The document provides an overview of HIPAA compliance training for employees, detailing regulations concerning the privacy and security of protected health information (PHI). It covers essential topics such as the definition of PHI, applicable entities, and consequences of violations, including potential criminal and civil penalties. Additionally, it outlines the necessary safeguards, permitted disclosures, and responsibilities for reporting privacy breaches in accordance with HIPAA and the American Recovery and Reinvestment Act of 2009.

1. HIPAA Privacy and Security
Training for Employees
Compliance Is Everyone‟s Job
1

2. Topics to Cover
• General HIPAA Privacy and Security Overview
• HIPAA Privacy
• ARRA of 2009: HIPAA Breach Notification Rules
and Procedures
• HIPAA Security
• Questions/Acknowledgment of Training
2

3. What is HIPAA?
The Health Insurance Portability and Accountability
Act (HIPAA) is federal legislation which addresses
issues ranging from health insurance coverage to
national standard identifiers for healthcare
providers.
The portions that are important for our purposes
are those that deal with protecting the privacy and
security of health data, which HIPAA calls
Protected Health Information or PHI.
3

4. Question 1
HIPAA addresses
a. Privacy
b. Security
c. Both A and B
4

5. Correct Answer
c: HIPAA establishes requirements for both the
privacy and security of PHI. Privacy refers to the
confidentiality of protected information.
Security addresses the safe keeping of both paper
and electronic (computer-based) records.
5

6. Applicability of HIPAA to UNA
• HIPAA Applies to:
- Departments that have signed Business Associate
Agreements
- Group Health Insurance/Flexible Spending Plan/EAP
- UNA Administrative Departments supporting above
entities (such as Business Affairs, Information
Technology Services)
- Research Involving PHI from a HIPAA covered entity
• Does not apply to Student Health Center, Counseling
Centers, Athletic Department Health Records
6

7. What is Protected Health
Information? (PHI)
• Any information, transmitted or maintained in any
medium, including demographic information;
• Created/received by covered entity or business
associate;
• Relates to/describes past, present or future
physical or mental health or condition; or past,
present or future payment for provision of
healthcare; and
• Can be used to identify the patient
7

8. Type of Data Protected by HIPAA
• Written documentation and all paper records
• Spoken and verbal information including voice
mail messages
• Electronic databases and any electronic
information, including research
information, containing PHI stored on a
computer, smart phone, memory card, USB
drive, or other electronic device
• Photographic images
• Audio and Video Recordings
8

9. Question 2
Jenny, a pediatric nurse, needs to report lab results
to the mother of a 3 year old child who is sitting in
the waiting room. She sticks her head in the waiting
room door and says, “Good news. The lab results
are normal.” Is this a privacy breach?
a. Yes
b. No
9

10. Correct Answer
a: Yes, unless no one else was in the waiting room.
The nurse should have asked the mother to step
out into the hallway or taken other steps to be
certain that no one else would overhear the
conversation.
10

11. To De-Identify Patient Information
You Must Remove All 18 Identifiers:
• Names
• Geographic subdivisions smaller than state
(address, city, county, zip)
• All elements of DATES (except year) including
DOB, admission, discharge, death ages over 89, dates
indicative of age
• Telephone, fax, SSN#s, VIN, license plate #s
• Medical record#, account#, health plan beneficiary#
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Device identifiers and serial numbers
• Full face photographic and comparable images
• Any other unique identifying#, characteristic or code 11

12. Question 3
Photographs are considered PHI.
a. True
b. False
12

13. Correct Answer
a: Photographs as well as video and audio
recordings are protected under HIPAA regulations.
13

14. Department of Justice-Imposed
Criminal Penalties for Employee
• Wrongfully Accessing or Disclosing PHI: Fines up
to $50,000 and up to 1 Year in Prison
• Obtaining PHI Under False Pretenses: Fines up to
$100,000 and up to 5 Years in Prison
• Wrongfully Using PHI for a Commercial Activity:
Fines up to $250,000 and up to 10 Years in
Prison
• HIPAA criminal and civil fines and penalties can
be enforced against INDIVIDUALS as well as
covered entities who obtain the information
illegally
14

