1) The training focused on HIPAA privacy and security regulations for UCLA hospital employees and covered topics such as protected health information, patient rights, privacy, and documentation. 2) Federal law requires covered entities to provide training to all workforce members on privacy policies and procedures. 3) UCLA hospital must ensure unique user identities for employees, provide ongoing privacy and security updates, and document all training compliance for auditing purposes.

1. Confidentiality Training
Trainer: Mercy William
3/5/15

2. Confidentiality Training
Problems:
• Over 120 UCLA Hospital staff saw celebrity
health records
• Some employees are in the habit of viewing
patients’ medical records without reason

3. Federal Requirements
HIPAA Privacy Rule
Section 164.530 of the HIPAA privacy rule states:
“A covered entity must train all members of its
work force on the policies and procedures with
respect to PHI required by this subpart, as
necessary the work force to carry out their function
within the covered entity.”

4. Training Focus
The focus of this training will be on HIPAA Privacy and Security Regulations for UCLA
Hospital Employees
The following topics will be covered:
• Protected Health Information (PHI)
• Minimum Necessary
• Patient Rights
• Privacy
• User Identity
• Implementation Specifications for Training
• HIPPA Security Rule
• State Laws and Regulations
• Who is Trained
• Documentation

5. Protected Health Information (PHI)
The Privacy Rule –
• Protects information known as PROTECTED HEALTH INFORMATION that exists in written, oral, and
electronic formats.
• Limits the way in which a user may use and disclose (release) PHI. As a UCLA Hospital Employee, you must
have a job-related reason to use and or disclose PHI.
Examples of PHI Include:
– Name
– Birth Date
– Fax Number
– Account Number
– Web Universal Resource Locator (URL)
– Street Address
– Admission Date
– Electronic mail address
– Certificate/License Number
– License Plate Number
– City
– Discharge Date
– Social Security Number
– Any Other Unique Identifying Number, Characteristic, or Code

6. Minimum Necessary
The Privacy rule also requires that all UCLA Hospital Employees use only the
minimum amount of PHI necessary as their job requires. This is the HIPAA
definition of the Minimum Necessary Standard.
Minimum Necessary Scenario [http://www.slideserve.com/arnaud/gbmc-hipaa-
compliance-program]
• I am a unit clerk and while I was working night shift, a nurse named Mary became very ill. Another nurse
named Alice transported Mary to the Emergency Dept (ED) & described for the nursing staff in the ED
what symptoms Mary had complained of having. Alice was thanked for her assistance & told that she
could return to her floor. Later that evening, I walked by Alice while she was on the computer & she called
me over. She had Mary’s lab results up on her screen. Can she do this?
– No, Alice should not look at this information. She has violated the minimum necessary standard.
Such violation is punishable up to and including termination.

7. Patient Rights
The Privacy Rule provides patients with PATIENT PRIVACY RIGHTS. These rights are
communicated to the patients via the Notice of Privacy Practices (NOPP).
The Patient Privacy Rights are as follows:
• Right to access PHI
• Right to request an amendment to PHI
• Right to request restrictions on how PHI is used for treatment, payment, and healthcare
operations
• Right to receive confidential communications
• Right to request an accounting of disclosures
• Right to complain to the Department of Health and Human Services’ Office for Civil Rights
UCLA Hospital provides all patients with a copy of its NOTICE OF PRIVACY PRACTICES. Each
patient must sign an acknowledgment after receiving the NOPP unless the patient is unable
to do so at the time of registration.
The Notice of Privacy Practices
 The Notice is a useful tool not only for you but also for the patient. The NOPP:
– describes how UCLA Hospital may use a patient’s PHI
– provides a clear and concise description of the patient’s rights
– discusses how a patient may opt-out of the facility directory
– discusses how the medical staff may interact with the patient’s family

