2. DISCLOSURE:
• This presentation includes the protocol for
training employees on patient privacy and
confidentiality.
• This is not a training manual for employees
but a guide as to what managers should be
instructing and training their employees on.
3. REQUIREMENTS
• Section 164.530 of the HIPAA rule states a covered entity must
train all employees on the policies & procedures regarding
Protected Health Information (PHI) in order for the employees
to fulfill their job duties with the organization
• Section 164.308 states a covered entity should implement specific
training on security awareness including security reminders,
protection from malicious software, log in monitoring and
password management.
4. WHAT IS PHI
PHI is individually identifiable health
information that is maintained by a
covered entity regarding an
individual’s health status, provision
of care or payment for health care.
5. WHO SHOULD BE TRAINED?
• All employees, volunteers and trainees of a covered entity must be
trained on all privacy policies and procedures as necessary and
appropriate to carry out the scope of their employment or
function within the organization
6. WHAT TO TEACH
• All policies & procedures related to PHI including but not limited to:
• Routine security updates
• Procedures for detecting & reporting malicious software
• Procedures for monitoring log ins
• Procedures for creating & safeguarding passwords
7. IMPLEMENT LEVELS OF TRAINING
• Level 1 training should include universal privacy & confidentiality
training topics
• Level 2 training should include specific topics in relation to a
specific job position such as employees working with psych
patients, drug & alcohol rehab, etc. This includes accessing
information on a need-to-know basis
8. LEVEL 1 TRAINING
• General HIPAA & confidentiality
• Patient rights
• Workstation Security
• Reporting suspected breaches
• Sanctions
• E-mails, faxes
• Complaints
• Social Media
• Reporting privacy & security breaches
• Non-retaliatory policy
9. SOCIAL MEDIA
• Zero tolerance policy for:
• Discussing patients, even in general terms
• If you wouldn't say it in a crowded elevator, don’t post it online
• Posting negative thoughts or ideas on social media; it reflects
poorly on you and your employer
• Never post photos of patients, their rooms, or their belongings
11. LEVEL 2 TRAINING
• Accessing organizational directories
• Accessing employee protected information
• Access to psych records
• Photography
• De-identification of PHI
• Social Media
12. FINAL THOUGHT
If the information you have
an urge to look at does not
pertain to your specific
job… Don’t look.