15. Federal-Imposed Civil Penalties
• Tier A: Did not realize violated and would have handled differently:
- Minimum per violation: $100 (each name in a data set can be a violation);
Maximum per calendar year: $25,000
• Tier B: Violations due to reasonable cause, but not willful neglect:
- Minimum per violation: $1,000; Maximum per calendar year $50,000
• Tier C: Violations due to willful neglect that organization corrected:
- Minimum per violation: $10,000; Maximum per calendar year $250,000
• Tier D: Violations due to willful neglect that organization did not
correct
- Minimum per violation: $50,000; Maximum per calendar year: $1.5 Million
• HHS is now required to investigate and impose civil penalties
where violations are due to willful neglect
• Feds have 6 years from occurrence to initiate civil penalty action
• State attorneys general can pursue civil cases against
INDIVIDUALS who violate the HIPAA privacy and security
regulations
• Civil Penalties now apply to Business Associates
15

16. Question 4
An individual convicted of HIPAA violation might be
subject to
a. Fine
b. Jail term
c. Both A and B
16

17. Correct Answer
c: HIPAA is federal legislation. Sanctions for
violators can include both fines and incarceration.
17

18. Breach and Sanction Information
In the Office of Civil Rights annual report to
Congress:
• 9/23/09 - 12/31/09 – 45 breach reports involving
2.4 million individuals
• 1/1/10 – 12/31/10 – 207 breach reports involving
5.4 million individuals
• Four general causes (individuals affected):
1. Theft of electronic or paper records (2,979,121)
2. Loss of electronic medical or paper records
(1,156,847)
3. Intentional unauthorized access to, use, or disclosure
(1,006,393)
4. Human error (78,663)
18

19. Breach and Sanction Information
January 16, 2009 the Department of Health and
Human Services reached an agreement with DVS
Pharmacy, Inc. (CVS) to settle potential violations
of the Privacy Rule. CVS agreed to $2.25 million
and to implement a detailed Corrective Action Plan
to ensure that its workforce members appropriately
dispose of PHI, such as labels from prescription
bottles and old prescriptions.
19

20. Breach and Sanction Information
On July 27, 2010, the Department of Health and
Human Services (HHS) reached an agreement with
Rite Aid Corporation and its 40 affiliated entities
(Rite Aid) to settle potential violations of the Privacy
Rule. Rite Aid agreed to pay $1 million and to take
corrective action to improve policies and
procedures to safeguard the privacy of its
customers when disposing PHI on pill bottle labels
and other health information.
20

21. Breach and Sanction Information
July 6, 2011 the Department of Health and Human
Services (HHS) entered into its third largest
settlement for potential HIPAA privacy and security
rule violations, reaching a resolution agreement of
$865,500 with the University of California at Los
Angeles Health System (UCLAHS) associated with
2 complaints of intentional unauthorized access
to/use/disclosure of PHI.
21

22. HIPAA Permitted Uses and
Disclosures of PHI
• A covered entity can always use and disclose PHI
for any purpose if it gets the person‟s signed
HIPAA-valid authorization
• Only designated, HIPAA trained personnel, are
permitted to approve disclosure of PHI per the
person‟s HIPAA-valid authorization
• For a complete list of permitted uses and
disclosures of PHI, see your entity‟s notice of
health information practices
22

23. HIPAA Permitted Uses and
Disclosures of PHI
• The HIPAA Privacy Rule states that PHI may be
used and disclosed to facilitate treatment,
payment, and healthcare operations (TPO)
which means:
- PHI may be disclosed to other providers for treatment
- PHI may be disclosed to other covered entities for
payment
- PHI may be disclosed to other covered entities that
have a relationship with the patient for certain
healthcare operations such as quality improvement,
credentialing, and compliance
- PHI may be disclosed to individuals involved in a
patient’s care or payment for care unless the patient
objects
23