8. Privacy
The Privacy Rule requires that UCLA Hospital
• Create policies regarding how UCLA Hospital Employees will use and disclose (release) PHI
• Train and educate it’s workforce on it’s privacy policies
• Make the policies available to all the employees
• Provide a way for patients and workforce to report privacy issues and/or concerns
Privacy Compliance Tips
• Keep all PHI locked and in a secured place when you are away from your work space.
• Do not incorporate any unique patient identifiers in the subject line of an email. For example,
do not include a patient’s name or social security number in a subject line while sending an
email
• UCLA Hospital should encrypt emails containing PHI
• Do not talk about PHI in public or common areas.
• Make sure to check the fax number for accuracy before sending a fax that contains PHI.
• If a fax is sent to the wrong recipient in error, you must contact the UCLA Privacy Officer
immediately and report the incident.

9. User Identity
• UCLA Hospital;
– Is obligated to provide each computer system user with a unique user identity
– Should provide only relevant security levels as an employee’s job function requires
– This unique user identity should be used to perform a routine audit trail on user
accounts to ensure that it’s employees are only accessing PHI that is relevant to
getting their work done
• Each UCLA Hospital Employee;
– Should have an exclusive username and password
– Must not share his/her password with any other person
– Must not place the password in a place where it can be easily identified by another
person
– Must always log out of their computer when they are away from it. All Employees
must note that they are ultimately responsible for any activities that are performed
under their user identity.

10. Implementation Specifications for Training
A covered entity must provide training that meets the following
requirements :
• To each member of the covered entity's work force by no later than the
compliance date for the covered entity
• Thereafter, to each new member of the work force within a reasonable
period of time after the person joins the covered entity's work force
• To each member of the covered entity's work force whose functions are
affected by a material change in the policies or procedures required by this
subpart, within a reasonable period of time after the material change becomes
effective

11. HIPAA Security Rule
• A covered entity must train the entire workforce on
HIPAA-directed privacy policies and procedures necessary
to comply with the rule.
• Workforce training should be executed through normal
or existing organizational educational operations.
• All covered entities must provide ongoing updates and
document evidence of compliance in written or electronic
form and retain it for a minimum of six years from the
implementation date.

12. State Laws and Regulations
• Although few states have had regulations
specifically requiring training for privacy and
security, any existing regulations are preempted
by HIPAA except in cases of a more stringent
status designation.
• Organizations should be aware of state
circumstances

13. Who Is Trained
HIPAA's privacy rule;
• Defines workforce as "employees, volunteers, trainees, and other
persons whose conduct, in the performance of work for a covered entity,
is under the direct control of such entity, whether or not they are paid by
the covered entity."
• It further directs that training include "all workforce members on its
privacy policies and procedures, as necessary and appropriate to carry
out their function."
• In addition, covered entities must have and apply appropriate
sanctions against workforce members who violate its privacy policies and
procedures or the privacy rule itself.

14. Documentation
• The privacy rule requires that "a covered entity must document that the training has been
provided."
• The security rule addresses documentation in a general manner for all appropriate security
standards in section 164.316 - requiring the maintenance of policies and procedures as
necessary to comply with the requirements
• It is recommended that the documentation include content, training dates, and attendee
names
• Methods of documenting privacy and security training efforts include the following:
o Training program sign-in sheets
o Signed confidentiality statements acknowledging receipt and understanding of any training level
attended
o Electronic access trails to record computer-based training completion or quiz results
o Documenting and retaining meeting handouts, aids, and minutes
o Retention of e-mail messages
o A compliance training database recording details such as broadcast e-mails, flier distribution, screen
saver or banner launching, or cafeteria tent displays

15. References
AHIMA. (2003). HIPAA Privacy and Security Training.
Retrieved from
http://library.ahima.org/xpedio/groups/public/document
s/ahima/bok1_048509.hcsp?dDocName=bok1_048509
http://www.hhs.gov/ocr/privacy/hipaa/understanding/su
mmary/index.html
http://www.slideserve.com/arnaud/gbmc-hipaa-
compliance-program