HIPAA training provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and requirements for protecting patient health information. Key points include: - HIPAA aims to standardize electronic health data exchange and protect privacy/security of patient information. - It regulates use and disclosure of protected health information and sets penalties for violations. - Covered entities like health plans and providers must follow HIPAA rules regarding privacy, security, breach notification and other standards when handling patient information. - Protected health information includes identifiable health data and must be kept confidential and secured as required by HIPAA.

1. 1
HIPAA Training – New Staff
December 12, 2018
What is HIPAA?
• Health Insurance Portability and
Accountability Act
• Created to improve efficiency and effectiveness of
healthcare systems by standardizing the electronic
exchange of clinical and administrative data.
• Attempts to improve security in the electronic age.
• Goal is to safeguard the confidentiality of health information
& protect the integrity of health data while ensuring the
availability of care.
1
2

2. 2
• Public Law 104-191 (1996)
• Overseen by Department of Health & Human Services
(HHS) and enforced by Office for Civil Rights (OCR)
• Regulations on:
– Privacy of health information
– Security of health information
– Notification of breaches of confidentiality
– Penalties for violating HIPAA
What is HIPAA?
HITECH
• Health Information Technology for Economic
and Clinical Health Act (HITECH)
• Included in the American Recovery and
Reinvestment Act (ARRA) of 2009
– Contains incentives related to healthcare
technology in general and specific incentives
designed to accelerate the adoption of electronic
health records
– Meaningful Use
– Added “teeth” to HIPAA
3
4

3. 3
HIPAA is constantly changing
Omnibus Rule (2013) included:
• Notice of Privacy Practices (NPP)
– Must be given to all clients
• Business Associate (BA) Agreements
– BAs now just as responsible and accountable
• Policies and Procedures
• Training Requirements
• Audits
Security and Privacy Rules
• According to the Department of Health and Human
Services, the HIPAA Security Rule outlines national
standards designed to protect individual’s electronic
PHI (ePHI).
• The HIPAA Privacy Rule set a national standard for
the protection of certain health information that
addresses the use and disclosure of PHI and
standards for privacy rights for patients to understand
and control how their health information is used.
5
6

4. 4
Environment
• Physical security: locks on doors and file
cabinets.
• Is there a networked printer or fax machine
that is out in the open?
• Awareness of who is allowed into the area
with PHI.
• How is your computer monitor positioned?
• What paper charts/forms are left out on your
desk?
Think HIPAA’s No Big Deal?
• $2.4 Million plus a
Corrective Action Plan
– Appropriate notice to Law
Enforcement of patient
involved in possible medical
identity fraud
– Inappropriate release of
the story, including the
patient’s identity, in a press
release!
7
8

5. 5
HIPAA: Federal vs State
HIPAA (any provision, requirement,
standard or implementation specification
of HIPAA) shall supersede any contrary
Provision of State law.
Unless
The state law is more stringent than the
HIPAA requirement.
Covered Entities (CE)
• Health Plans: A plan that provides or pays the
cost of medical care. Includes Medicaid,
Medicare and self-funded plans.
• Providers: A provider of medial or health services
such as SNFs, home health, hospitals, physician
clinics, etc., that transmit in electronic form.
• Clearinghouses: Process health information from
a non-standard content into standard data
elements or to a standard transaction. Examples
are billing services, health information systems.
9
10

6. 6
Business Associates
• Business Associates are entities that
perform services for or on behalf of a CE
involving PHI.
• Must have a Business Associate
Agreement (BAA).
• A CE can be the business ssociate of
another CE.
Business Associate Agreements
BAAs must contain specific privacy provisions:
– Permitted uses and disclosures of PHI.
– Appropriate safeguards for records.
– How to report unauthorized disclosures to CE.
– PHI available for inspection, amendment, accounting.
– Books and records available for inspection by DHHS.
– Destroy/return PHI at termination of contract.
– Material breach by associate is grounds for termination.
– Require all subcontractor and agents to comply with terms of
BAA.
11
12

