
Privacy Officer
• Program Communications
• To communicate with
Qualified Service
Organizations (QSO)
– Similar to other covered entities
or business associates
• Medical Emergencies
• Response to a crime against
program personnel or on
program premises
• Research activities
(approved by IRB)
• Audit and Evaluation
• Report suspected child
abuse or neglect
• Circumstances
involving certain minors
or incompetent patients
• Response to a valid
court order
• Cause of death
HIPAA and 42 CFR Part 2
• Substance use programs must comply with both
HIPAA 45 CFR and 42 CFR Part 2.
• If there is a conflict, the more stringent rule
applies.
• Addiction treatment providers fall under the
more stringent laws of 42 CFR, Part 2, in most
cases.
Policies and Procedures
• Must be current and reference 45 CFR for
both privacy and security
• Agency must have an interconnected set
of policies, plans, procedures and security
roles assigned so that the end result is a
secure, compliant and auditable
environment
Please complete the survey!
iPhone or iPad:
1. Open up the camera app on your iPhone or iPad
2. Hold the device’s camera up to the QR code
3. No need to hit the shutter button; your iOS device will automatically recognize the QR code
4. Click the pop-up window that appears and complete the survey
5. Make sure you have mobile signal or you’re connected to Wi-Fi
Android:
For Android devices you will need to have a QR code reader app installed on your phone. You can also type the link below into your browser and complete the survey.

YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
 
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
“Exploring the world: One page turn at a time.” World Book and Copyright Day ...
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.
 
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
Premium Call Girls Btm Layout - 7001305949 Escorts Service with Real Photos a...
 
Goa Escorts WhatsApp Number South Goa Call Girl … 8588052666…
Goa Escorts WhatsApp Number South Goa Call Girl … 8588052666…Goa Escorts WhatsApp Number South Goa Call Girl … 8588052666…
Goa Escorts WhatsApp Number South Goa Call Girl … 8588052666…
 
Club of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological CivilizationClub of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological Civilization
 
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With RoomVIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
 
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...
 
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
 
13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024
 
Call Girls Connaught Place Delhi reach out to us at ☎ 9711199012
Call Girls Connaught Place Delhi reach out to us at ☎ 9711199012Call Girls Connaught Place Delhi reach out to us at ☎ 9711199012
Call Girls Connaught Place Delhi reach out to us at ☎ 9711199012
 
The Federal Budget and Health Care Policy
The Federal Budget and Health Care PolicyThe Federal Budget and Health Care Policy
The Federal Budget and Health Care Policy
 
Model Town (Delhi) 9953330565 Escorts, Call Girls Services
Model Town (Delhi)  9953330565 Escorts, Call Girls ServicesModel Town (Delhi)  9953330565 Escorts, Call Girls Services
Model Town (Delhi) 9953330565 Escorts, Call Girls Services
 
How the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersHow the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists Lawmakers
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
 
Start Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnoolStart Donating your Old Clothes to Poor People kurnool
Start Donating your Old Clothes to Poor People kurnool
 

Hipaa training new_staff_december 2018 - compatibility mode

HIPAA Training – New Staff
December 12, 2018

What is HIPAA?
• Health Insurance Portability and Accountability Act
• Created to improve the efficiency and effectiveness of healthcare systems by standardizing the electronic exchange of clinical and administrative data.
• Attempts to improve security in the electronic age.
• Goal is to safeguard the confidentiality of health information and protect the integrity of health data while ensuring the availability of care.
What is HIPAA? (continued)
• Public Law 104-191 (1996)
• Overseen by the Department of Health & Human Services (HHS) and enforced by the Office for Civil Rights (OCR)
• Regulations on:
  – Privacy of health information
  – Security of health information
  – Notification of breaches of confidentiality
  – Penalties for violating HIPAA

HITECH
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Included in the American Recovery and Reinvestment Act (ARRA) of 2009
  – Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records
  – Meaningful Use
  – Added "teeth" to HIPAA
HIPAA is constantly changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
  – Must be given to all clients
• Business Associate (BA) Agreements
  – BAs are now just as responsible and accountable as covered entities
• Policies and Procedures
• Training Requirements
• Audits

Security and Privacy Rules
• According to the Department of Health and Human Services, the HIPAA Security Rule sets national standards designed to protect individuals' electronic PHI (ePHI).
• The HIPAA Privacy Rule sets a national standard for the protection of certain health information. It addresses the use and disclosure of PHI and establishes privacy rights that let patients understand and control how their health information is used.
Environment
• Physical security: locks on doors and file cabinets.
• Is there a networked printer or fax machine that is out in the open?
• Awareness of who is allowed into the area with PHI.
• How is your computer monitor positioned?
• What paper charts/forms are left out on your desk?

Think HIPAA's No Big Deal?
• $2.4 million plus a Corrective Action Plan
  – Notice to law enforcement about a patient involved in possible medical identity fraud was appropriate
  – Releasing the story, including the patient's identity, in a press release was not!
HIPAA: Federal vs. State
HIPAA (any provision, requirement, standard or implementation specification of HIPAA) shall supersede any contrary provision of State law, unless the State law is more stringent than the HIPAA requirement.

Covered Entities (CE)
• Health Plans: A plan that provides or pays the cost of medical care. Includes Medicaid, Medicare and self-funded plans.
• Providers: A provider of medical or health services, such as SNFs, home health, hospitals, physician clinics, etc., that transmits health information in electronic form in connection with a HIPAA standard transaction.
• Clearinghouses: Process health information from non-standard content into standard data elements or a standard transaction. Examples are billing services and health information systems.
Business Associates
• Business Associates are entities that perform services for or on behalf of a CE involving PHI.
• Must have a Business Associate Agreement (BAA).
• A CE can be the business associate of another CE.

Business Associate Agreements
BAAs must contain specific privacy provisions:
– Permitted uses and disclosures of PHI.
– Appropriate safeguards for records.
– How to report unauthorized disclosures to the CE.
– PHI available for inspection, amendment and accounting.
– Books and records available for inspection by DHHS.
– Destroy/return PHI at termination of the contract.
– Material breach by the associate is grounds for termination.
– Require all subcontractors and agents to comply with the terms of the BAA.
Protected Health Information (PHI)
PHI is health information collected from an individual, created or received by a covered entity, and
• Relating to the past, present or future physical or mental health or condition of an individual, or the past, present or future payment for the provision of health care to an individual; and
• That identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• Can be maintained in electronic or any other form, and excludes educational records and employment records.

Examples of Documents with PHI
• Medical charts
• Problem logs
• Photographs and videotapes
• Communications between health care professionals
• Billing records
• Health plan claims records
• Health insurance policy number
What is Protected by HIPAA?
• Health information is protected if it directly or indirectly identifies an individual
  – Direct identifiers: the individual's name, SSN, driver's license number
  – Indirect identifiers: information about an individual that can be matched with other available information to identify the individual

What is Protected by HIPAA? (continued)
• If any direct or indirect identifiers are present, the information is PHI and subject to HIPAA protection.
• Information can be "de-identified", but the Privacy Officer must review it to ensure all direct and indirect identifiers have been properly removed.
Direct and Indirect Identifiers
1. Names
2. Geographic subdivisions smaller than a State: street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code
3. Dates (except year) directly related to an individual: birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic or code
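The list above is the HIPAA Safe Harbor method: strip the eighteen identifier categories, keep only the year of any date, and keep only the first three digits of a ZIP code. The Python below, added here as an illustration and not part of the training deck or of CIBHS's own tooling, applies those rules to a constructed patient record and then runs the "has everything been removed?" check the Privacy Officer performs. The field names, the free-text regexes and the sample record are assumptions made for the example. Two rules from the Safe Harbor regulation text that the slide does not spell out are included and marked in comments: a three-digit ZIP prefix covering 20,000 or fewer people becomes 000, and any age over 89 (with the birth year that would reveal it) is collapsed into a single "90 or older" category.

```python
import re
from datetime import date

# Record fields that fall under Safe Harbor items 1-2 and 4-17 and are removed outright.
# The field names are assumptions for this example, not a schema from the slides.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "precinct",             # items 1-2
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",            # items 4-9
    "account_number", "license_number", "vehicle_id", "device_serial",  # items 10-13
    "url", "ip_address", "biometric", "photo",                          # items 14-17
}
# Item 3: dates directly related to the individual are reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Item 2 exception: a ZIP keeps its first three digits unless that three-digit area holds
# 20,000 or fewer people, in which case it becomes 000 (45 CFR 164.514(b)(2)(i)(B)).
# This is the 2000-Census list from HHS's de-identification guidance; it is not on the
# slides, so confirm it against the current list before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Item 18 catch-all for free-text fields: patterns that are, or usually embed, identifiers.
# These are heuristics chosen for the example; names in prose still need a human reviewer.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"), "[DATE]"),
]


def safe_harbor_zip(zip_code: str) -> str:
    """Reduce a ZIP (or ZIP+4) to the Safe Harbor three-digit prefix, or to 000."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with bracketed tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`; the input is not modified."""
    out = {}
    age = None
    birth = record.get("birth_date")
    if birth:
        ref = record.get("death_date") or as_of
        age = ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            # Ages over 89, and any date element (year included) that would reveal one,
            # are aggregated into a single "90 or older" bucket (164.514(b)(2)(i)(C)).
            if key == "birth_date" and age is not None and age > 89:
                continue
            out[key[:-5] + "_year"] = value.year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


def residual_identifiers(record: dict) -> list:
    """Review check: fields that are still an identifier or still look like they embed one."""
    return [key for key, value in record.items()
            if key in DROP_FIELDS
            or (isinstance(value, str) and any(p.search(value) for p, _ in FREE_TEXT_PATTERNS))]


# Constructed sample records; every value is fictitious. AS_OF is the date of the training.
AS_OF = date(2018, 12, 12)
SAMPLE = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Sacramento",
    "zip": "95814-1234",
    "birth_date": date(1927, 3, 15),      # age 91 on AS_OF: exercises the 90+ rule
    "admission_date": date(2018, 11, 2),
    "discharge_date": date(2018, 11, 9),
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient called from 916-555-0100; follow-up 11/20/2018 with jsample@example.com.",
}
SAMPLE_UNDER_90 = dict(SAMPLE, birth_date=date(1950, 6, 1))

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, AS_OF)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Running it on SAMPLE drops the name, address, SSN and MRN, keeps "958" of the ZIP and the admission and discharge years, and replaces the phone number, date and e-mail address inside the free-text note with tokens. Because the patient is 91, the birth year is dropped as well and the age is reported only as "90+". `residual_identifiers` is the mechanical half of the review the slide assigns to the Privacy Officer: it flags anything still present or still matching a pattern, but it cannot recognise a name written in prose, which is why the human review stays in the process.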
Think HIPAA's No Big Deal?
• Don't let anyone 'monkey' with your computer or network!
• A physician attempted to deactivate a personally owned computer on the network, which opened up a network firewall and allowed internet access to PHI
• New York Presbyterian Hospital & Columbia University paid $4.8 million for that failure

How HIPAA Protects PHI
• Limits who may use or disclose PHI.
• Limits the purposes for which PHI may be used or disclosed.
• Limits the amount of information that may be used or disclosed (Minimum Necessary rule).
• Requires safeguards over how PHI is used, stored and disclosed.
Who May Use PHI?
• Workforce members trained on HIPAA privacy.
  – You are only given access to PHI if you need it in order to perform your job.
  – You must agree to protect the confidentiality of the information.
  – You are subject to discipline if you violate CIBHS privacy policies and procedures.

How May PHI Be Used?
• General Rule:
  – Without an individual's specific written authorization, workforce members may use or disclose PHI only for permitted uses.
Permitted Uses for PHI
• "TPO"
  – Treatment
  – Payment
  – Health care operations
• Specified public policy exceptions (public health and law enforcement)
• Any other use requires the individual's written authorization

Safeguarding PHI
• People consider health information their most confidential information, and we must protect it accordingly.
  – Do not access PHI that you do not need.
  – Do not discuss PHI with individuals who do not need to know it.
  – Do not provide PHI to anyone not authorized to receive it.
• Misuse of PHI can result in discipline, legal penalties and loss of trust.
Value of Medical Information
• Medical information can be worth ten times more than credit card numbers on the deep web. Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictitious claims with insurers.
• Consumers often discover their credentials have been stolen long after fraudsters have used their medical ID to impersonate them and obtain health services.

Be HIPAA Aware – Know who's around you!
• Don't discuss PHI where you can be easily overheard.
• Keep discussion of PHI to a minimum.
• Limit PHI on whiteboards, chart holders and view boxes, or limit the ability to view them.
• Position monitors so others cannot view them.

HIPAA Hotline 214-456-4444
J Podleski, CCEP, CHRC, CHPC, CHC
Safeguarding PHI
• Follow safe practices for your computer system ID and password.
  – Use strong passwords; see your Privacy Officer for guidelines.
  – Keep your user ID and password confidential and secure.
  – Do not allow anyone else to access the computer system under your ID!
  – Any access that happens under your credentials belongs to you!

HIPAA Hints
• Papers with PHI should NEVER go in the trash!
• Do not unnecessarily print or copy PHI.
• Shredding is the right way to dispose of them.
• Have an office shredder or take your papers to the nearest Shred-It container at least daily!
• Don't keep papers in another container; they might end up in the trash by mistake.
Safeguarding PHI
• Only access electronic PHI from a workstation approved for HIPAA or PHI access.
• Only save electronic PHI to a HIPAA-designated server.
• Do not leave your computer station unattended without locking it first.
• Do not engage in risky practices with computers used to access PHI.

How to be a good HIPAA fairy
• Think about patient privacy first
• Report unusual activity to your supervisor and the Privacy Officer
• Never guess about 'the right way'; check with your supervisor or the Privacy Office
Basic Requirements for CEs
• Notify patients of their rights and how their PHI will be used.
• Adopt and implement Privacy Policies and Procedures, including sanctions for violations.
• Train the workforce to understand and follow the P&Ps.
• Designate individuals to be responsible for compliance.
• Secure PHI so it is not available to those who don't need to know.
• Provide a way for complaints to be made concerning privacy violations.

Minimum Necessary Standard
• Role-based access
  – Assure that individuals only have access to the information needed to do their job.
• Disclosures
  – Disclose only the minimum necessary to meet the purpose of the disclosure.
  – Does not apply to disclosures made:
    • With an authorization
    • To a provider for treatment
    • To the subject of the information
    • To the Secretary of DHHS
    • As required by law
    • As required to comply with the regulations
Patient Rights under HIPAA
• To see their medical record and obtain a copy
• To request amendments to their medical record
• To request disclosure restrictions
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures
• To authorize disclosures
• Timely notification of any breaches

Breach
Breach Definition: An impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.
Breaches affecting 500 or more individuals are posted on OCR's breach portal (the "Wall of Shame"); when more than 500 residents of a State or jurisdiction are affected, prominent news media serving that area must also be notified.
Wall of Shame
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Think HIPAA's No Big Deal?
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, it discovered cyber-attackers had gained access to its IT system via an undetected, continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing its breach report, Anthem discovered the cyber-attackers had infiltrated its system through spear-phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR's investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.

In addition to the impermissible disclosure of ePHI, OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
Breach Notification
• Following a breach of unsecured PHI, notification must be provided to the affected individuals, the Secretary of DHHS and, in certain circumstances, the media.
• Whether an incident is a reportable breach is determined by a risk assessment.
• Business Associates must notify the Covered Entity of a breach.
• Notice must be provided without unreasonable delay, and no later than 60 days following discovery of the breach.
  – CA requires a 15-day maximum
• If you believe a HIPAA breach has occurred, immediately report it to the Privacy Officer and your supervisor.

OCR Enforcement Highlights (as of May 2017)
• Number of complaints: 156,874
• Resolved: 154,777 (98%)
• Complaints investigated: 36,423
• No violations: 11,256
• Referred to DOJ: 620
• Ineligible for OCR enforcement: 96,807
Why should we care about the HIPAA rules?
• CIBHS: Disciplinary action up to and including termination of employment
• Civil penalties: Up to $1.5 million per year for violations of an identical provision
• Criminal penalties: Up to $250,000, imprisonment of up to ten years, or both

Penalty Descriptions
1. The individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  – Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: the maximum that can be imposed by State Attorneys General regardless of the type of violation)
  – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
2. Violation due to reasonable cause and not due to willful neglect
  – Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
3. Violation due to willful neglect, but corrected within the required time period
  – Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
4. Violation due to willful neglect and not corrected
  – Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
42 CFR Part 2
• 42 CFR Part 2 is the set of federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records.
• Privacy protections afforded to alcohol and drug abuse patient records.
• Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment.
https://www.ecfr.gov/cgi-bin/text-idx?SID=0f9b2a146b539944f00b5ec90117d296&mc=true&node=pt42.1.2&rgn=div5
Who is Covered?
• 42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)

Regulations
• Restrict the disclosure and use of alcohol and drug client records
• Cover any information disclosed by a covered program that "would identify a patient as an alcohol or drug abuser"
• With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO.
• Consent must be in writing
Written Consent
The primary way in which patient substance abuse information may be disclosed is with the patient's written consent.
Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records, and a description of the circumstances in which the patient's information may be disclosed without his/her consent.

Consent Forms
For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain these specific elements:
• Patient name
• Agency making the disclosure
• Name of the person or agency to which the disclosure is made
• Nature and amount of information to be disclosed (minimum necessary)
• Purpose of the disclosure (as specific as possible)
• Effective and expiration dates, or the event or condition upon which the consent expires
• Language explaining the consent process, which may include a statement about possible denial of services if the form is not signed for purposes of treatment, payment or healthcare operations
• Signatures of the client and/or authorized representative, with a description of the authority to sign on the client's behalf
Exceptions – Always work with the Privacy Officer
• Program communications
• Communications with Qualified Service Organizations (QSOs)
  – Similar to other covered entities or business associates
• Medical emergencies
• Response to a crime against program personnel or on program premises
• Research activities (approved by an IRB)
• Audit and evaluation
• Reporting suspected child abuse or neglect
• Circumstances involving certain minors or incompetent patients
• Response to a valid court order
• Cause of death

HIPAA and 42 CFR Part 2
• Substance use programs must comply with both HIPAA (45 CFR) and 42 CFR Part 2.
• If there is a conflict, the more stringent rule applies.
• Addiction treatment providers fall under the more stringent rules of 42 CFR Part 2 in most cases.
Policies and Procedures
• Must be current and reference 45 CFR for both privacy and security
• The agency must have an interconnected set of policies, plans, procedures and assigned security roles so that the end result is a secure, compliant and auditable environment
Please complete the survey!
iPhone or iPad:
1. Open the Camera app on your iPhone or iPad
2. Hold the device's camera up to the QR code
3. No need to hit the shutter button; your iOS device will automatically recognize the QR code
4. Tap the pop-up that appears and complete the survey
5. Make sure you have mobile signal or are connected to Wi-Fi
Android: Android devices need a QR code reader app installed on the phone. You can also type the link below into your browser and complete the survey.