HIPAA establishes rules to protect patient privacy and confidentiality. It regulates protected health information (PHI), which is essentially any information about a patient's healthcare, identity, or payment. PHI includes details like names, addresses, medical conditions, and treatments. Healthcare workers can access and use PHI for treatment, payment, and operations, and may disclose it as required by law. However, workers should only access the minimum necessary information needed to do their jobs and must protect electronic PHI, following rules for devices, email, and internet use. Violations of privacy policies can result in penalties.

1. What Every Healthcare
Worker Needs to Know
About HIPAA and Privacy

2. What is HIPAA?
• Health Insurance Portability and Accountability
Act (HIPAA) is broad federal legislation that
includes rules to protect the privacy and confidentiality
of patient information.
• Does not replace existing confidentiality laws
• Establishes a minimum requirement

3. Protected Health
Information
• HIPAA regulates the use and disclosure of what is
known as protected health information or “PHI.”
• PHI is any information that can be used to identify
the past, present, or future healthcare of an individual
or the payment for that care.

4. Protected Health
Information
This is virtually all information about a patient,
whether written on paper, saved on a computer, or
spoken aloud. This includes their:
• Name
• Address
• Age
• Social Security number
• Other personal information
• License plate numbers
• Fax machine numbers

5. HIPAA Confidentiality
HIPAA privacy also protects the following:
• The reason the patient is sick or in the hospital
• The treatments and medication he or she receives
• Caregivers’notes
• Information about past health conditions

6. Use of Protected Health
Information
• In general, a healthcare provider can access and use
PHI without specific patient authorization, if it is to
be used for treatment, payment, or healthcare
operations (TPO).
• Before looking at a patient’s health information,
ask yourself, “Do I need to know this to do my
job?”

7. Use of Protected Health
Information
A healthcare provider can also disclose PHI without
patient authorization as follows:
• As required by law
• Public Health Activities
• Law Enforcement
• Other national priorities - funeral directors, organ
donation, research, prevent a disaster, special
government functions, workers compensation

8. Use of Protected Health
Information
• Minimum Necessary Standard – Always use or
disclose only the Minimum amount of information
necessary to honor the request
• If you are not sure whether you should disclose any
form of PHI, ASK your supervisor, department
compliance representative or the compliance officer
• Once the disclosure is made it’s too late to get it
back.

9. What Every
Healthcare Worker
Needs to Know About
HIPAA Security

10. Use of Electronic Protected Health
Information(ePHI)
49
• HIPAA security rules apply only to ePHI stored,
maintained or transmitted in an electronic format
• ePHI is the same information as PHI; it is anything
that could identify the patient, their medical
condition or method of payment
• Security rules require additional compliance

11. 50
• Workforce members cannot use their computers or
access to review personal or family PHI.
• If you use a laptop, flash drive, PDA or other
storage media, it is your responsibility to:
– Obtain approval before transferring ePHI to a portable
device
– It is your responsibility to protect ALL ePHI from theft
both electronic and physical
Use of Electronic Protected
Health Information (ePHI)

12. Use of Electronic Protected
Health Information (ePHI)
51
• Monitor the use of cellular phones
– information and images (ePHI) can be sent over Internet.
This ePHI is not encrypted
• It is not allowed to send ePHI over the text message
• Use E-mail and Internet access appropriately
– workforce members should remember that e-mails sent to or
from work computers are not considered private. Your
employer may audit e-mail and Internet usage

13. Use of Electronic Protected
Health Information (ePHI)
• HIPAA and PHI says that you should not disclose anything
more specific than the State in which they live
• You may send PHI, ePHI in emails if you are using your
work assigned email, but DO NOT place sensitive
information such as patient name in the Subject field
because the subject field is not encrypted when it
travels over the internet.
52

14. What Does HIPAA
Mean To Me?
53
• Our patients have a right to expect we will keep their information
confidential. This information includes anything that could identify
Or be used to find out the identity of the patient or their medical
condition.
• As employees, volunteers, and physicians, we come in contact
with many forms of patient information. We need to understand
what are acceptable uses of this information.
• Follow the “need to know” rule. Ask yourself “do I need to see
patient information to perform my job”. If the answer is “Yes”, you
have nothing to worry about. If the answer is “no”, STOP.

15. What Does This All Mean
To Me?
• The cafeteria, the elevator or any of the social media sites are notthe
place to discuss the medical condition or other aspects of a patient’s
care.
• Information you have access to must not be the subject of
conversation with family, friends or neighbors.
• The minimum necessary standard needs to be applied to all
disclosures except for treatment purposes, disclosures to the
patient or as required by law.

16. What Does This All Mean
To Me?
• Never send ePHI to anyone unless you have verified who will
receive the information and how the information will be used.
If it doesn’t seem right to you, it probably isn’t.
• Remember follow the “need to know” rule. Ask yourself “do I
need to see patient information to perform my job”.
If the answer is “Yes”, you have nothing to worry about.
If the answer is “no”, STOP.
• Use e-mail and Internet services in the proper manner.

17. What Does This All Mean
To Me?
• Always protect your password. NEVER give your password or
sign-on to anyone.If you think your password or sign-on has
been compromised, notify the Administrator immediately.
• Violations can also result in personal civil penalties of up to
$25,000 per person and criminal penalties of up to $250,000
and/or 10 years in prison.
• Violations of confidentiality and privacy policies can result in
disciplinary action up to and including discharge.

18. What Does This All Mean
To Me?
• If you know of any violation of our existing
confidentiality policies or the Privacy Policy, it is your
obligation to bring the violation to the attention of your
supervisor, Administrator, or Compliance Officer.
Compliance is the responsibility
of every employee!