7. 7
Protected Health Information (PHI)
PHI is health information collected from an individual,
created or received by a covered entity and
• Relating to the past, present or future physical or mental
health or condition of an individual; or the past, present, or
future payment for the provision of health care to an
individual; and
• That identifies the individual or with respect to which there
is a reasonable basis to believe the information can be
used to identify the individual.
• Can be maintained in an electronic or any other form, and
excludes educational records and employment records.
Examples of Documents with PHI
• Medical charts
• Problem logs
• Photographs and videotapes
• Communications between health care
professionals
• Billing records
• Health plan claims records
• Health insurance policy number
13
14

8. 8
What is Protected by HIPAA?
• Health information protected if it directly or
indirectly identifies an individual
– Direct identifiers: individual’s name, SSN,
driver’s license numbers
– Indirect identifiers: information about an
individual that can be matched with other
available information to identify the individual.
What is Protected by HIPAA?
• If any direct or indirect identifiers are present,
the information is PHI and subject to HIPAA
protection.
• Information can be “de-identified” – but the
Privacy Officer must review to ensure all direct
and indirect identifiers have been properly
removed.
15
16

9. 9
Direct and Indirect Identifiers
1. Name
2. Geographic subdivisions smaller than a State
- Street Address
- City
- County
- Precinct
- Zip Code & their equivalent geocodes,
except for the initial three digits
3. Dates, except year
- Birth date
- Admission date
- Discharge date
- Date of death
4. Telephone numbers
5. Fax number
Direct and Indirect Identifiers
6. E-Mail Address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locations (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable data
18. Any other unique identifying number, characteristic, or code
17
18

10. 10
Think HIPAA’s No Big Deal?
• Don’t let anyone ‘monkey’
with your computer or
network!
• A physician attempted to
deactivate a personally
owned computer which
opened up a network firewall,
allowing internet access to
PHI
• New York Presbyterian
Hospital & Columbia
University paid $4.8Million
for that failure
How HIPAA Protects PHI
• Limits who may use or disclose PHI.
• Limits the purposes for which PHI may be used
or disclosed.
• Limits the amount of information that may be
used or disclosed (Minimum Necessary rule).
• Requires use of safeguards over how PHI is
used, stored and disclosed.
19
20

11. 11
Who May Use PHI?
• Workforce members trained on HIPAA
privacy.
– You are only given access to PHI if you need
it in order to perform your job.
– You must agree to protect the confidentiality
of the information.
– You are subject to discipline if you violate
CIBHS privacy policies and procedures.
How May PHI May Used?
• General Rule:
– Workforce members may use or disclose PHI
only for permitted uses without an individual’s
specific written authorization.
21
22

12. 12
Permitted Uses For PHI
• “TPO”
– Treatment
– Payment
– Health care operations
• Specified public policy exceptions (public health and law
enforcement)
• Any other use requires individual written
authorization
Safeguarding PHI
• People consider health information
their most confidential information, and
we must protect it accordingly.
– Do not access PHI that you do not need
– Do not discuss PHI with individuals who do not
need to know it.
– Do not provide PHI to anyone not authorized to
receive it
• Misuse of PHI can result in discipline, legal
penalties and loss of trust.
23
24

13. 13
Value of Medical Information
• Medical information can be worth ten times more than
credit card numbers on the deep web. Fraudsters can
use this data to create fake IDs to buy medical
equipment or drugs, or combine a patient number with a
false provider number and file fictional claims with
insurers.
• Consumers often discover their credentials have been
stolen a long time after fraudsters have used their
personal medical ID to impersonate them and obtain
health services.
Be HIPAA Aware -
Know who’s around you!
• Don’t discuss PHI where you can be
easily overheard.
• Keep discussion of PHI to a minimum.
• Limit PHI on whiteboards, chart
holders, view boxes or limit the ability
to view them.
• Position monitors so others cannot
view them.
HIPAA Hotline 214-456-4444
J Podleski, CCEP, CHRC, CHPC, CHC
25
26

