This document outlines policies and procedures for a facility that provides psychiatric care for veterans regarding protected health information and compliance with HIPAA regulations. Key points: - The facility treats veterans for post-traumatic stress disorder through both in-person and electronic services. Reimbursement comes from federal, state, private insurance and pro bono sources. - Michela Desmond is the facility director and they have designated an office manager as the HIPAA privacy officer responsible for developing and enforcing privacy policies. - Policies address securing electronic protected health information, implementing security standards, providing security awareness training, and responding to any security breaches or violations of patient privacy. Non-compliance can result in fines.

1. Michela Desmond, MD
Ana Turbin, RN
Jann Barham, Office Manager
Jana Barham, Billing
Sonya Steadham, Reception
Joyce Cook, LVN
Protected Health Information and
Electronic Protected Health Information
Safeguarding ePHI
This facility provides psychiatric care for the treatment of
veterans and post traumatic stress disorder.
Services are provided face to face and through electronic
transmission.
Reimbursement is through federal funding, state funding,
private pay insurance and pro bono.

2. Michela Desmond, MD
Certified by The American Board of Psychiatry and Neurology

3. The HIPAA Privacy Rule protects the privacy of individually identifiable health information.
Sanctions are required by HIPAA in the event of violations.
HIPAA PRIVACY RULE
Lee Ann Torrans
Covered entities must designate a privacy official responsible for developing and implementing
policies and procedures. Our office manager is our HIPAA Privacy Officer.
HIPAA requires not only that our policies be created and communicated to staff but employees must also
sign documents indicating they understand and will adhere to the policies.

4. Information created, received, used or maintained by a HIPAA covered entity is included.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the
confidentiality, integrity, and security of ePHI.
HIPAA covers both ePHI and PHI (protected health information).
HIPAA SECURITY RULE
Lee Ann Torrans
The HIPAA Security Rule sets national standards for the security of electronic protected health
information (e-PHI).

5. Protecting patient healthcare information is important for the patient, our facility and legal compliance.
Understanding the broad scope of issues health care providers face and why we engage in these
activities will help you support and improve our service.
It is everyone’s duty to not only observe our policies but to contribute to enhancing our policies to better
address issues of protecting health information of our patients by both this office and our business
associates.
By understanding the scope of our duties you can better contribute and participate in the protection of
health information.
ePHI and PHI Review
Lee Ann Torrans

6. The HIPAA Security Rule requires covered providers to implement security measures, which help protect
patients’ privacy by creating the conditions for protected health information to be available but not be
improperly used or disclosed.
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the
security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational,
or other harm to the affected individual.
What is a Breach?
Lee Ann Torrans
The “Breach Notification Rule” requires covered providers to promptly notify individuals and the
Secretary of the HHS of the loss, theft, or certain other impermissible uses or disclosures of unsecured
PHI. Health care providers must also promptly notify the Secretary of HHS if there is any breach of
unsecured protected health information if the breach affects 500 or more individuals, and notify the
media if the breach affects more than 500 individuals of a State or jurisdiction.

7. Business Associates
Healthcare Providers
Who Is a Covered Provider?
Lee Ann Torrans
State Law Expands Definition - Review
Your State

8. Breaches of unsecured PHI that affect 500 or more individuals are publicly reported on the OCR website.
We are required to notify the media if the breach affects more than 500 individuals of a state or
jurisdiction.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for
administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint
investigations, compliance reviews, and audits. OCR may impose fines on covered providers for failure
to comply with the HIPAA Rules.
State Attorneys General may also enforce provisions of the HIPAA Rules.
Breach Occurrence?
Lee Ann Torrans

9. Risk analysis and risk management serve as tools to assist in the development of a covered entity’s
strategy to protect the confidentiality, integrity, and availability of ePHI.
Your feedback and contribution to any potential risk or threat to the security of ePHI is crucial for
success. Always bring concerns to our HIPAA Privacy Officer, our office manager.
We are required as a covered entity to have a sanction policy that reinforces our security policies and
procedures.
The Information System Activity Review implementation specification requires us to promote a continual
awareness of any information system activity that could suggest a security incident.
Organizational Standards
Lee Ann Torrans

