Hcc_hipaa hitech training_Basic www.hcctecnologies.com

© 2013 Copyright Health Compliance Consultants, LLC. All rights reserved.
HIPAA / HITECH
PRIVACY AND SECURITY
TRAINING
Health Compliance Consultants

LEGAL STATEMENT
 No Part of this presentation may be
copied or reproduced, modified or
adapted, without the prior written consent
of Health Compliance Consultants, LLC.
 Commercial use and distribution of the
contents of this presentation in not
permitted without express and prior written
consent of Health Compliance
Consultants, LLC.

HIPAA OVERVIEW
Health Information Portability and Accountability Act (HIPAA) - 1996
Administrative
Simplification
Transactions/Code
Sets/Identifiers
(10/16/02-10/16/03)
Privacy
(4/14/2003)
Security
(4/20/2005)
HITECH (2009)
Health Information Technology for
Economic and Clinical Health
Insurance
Reform
Fraud and
Abuse

DO I NEED HIPAA TRAINING?
• All Staff working at [Practice Name] should receive HIPAA (Privacy and
Security training) at the time of hiring, and at least once every year
thereafter.
• HIPAA Training is not job specific and is mandatory for all Staff.
• All staff have to complete the training, attain a passing grade in the training
quiz and submit a completion certificate to Human Resources for record.
• Staff may be required to get additional training if a significant change in
company infrastructure, administrative or operational environment takes
place during the year.

WHAT ARE THE PRIVACY AND
SECURITY CONCERNS
• Theft of Patient Data
• Identity Theft
• Stolen laptop
• Loss of Patient Data
• Incorrect disposal
• USB Drives
• Misuse of Patient Data
• Privacy Breach

SHOULD I BE WORRIED
(SOME REAL LIFE EXAMPLES)
THEFT
• An employee from the Admissions Department at a prestigious NYC
hospital has been accused of stealing and selling information of
nearly 50,000 patients
LOSS
• CVS Caremark Corp. paid $2.25 million to settle allegations that it
dumped credit-card data, Social Security numbers and customer
medical records into garbage containers outside a number of its
stores.
MISUSE
• 27 employees were disciplined for a privacy breach related to the
Octomom. Two were fired, nine were disciplined, and 16 resigned.
The LA Hospital was also fined $250,000.

SOME BASIC HIPAA GUIDELINES
• Provide patients with the Notice of Privacy Practices
• Shred protected health information (PHI)
• Fax patient information utilizing a cover sheet
• Telephone Guidance – leaving messages and caller requests for info
• Verify patient at the time of new registration
• Avoid unintentional disclosure (telephone /privacy screens/ email / mail)
• Report Privacy Breaches & Complaints

DEALING WITH PATIENTS
• Notice of Privacy Practices (NOPP) must be offered to the
patient at the time of their first visit.
On first visit only, not every visit.
Whenever the NOPP is revised / updated.
• Tells patients their specific rights regarding their health
information. This information is included in the NOPP.
• A signed acknowledgement must be placed in the patient’s
medical record, this can be recorded electronically and
inserted directly into the EMR.

WHAT’S IN THE NOPP
• Patients have the right to:
Request restrictions on release of their PHI
Receive confidential communications
Inspect and copy medical records (access)
Request amendment to medical records
Make a complaint
Receive an accounting of any external releases.
Obtain a paper copy of the Notice of Privacy Practices on request

USING OR DISCLOSING PHI
• Written Authorization required to release medical
information
• Physician may share information with referring physician
“patient in common” without an authorization
• Emergency request for medical information should be
documented in the medical record.
• All access to or sharing of PHI must be documented /
recorded in the patient’s medical records.

EMR AND PHI CONSIDERATIONS
• Information Security
• Access, Use and Disclosure
• Release & Disclosure
• Printing Medical Information
• Loss or theft
• Research
• Copies

MEDICAL RECORDS PRIVACY
ISSUES
• Medical Record sent to wrong person
• Medical Record mailed to wrong address
• Medical Record given to wrong person
• Information sent is not consistent with the
authorization signed by patient.

5 IMPORTANT CONSIDERATIONS
REGARDING HIPAA SECURITY
1. Never share your password
2. Assure that you sign out of EMR after use, and lock
you computer screen before leaving your station.
3. Secure (encrypt) portable electronic devices, if
authorized, with patient, financial or research
information.
4. Promptly Report loss or theft of electronic devices
with protected health information and inform
Privacy Officer of improper use/ privacy breach.
5. SS# number should not be used when not required.

