1. Data Security & Privacy Practices
Springfield Clinic
HIPAA Review for Students, Job Shadow, and Residents
Presented by: Privacy & Information Security 2/2019
2. Training Objectives:
• Overview of HIPAA Privacy and Security requirements.
• Understanding of Patient Rights under HIPAA.
• Breach prevention and ensuring patient confidentiality.
• Understanding of your responsibilities as they relate to patient confidentiality.
3. HIPAA Overview
• HIPAA: Health Insurance Portability and Accountability Act
• Federal law enacted in 1996 to standardize electronic health insurance transactions. Its primary purpose was to reduce the gap in health insurance coverage occurring with change of employment.
• HIPAA defines how covered entities (Springfield Clinic) can use and disclose Protected Health Information (PHI).
• HIPAA defines patient rights, as described in the Notice of Privacy Practices. These rights include:
  • Right to receive a copy of the Clinic’s NPP Pamphlet
  • Right to access
  • Right to request an amendment of health information
  • Right to an accounting of disclosures
  • Right to request privacy restrictions/confidential communications
  • Who to contact to file a complaint
4. Health Insurance Portability & Accountability Act
The HIPAA Privacy Rule gave patients 6 new civil rights. It requires delivery of a Notice of Privacy Practices before the first service, contractual agreements for privacy between organizations, and mandatory internal and government reporting with mitigation of violations.
The HIPAA Security Rule focuses on the Confidentiality, Integrity, and Availability of patient-identifiable electronic health and billing information. There are organizational requirements, and the required safeguards are administrative, physical and technical.
HITECH expands penalties, requirements, and enforcement capacity. It expands the definition and responsibilities of a Business Associate (BA) to the same level as a CE (Covered Entity). It requires HHS proactive auditing of CEs and adds the patient right to Cash Restrictions. It requires patient notification within 60 days of a PHI breach with potential harm, and requires that any breach affecting over 500 patients be reported to HHS, media outlets, and patients. It also provides Meaningful Use incentives for Providers to use electronic records.
OMNIBUS: The “Final Rule” expands requirements for BAs and their subcontractors, increases penalties, and expands HHS audit numbers and audit scope where evidence of willful negligence is found. It brings huge increases in fines. It requires the CE to audit compliance of its Business Associates, and BAs are directly liable for their breaches. It changes the definitions of “Business Associate” and “breach notification”; lack of a BA contract does not prevent the BA designation. State Attorneys General are given a “private right of action” to prosecute on a patient’s behalf (the state gets a percentage). Genetic information is now PHI. Decedent information is no longer PHI 50 years after death. A documented Risk Analysis is now required for incidents not reported to HHS due to a low probability that PHI was “compromised”. Patients can ask for records in electronic format, and the CE must accommodate the request if reasonable. Entities that create, receive, maintain or transmit ePHI for CEs are now BAs. BAs must provide an accounting of disclosures if requested. Business Associates will be subject to audits, compliance reviews, and enforcement actions by HHS.
6. Transactions that Define a CE
1. Health care claims or equivalent encounter information
2. Health care payment and remittance advice
3. Coordination of benefits
4. Health care claim status
5. Enrollment and disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization
9. First report of injury
10. Health claims attachments
Note: HHS generally considers all providers, sites, and services within an Organization or System to be one CE.
7. Business Associates (BA)
• A Business Associate is defined as a business or individual who performs services as part of the workforce of a Covered Entity.
• HIPAA requires written contracts with legally specific language which require the BA to handle all PHI according to HIPAA rules, even when subcontracting.
• Examples of Business Associates include:
  • Answering services
  • Claims processing or medical billing companies
  • Collection agencies
  • Consultant firms/Law firms
  • Document storage or disposal companies
8. HIPAA Privacy Rule
You may not use a patient’s Protected Health Information (PHI) without patient authorization, except for Treatment, Payment and/or Health Care Operations (TPO).
9. Disclosure Without an Authorization
Contact the Privacy Department for questions related to disclosures without authorization.
12. HIPAA Privacy Rule
• HIPAA requires “Minimum Necessary” for every transaction.
• When using, disclosing, or requesting PHI, you must make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the intended purpose.
13. HIPAA Privacy Rule
Always double-check the DOB before choosing the patient, especially when there are multiple patients with the same name. Selecting the wrong patient can cause:
• Miscommunications
• Loss of confidence with our patients
• HIPAA violation
• Investigation by the Office of Civil Rights with potential fines to our organization
14. Breach Prevention
Examples of breaches:
• Faxing, handing, or mailing the wrong patient information
• Inappropriate access to PHI
• Improper disposal of PHI
• Patient complaint and investigation resulting in a breach
• Posting patient information on social media
• Indexing/scanning one patient’s information into another patient’s chart
• Use of unencrypted USB devices or unencrypted e-mails
• Use of devices that have not been approved by Security
15. Breach Notification
• Springfield Clinic is required by law to notify affected patients of a breach of their health information.
• Notification must be no later than 60 days from the date that the Clinic became aware of the incident.
• Patients have a right to file a complaint with the Office of Civil Rights.
• Failure to notify the patient and/or the Department of Health & Human Services in a timely manner can result in penalties/fines.
• HIPAA requires you to report privacy/security incidents or suspected violations. Contact the Privacy Office at ext. 14218.
16. Sanctions for Privacy Violations
Criminal (HIPAA: for personal gain or malicious use)
• 1-5 years in prison and $50,000-$250,000 in fines.
• Courts are requiring restitution and blacklisting the person on the HHS website.
Civil (HITECH/Omnibus Law penalties)
• Up to $1.5 million per type of violation per year.
• Federal enforcement has referred 500+ cases for prosecution.
17. Information Security
The following Information Security reminders apply to Residents or students who have been approved for system access as an authorized user.
• Always lock your workstation whenever you leave your work area.
• Do not share passwords.
• Your access is monitored regularly. Only access what is required to perform your duties.
• DO NOT use Clinic applications as personal applications.
• If you have Clinic email, do not open email attachments or click on email links unless you are confident of their validity.
Note: Job Shadowing individuals are not approved for system access to any Clinic system.
18. Safeguarding Patient Information
1. Please keep all patient-related conversations out of patient areas. Our patients perceive a lack of privacy when this happens – even if names are not used.
2. Do not discuss patient information with anyone outside of your rotation/job shadowing experience.
3. Accessing or viewing patient information out of curiosity is a violation of Clinic Policies and a violation of the HIPAA Privacy Rule.
4. You are not allowed to copy, transmit or print patient information for your own use or for your school. Any documentation that you feel you need to send externally for completion of your duties should be de-identified by the ROI Services Manager in Health Information Management (ext. 43742).
5. Texting patient information or using or disclosing patient information through social media is strictly prohibited!
20. Let’s Test Your Knowledge
• Answer each of the following questions.
• Be sure to click “Submit the Quiz” in order to meet your training requirement.
• Thank you!