10. The Security Rule defines administrative safeguards as, “administrative actions, and policies and
procedures, to manage the selection, development, implementation, and maintenance of security
measures to protect electronic protected health information and to manage the conduct of the covered
entity’s workforce in relation to the protection of that information.”
“Implement policies and procedures to prevent, detect, contain and correct security violations.”
Risk analysis
Risk management
Security Management
Lee Ann Torrans
Sanction policy
Information system activity

11. “Implement policies and procedures to ensure that all members of its workforce have appropriate access
to electronic protected health information, as provided under [the Information Access Management
standard], and to prevent those workforce members who do not have access under [the Information
Access Management standard] from obtaining access to electronic protected health information.”
The Authorization and/or Supervision implementation specification provides the necessary checks and
balances to ensure that all members of the workforce have appropriate or limited access to EPHI.
Isolating Health Care Clearinghouse Functions
Access Authorization
Work Force Security
Lee Ann Torrans
Access Establishment and Modification

12. “Implement policies and procedures for authorizing access to electronic protected health.”
The Information Access Management implementation specifications are closely related to the
implementation specifications under the Workforce Security standard.
Isolating Health Care Clearinghouse Functions
Access Authorization
Information Access
Lee Ann Torrans
Access Establishment and Modification Managing

13. “Implement policies and procedures to address security incidents.”
Create contingency plans in the event of software / hardware failure or natural disaster.
“Implement procedures for periodic testing and revision of contingency plans.”
“Assess the relative criticality of specific applications and data in support of other contingency plan
components.”
Security Plans
Lee Ann Torrans
“Evaluation: On-going evaluation of security measures is the best way to ensure all EPHI is adequately
protected.”

14. “Implement a security awareness and training program for all members of its workforce including
management.”
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Security Awareness Training
Lee Ann Torrans
Password Management
We are required to have periodic training for all new employees and associates

15. Internet and eMail Use
Lee Ann Torrans
Complex passwords are an effective safeguard against unauthorized access of PHI.
HIPAA Security Rule requires that covered entities establish guidelines for creating passwords and
changing them during periodic change cycles.
Password policies require passwords to be changed every 90 days
Passwords must have a length of 8 characters containing a mix of upper- and lowercase letters, special
characters, and numbers.
Never share passwords with co-workers or write them down and leave them in areas that are visible and
accessible to others.

16. ePHI Electronic Transmission
Lee Ann Torrans
No patient images may be forwarded.
HIPAA allows patients to waive using HIPAA encrypted transmission of patient information. The
Information Privacy Officer must forward and receive the signed waiver before this process may
begin.
Skype, owned my Microsoft is NOT HIPAA compliant. It can never be used. Drop Box must have specific
BA HIPAA compliant agreements. Both require waivers.
Without a patient waiver approved by our Security Officer only our designated email service and text service
can be used.

17. Phishing Emails
Lee Ann Torrans
Display name do not trust – look at actual senders email address and
source
Phishers often ‘steal’ and reuse legitimate logos
Phishing can introduce malicious software by opening suspicious e-mail attachments, e-mail from unfamiliar
senders, and hoax e-mail. Contact the office manager before you open suspicious email.
Downloading – our system will not allow you to download any thing to your computer that is not on our own servers. This
includes not only the internet but diskettes, CD’s, or DVD’s.

18. Protections from Malicious Software
Lee Ann Torrans
Malicious software refers to viruses, worms, Trojan horses and backdoor programs
Virus scans and protection are run three times a day on individual computers and our entire system.
Phishing can introduce malicious software by opening suspicious e-mail attachments, e-mail from unfamiliar
senders, and hoax e-mail. Contact the office manager before you open suspicious email.
Downloading – our system will not allow you to download any thing to your computer that is not on our own servers. This
includes not only the internet but diskettes, CD’s, or DVD’s.