14. 14
Safeguarding PHI
• Follow safe practices for your computer system
ID and password.
– Use strong passwords—see your Privacy
Officer for guidelines.
– Keep your user ID and password confidential
and secure.
– Do not allow anyone else to access the
computer system under your ID!
– Any access that happens under your
credentials belongs to you!
HIPAA Hints
• Papers with PHI should NEVER
go in the trash!
• Do not unnecessarily print or copy
PHI.
• Shredding is the right way to
dispose of them.
• Have an office shredder or take
your papers to the nearest Shred-
It container at least daily!
• Don’t keep papers in another
container – they might end up in
the trash by mistake.
27
28

15. 15
Safeguarding PHI
• Only access electronic PHI from a
workstation approved for HIPAA or PHI
access.
• Only save electronic PHI to a HIPAA-
designated server.
• Do not leave computer station unattended
without locking it first.
• Do not engage in risky practices with
computers used to access PHI
How to be a good HIPAA fairy
• Think about patient
privacy first
• Report unusual activity
to your supervisor and
the Privacy Officer
• Never guess about ‘the
right way’ -- check with
your supervisor or the
Privacy Office
29
30

16. 16
Basic Requirements for CEs
• Notify patients of their rights and how their PHI will
be used.
• Adopt and implement Privacy Policies and
Procedures, including sanctions for violations.
• Train workforce to understand and follow the
P&P’s.
• Designate individuals to be responsible for
compliance.
• Secure PHI so it’s not available to those who don’t
need to know.
• Provide a way for complaints to be made
concerning Privacy violations.
Minimum Necessary Standard
• Role based access
– Assure that individuals only have access to the
information needed to do their job.
• Disclosures
– Disclose only the minimal necessary to meet the
purpose of the disclosure
– Does not apply to disclosures made
• With an authorization
• To a provider for treatment
• To the subject of the information
• To the Secretary of DHHS
• As required by law
• As required to comply with the regulations
31
32

17. 17
Patient Rights under HIPAA
• To see their medical record & obtain a copy
• Request amendments to their medical record
• Request disclosure restrictions
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures
• To authorize disclosures
• Timely notification of any breaches
Breach
Breach Definition
An impermissible use or disclosure under the
Privacy Rule of PHI is presumed to be a breach
unless the covered entity or business associate,
as applicable, demonstrates that there is a low
probability that the PHI has been compromised
Breaches of more than 500 patient records must
be reported to the news media and are posted
on the Wall of Shame.
33
34

18. 18
Wall of Shame
https://ocrportal.hhs.gov/ocr/breach/breach_
report.jsf
Think HIPAA’s No Big Deal?
HIPAA Hotline 214-456-4444
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following
Largest U.S. Health Data Breach in History
Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil
Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and
Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data
breach in history and exposed the electronic protected health information of almost 79 million people.
The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29,
2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted
cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat
attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear
phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened
the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the
cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical
identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an
enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify
and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to
prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
35
36

19. 19
Breach Notification
• Following a breach of unsecured PHI, notification must be
provided to the affected individual, the Secretary of DHHS,
and in certain circumstances, to the media.
• Breach is based on risk assessment.
• Business Associates must notify the Covered Entity of a
breach.
• Provided without unreasonable delay, no later than 60 days
following the discovery of the breach.
– CA requires a 15 day maximum
• If you believe a HIPAA breach has occurred, you should
immediately report it to the Privacy Officer and your
supervisor.
OCR Enforcement Highlights
(As of May 2017)
• Number of complaints – 156,874
• Resolved – 154,777 (98%)
• Complaints Investigated – 36,423
• No violations – 11,256
• Referred to DOJ – 620
• Ineligible for OCR enforcement – 96,807
37
38

20. 20
Why should we care about the
HIPAA rules?
CIBHS
• Disciplinary action up to and including termination of
employment
Civil Penalties
• Up to $1.5 million per year per violation
Criminal Penalties
• Up to $250,000, imprisonment of up to ten years, or both
Penalty Descriptions
HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising
reasonable diligence would not have known)
that he/she violated HIPAA
$100 per violation, with an annual maximum
of $25,000 for repeat violations (Note:
maximum that can be imposed by State
Attorneys General regardless of the type of
violation)
$50,000 per violation, with an annual
maximum of $1.5 million
HIPAA violation due to reasonable cause and
not due to willful neglect
$1,000 per violation, with an annual
maximum of $100,000 for repeat violations
$50,000 per violation, with an annual
maximum of $1.5 million
HIPAA violation due to willful neglect but
violation is corrected within the required
time period
$10,000 per violation, with an annual
maximum of $250,000 for repeat violations
$50,000 per violation, with an annual
maximum of $1.5 million
HIPAA violation is due to willful neglect and
is not corrected
$50,000 per violation, with an annual
maximum of $1.5 million
$50,000 per violation, with an annual
maximum of $1.5 million
39
40