24. Minimum Necessary Standard
• When HIPAA permits use or disclosure of PHI, a
covered entity must use or disclose only the
minimum necessary PHI required to accomplish
the purpose of the use or disclosure
• The only exceptions to the minimum necessary
standard are those times when a covered entity is
disclosing PHI for the following reasons:
- Treatment
- Purposes for which an authorization is signed
- Disclosures required by law
- Sharing information to the patient about himself/herself
24

25. What HIPAA Did Not Change
• Family and friends can still pick up prescriptions
for sick people
• Physicians and Nurses do not have to whisper
• State laws still govern the disclosure of minor‟s
health information to parents (a minor is under the
age of 19 in Alabama)
25

26. Other Privacy Safeguards
• Avoid conversations involving PHI in public or
common areas such as hallways or elevators
• Keep documents containing PHI in locked cabinets or
locked rooms when not in use
• During work hours, place written materials in secure
areas that are not in view or easily accessed by
unauthorized persons
• Do not leave materials containing PHI on desks or
counters, in conference rooms, or in public areas
• Do not remove PHI in any form from the designated
work site unless authorized to do so by management
• Never take photographs in patient care areas
26

27. Question 6
TPO stands for:
a. Therapy, patient, outcome
b. Treatment, payment, operation
c. Training participation, organization
27

28. Correct Answer
b: Treatment, payment, operation. Once the
Acknowledgement of Health Information Practices
has been signed by the patient, PHI can be
disclosed as necessary to complete treatment, bill
for services, and manage healthcare operations.
28

29. Question 7
PHI can never be released for any reason except
TPO (treatment, payment, operations).
a. True
b. False
29

30. Correct Answer
b: False. PHI can be released for reasons other
than TPO if additional release forms have been
signed by the patient.
30

31. Question 8
Charlie works at a medical center and is
responsible for entering billing data into the
computer system. He looks at his mother-in-law‟s
medical records, because he is concerned that she
has not been fully honest with her family about
some recent health problems. Since he has been
HIPAA trained, is this a breach of privacy?
a. Yes
b. No
31

32. Correct Answer
a: Yes. Although Charlie has been HIPAA trained,
his access is based on the minimum necessary
requirement to complete his job. He does not need
to access health records to enter billing data.
Unless his mother-in-law has given permission, in
writing, for him to access her records, this action
was a violation of Privacy Policies.
32

33. Business Associate Agreements
• Are required before a covered entity can contract
with a third party individual or vendor
(subcontractor) to perform activities or functions
which will involve the use or disclosure of the
covered entity‟s PHI
• Binds the third party individual or vendor to the
HIPAA regulations when performing the
contracted services
• Must be approved in accordance with appropriate
UNA policies and procedures
Individual employees are NOT authorized to sign
contracts on behalf of UNA. 33

34. HIPAA Put New Requirements
on Research
• If you work for a Health Care Provider under
HIPAA, do not release PHI for research unless:
- The patient has signed a valid HIPAA
authorization, or
- The HSC (UNA‟s IRB) has approved a waiver of
authorization; or
- The IRB agrees that an exception applies
Information regarding HIPAA and Research is
available through the Office of Sponsored
Programs
34

35. American Recovery and
Reinvestment Act of 2009 (ARRA)
• Expanded privacy and security provisions of the
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
• One new requirement is that we must notify
affected individuals and federal officials when a
breach or potential breach of privacy has occurred
• The following slides discuss our obligation under
these rules
35

36. Question 9
________ requires that individuals and federal
officials be notified when a breach or potential
breach of PHI Privacy or Security regulations has
occurred
a. HIPAA
b. AARA
36