19. Workstation and Info Access
Lee Ann Torrans
Our clear-screen policy means your must either log off or lock your computer when you are away from your desk to
ensure that the information on the computer is protected from unauthorized access.
We use a keyboard shortcuts that allow you to quickly lock your computer:
Control - LO
Users will be locked out after three attempts to login with an incorrect password.
Screen savers which lock are set to automatically turn on after two minutes of no use or computer
inactivity.

20. Control Access
Lee Ann Torrans
Both the HIPAA Privacy Rule and the Security Rule limit the uses and disclosures of PHI to the "minimum
necessary." This means that access to PHI should be authorized only when it's appropriate based on the
employee's role. Covered entities must also implement technical policies and procedures that allow only
authorized personnel to access e-PHI.
Access to PHI should be authorized only when it's appropriate based on the employee's role
Our technical policies provide access to specific categories of information by specific job functions.
Only authorized personnel can access specific e-PHI.

21. Lock Up
Lee Ann Torrans
Our clear-screen policy means your must either log off or lock your computer when you are away from your desk to
ensure that the information on the computer is protected from unauthorized access.
We use a keyboard shortcuts that allow you to quickly lock your computer:
Control - LO
Users will be locked out after three attempts to login with an incorrect password.
Screen savers which lock are set to automatically turn on after two minutes of no use or computer
inactivity.

22. Lee Ann
Breaches
Fines
Report to
OCR
Report to Media
Over 500
Consequence
No Internal
Sanctions for
Violations
No HIPAA
Education
Programs
Sharing
Passwords
Using
another
person’s
workstation
Unlawful Actions
Examples of HIPAA
Violations
Lee Ann

23. Lee Ann
− Do not text or email ePHI outside of our encrypted system
− Patient waiver of encryption must be approved by security officer / office
manager
− Sharing Passwords
− Sending medical records via email not directed through encrypted
system
− Losing laptop with unencrypted ePHI
− Placing PHI on portable device of any kind that is not encrypted violates
company protocol
Examples of
Violations

24. Lee Ann
Business
Associates

25. Lee Ann
TWO POLICIES
Encrypted Email: Our email system has encryption protocols enabled for a high level of secured
transmission between our email system and patients. Complete message can be encrypted by typing [encrypt]
in the subject line. Make sure there is a space before or after [encrypt] for the subject line The [encrypt] text
will be stripped from the email during processing. This is the only email system which accessible on our
system and the only one that may be used for our medical practice.
Unsolicited Receipt of PHI: If you have received inappropriate or misdirected PHI please follow these steps
as required under our HIPAA Compliance program; Reply to the sender of the material that a PHI request was
not made; delete or properly dispose of the PHI and notify the project office manager that this event has
occurred.
Do not open or retain the unsolicited PHI.

26. Lee Ann
Each workstation or class of workstations have a define purpose and authorization to access EPHI.
Purposes and functions are authorized for workstations and
Workstations cannot be used for unauthorized purposes or to perform unauthorized functions.
report any unauthorized activity at a workstation
Do not to share passwords with others, except to assure business continuity
Suspected misuse of user IDs or passwords should promptly reported
Workstations accessing EPHI are located in physically secure areas and display screens are positioned or
protected, in order to minimize the risk of access by unauthorized individuals and prevent unauthorized
viewing of EPHI.
Locking software should be activated upon leaving workstations unattended for a period which exceeds five
minutes.
Log off from their workstations when shift is complete.
Take reasonable and appropriate steps to ensure that workstations removed from facilities are protected with
security controls equivalent to on-site workstations
Workstation Policies

27. Lee Ann

28. Lee Ann
References:
Brodnick, M., Rinehart-Thompson, L., Reynolds, R. (2012). Fundamentals of Law for Health Informatics and Information Management 2nd ed. Edition. Chicago, Il: AHIMA Press.
Amatayakul, K. (2013). Electronic Health Records: A Practical Guide for Professionals and Organizations 5th Edition. Chicago, Il: AHIMA Press.
Castro, A. (2013). Principles of Healthcare Reimbursement 4th Edition. Chicago, Il: AHIMA Press.