Data Security & Privacy
Practices
Springfield Clinic
HIPAA Review for Students, Job Shadow, and
Residents
Presented by: Privacy & Information Security 2/2019
Training Objectives:
• Overview of HIPAA Privacy and Security
requirements.
• Understanding of Patient Rights under HIPAA.
• Breach prevention and ensuring patient
confidentiality.
• Understanding of your responsibilities as it relates
to patient confidentiality.
HIPAA Overview
• HIPAA: Health Insurance Portability and Accountability Act
• Federal Law enacted in 1996 to standardize electronic health insurance
transactions. Its primary purpose was to reduce the gap in health
insurance coverage occurring with change of employment.
• HIPAA defines how covered entities (Springfield Clinic) can use and
disclose Protected Health Information (PHI).
• HIPAA defines patient rights, as described in the Notice of Privacy
Practices. These rights include:
• Right to receive a copy of the Clinic’s NPP Pamphlet
• Right to access
• Right to request an amendment of health information
• Right to accounting of disclosures
• Right to request privacy restrictions/ confidential communications
• Who to contact to file a complaint
Health Insurance Portability &
Accountability Act
HIPAA Privacy Rule
• Gave patients 6 new civil rights.
• Requires delivery of a Notice of Privacy Practices before the first
service, contractual agreements for privacy between organizations, and
mandatory internal and government reporting with mitigation of violations.
HIPAA Security Rule
• Focuses on the Confidentiality, Integrity, and Availability of
patient-identifiable electronic health and billing information (ePHI).
• Sets organizational requirements and three categories of safeguards:
administrative, physical and technical.
HITECH (2009)
• Expands penalties, requirements, and enforcement capacity.
• Extends the definition and responsibilities of a Business Associate (BA)
to the same level as a Covered Entity (CE).
• Requires proactive HHS auditing of CEs.
• Adds the patient right to restrict disclosures to a health plan for
services the patient has paid for in full out of pocket ("cash
restrictions").
• Requires patient notification within 60 days of discovery of a PHI breach.
• Requires that any breach affecting 500 or more patients be reported to
HHS and to media outlets, in addition to the patients themselves.
• Provides Meaningful Use incentives for providers to adopt electronic
records.
OMNIBUS "Final Rule" (2013)
• Expands requirements for BAs and their subcontractors. Any entity that
creates, receives, maintains or transmits ePHI for a CE is a BA, and the
lack of a BA contract does not prevent the BA designation.
• BAs are directly liable for their own breaches, must provide an
accounting of disclosures if requested, and are subject to audits,
compliance reviews, and enforcement actions by HHS. The CE is required to
audit the compliance of its Business Associates.
• Substantially increases fines, and expands the number and scope of HHS
audits where evidence of willful neglect is found.
• Changes the definitions of "Business Associate" and "breach". A
documented risk assessment is now required for any incident not reported
to HHS on the basis of a low probability that PHI was compromised.
• State Attorneys General may bring civil actions on behalf of their
residents.
• Genetic information is PHI. Decedent information is no longer PHI 50
years after death.
• Patients can ask for records in electronic format, and the CE must
accommodate the request if it is reasonable.
Springfield Clinic: Covered Entity (CE)
Transactions that Define a CE
1. Health care claims or equivalent encounter information
2. Health care payment and remittance advice
3. Coordination of benefits
4. Health care claim status
5. Enrollment and disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization
9. First report of injury
10. Health claims attachments
Note: HHS generally considers all providers, sites, and services within
an Organization or System to be one CE.
Business Associates (BA)
• A Business Associate is a business or individual, outside the Covered
Entity's own workforce, that performs functions or services on behalf of
the Covered Entity involving the use or disclosure of PHI.
• HIPAA requires a written contract (Business Associate Agreement) with
legally specific language that obligates the BA to handle all PHI
according to HIPAA rules, and to bind any subcontractor to the same terms.
• Examples of Business Associates include:
• Answering services
• Claims processing or medical billing companies
• Collection agencies
• Consultant firms/ Law firms
• Document storage or disposal companies
HIPAA Privacy Rule
You may not use or disclose a patient's Protected Health Information (PHI)
without the patient's written authorization, except for Treatment, Payment
and/or Health Care Operations (TPO) and the specific uses and disclosures
the Privacy Rule otherwise permits or requires.
Disclosure Without an Authorization
Contact the Privacy Department for questions
related to disclosures without authorization
Protected Health Information (PHI)
18 PHI Elements Defined by HIPAA
HIPAA Privacy Rule
• HIPAA requires "Minimum Necessary" for most uses, disclosures and
requests of PHI. (Disclosures to, and requests by, a health care provider
for treatment are exempt from the standard.)
• When using, disclosing, or requesting PHI, you must make reasonable
efforts to limit the PHI to the minimum amount necessary to accomplish
the intended purpose.
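The minimum-necessary standard is easiest to enforce when the system, not the person, decides which fields leave the record for a given purpose. The following is an added illustration, not code from the Springfield Clinic deck or its systems: a deny-by-default filter that releases only the fields an allow-list permits for the stated purpose, reports what was withheld, and produces an entry suitable for disclosure records. The purposes, field names, allow-lists and the sample record are all assumptions constructed for the example; a clinic would derive them from its own role and workflow policies.

```python
"""Purpose-based "minimum necessary" filtering of a patient record.

Added example, not the Clinic's code. The purposes, field names and the
allow-lists below are hypothetical; the TREATMENT list releases the full
clinical record because the Privacy Rule exempts treatment disclosures to a
provider from the minimum necessary standard.
"""
from typing import Any, Dict, FrozenSet, List, Tuple

# Hypothetical purposes and the fields each purpose may receive. Anything not
# listed for a purpose is withheld (deny by default).
ALLOWED_FIELDS: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"mrn", "name", "dob", "allergies", "medications",
                            "diagnoses", "clinical_notes"}),
    "billing": frozenset({"mrn", "name", "dob", "insurance_id",
                          "procedure_codes", "diagnoses"}),
    "scheduling": frozenset({"mrn", "name", "dob", "phone"}),
}

# Constructed sample record (fictional patient) for the example.
SAMPLE_RECORD: Dict[str, Any] = {
    "mrn": 1001,
    "name": "Pat Example",
    "dob": "1980-04-12",
    "phone": "555-0100",
    "insurance_id": "INS-77",
    "allergies": ["penicillin"],
    "medications": ["metformin"],
    "diagnoses": ["E11.9"],
    "procedure_codes": ["99213"],
    "clinical_notes": "Follow-up visit; A1c reviewed.",
}


class PurposeNotPermitted(ValueError):
    """Raised when no minimum-necessary policy exists for the purpose."""


def minimum_necessary(record: Dict[str, Any],
                      purpose: str) -> Tuple[Dict[str, Any], List[str]]:
    """Return (released, withheld) for the stated purpose.

    An unknown purpose is refused outright rather than falling back to the
    whole record: a missing policy must never mean "release everything".
    """
    if purpose not in ALLOWED_FIELDS:
        raise PurposeNotPermitted(f"no minimum-necessary policy for {purpose!r}")
    allowed = ALLOWED_FIELDS[purpose]
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return released, withheld


def disclosure_entry(record: Dict[str, Any], purpose: str,
                     recipient: str) -> Dict[str, Any]:
    """Build a log entry recording exactly which fields left the record.

    Keeps the MRN (the patient), the purpose, the recipient and the released
    field names, but not the field values, so the log itself is not a second
    copy of the PHI.
    """
    released, _ = minimum_necessary(record, purpose)
    return {
        "mrn": record["mrn"],
        "purpose": purpose,
        "recipient": recipient,
        "fields_released": sorted(released),
    }


if __name__ == "__main__":
    for purpose in ALLOWED_FIELDS:
        released, withheld = minimum_necessary(SAMPLE_RECORD, purpose)
        print(f"{purpose:11s} released={sorted(released)} withheld={withheld}")
    print(disclosure_entry(SAMPLE_RECORD, "billing", "claims-processor"))
```

Note the two design choices that carry the policy: an unknown purpose raises instead of releasing the record, and the disclosure entry stores field names, not values, so the audit trail does not become another copy of the PHI.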
HIPAA Privacy Rule
Always double-check the DOB before choosing the patient
especially when there are multiple patients with the same name.
Selecting the wrong patient can cause:
• Miscommunications
• Loss of confidence with our patients
• HIPAA violation
• Investigation by the HHS Office for Civil Rights (OCR) with potential
fines to our organization
Breach Prevention
Examples:
• Faxing, handing, mailing the wrong patient information
• Inappropriate access to PHI
• Improper disposal of PHI
• Patient complaint and investigation resulting in a Breach
• Posting patient information on Social Media
• Indexing/Scanning other patient information into another patient’s chart
• Use of unencrypted USB devices/unencrypted e-mails
• Use of devices that have not been approved by Information Security
Breach Notification
• Springfield Clinic is required by law to notify
affected patients of a breach of their health
information.
• Notification must be made without unreasonable delay,
and no later than 60 days from the date that the
Clinic discovered the breach.
• Patients have a right to file a complaint with
the HHS Office for Civil Rights (OCR).
• Failure to notify the patient and/or the
Department of Health & Human Services on time can
result in penalties/ fines.
• HIPAA requires you to report
privacy/security incidents or suspected
violations. Contact the Privacy Office at
ext. 14218.
Sanctions for Privacy Violations
Criminal
• (HIPAA - knowingly obtaining or disclosing PHI;
higher tiers for false pretenses and for
personal gain or malicious harm)
• Fines of up to $50,000 to $250,000 and
imprisonment of up to 1 to 10 years,
depending on the tier.
• Courts are ordering restitution, and
HHS-OIG can exclude the person from
federal health care programs and publish
the exclusion.
Civil
• (HITECH/Omnibus Law
penalties)
• Up to $1.5 million per identical
provision violated per calendar year.
• Federal enforcement has
referred 500+ cases for
prosecution.
Information Security
The following Information Security reminders apply to Residents and
students who have been approved for system access (authorized users).
• Always lock your workstation whenever you leave your work area
• Do not share passwords.
• Your access is monitored regularly. Only access what is required
to perform your duties.
• DO NOT use Clinic applications as personal applications.
• If you have Clinic email, do not open email attachments/ click on
email links unless you are confident of their validity.
Note: Job Shadowing individuals are not
approved for system access to any Clinic
system.
Safeguarding Patient Information
1. Please keep all patient-related conversations out of patient areas. Our
patients perceive a lack of privacy when this happens – even if names
are not used.
2. Do not discuss patient information with anyone outside of your
rotation/ job shadowing experience.
3. Accessing or viewing patient information out of curiosity is a violation of
Clinic Policies, and a violation of the HIPAA Privacy Rule.
4. You are not allowed to copy, transmit or print patient information for
your own use or for your school. Any documentation that you feel you
need to send externally for completion of your duties should be
de-identified by the ROI Services Manager in Health Information
Management (ext. 43742).
5. Texting patient information or using or disclosing patient information
through social media is strictly prohibited!
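"Your access is monitored regularly" (Information Security) and "accessing or viewing patient information out of curiosity is a violation" (item 3 above) describe the same control from two sides: the EHR records every chart view, and someone compares those records against what each trainee was actually assigned. The block below is an added example of that comparison, written for this page and not the Clinic's own monitoring tooling. The audit-log line format, user names, roles, MRNs and the assignment roster are all constructed for the example; in practice the events come from the EHR audit export and the roster from the rotation and encounter tables.

```python
"""Review an EHR chart-access log for accesses outside a trainee's duties.

Added example, not the Clinic's tooling. The log format, users, MRNs and
roster below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed audit export: one chart access per line. The format is assumed.
# The last line is deliberately malformed to show that unparseable rows are
# skipped here (in practice they would go to a reject queue for review).
AUDIT_LOG = """\
2019-02-11T09:14:03 user=res_jdoe role=resident action=chart_view mrn=1001
2019-02-11T09:20:41 user=res_jdoe role=resident action=chart_view mrn=1002
2019-02-11T12:02:17 user=res_jdoe role=resident action=chart_view mrn=2001
2019-02-11T13:45:09 user=stu_amiller role=student action=chart_view mrn=3001
2019-02-11T13:46:02 user=stu_amiller role=student action=chart_view mrn=4004
2019-02-11T14:10:00 user=js_bwong role=job_shadow action=chart_view mrn=1001
## export footer: 6 rows
"""

# Constructed roster: the MRNs each trainee has an encounter with this rotation.
ROSTER: Dict[str, Set[int]] = {
    "res_jdoe": {1001, 1002, 1003},
    "stu_amiller": {3001, 3002, 3003},
}

# Roles that are never granted system access; any access at all is a finding.
NO_ACCESS_ROLES = {"job_shadow"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) mrn=(?P<mrn>\d+)$"
)

Finding = Tuple[str, str, int]  # (rule, user, mrn)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "role": m["role"],
            "action": m["action"],
            "mrn": int(m["mrn"]),
        })
    return events


def review_access(events: List[dict], roster: Dict[str, Set[int]],
                  no_access_roles: Set[str] = NO_ACCESS_ROLES) -> List[Finding]:
    """Flag accesses by roles with no access, and accesses off the roster.

    A user missing from the roster has no assigned patients, so every chart
    they open is outside their duties (deny by default).
    """
    findings: List[Finding] = []
    for e in events:
        if e["role"] in no_access_roles:
            findings.append(("no_access_role", e["user"], e["mrn"]))
            continue
        if e["mrn"] not in roster.get(e["user"], set()):
            findings.append(("outside_roster", e["user"], e["mrn"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per user and rule, for the reviewer's worklist."""
    per_user: Dict[str, Counter] = defaultdict(Counter)
    for rule, user, _mrn in findings:
        per_user[user][rule] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    findings = review_access(parse_log(AUDIT_LOG), ROSTER)
    for rule, user, mrn in findings:
        print(f"{rule:15s} {user:12s} mrn={mrn}")
    print(summarize(findings))
```

Each finding is a lead for the Privacy Office, not a verdict: an off-roster access may have a legitimate explanation (a covering resident, a curbside consult), which is why the review produces a per-user worklist rather than an automatic sanction. The job-shadow rule needs no such judgement, since that role has no approved access to any Clinic system.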
Questions?
Contact Privacy
Phone: ext. 14818
Email: pofficer@springfieldclinic.com
Let's Test Your Knowledge
• Answer each of the following questions.
Click here to access the quiz
• Be sure to click “Submit the Quiz” in order to meet
your training requirement
• Thank you!