37. Correct Answer
b: AARA, or the American Recovery and
Reinvestment Act of 2009, expanded HIPAA to
establish regulations for notification of a breach or
potential breach of PHI.
37

38. First Federal Definition of Breach
• AARA provides the first federal definition of a
Breach:
- The unauthorized acquisition, access, use or disclosure
of unsecured PHI which compromises the security or
privacy of the information
- Exceptions:
» Unintentional acquisition, access or use of PHI by an
employee or individual acting under the authority of a
covered entity
» Inadvertent disclosure of PHI from one person authorized
to access PHI at a covered entity to another person
authorized to access PHI at the covered entity
» Unauthorized disclosures in which an unauthorized person
to whom PHI is disclosed would not reasonably have been
able to retain the information
38

39. Secured PHI
• ARRA further identified the information to which the
breach notification provisions apply. It defined
“unsecured protected health information” as PHI that is
not secured through the use of a technology or
methodology that renders it unusable, unreadable,
or indecipherable and that is developed or endorsed
by the American National Standards Institute
• Therefore, for breaches involving the misuse, loss, or
inappropriate disclosure of paper or electronic data,
there are some “home free” methods under which the
loss would indicate no harm done”
- Paper secured by use of crosscut shredder (or destroyed)
- Electronic data-encrypted data files and/or transmissions
39

40. Encryption
• Security Rules require Covered Entity/Business
Associate to consider implementing encryption as
a method for safe guarding Electronic Protected
Health Information (PHI)
• If you choose to encrypt, then not required to
notify in event of breach
40

41. What Constitutes a Breach?
• A breach could result from many activities. Some
examples are:
- Failing to log off when leaving a workstation
- Unauthorized access to PHI
- Sharing confidential information, including passwords
- Having patient-related conversations in public settings
- Improper disposal of confidential materials in any form
- Copying or removing PHI from the appropriate area
• Why?
- Curiosity…about a co-worker or friend
- Laziness…so shared sign-on to information systems
- Compassion…the desire to help someone
- Greed or malicious intent…for personal gain 41

42. Question 10
Bill, a billing employee, receives and opens an
email containing PHI which a
nurse, Nancy, mistakenly sent to him. Bill notices
that he is not the intended recipient, alerts Nancy to
the misdirected email, and deletes it.
Was this a breach of PHI?
a. Yes
b. No
42

43. Correct Answer
b: No. Bill unintentionally accessed PHI that he was
not authorized to access. However, he opened the
email within the scope of his job for the covered
entity. He did not further use or disclose the PHI.
This was not a breach of PHI as long as Bill did not
further use or disclose the information accessed in
a manner not permitted by the Privacy Rule.
43

44. Question 11
Rhonda is a receptionist for a covered
entity, and, due to her work responsibilities, she is
not authorized to access PHI. Rhonda decides to
look through patient files to learn about a friend‟s
last visit to the doctor.
Does Rhonda‟s action constitute a breach?
a. Yes
b. No
44

45. Correct Answer
a: Yes. Rhonda accessed PHI without a work-
related need to know. This access was not
unintentional, done in good faith, or within the
scope of her job for the covered entity.
45

46. Question 12
Rob, a research assistant, wanted to get ahead on
some statistical work, so he copied the information
from 240 research participants to his thumb drive.
The information included PHI, and the thumb drive
was not encrypted. On his way home to continue
his work, he stopped by the store to get some
snack. When he returned to his car, he found it had
been broken into. Missing were his GPS dozens of
CDs, and his book bag containing the thumb drive.
Does this event constitute a breach?
a. Yes
b. No
46

47. Correct Answer
a: Yes. Unsecured PHI was stolen because the
thumb drive was unencrypted.
Actually, Rob violate many policies:
• Removed confidential information from the unit
without approval
• Used his personal portable computing device for
business without senior management approval
• Copied confidential information to a portable
computing device without senior management
approval
• Used a portable computing device that was not
encrypted 47