PASSWORD SECURITY
• Passwords are like underwear:
• Change them often
• Don’t share with friends
• Be mysterious
• Longer the better
• Don’t leave yours lying around

USE OF PORTABLE STORAGE
HIPAA SECURITY
• Examples: USB thumb drives, external hard drives, SD cards,
CDs/DVDs.
• Use only if authorized.
• All PHI stored on these devices should be encrypted.
• Report immediately if a portable device containing PHI is
misplaced or lost.
• Wipe off PHI before discarding or loaning.

ACCESSING EMRS
HIPAA PRIVACY
• Your access to EMR is recorded and
subject to audit
• Periodic audits are done and
access is monitored
• If you access medical information
without a legitimate business
purpose you will be disciplined
• Do not access the medical records of
friends, family members coworkers or
anyone else.

SECURING DOCUMENTS
CONTAINING PHI
• If you are using Microsoft Office programs and include any PHI in a
document, then make sure you encrypt the file:

EMAIL USAGE
HIPAA SECURITY
E-Mail is like a “postcard.” It may pass through several post
offices and are readable.
• Use secure, encrypted E-Mail software officially provided
to you.
• If you send an attachment with PHI: Encrypt the file
or do not send the attachment via e-mail!
• Do not use individual names, medical record numbers or
account numbers in unencrypted e-mails
• Forwarding or consolidating email with PHI on 3rd party
sites such as Google, Yahoo, or Hotmail is explicitly
prohibited.

USE OF 3RD PARTY CALENDARS FOR
SCHEDULING
• Use of 3rd party online calendars, such as Google
Calendars, leads to the risk of PHI disclosure.
• Do not use these calendar systems for official
purposes.
• Instead…use an internal calendar / scheduling
system built into our EMR application.

WHAT IS PHI?
• With a couple of exceptions, protected health information (PHI) includes
all individually identifiable health information that is transmitted or
maintained in any form or medium. This includes demographic
information that ties the identity of the individual to his or her health
record. Examples are names, addresses, geographic codes smaller than
state, all dates (except year) elements related to the person, telephone
numbers, fax numbers, license numbers, social security numbers, etc. The
information is protected if it can possibly identify the person.
• One notable exception involves disclosures of patient information that
are required by law. For example, we are required by law to report
communicable diseases to the appropriate authorities.

PHI SECURITY - REVISITED
Reminder:
• Only share PHI in accordance with company policies.
• Do not share PHI through unauthenticated websites.
• Do not email PHI unencrypted.
• Do not send PHI through unencrypted channels:
• Examples include FTP, Telnet and HTTP
• Use secure alternatives, such as sFTP , SSH and HTTPS
• Do not store PHI on online storage sites:
• Examples include Dropbox, One Drive, iCloud, Google
Drive, etc.

NOW YOU KNOW HIPAA, BUT
WHAT IS HITECH?
HITECH Act (ARRA): Health Information Technology for Economic and
Clinical Health
• New Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic PHI or ePHI
• Requires immediate notification to the Federal Government if more than
500 individuals effected
• Annual notification if less that 500 individuals effected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties - apply to individual or employee of a covered entity
• Increased Enforcement & Fines for Breaches

INFORMATION SECURITY REVISITED
• Password protect all data and computer workstations
• Dispose off PHI properly
• Keep work area properly secured, no unauthorized person permitted
• Only use officially authorized messaging/email system for communicating
patient information
• Only use officially authorized scheduling/calendar system
• Be wary of visiting unauthorized websites that may introduce viruses,
spam ware and malware to your system
• Do not copy PHI onto portable storage media without proper
authorization and without encryption
• Do not share your password with anyone. It is used to audit your activities.

AND THEN THERE IS OMNI BUS RULE
EFFECTIVE 3/26/2013• Main highlights:
• Business Associates are now Covered Entities, and requires update
Business Associates Agreements.
• Breach Notification standards revised: Each breach evaluated for:
• What information breached
• To whom was the information exposed
• Was the information actually accessed, used or disclosed
• Any mitigation steps required and taken
• Patients right to access PHI revised:
• If patient requests their PHI to be transmitted in an unsecure way,
they should be warned and transmitted as per their request if they
still persist. This applies only to the individual whose PHI is being
transmitted.

NEED MORE INFORMATION
• Contact Company Privacy Security Officer:
• Name:
• Phone:
• Email:
• Mailing Address:

Hcc_hipaa hitech training_Basic www.hcctecnologies.com

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (11)

Similar to Hcc_hipaa hitech training_Basic www.hcctecnologies.com

Similar to Hcc_hipaa hitech training_Basic www.hcctecnologies.com (20)

Recently uploaded

Recently uploaded (20)

Hcc_hipaa hitech training_Basic www.hcctecnologies.com