2. Every Diversido employee/contractor must know:
1. What HIPAA is
2. What information is protected by HIPAA
3. What can constitute a HIPAA violation
4. What sanctions will be applied to violators
5. What document must be signed under HIPAA
3. HIPAA Definitions
HIPAA - Health Insurance Portability and Accountability Act, a federal law of the USA, 1996.
4. Purpose of HIPAA:
● to modernize the flow of healthcare information,
● to protect Personally Identifiable Information maintained by the healthcare and health insurance industries from fraud and theft,
● administrative simplification for electronic health care transactions - code sets, unique health identifiers.
HIPAA includes the HIPAA Privacy Rule and the HIPAA Security Rule.
5. HIPAA Privacy Rule
Focuses on protections for PHI (Protected Health Information) from a people standpoint, using training, contracts, policies and procedures, etc.
6. HIPAA Security Rule
Focuses on protections specifically for ePHI (electronic protected health information). It is a federal minimum floor of information technology standards and protections (firewalls, password policies, antivirus, encryption, etc.).
7. The Security Rule applies only to ePHI, while the Privacy Rule applies to PHI, which may be in electronic, oral, or paper form.
8. Personally Identifiable Information (PII)
Any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources (name, fingerprints, email, telephone number, social security number).
9. Protected Health Information (PHI)
Individually Identifiable Health Information that is transmitted or maintained in electronic media or in any other form or medium.
11. Individually Identifiable Health Information (1/4)
● Contains identifiers of the patient, relatives, employers, or household members such as the following:
○ Names.
○ Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code (except for the initial 3 digits of a zip code if, according to the current publicly available data from the Bureau of the Census, all zip codes with the same 3 initial digits together contain more than 20,000 people).
12. Individually Identifiable Health Information (2/4)
○ All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
○ Telephone numbers.
○ Fax numbers.
○ Email addresses.
○ Social security numbers.
○ Medical record numbers.
13. Individually Identifiable Health Information (3/4)
○ Health plan beneficiary numbers.
○ Account numbers.
○ Certificate/license numbers.
○ Vehicle identifiers and serial numbers, including license plate
numbers.
○ Device identifiers and serial numbers.
○ Biometric identifiers, including finger and voice prints.
○ Full face photographic images and any comparable images.
○ Any other unique identifying number, characteristic, or code.
14. Individually Identifiable Health Information (4/4)
● Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
● Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
● Identifies the individual, or
● Provides a reasonable basis to believe the information can be used to identify the individual.
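Worked example (added here; it is not Diversido's code and not part of its policies): a Python routine that applies the identifier rules from the four slides above to a constructed patient record. It drops the direct identifiers, keeps only the first 3 digits of a zip code (or zeros them when the prefix covers too few people), reduces dates to the year, collapses ages over 89 into "90+" and suppresses the birth year in that case, and scrubs phone numbers, emails, SSNs and dates that leak into free-text notes. The set of small-population zip prefixes, the field names and the sample record are assumptions/placeholders; the real prefix list must be derived from current Bureau of the Census data.

```python
"""Safe Harbor-style de-identification of a patient record (added example)."""
import re
from datetime import date

# ASSUMPTION / placeholder: 3-digit zip prefixes whose combined population is
# 20,000 people or fewer. Replace with the list derived from current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Field names are assumptions. These identifiers are removed outright: names,
# phone/fax, email, SSN, medical record / plan / account / license numbers,
# vehicle and device identifiers, biometrics, photographs, any other unique code.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "plan_beneficiary_no", "account_no", "license_no",
    "license_plate", "device_serial", "fingerprint_hash", "photo_url",
}

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Identifiers that commonly leak through free-text fields (order matters:
# the SSN pattern is tried before the looser phone pattern).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (ISO_DATE, "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first 3 digits unless that prefix covers too few people."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_age(birth_iso: str, as_of_iso: str) -> str:
    """Age in whole years; ages over 89 collapse into the single category '90+'."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier patterns found inside free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a new record with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = generalize_age(value, as_of_iso)
            out["age"] = age
            if age != "90+":  # a birth year alone would reveal an age over 89
                out["birth_year"] = value[:4]
        elif isinstance(value, str) and ISO_DATE.fullmatch(value):
            out[key] = value[:4]  # other dates keep only the year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Example St",
    "zip": "03601",
    "birth_date": "1931-05-02",
    "admission_date": "2023-11-14",
    "mrn": "MRN-00042",
    "email": "jane@example.org",
    "diagnosis": "Type 2 diabetes",
    "notes": "Called patient at 555-123-4567 on 2023-11-15; contact jane@example.org",
}


def run_sample() -> dict:
    """De-identify the constructed record as of 2024-01-01."""
    return deidentify(SAMPLE_RECORD, "2024-01-01")


if __name__ == "__main__":
    for field, value in run_sample().items():
        print(f"{field}: {value}")
```

Running the block prints the surviving fields only: zip3 becomes "000" because the placeholder list marks "036" as a small-population prefix, the 1931 birth date becomes age "90+" with no birth year, the admission date keeps only "2023", and the notes read "Called patient at [PHONE] on [DATE]; contact [EMAIL]". The free-text scrub is a safety net, not a substitute for keeping identifiers out of notes in the first place.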
15. Business Associate Agreement
A legal document under HIPAA that legally attests to the client providing PHI that the covered entity is HIPAA compliant and agrees to abide by HIPAA. After signing the contract, the covered entity is subject to the fines and penalties of HIPAA.
17. HIPAA in Diversido
● HIPAA Privacy Policy - Diversido: http://bit.ly/37XNLw6
● HIPAA Security Policy - Diversido: http://bit.ly/2LiX0gA
● HIPAA Sanction Policy - Diversido: http://bit.ly/382Xrp2
● HIPAA Compliance - Audit checklist: http://bit.ly/2Rgvd4c (applicable to both a project and the company)
18. HIPAA in Diversido
The main principles of work on HIPAA-covered projects:
1. Role-based access to PHI
2. Increased security requirements for production
3. Responsibility to report known HIPAA risks or violations
19. HIPAA in Diversido
Recommendations for employees/contractors:
1. Don't copy any ePHI to a personal computer.
2. Use password protection for personal computer access.
3. Don't share Diversido testing devices with third parties.
4. Activate Windows Defender on the personal computer (for Windows users).
5. Use Bitwarden for password management: http://bit.ly/2qeVrZN.
6. All access information must be removed from workstations after work on the project is completed.
7. Before used workstations are sold or transferred for recycling, it is recommended that computer hard drives and device memory be removed, with no ability to recover the information.
20. Offenses Gradation and Sanctions Application
According to the HIPAA Sanction Policy in Diversido, there are three levels of violations that require progressive sanctions to be applied.
The levels are ordered by the seriousness of the violation; level 3 is the most serious.
21. Level 1: Unintentional breach
Caused by lack of knowledge or judgment, human error, or carelessness:
● Accessing information that you do not need to know to do your job.
● Sharing PHI with another employee without authorization.
● Copying PHI without authorization.
● Changing PHI without authorization.
● Discussing confidential information in a public area or in an area where the
public could overhear the conversation.
● Discussing confidential information with an unauthorized person.
● Leaving your computer unattended while you are logged into a PHI system.
● Failure to cooperate with the privacy officer.
● Misdirecting a document containing PHI (email, fax, etc).
22. Level 1: Sanctions
May include, but are not limited to:
● Written and verbal reprimand.
● Retraining on HIPAA Awareness.
● Retraining on Diversido HIPAA Privacy and Security Policies and how they impact the said employee and said employee's department.
● Retraining on the proper use of internal forms and HIPAA-required forms.
23. Level 2: Deliberate or purposeful violation without harmful intent and effects
● The second offense of any level 1 offense (does not have to be the same
offense).
● Sharing your personal access codes (username & password).
● Using another person’s personal access codes (username & password).
● Unauthorized use or disclosure of PHI to third parties.
● Failure to comply with policies and procedures already in place.
● Failure to comply with a team resolution or recommendation.
● Accessing the information of high profile people or celebrities.
24. Level 2: Sanctions
May include, but are not limited to:
● Verbal and written reprimand.
● Retraining on HIPAA Awareness.
● Retraining on Diversido HIPAA Privacy and Security Policies and how they impact the said employee/contractor and said department.
● Retraining on the proper use of internal forms and HIPAA-required forms.
● Termination of employment.
25. Level 3: Deliberate unauthorized disclosure of PHI for malice or personal gain with harmful effects
● The third offense of any level 1 offense (does not have to be the
same offense).
● The second offense of any level 2 offense (does not have to be the
same offense).
● Obtaining PHI under false pretenses.
● Using and/or disclosing PHI for commercial advantage, personal
gain or malicious harm.
● Deliberately destroying or altering records with intent of
defrauding.
26. Level 3: Sanctions
May include, but are not limited to:
● Termination of employment.
● A fine in the amount of a monthly salary (non-payment of wages).
● Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
● Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.
27. Criminal sanctions in Ukraine
● Unlawful collection, storage, use, destruction or dissemination of confidential information about a person, or unlawful alteration of such information, except in cases provided for by other articles of the Criminal Code of Ukraine, -
○ is punishable by a fine of five hundred to one thousand non-taxable minimum incomes, or correctional labor for a term of up to two years, or arrest for a term of up to six months, or restraint of liberty for a term of up to three years.
● If the same actions are taken repeatedly, or if they caused significant harm to the rights, freedoms and interests of a person protected by law, -
○ they are punishable by arrest for a term of three to six months, or restraint of liberty for a term of three to five years, or imprisonment for the same term.
Note. Significant damage in this article, where it consists of material damage, means damage exceeding one hundred times the non-taxable minimum income of citizens: https://urist-ua.net/.
28. Criminal sanctions in the state of Delaware
● A person who wrongfully discloses individually identifiable health information to another person shall be subject to a fine of up to $50,000 and/or imprisonment of up to 1 year.
● If the disclosure is committed under false pretenses, the penalties are increased to a fine of up to $100,000 and/or imprisonment of up to 5 years.
● "If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm," a fine of up to $250,000 and/or imprisonment of up to 10 years may be imposed. 42 U.S.C. § 1320d-6.
Note. HIPAA's privacy provisions do not preempt Delaware state confidentiality laws; indeed, the HIPAA regulations preempt only more lenient state privacy laws: http://www.potteranderson.com/newsroom-publications-115.html.
29. What next
1. Every new Diversido employee/contractor will be trained in HIPAA Awareness.
2. All Diversido employees/contractors will be retrained in HIPAA annually.
3. HIPAA-covered projects must be audited for HIPAA compliance after every milestone completion.