48. Responsibility to Report
• When receiving a privacy complaint, learning of a
suspected breach in privacy or security, or
noticing something is “just not right,” we must
work together…immediately, cooperatively,
efficiently, carefully, and confidentially
• If you notice, hear, see, or witness any activity
that you think might be a breach of privacy or
security, please let your organization‟s privacy
and/or security officer know immediately
• It is much better to investigate and discover not
breach than to wait and later discover that
something DID happen
48

49. Question 13
If you suspect that there has been a breach of
HIPAA Policies in your workplace, you should
report your suspicions to:
a. University Police
b. University Office of Legal Counsel
c. HIPAA Privacy or Security Office assigned to
your workplace
49

50. Correct Answer
c: The HIPAA Privacy or Security Officer for your
workplace should be notified of any possible breach
of HIPAA Policies. The employee who reports such
suspicions is protected from any repercussions for
making his/her concerns known to the HIPAA
Officer.
50

51. Security Standards – General
Rules
• HIPAA security standards ensure the
confidentiality, integrity, and availability of PHI
created, received, maintained, or transmitted
electronically (PHI – Protected Health Information)
by and with all facilities.
• Protect against any reasonably anticipated threats
or hazards to the security or integrity or such
information
• Protect against any reasonably anticipated uses
or disclosures of such information that are not
permitted
51

52. Rules for Access
• Access to computer systems and information is based on
your work duties and responsibilities
• Access privileges are limited to only the minimum
necessary information you need to do your work
• Access to an information system does not automatically
mean that you are authorized to view or use all the data in
that system
• Different levels of access for personnel to PHI is intentional
• If job duties change, clearance levels for access to PHI is
reevaluated
• Access is eliminated if employee is terminated
• Accessing PHI for which you are not cleared or for which
there is no job-related purpose will subject you to sanctions
52

53. Question 14
Once employees have completed HIPAA training,
their access to PHI is:
a. Unlimited
b. Based on work duties and responsibilities
c. Limited to the minimum necessary information
to complete required work
d. Both B and C
53

54. Correct Answer
d: Access to PHI is based on need-to-know which
is determined by the employee‟s duties and
responsibilities. The employee should access the
minimum PHI necessary to complete the required
task.
54

55. Rules for Protecting Information
• Do not allow unauthorized persons into restricted
areas where access to PHI could occur
• Arrange computer screens so they are not visible
to unauthorized persons and/or patients; use
security screens in areas accessible to public
• Log in with password, log off prior to leaving work
area, and do not leave computer unattended
• Do not duplicate, transmit, or store PHI without
appropriate authorization
• Storage of PHI on unencrypted removable
devices (Disk/CD/DVD/Thumb Drives) is
prohibited without prior authorization 55

56. Encryption of PHI
• Encryption is generally necessary to protect
information outside of Banner
• Use of other mobile media for accessing and
transporting PHI such as smart
phones, iPads, Netbooks, thumb
drives, CDs, DVDs, etc., presents a very high risk
of exposure and requires appropriate
authorization
• Use of any personally owned laptops, desktops or
other mobile devices (non-UA equipment) for
accessing PHI requires appropriate authorization
56

57. Password Management
• Do not allow coworkers to use your computer without logging
off your user account
• Do not share passwords or reuse expired passwords
• Do not use passwords that can easily guessed (dictionary
words, pets‟ name, birthday, etc.)
• Choose new passwords when they must be reset
• Should not be written down, but if writing down the password
is required, must be stored in a secured location
• Disable passwords or delete accounts when employees leave
• Passwords:
- Should be minimum 8 characters long and changed periodically
- Include 3 of 4 data types (upper/lower case, numeric, special
characters)
- Good password scheme is critical – R0llt!de (example, don‟t use)
57

58. Question 15
Is it acceptable to share your computer password
with your fellow employees if they have received
HIPAA training?
a. Yes
b. No
58

