HIPAA training provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and requirements for protecting patient health information. Key points include:
- HIPAA aims to standardize electronic health data exchange and protect privacy/security of patient information.
- It regulates use and disclosure of protected health information and sets penalties for violations.
- Covered entities like health plans and providers must follow HIPAA rules regarding privacy, security, breach notification and other standards when handling patient information.
- Protected health information includes identifiable health data and must be kept confidential and secured as required by HIPAA.
Agenda
• Discuss how to handle patient communications
• Explain the issues involved with using Social Media
• Discuss how Social Media can work under HIPAA
• Identify guidance from HHS on patient communications
• Show what’s needed in a Social Media Policy
• Show the process that must be used in the event of breach
• Preparing for enforcement and auditing
• Learn how to approach compliance
This document provides an overview and training on HIPAA privacy and security requirements. It covers topics such as who needs HIPAA training, examples of privacy breaches, guidelines for securing protected health information (PHI), and considerations for emailing and accessing PHI. It also summarizes key aspects of the HITECH Act regarding breach notification requirements and penalties. The training is meant to educate staff on properly handling PHI to avoid violations and protect patient privacy.
This training module covers HIPAA privacy and security rules for protecting protected health information (PHI). It addresses recognizing situations where PHI could be mishandled, practical ways to protect privacy and security of sensitive information, and that employees will be held responsible for improperly handling PHI. The module covers forms of PHI, examples of PHI, HIPAA privacy and security rules, covered entities' duty to protect PHI, and consequences for violations.
While researchers are technically not covered by HIPAA, it is still important to protect patients' Protected Health Information (PHI). This is a presentation I did for the Society of Clinical Research Associates (SOCRA).
Hipaa journal com - HIPAA compliance guide (Felipe Prado)
The document provides an overview of HIPAA compliance guidelines. It discusses the background and objectives of HIPAA legislation over time, including the original 1996 act and subsequent additions through 2013. Key points covered include the HIPAA Privacy and Security Rules, Enforcement Rule, Breach Notification Rule, and the goals of initiatives like HITECH and Meaningful Use to incentivize electronic health records and expand coverage. The document aims to help healthcare organizations understand and implement the necessary administrative, physical, and technical safeguards to protect patient information as required by HIPAA.
HIPPA - Health Insurance Portability and Accountability Act (Harshit Trivedi)
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA). It discusses the objectives of HIPAA, which are to improve portability and continuity of health insurance, prevent healthcare fraud and abuse, and simplify administration of health insurance. It outlines the key areas covered by HIPAA: insurance portability, fraud enforcement, and administrative simplification. The document also discusses HIPAA regulations around protected health information, privacy laws, audits of access to medical records, and penalties for non-compliance.
PowerPoint presentation from the Human Subjects Research Committee at the University of North Alabama, in Florence, AL, concerning HIPAA policies and procedures.
Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.
This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its core fundamentals. This represents Part 1 of 3 in a series that educates primary care providers on achieving HIPAA compliance.
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn (KloudLearn)
The document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA). It describes HIPAA's purpose of providing continuous health insurance coverage and reducing healthcare costs. It also outlines HIPAA's main components, compliance requirements, and rules regarding privacy of protected health information and security of electronic health data. Key entities covered by HIPAA include healthcare providers, health plans, and clearinghouses that handle personal health information. Examples of HIPAA breaches include stolen devices containing patient data and sending information to the wrong individual.
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
https://www.hipaajournal.com/hipaa-training-requirements/
This document provides an overview of HIPAA compliance requirements. It discusses the Health Insurance Portability and Accountability Act (HIPAA), which established national standards for protecting sensitive patient health information. It also discusses the HITECH Act, which strengthened HIPAA and incentivized adoption of electronic health records. Key aspects of HIPAA covered include privacy rules, security rules, breach notification requirements, penalties for noncompliance, and definitions of protected health information and covered entities. The document also provides an overview of 42 CFR Part 2 regulations regarding confidentiality of substance abuse treatment records.
While the Health Insurance Portability and Accountability Act (HIPAA) is best known for its multitude of requirements that govern the way health care providers can use, disclose, and safeguard protected health information (PHI), its reach goes far beyond that to health plans and business associates that only handle PHI on a limited basis. HIPAA implementation in these environments creates unique challenges—for example, which provisions actually need to be addressed—but with 2016 marking an all-time high for HIPAA enforcement cases, it may be more important now than ever to address HIPAA compliance.
Health Insurance Portability and Accountability Act (HIPAA) Compliance (ControlCase)
The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omnibus rules.
ControlCase HIPAA Compliance as a Service (CaaS) is an integration of services, software, and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.
HIPAA establishes rules to protect patient privacy and confidentiality. It regulates protected health information (PHI), which is essentially any information about a patient's healthcare, identity, or payment. PHI includes details like names, addresses, medical conditions, and treatments. Healthcare workers can access and use PHI for treatment, payment, and operations, and may disclose it as required by law. However, workers should only access the minimum necessary information needed to do their jobs and must protect electronic PHI, following rules for devices, email, and internet use. Violations of privacy policies can result in penalties.
HIPAA establishes standards to protect private health information and electronic health information. It covers protected health information, which is individually identifiable health information that is created or received by a covered entity. HIPAA applies to forms, spoken communication, emails, faxes and other media. It gives patients rights over their private health information and requires covered entities to have security measures, compliance policies, and penalties for violations or noncompliance.
This document provides an overview of HIPAA basics and privacy regulations for employees and volunteers at CCFI. It defines what HIPAA is, including the Privacy and Security Rules. The Privacy Rule protects individuals' health care data, while the Security Rule controls confidentiality, storage, and access of data. Electronic data exchange standards are also outlined. Examples of protected health information under HIPAA are provided, as are common HIPAA terminology and how to protect patient information through secure practices. The importance of compliance is emphasized for reputation, trust, safety, serving clients better, and avoiding legal and funding issues.
The document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) including what information it protects, the entities it covers, and requirements for things like privacy practices, consent, and authorization. Central Michigan University is described as a "hybrid entity" under HIPAA, with some departments fully covered and others only indirectly affected. The presentation aims to familiarize staff with HIPAA regulations and the university's policies and procedures for protecting health information.
The new HIPAA Omnibus rule became effective on September 23, 2013. The consequences for violation are significant. Do you know how to handle a HIPAA breach?
This webinar focuses on what you need to do in the event of a HIPAA breach including:
• Mandatory notices to patients
• Notification to governmental agencies
• Getting your own “house in order” as the government will be requesting policies, training logs, etc.
• What to do when social security numbers are disclosed
• Should you get insurance for HIPAA breaches
• Should you offer credit monitoring for impacted patients
Panelists:
Claudia Hinrichsen, The Health Law Partners
Bob Grant, The Compliancy Group
Moderator:
Marc Haskelson, President, The Compliancy Group LLC.
While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.
The document discusses how the Health Insurance Portability and Accountability Act (HIPAA) affects law enforcement. HIPAA established standards to protect the privacy and security of health information. It changed how hospitals can release information to law enforcement and requires proper documentation or consent. Criminal justice personnel should be familiar with HIPAA regulations regarding the release of patient information, communicable diseases, mental health, and their presence at hospitals. HIPAA provides penalties for non-compliance such as fines and imprisonment. Overall, the document outlines how HIPAA regulates how law enforcement handles health information.
The document summarizes the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It defines protected health information (PHI) as any individually identifiable health information and lists the 18 identifiers that must be removed. It outlines how PHI should only be used and accessed when necessary to perform one's job and secured electronically or physically. Examples of privacy breaches are provided as well as an overview of a Notice of Privacy Practices.
The HIPAA Security Rule establishes national security standards for protecting electronic protected health information. It requires covered entities like healthcare providers, health plans, and healthcare clearinghouses to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information. Specifically, covered entities must ensure the confidentiality, integrity and availability of electronic protected health information, protect against reasonably anticipated threats to its security or integrity, and ensure compliance by their workforce. The Security Rule aims to protect individuals’ health information while allowing new healthcare technologies.
HIPAA Audit Implementation discusses the need to implement HIPAA audits to ensure compliance. HIPAA establishes privacy and security provisions for protected health information. It requires covered entities like healthcare providers and their business associates to implement controls to secure patient data and mitigate the risk of breaches. Noncompliance can result in civil penalties up to $1.5 million per year or criminal penalties of up to 10 years in prison.
HIPAA consent is the state of being in alignment with guidelines set by the Health Insurance Portability and Accountability Act of 1996, passed by Congress.
The document discusses the Health Insurance Portability and Accountability Act (HIPAA). It provides information on the legislative act that established HIPAA, the administrative simplification rules enforced by the Office for Civil Rights, and covered entities that must comply with HIPAA. It also summarizes key aspects of HIPAA regulations including protected health information, use and disclosure limitations, notice requirements, penalties for violations, and examples of HIPAA violation cases.
Geek Sync | Keep your Healthcare Databases Secure and Compliant (IDERA Software)
This document provides an overview of healthcare data privacy regulations and compliance. It discusses key regulations like HIPAA, the types of entities covered, and penalties for violations. Specific examples of notable HIPAA violations from 2018 are also summarized, including large fines against organizations for data breaches exposing millions of patient records. The costs of data breaches are increasing, with the average breach costing over $3 million in 2018. Overall, the document outlines the importance of securing healthcare databases and staying compliant with regulations to avoid penalties and protect sensitive patient information.
The document provides an overview of ITC's policies for protecting confidential patient information in accordance with HIPAA regulations. It defines protected health information (PHI) and outlines requirements for limiting access to and safeguarding PHI. Employees are responsible for keeping PHI private and secure, reporting any breaches, and knowing the penalties for violating privacy laws.
The document discusses HIPAA privacy and security requirements. It defines what protected health information (PHI) is and explains that the Privacy Rule establishes regulations for use and disclosure of PHI. Covered entities like health plans, providers, and clearinghouses must comply with HIPAA and face penalties for violations. The Security Rule also requires administrative, physical and technical safeguards to protect electronic PHI. The document reviews examples of PHI and provides guidance on complying with HIPAA privacy standards.
HIPAA establishes standards to protect sensitive patient health information. It covers identifiable health information held by covered entities, including demographic information, medical records, insurance forms, and billing information. HIPAA applies to both electronic and paper records. It gives patients rights over their protected health information and sets security standards for covered entities to safely store, use and transmit patient data. Covered entities must implement safeguards like access controls, disposal protocols and encryption and are subject to penalties for noncompliance.
This document provides a summary of a training presentation on HIPAA privacy and security requirements for students, job shadows, and residents at Springfield Clinic. It includes an overview of key aspects of HIPAA including patient rights, requirements for covered entities like Springfield Clinic, and responsibilities for protecting patient privacy and securing protected health information. Breach prevention, response procedures for potential breaches, and sanctions for privacy violations are also summarized. The training aims to educate trainees on their confidentiality responsibilities regarding patient information.
health insurance portability and accountability act.pptx (amartya2087)
This document discusses new requirements for clinical studies under HIPAA. It provides an overview of HIPAA, including its goals of ensuring portability of health insurance and protecting privacy and security of patient health information. Key points include that HIPAA establishes standards for privacy of health information, electronic data interchange, and security of electronic protected health information. It also outlines requirements for clinical studies regarding informed consent, authorization of use or disclosure of protected health information, and institutional or privacy board review and waivers.
This document outlines the goals and policies of a confidentiality training program. It aims to educate employees on HIPAA privacy rules, limiting disclosure of protected health information without patient authorization to treatment, payment and healthcare operations. The training reviews expectations that employees maintain strict patient confidentiality, sign confidentiality agreements, and report any privacy violations. Technical safeguards like automatic log offs, password changes and encrypted transmission are also implemented to protect electronic protected health information.
This document summarizes the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) regulations regarding patient privacy and the handling of protected health information. It notes that HIPAA was passed as a federal law in 1996 and outlines regulations to protect individuals' health information privacy and ensure security of electronic personal data transfers. The document then discusses how health information is used by various medical professionals and entities involved in patient care and lists some examples. It also provides an overview of the objectives of HIPAA, patients' rights to their information, and consequences for violations.
This document provides an overview of HIPAA privacy and security requirements for USA as a hybrid covered entity. It discusses how PHI is defined and must be protected in all forms. Only authorized access is allowed and breaches must be reported. Penalties for improper access, use or disclosure of PHI can include civil and criminal penalties. The security rule focuses on safeguarding the confidentiality, integrity and availability of PHI through technical, administrative and physical safeguards.
This document provides an annual training on HIPAA privacy and security requirements for employees of UA Health Care entities. It discusses what HIPAA is and what protected health information is. It covers topics like minimum necessary standards, patient rights, breaches, business associate agreements, and security rules. Employees who do not follow HIPAA rules could face sanctions from UA. The training emphasizes promptly reporting any potential privacy or security issues.
Marc etienne week1 discussion2 presentation (MarcEtienne6)
The document discusses HIPAA training requirements for healthcare providers and staff. It explains that the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to establish privacy standards for protected health information (PHI) and requires covered entities like healthcare providers to provide annual HIPAA training and certification to their workforce. Unauthorized disclosure of PHI is considered a HIPAA violation which can result in civil penalties such as fines or criminal penalties like imprisonment depending on the nature and intent of the violation.
This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.
This document provides an overview of key rules and regulations under HIPAA regarding the privacy and security of protected health information (PHI). It discusses the Privacy Rule, Security Rule, Transaction and Code Sets Rule, Enforcement Rule, and how the HITECH Act expanded the scope and penalties of HIPAA. The rules establish national standards to protect individuals' medical records, require safeguards for PHI, and give patients rights over their health information. The Security Rule addresses electronic PHI and technical, physical and administrative safeguards. The HITECH Act strengthened HIPAA enforcement and increased penalties for violations.
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) for employees at Central Michigan University who have access to protected health information (PHI). It explains that HIPAA training is required to familiarize employees with regulations, policies, and procedures regarding PHI to ensure compliance. Key points covered include what information is considered PHI and protected under HIPAA, who is subject to HIPAA requirements, how PHI may be used and disclosed, and safeguards for handling PHI. Non-compliance with HIPAA can result in penalties including disciplinary action, civil penalties of up to $1.5 million per year for violations of the same provision, and criminal penalties of up to $250,000 and imprisonment.
The document discusses new guidelines around patient confidentiality and HIPAA compliance. It outlines new rights for patients, tighter definitions of violations, and increased emphasis on audits, sanctions, and fines for non-compliance. Any healthcare provider that electronically stores or transmits medical records must comply with HIPAA regulations, which help ensure privacy and consistent standards for documentation and handling of medical information. The document provides guidance on proper use, disclosure, and safeguarding of protected health information.
This document provides an overview of the HIPAA guidelines for protecting patient confidentiality and handling protected health information. It discusses the new omnibus rule which tightens the definition of violations and increases emphasis on compliance, audits, and penalties. It outlines the rules for minimum necessary disclosure of PHI, only using PHI for treatment, payment and operations, and getting patient consent for other uses. Steps for safeguarding PHI include not removing it from the office, using caution when faxing, keeping workstations secure, and asking if unsure.
HIPAA is a national law that establishes standards to protect patient privacy and the confidentiality of patient health information. It applies to covered entities like health plans, providers, and clearinghouses, as well as their business associates. PHI, or protected health information, refers to individually identifiable patient information. HIPAA restricts the use and disclosure of PHI to treatment, payment, and healthcare operations. Covered entities must implement safeguards to secure PHI and provide patient rights and protections. Violations of HIPAA can result in penalties including fines and imprisonment.
This document provides an overview of HIPAA privacy rules for healthcare workers. It explains that HIPAA establishes minimum standards to protect patient privacy and confidentiality. Protected health information (PHI) refers to any information about a patient's healthcare, treatment or payment that can be used to identify them. PHI includes names, addresses, medical details, and other personal information. Healthcare workers can access and use PHI for treatment, payment or operations, and may disclose it as required by law or for other priorities like research. Workers must follow rules for electronic PHI and use the minimum necessary standard for disclosures. Violations of privacy rules can result in penalties.
Hipaa training new_staff_december 2018 - compatibility mode
HIPAA Training – New Staff
December 12, 2018

What is HIPAA?
• Health Insurance Portability and Accountability Act
• Created to improve the efficiency and effectiveness of healthcare systems by standardizing the electronic exchange of clinical and administrative data.
• Attempts to improve security in the electronic age.
• Goal is to safeguard the confidentiality of health information and protect the integrity of health data while ensuring the availability of care.
What is HIPAA?
• Public Law 104-191 (1996)
• Overseen by the Department of Health & Human Services (HHS) and enforced by the Office for Civil Rights (OCR)
• Regulations on:
  – Privacy of health information
  – Security of health information
  – Notification of breaches of confidentiality
  – Penalties for violating HIPAA

HITECH
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Included in the American Recovery and Reinvestment Act (ARRA) of 2009
  – Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records
  – Meaningful Use
  – Added “teeth” to HIPAA
HIPAA is constantly changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
  – Must be given to all clients
• Business Associate (BA) Agreements
  – BAs are now just as responsible and accountable under HIPAA as covered entities
• Policies and Procedures
• Training Requirements
• Audits

Security and Privacy Rules
• According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic PHI (ePHI).
• The HIPAA Privacy Rule sets a national standard for the protection of certain health information; it addresses the use and disclosure of PHI and sets standards for privacy rights so that patients can understand and control how their health information is used.
Environment
• Physical security: locks on doors and file cabinets.
• Is there a networked printer or fax machine that is out in the open?
• Awareness of who is allowed into the area with PHI.
• How is your computer monitor positioned?
• What paper charts/forms are left out on your desk?

Think HIPAA’s No Big Deal?
• $2.4 Million plus a Corrective Action Plan
  – Notifying law enforcement about a patient involved in possible medical identity fraud was appropriate
  – Releasing the story, including the patient’s identity, in a press release was not!
HIPAA: Federal vs State
HIPAA (any provision, requirement, standard or implementation specification of HIPAA) shall supersede any contrary provision of State law.
Unless
The state law is more stringent than the HIPAA requirement.

Covered Entities (CE)
• Health Plans: A plan that provides or pays the cost of medical care. Includes Medicaid, Medicare and self-funded plans.
• Providers: A provider of medical or health services such as SNFs, home health, hospitals, physician clinics, etc., that transmits health information in electronic form.
• Clearinghouses: Process health information from non-standard content into standard data elements or into a standard transaction. Examples are billing services and health information systems.
Business Associates
• Business Associates are entities that perform services for or on behalf of a CE involving PHI.
• Must have a Business Associate Agreement (BAA).
• A CE can be the business associate of another CE.

Business Associate Agreements
BAAs must contain specific privacy provisions:
– Permitted uses and disclosures of PHI.
– Appropriate safeguards for records.
– How to report unauthorized disclosures to the CE.
– PHI available for inspection, amendment and accounting.
– Books and records available for inspection by DHHS.
– Destroy/return PHI at termination of the contract.
– Material breach by the associate is grounds for termination.
– Require all subcontractors and agents to comply with the terms of the BAA.
Protected Health Information (PHI)
PHI is health information collected from an individual, created or received by a covered entity and
• Relating to the past, present or future physical or mental health or condition of an individual; or the past, present, or future payment for the provision of health care to an individual; and
• That identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• Can be maintained in an electronic or any other form, and excludes educational records and employment records.

Examples of Documents with PHI
• Medical charts
• Problem logs
• Photographs and videotapes
• Communications between health care professionals
• Billing records
• Health plan claims records
• Health insurance policy number
What is Protected by HIPAA?
• Health information is protected if it directly or indirectly identifies an individual
  – Direct identifiers: individual’s name, SSN, driver’s license number
  – Indirect identifiers: information about an individual that can be matched with other available information to identify the individual.
• If any direct or indirect identifiers are present, the information is PHI and subject to HIPAA protection.
• Information can be “de-identified” – but the Privacy Officer must review to ensure all direct and indirect identifiers have been properly removed.
Direct and Indirect Identifiers
1. Name
2. Geographic subdivisions smaller than a State
   - Street address
   - City
   - County
   - Precinct
   - Zip code and its equivalent geocodes, except for the initial three digits
3. Dates (except year)
   - Birth date
   - Admission date
   - Discharge date
   - Date of death
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
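The 18 categories above are the Safe Harbor list from 45 CFR 164.514(b)(2): remove every one of them and the record is no longer PHI. What the slide does not show is how this is actually done to a record, and where a mechanical scrub cannot be trusted (free text). The following is an added example for this page, not code from the training deck; the field names, the allowlist of fields kept, the sample record and the reference date are assumptions, and the restricted three-digit ZIP list is the one in HHS’s de-identification guidance (based on 2000 Census data) and should be re-checked against current Census figures before use.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to a record.
Added example for this training page; not code from the deck. Field names,
the allowlist and the sample record are assumptions / constructed data."""
import re
from datetime import date

# Three-digit ZIP prefixes covering 20,000 or fewer people; Safe Harbor requires
# these to be replaced with "000". This is the list in HHS's de-identification
# guidance (derived from 2000 Census data); confirm against current Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Deny by default: only these fields survive untouched. Every other field is
# dropped, which covers identifier categories 1, 2 (except ZIP), 4-17 and the
# catch-all category 18 without having to enumerate every possible field name.
KEEP_FIELDS = {"sex", "state", "diagnosis_codes", "lab_results"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}          # may embed any identifier: human review

TODAY = date(2018, 12, 12)            # fixed reference date for age calculation

def safe_harbor_zip(zip_code):
    """Category 2: keep the initial three digits only, and only when that
    3-digit area holds more than 20,000 people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def age_on(birth_date, today):
    """Whole years between birth_date and today."""
    return today.year - birth_date.year - (
        (today.month, today.day) < (birth_date.month, birth_date.day))

def safe_harbor_date(d, today, is_birth_date=False):
    """Category 3: all date elements except year are removed. Ages over 89,
    and any birth year that would reveal one, collapse to the bucket '90+'."""
    if is_birth_date and age_on(d, today) > 89:
        return "90+"
    return str(d.year)

def deidentify(record, today=TODAY):
    """Return (de-identified record, fields needing Privacy Officer review)."""
    out, review = {}, []
    for key, value in record.items():
        if key in KEEP_FIELDS:
            out[key] = value
        elif key == "zip":
            zip3 = safe_harbor_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key in DATE_FIELDS:
            out[key + "_year"] = safe_harbor_date(value, today, key == "birth_date")
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        elif key in FREE_TEXT_FIELDS:
            review.append(key)   # cannot be scrubbed mechanically with confidence
        # everything else is an identifier or an unknown field: dropped
    return out, review

# Constructed sample record; not a real patient.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "street": "1 Main St", "city": "Sacramento", "state": "CA",
    "zip": "95814-1234", "phone": "916-555-0100", "email": "jane@example.com",
    "birth_date": date(1925, 3, 4), "admission_date": date(2018, 11, 30),
    "sex": "F", "diagnosis_codes": ["E11.9"],
    "notes": "Pt says her neighbor Bob drove her in.",
}

if __name__ == "__main__":
    clean, needs_review = deidentify(SAMPLE)
    print(clean)
    print("review:", needs_review)
```

Two design points matter here. Unknown fields are dropped rather than passed through, because category 18 (“any other unique identifying number, characteristic, or code”) cannot be enumerated in advance. And free-text fields are handed back for review instead of being regex-scrubbed, which is the slide’s point that the Privacy Officer must confirm all identifiers are gone before the data is treated as de-identified.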
Think HIPAA’s No Big Deal?
• Don’t let anyone ‘monkey’ with your computer or network!
• A physician attempted to deactivate a personally owned computer on the network, which opened a hole in the network firewall and allowed internet access to PHI
• New York Presbyterian Hospital & Columbia University paid $4.8 Million for that failure

How HIPAA Protects PHI
• Limits who may use or disclose PHI.
• Limits the purposes for which PHI may be used or disclosed.
• Limits the amount of information that may be used or disclosed (Minimum Necessary rule).
• Requires use of safeguards over how PHI is used, stored and disclosed.
Who May Use PHI?
• Workforce members trained on HIPAA privacy.
  – You are only given access to PHI if you need it in order to perform your job.
  – You must agree to protect the confidentiality of the information.
  – You are subject to discipline if you violate CIBHS privacy policies and procedures.

How May PHI Be Used?
• General Rule:
  – Without an individual’s specific written authorization, workforce members may use or disclose PHI only for permitted uses.
Permitted Uses For PHI
• “TPO”
  – Treatment
  – Payment
  – Health care operations
• Specified public policy exceptions (public health and law enforcement)
• Any other use requires the individual’s written authorization

Safeguarding PHI
• People consider health information their most confidential information, and we must protect it accordingly.
  – Do not access PHI that you do not need
  – Do not discuss PHI with individuals who do not need to know it.
  – Do not provide PHI to anyone not authorized to receive it
• Misuse of PHI can result in discipline, legal penalties and loss of trust.
Value of Medical Information
• Medical information can be worth ten times more than credit card numbers on dark web markets. Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.
• Consumers often discover their credentials have been stolen long after fraudsters have used their medical identity to impersonate them and obtain health services.

Be HIPAA Aware - Know who’s around you!
• Don’t discuss PHI where you can be easily overheard.
• Keep discussion of PHI to a minimum.
• Limit PHI on whiteboards, chart holders and view boxes, or limit the ability to view them.
• Position monitors so others cannot view them.

HIPAA Hotline 214-456-4444
J Podleski, CCEP, CHRC, CHPC, CHC
Safeguarding PHI
• Follow safe practices for your computer system ID and password.
  – Use strong passwords; see your Privacy Officer for guidelines.
  – Keep your user ID and password confidential and secure.
  – Do not allow anyone else to access the computer system under your ID!
  – Any access that happens under your credentials belongs to you!

HIPAA Hints
• Papers with PHI should NEVER go in the trash!
• Do not unnecessarily print or copy PHI.
• Shredding is the right way to dispose of them.
• Have an office shredder or take your papers to the nearest Shred-It container at least daily!
• Don’t keep papers in another container; they might end up in the trash by mistake.
Safeguarding PHI
• Only access electronic PHI from a workstation approved for HIPAA or PHI access.
• Only save electronic PHI to a HIPAA-designated server.
• Do not leave your computer station unattended without locking it first.
• Do not engage in risky practices with computers used to access PHI.

How to be a good HIPAA fairy
• Think about patient privacy first
• Report unusual activity to your supervisor and the Privacy Officer
• Never guess about ‘the right way’; check with your supervisor or the Privacy Office
Basic Requirements for CEs
• Notify patients of their rights and how their PHI will be used.
• Adopt and implement Privacy Policies and Procedures, including sanctions for violations.
• Train the workforce to understand and follow the P&Ps.
• Designate individuals to be responsible for compliance.
• Secure PHI so it’s not available to those who don’t need to know.
• Provide a way for complaints to be made concerning Privacy violations.

Minimum Necessary Standard
• Role based access
  – Assure that individuals only have access to the information needed to do their job.
• Disclosures
  – Disclose only the minimum necessary to meet the purpose of the disclosure
  – Does not apply to disclosures made
    • With an authorization
    • To a provider for treatment
    • To the subject of the information
    • To the Secretary of DHHS
    • As required by law
    • As required to comply with the regulations
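Role-based access, the minimum-necessary rule and the list of exempt disclosures above are three parts of one access decision, and the earlier slide’s point that every access under your credentials belongs to you means that decision has to be logged against a user ID. The following is an added example for this page, not code from the deck or from CIBHS’s systems, showing the three pieces together: deny by default, per-role field sets, purposes that lift the field restriction, and a log entry for every attempt. The role names, field names, purpose labels and sample record are all assumptions.

```python
"""Minimum-necessary, role-based release of PHI with an access log.
Added example for this training page, not code from the deck or from CIBHS.
Roles, field names, purposes and the sample record are assumptions."""
from dataclasses import dataclass, field
from typing import List

# Fields each role needs to do its job. Deny by default: a role not listed here
# gets nothing, and a field not listed for a role is never released to it.
ROLE_FIELDS = {
    "billing":   {"name", "mrn", "insurance_id", "charges"},
    "scheduler": {"name", "mrn", "phone", "next_appointment"},
    "clinician": {"name", "mrn", "phone", "diagnoses", "medications",
                  "next_appointment"},
}

# Disclosures the minimum-necessary standard does not apply to
# (45 CFR 164.502(b)(2)). The role still has to be an authorized one.
EXEMPT_PURPOSES = {"treatment_by_provider", "to_subject", "with_authorization",
                   "to_hhs_secretary", "required_by_law"}

@dataclass
class AccessLog:
    """Every attempt is recorded against the user ID that made it."""
    entries: List[dict] = field(default_factory=list)

def release(record, user, role, purpose, log, requested=None):
    """Return the subset of `record` this user may receive for this purpose.
    `requested` lets the caller ask for fewer fields than the role allows;
    asking for more is refused field by field and recorded in the log."""
    if role not in ROLE_FIELDS:
        log.entries.append({"user": user, "role": role, "purpose": purpose,
                            "released": [], "refused": sorted(record),
                            "result": "denied"})
        raise PermissionError(f"role {role!r} is not authorized for PHI")
    allowed = set(record) if purpose in EXEMPT_PURPOSES else ROLE_FIELDS[role]
    wanted = set(requested) if requested is not None else allowed
    released = {k: v for k, v in record.items() if k in allowed and k in wanted}
    log.entries.append({"user": user, "role": role, "purpose": purpose,
                        "released": sorted(released),
                        "refused": sorted(wanted - allowed),
                        "result": "ok"})
    return released

# Constructed sample record; not a real patient.
RECORD = {
    "name": "J. Sample", "mrn": "MRN-0042", "phone": "916-555-0100",
    "insurance_id": "PLAN-77", "charges": 120.0,
    "diagnoses": ["F41.1"], "medications": ["sertraline 50 mg"],
    "next_appointment": "2019-01-08",
}

if __name__ == "__main__":
    log = AccessLog()
    print(release(RECORD, "bsmith", "billing", "payment", log))
    print(release(RECORD, "bsmith", "billing", "payment", log,
                  requested=["charges", "diagnoses"]))
    for entry in log.entries:
        print(entry)
```

Note that an exempt purpose widens the fields but never bypasses the role check: a disclosure “to the subject of the information” still has to be made by an authorized workforce member, and the refused fields are logged so that a billing account repeatedly asking for diagnoses shows up in the activity review.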
Patient Rights under HIPAA
• To see their medical record & obtain a copy
• Request amendments to their medical record
• Request disclosure restrictions
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures
• To authorize disclosures
• Timely notification of any breaches

Breach
Breach Definition
An impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.
Breaches affecting more than 500 residents of a State or jurisdiction must also be reported to prominent media outlets, and breaches affecting 500 or more individuals are posted on the OCR breach portal (the “Wall of Shame”).
Wall of Shame
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Think HIPAA’s No Big Deal?
HIPAA Hotline 214-456-4444
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
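The Anthem findings above are Security Rule failures rather than a single missed patch: no enterprise-wide risk analysis, no regular review of information system activity (45 CFR 164.308(a)(1)(ii)(D)), and no detection of or response to security incidents, which is how an attacker with one phished credential could pull 79 million records over two months. The following is an added example for this page, not code from the training deck and not a description of Anthem’s actual systems, of what the activity-review control looks like in practice: it parses constructed EHR access-log lines and flags an account that opens many distinct patient records in a short window, or works outside business hours. The log format, account names, window and thresholds are assumptions.

```python
"""Reviewing information system activity (Security Rule 164.308(a)(1)(ii)(D)).
Added example for this training page; not code from the deck and unrelated to
Anthem's environment. Log format, account names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR access log: "<ISO timestamp> <user> <action> <MRN>".
# Not real data. nurse01 and drlee show normal daytime use; svc-report opens
# eight different charts in 90 seconds late at night.
SAMPLE_LOG = """\
2018-12-10T09:02:11 nurse01 VIEW MRN-1001
2018-12-10T09:05:40 nurse01 VIEW MRN-1002
2018-12-10T09:40:02 nurse01 VIEW MRN-1001
2018-12-10T10:15:00 drlee VIEW MRN-1002
2018-12-10T23:10:00 svc-report VIEW MRN-2001
2018-12-10T23:10:12 svc-report VIEW MRN-2002
2018-12-10T23:10:25 svc-report VIEW MRN-2003
2018-12-10T23:10:37 svc-report VIEW MRN-2004
2018-12-10T23:10:50 svc-report VIEW MRN-2005
2018-12-10T23:11:03 svc-report VIEW MRN-2006
2018-12-10T23:11:15 svc-report VIEW MRN-2007
2018-12-10T23:11:30 svc-report VIEW MRN-2008
"""

def parse(lines):
    """Turn raw log lines into (timestamp, user, action, mrn) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, action, mrn = line.split()
        events.append((datetime.fromisoformat(ts), user, action, mrn))
    return events

def review(events, window=timedelta(minutes=10), max_distinct=5,
           business_hours=(6, 20)):
    """Return alerts: a 'bulk_access' alert the first time a user touches more
    than `max_distinct` different records inside any `window`, and an
    'off_hours' alert for any access outside `business_hours`."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, _action, mrn in sorted(events):
        by_user[user].append((ts, mrn))

    for user, accesses in by_user.items():
        start = 0
        in_window = defaultdict(int)   # mrn -> how many hits inside the window
        flagged = False
        for ts, mrn in accesses:
            in_window[mrn] += 1
            # slide the window forward: drop accesses older than `window`
            while ts - accesses[start][0] > window:
                old = accesses[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct and not flagged:
                alerts.append({"user": user, "rule": "bulk_access",
                               "distinct_records": len(in_window),
                               "window_end": ts.isoformat()})
                flagged = True          # one alert per user, not one per hit

        off_hours = [ts for ts, _ in accesses
                     if not business_hours[0] <= ts.hour < business_hours[1]]
        if off_hours:
            alerts.append({"user": user, "rule": "off_hours",
                           "count": len(off_hours),
                           "first": off_hours[0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

In a real deployment the thresholds would come from each role’s observed baseline rather than fixed constants, and a service account that legitimately reads charts in bulk would be excluded by name; the point is that the review runs on a schedule and produces something a person must act on, which is the procedure OCR found missing.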
Breach Notification
• Following a breach of unsecured PHI, notification must be provided to the affected individuals, the Secretary of DHHS, and in certain circumstances, to the media.
• Whether an incident is a reportable breach is determined by a risk assessment.
• Business Associates must notify the Covered Entity of a breach.
• Notification is provided without unreasonable delay, and no later than 60 days following discovery of the breach.
  – California requires licensed clinics and health facilities to report within 15 business days
• If you believe a HIPAA breach has occurred, immediately report it to the Privacy Officer and your supervisor.

OCR Enforcement Highlights (As of May 2017)
• Number of complaints – 156,874
• Resolved – 154,777 (98%)
• Complaints investigated – 36,423
• No violations – 11,256
• Referred to DOJ – 620
• Ineligible for OCR enforcement – 96,807
Why should we care about the HIPAA rules?
CIBHS
• Disciplinary action up to and including termination of employment
Civil Penalties
• Up to $1.5 million per year for violations of the same provision
Criminal Penalties
• Up to $250,000, imprisonment of up to ten years, or both

Penalty Descriptions (civil money penalty tiers)

HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is also the maximum that can be imposed by State Attorneys General, regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
Violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Violation due to willful neglect, but corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Violation due to willful neglect and not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
42 CFR Part 2
42 CFR Part 2 contains the federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records.
• Privacy protections afforded to alcohol and drug abuse patient records.
• Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment.
https://www.ecfr.gov/cgi-bin/text-idx?SID=0f9b2a146b539944f00b5ec90117d296&mc=true&node=pt42.1.2&rgn=div5
Who is Covered?
• 42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)

Regulations
• Restrict the disclosure and use of alcohol and drug client records
• Cover any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser”
• With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO.
• Consent must be in writing
Written Consent
The primary way in which patient substance abuse information may be disclosed is with a patient’s written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances when the patient’s information may be disclosed without his/her consent.

Consent Forms
For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain specific elements:
• Patient name
• Agency making the disclosure
• Name of the person or agency to which the disclosure is made
• Nature and amount of information to be disclosed (minimum necessary)
• Purpose of the disclosure (as specific as possible)
• Effective and expiration dates, and the event or condition upon which the consent expires
• Language explaining the consent process, which may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations
• Signatures of the client and any authorized representative, with a description of the authority to sign on the client’s behalf
Exceptions - Always work with the Privacy Officer
• Program communications
• To communicate with Qualified Service Organizations (QSO)
  – Similar to other covered entities or business associates
• Medical emergencies
• Response to a crime against program personnel or on program premises
• Research activities (approved by IRB)
• Audit and evaluation
• Report suspected child abuse or neglect
• Circumstances involving certain minors or incompetent patients
• Response to a valid court order
• Cause of death

HIPAA and 42 CFR Part 2
• Substance use programs must comply with both HIPAA (45 CFR) and 42 CFR Part 2.
• If there is a conflict, the more stringent rule applies.
• Addiction treatment providers fall under the more stringent laws of 42 CFR Part 2 in most cases.
Policies and Procedures
• Must be current and reference 45 CFR for both privacy and security
• The agency must have an interconnected set of policies, plans, procedures and assigned security roles, so that the end result is a secure, compliant and auditable environment
Please complete the survey!
iPhone or iPad:
1. Open the camera app on your iPhone or iPad
2. Hold the device’s camera up to the QR code
3. No need to hit the shutter button; your iOS device will automatically recognize the QR code
4. Click the pop-up window that appears and complete the survey
5. Make sure you have mobile signal or are connected to Wi-Fi
Android:
For Android devices you will need to have a QR code reader app installed on your phone. You can also type the link below into your browser and complete the survey.