21. 21
42 CFR Part 2
42 CFR Part 2
 42 CFR Part 2 are the federal regulations governing
the confidentiality of drug and alcohol abuse
treatment and prevention records.
• Privacy protections afforded to alcohol and drug
abuse patient records.
• Motivated by the understanding that stigma and fear
of prosecution might dissuade persons from seeking
treatment.
https://www.ecfr.gov/cgi-bin/text-
idx?SID=0f9b2a146b539944f00b5ec90117d296&mc=true&node=pt42.1.2&r
gn=div5
41
42

22. 22
Who is Covered?
• 42 CFR Part 2 applies to any individual or
entity that is federally assisted and
provides alcohol or drug abuse treatment
or referral for treatment (42 CFR § 2.11)
• Consider funding, treatment provided and
clinical licenses that are at the federal
level (DEA license)
Regulations
• Restrict the disclosure and use of alcohol
and drug client records
• Any information disclosed by a covered
program that “would identify a patient as
an alcohol or drug abuser”
• With limited exceptions, 42 CFR Part 2
requires client consent for disclosures of
PHI even for the purposes of TPO.
• Consent must be in writing
43
44

23. 23
Written Consent
The primary way in which patient substance abuse
information may be disclosed is with a patient’s
written consent. Substance abuse programs and
providers must give patients a written summary of
the federal laws and regulations that protect the
confidentiality of patient substance abuse records
and a description of the circumstances when the
patient’s information may be disclosed without
his/her consent.
Consent Forms
For all other disclosures,
consent must be obtained
using a written consent form.
A single consent form may
authorize disclosure to
multiple parties or for multiple
purposes. Consent forms
must contain specific
elements (see right column).
• Patient Name
• Agency making disclosure
• agency name of the person or agency to
which disclosure is made
• nature and amount of information to be
disclosed (minimum necessary),
• purpose of the disclosure (as specific as
possible),
• effective and expiration dates and event
or condition upon which the consent
expires
• language explaining the consent
process and may include a statement
about possible denial of services if not
signed for purposes of treatment,
payment or healthcare operations
• and signatures of client, authorized
representative and description of
authority to sign on the client’s behalf
45
46

24. 24
Exceptions-Always work with
Privacy Officer
• Program Communications
• To communicate with
Qualified Service
Organizations (QSO)
– Similar to other covered entities
or business associates
• Medical Emergencies
• Response to a crime against
program personnel or on
program premises
• Research activities
(approved by IRB)
• Audit and Evaluation
• Report suspected child
abuse or neglect
• Circumstances
involving certain minors
or incompetent patients
• Response to a valid
court order
• Cause of death
HIPAA and 42 CFR Part 2
• Substance use programs must comply with both
HIPAA 45 CFR and 42 CFR Part 2.
• If there is a conflict, the more stringent rule
applies.
• Addiction treatment providers fall under the
more stringent laws of 42 CFR, Part 2, in most
cases.
47
48

25. 25
Policies and Procedures
• Must be current and reference 45 CFR for
both privacy and security
• Agency must have an interconnected set
of polices, plans, procedures and security
roles assigned to have the end result be a
secure, compliant and auditable
environment
49
50

26. 26
Please complete the survey!
iPhone or iPad:
1. Open up the camera app on your iPhone or iPad
2. Hold the device’s camera up to the QR code
3. No need to hit the shutter button, your iOS device will automatically
recognize the QR code
4. Click the pop up window that appears and complete the survey
5. Make sure you have mobile signal or you’re connected to Wi‐Fi
Android:
For android
devices you
will need to
have a QR
code reader
app installed
on your
phone.
You can also
type in the
link below in
your browser
and
complete the
survey
51