59. Correct Answer
b: No. You should not share your computer
password.
59

60. Protection from Malicious Software
• Malicious software can be thought of as any
virus, work, malware, adware, etc.
• As a result of an unauthorized infiltration, PHI and other data
can be damaged or destroyed
• Notify Information Technology Services immediately if you
believe your computer has been compromised or infected with a
virus – do not continue using computer until resolved
• The University provides standard, managed anti-virus and other
security software
• Do not disable anti-virus or other security software on individual
workstations
• Any personal devices used for access to PHI must have
appropriate anti-virus software
• Do not open e-mail or attachments from an
unknown, suspicious, or untrustworthy source or if the subject
line is questionable or unexpected – DELETE THEM
IMMEDIATELY 60

61. Rules for Disposal of Computer
Equipment
• Only authorized employees should dispose of PHI in accordance with
retention policies.
• Documents containing PHI or other sensitive information must be
shredded when no longer needed. Shred immediately or place in
securely locked boxes or rooms to await shredding.
• All questions concerning media reallocation and disposal should be
directed to Director of Sponsored Programs; IT systems representatives
are responsible for sanitization and destruction methods.
• Media, such as CDs, disks, or thumb drives containing PHI/sensitive
information must be cleaned or sanitized before reallocating or
destroying.
• „Sanitize‟ means to eliminate confidential or sensitive information from
computer/electronic media be either overwriting the data or magnetically
erasing data from the media.
• If media are to be destroyed, then once they are sanitized, place them in
specially marked secure containers for destruction.
• Note: Deleting a file does not actually remove the data from the media.
Formatting does not constitute sanitizing the media. 61

62. Use of Technology
• Use of other mobile media for accessing and transporting PHI
such as smart phones, iPads, Netbooks, thumb drives, CDs,
DVDs, etc., presents a very high risk of exposure and requires
appropriate authorization.
• Email, Internet use, fax and telephones are to be used for
business purposes.
• Fax of PHI should only be done when the recipient can be reliably
identified; verify fax number and recipient before transmitting.
• No PHI is to leave the facility in any format without prior approval.
• Where technically feasible, email should be avoided when
communicating unencrypted sensitive PHI – follow your
organization‟s email policy for PHI.
• No PHI is permitted on any social networking sites (Twitter,
Facebook, MySpace, etc.)
• No PHI is permitted in texting or chat platforms (AOL, MSN, cell
phones) 62

63. Question 16
Your office computer is being replaced. You should:
a. Delete all files that might contain sensitive
information
b. Have the computer sent to surplus for secure
storage
c. Contact Information Technology Services to
initiate steps to sanitize the computer
63

64. Correct Answer
c: Contact your Information Technology Services.
Deleting files from a hard drive will not permanently
remove the files from the computer. Computers
should not be taken to surplus until the have been
sanitized. Not all used computers go to surplus.
Some are reassigned for further use.
64

65. Reporting Security Incidents
• Notify Information Technology Services of any unusual or
suspicious incident
• Security incidents include the following:
- Theft of or damage to equipment
- Unauthorized use of a password
- Unauthorized use of a system
- Violations of standards or policy
- Computer hacking attempts
- Malicious software
- Security weaknesses
- Breaches to patient, employee, or student privacy
65

66. Contacts and References
• Point of Contact – Director, Office of Sponsored Programs
• Other References
- Privacy: www.hhs.gov/ocr/hipaa
- Security: www.cms.gov/Regulations-and-Guidance/HIPAA-
Administrative-Simplification/HIPAAGenInfo/Privacyand
SecurityStandards.html
66

67. Training Certification
• Please complete the Training Certificate and
email scanned copy to the Office of Sponsored
Programs.
67

68. Training Certificate
The University of North Alabama
Completion of HIPAA Training
Certificate of Completion
HIPAA Privacy and Security Training
________________________________
Name
________________________________
Date
68