HIPAA Privacy and Security
Training for Employees
Compliance Is Everyone's Job
Topics to Cover
• General HIPAA Privacy and Security Overview
• HIPAA Privacy
• ARRA of 2009: HIPAA Breach Notification Rules
and Procedures
• HIPAA Security
• Questions/Acknowledgment of Training
What is HIPAA?
The Health Insurance Portability and Accountability
Act (HIPAA) is federal legislation which addresses
issues ranging from health insurance coverage to
national standard identifiers for healthcare
providers.
The portions that are important for our purposes
are those that deal with protecting the privacy and
security of health data, which HIPAA calls
Protected Health Information or PHI.
Question 1
HIPAA addresses
a. Privacy
b. Security
c. Both A and B
Correct Answer
c: HIPAA establishes requirements for both the
privacy and security of PHI. Privacy refers to the
confidentiality of protected information.
Security addresses the safe keeping of both paper
and electronic (computer-based) records.
Applicability of HIPAA to UNA
• HIPAA Applies to:
- Departments that have signed Business Associate
Agreements
- Group Health Insurance/Flexible Spending Plan/EAP
- UNA Administrative Departments supporting above
entities (such as Business Affairs, Information
Technology Services)
- Research Involving PHI from a HIPAA covered entity
• Does not apply to Student Health Center, Counseling
Centers, Athletic Department Health Records
What is Protected Health
Information (PHI)?
• Any information, transmitted or maintained in any
medium, including demographic information;
• Created/received by covered entity or business
associate;
• Relates to/describes past, present or future
physical or mental health or condition; or past,
present or future payment for provision of
healthcare; and
• Can be used to identify the patient
Type of Data Protected by HIPAA
• Written documentation and all paper records
• Spoken and verbal information including voice
mail messages
• Electronic databases and any electronic
information, including research
information, containing PHI stored on a
computer, smart phone, memory card, USB
drive, or other electronic device
• Photographic images
• Audio and Video Recordings
Question 2
Jenny, a pediatric nurse, needs to report lab results
to the mother of a 3 year old child who is sitting in
the waiting room. She sticks her head in the waiting
room door and says, “Good news. The lab results
are normal.” Is this a privacy breach?
a. Yes
b. No
Correct Answer
a: Yes, unless no one else was in the waiting room.
The nurse should have asked the mother to step
out into the hallway or taken other steps to be
certain that no one else would overhear the
conversation.
To De-Identify Patient Information
You Must Remove All 18 Identifiers:
• Names
• Geographic subdivisions smaller than state
(address, city, county, zip)
• All elements of DATES (except year), including
DOB, admission, discharge and death dates; all ages over 89
and any dates indicative of such an age
• Telephone, fax, SSN#s, VIN, license plate #s
• Medical record#, account#, health plan beneficiary#
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Device identifiers and serial numbers
• Full face photographic and comparable images
• Any other unique identifying #, characteristic or code
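The identifier list above maps directly onto a de-identification routine. The Python below is an added illustration, not code from the UNA training deck or from any UNA system; the sample record, the field names and the regular expressions are constructed for the example. It goes a little beyond the slide in two ways: it also scrubs identifier patterns that hide inside free-text notes, and it collapses every age over 89 into a single "90+" category and drops the birth year in that case, since a birth year is itself indicative of such an age.

```python
import re
from datetime import date

# Constructed sample record for the example; the values are not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1920-04-12",
    "admission_date": "2011-03-05",
    "state": "AL",
    "city": "Florence",
    "zip": "35632",
    "phone": "256-555-0142",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.org",
    "mrn": "MRN-0099123",
    "diagnosis": "hypertension",
    "note": ("Patient Jane Q. Sample called from 256-555-0142 on 03/05/2011; "
             "follow-up email to jane.sample@example.org."),
}
AS_OF = date(2011, 3, 5)  # reference date for computing age (constructed)

# Field names (assumed for this example) that hold direct identifiers; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "phone", "fax", "ssn", "email",
    "ip", "url", "mrn", "account", "plan_id", "license", "vin", "plate",
    "device_id", "biometric", "photo",
}
# Date fields are reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that tend to hide inside free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"[DATE \1]"),  # keep the year only
]


def age_bucket(dob_iso, as_of):
    """Age in years, with every age over 89 collapsed into the single category '90+'."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def scrub_text(text, known_names=()):
    """Replace known names and identifier patterns in free text with placeholders."""
    for name in known_names:
        text = text.replace(name, "[NAME]")
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record, as_of):
    """Return a copy of `record` with the 18 identifier categories removed or generalized."""
    out = {}
    names = [record["name"]] if "name" in record else []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: drop the field entirely
        if key in DATE_FIELDS:
            year = date.fromisoformat(value).year
            if key == "dob":
                age = age_bucket(value, as_of)
                out["age"] = age
                if age == "90+":
                    continue  # birth year of someone over 89 is itself indicative of age
            out[key + "_year"] = year
            continue
        out[key] = scrub_text(value, names) if isinstance(value, str) else value
    return out


def deidentify_sample():
    """Run the routine over the constructed record."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

The free-text pass is the part that a field-by-field approach misses: a note column routinely carries the very phone numbers, dates and e-mail addresses that were removed from the structured columns, so a reviewer should always look at the unstructured fields before calling a data set de-identified.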
Question 3
Photographs are considered PHI.
a. True
b. False
Correct Answer
a: Photographs as well as video and audio
recordings are protected under HIPAA regulations.
Department of Justice-Imposed
Criminal Penalties for Employee
• Wrongfully Accessing or Disclosing PHI: Fines up
to $50,000 and up to 1 Year in Prison
• Obtaining PHI Under False Pretenses: Fines up to
$100,000 and up to 5 Years in Prison
• Wrongfully Using PHI for a Commercial Activity:
Fines up to $250,000 and up to 10 Years in
Prison
• HIPAA criminal and civil fines and penalties can
be enforced against INDIVIDUALS as well as
covered entities who obtain the information
illegally
Federal-Imposed Civil Penalties
• Tier A: Did not know of the violation and would have handled it differently:
- Minimum per violation: $100 (each name in a data set can be a violation);
Maximum per calendar year: $25,000
• Tier B: Violations due to reasonable cause, but not willful neglect:
- Minimum per violation: $1,000; Maximum per calendar year $50,000
• Tier C: Violations due to willful neglect that organization corrected:
- Minimum per violation: $10,000; Maximum per calendar year $250,000
• Tier D: Violations due to willful neglect that organization did not
correct
- Minimum per violation: $50,000; Maximum per calendar year: $1.5 Million
• HHS is now required to investigate and impose civil penalties
where violations are due to willful neglect
• Feds have 6 years from occurrence to initiate civil penalty action
• State attorneys general can pursue civil cases against
INDIVIDUALS who violate the HIPAA privacy and security
regulations
• Civil Penalties now apply to Business Associates
Question 4
An individual convicted of a HIPAA violation might be
subject to
a. Fine
b. Jail term
c. Both A and B
Correct Answer
c: HIPAA is federal legislation. Sanctions for
violators can include both fines and incarceration.
Breach and Sanction Information
In the Office of Civil Rights annual report to
Congress:
• 9/23/09 - 12/31/09 – 45 breach reports involving
2.4 million individuals
• 1/1/10 – 12/31/10 – 207 breach reports involving
5.4 million individuals
• Four general causes (individuals affected):
1. Theft of electronic or paper records (2,979,121)
2. Loss of electronic medical or paper records
(1,156,847)
3. Intentional unauthorized access to, use, or disclosure
(1,006,393)
4. Human error (78,663)
Breach and Sanction Information
On January 16, 2009, the Department of Health and
Human Services reached an agreement with CVS
Pharmacy, Inc. (CVS) to settle potential violations
of the Privacy Rule. CVS agreed to pay $2.25 million
and to implement a detailed Corrective Action Plan
to ensure that its workforce members appropriately
dispose of PHI, such as labels from prescription
bottles and old prescriptions.
Breach and Sanction Information
On July 27, 2010, the Department of Health and
Human Services (HHS) reached an agreement with
Rite Aid Corporation and its 40 affiliated entities
(Rite Aid) to settle potential violations of the Privacy
Rule. Rite Aid agreed to pay $1 million and to take
corrective action to improve policies and
procedures to safeguard the privacy of its
customers when disposing of PHI on pill bottle labels
and other health information.
Breach and Sanction Information
On July 6, 2011, the Department of Health and Human
Services (HHS) entered into its third largest
settlement for potential HIPAA privacy and security
rule violations, reaching a resolution agreement of
$865,500 with the University of California at Los
Angeles Health System (UCLAHS) associated with
2 complaints of intentional unauthorized access
to/use/disclosure of PHI.
HIPAA Permitted Uses and
Disclosures of PHI
• A covered entity can always use and disclose PHI
for any purpose if it gets the person's signed
HIPAA-valid authorization
• Only designated, HIPAA-trained personnel are
permitted to approve disclosure of PHI per the
person's HIPAA-valid authorization
• For a complete list of permitted uses and
disclosures of PHI, see your entity's notice of
health information practices
HIPAA Permitted Uses and
Disclosures of PHI
• The HIPAA Privacy Rule states that PHI may be
used and disclosed to facilitate treatment,
payment, and healthcare operations (TPO)
which means:
- PHI may be disclosed to other providers for treatment
- PHI may be disclosed to other covered entities for
payment
- PHI may be disclosed to other covered entities that
have a relationship with the patient for certain
healthcare operations such as quality improvement,
credentialing, and compliance
- PHI may be disclosed to individuals involved in a
patient’s care or payment for care unless the patient
objects
Minimum Necessary Standard
• When HIPAA permits use or disclosure of PHI, a
covered entity must use or disclose only the
minimum necessary PHI required to accomplish
the purpose of the use or disclosure
• The only exceptions to the minimum necessary
standard are those times when a covered entity is
disclosing PHI for the following reasons:
- Treatment
- Purposes for which an authorization is signed
- Disclosures required by law
- Sharing information with the patient about himself/herself
What HIPAA Did Not Change
• Family and friends can still pick up prescriptions
for sick people
• Physicians and Nurses do not have to whisper
• State laws still govern the disclosure of a minor's
health information to parents (a minor is under the
age of 19 in Alabama)
Other Privacy Safeguards
• Avoid conversations involving PHI in public or
common areas such as hallways or elevators
• Keep documents containing PHI in locked cabinets or
locked rooms when not in use
• During work hours, place written materials in secure
areas that are not in view or easily accessed by
unauthorized persons
• Do not leave materials containing PHI on desks or
counters, in conference rooms, or in public areas
• Do not remove PHI in any form from the designated
work site unless authorized to do so by management
• Never take photographs in patient care areas
Question 6
TPO stands for:
a. Therapy, patient, outcome
b. Treatment, payment, operation
c. Training participation, organization
Correct Answer
b: Treatment, payment, operation. Once the
Acknowledgement of Health Information Practices
has been signed by the patient, PHI can be
disclosed as necessary to complete treatment, bill
for services, and manage healthcare operations.
Question 7
PHI can never be released for any reason except
TPO (treatment, payment, operations).
a. True
b. False
Correct Answer
b: False. PHI can be released for reasons other
than TPO if additional release forms have been
signed by the patient.
Question 8
Charlie works at a medical center and is
responsible for entering billing data into the
computer system. He looks at his mother-in-law's
medical records, because he is concerned that she
has not been fully honest with her family about
some recent health problems. Since he has been
HIPAA trained, is this a breach of privacy?
a. Yes
b. No
Correct Answer
a: Yes. Although Charlie has been HIPAA trained,
his access is based on the minimum necessary
requirement to complete his job. He does not need
to access health records to enter billing data.
Unless his mother-in-law has given permission, in
writing, for him to access her records, this action
was a violation of Privacy Policies.
Business Associate Agreements
• Are required before a covered entity can contract
with a third party individual or vendor
(subcontractor) to perform activities or functions
which will involve the use or disclosure of the
covered entity's PHI
• Bind the third party individual or vendor to the
HIPAA regulations when performing the
contracted services
• Must be approved in accordance with appropriate
UNA policies and procedures
Individual employees are NOT authorized to sign
contracts on behalf of UNA.
HIPAA Put New Requirements
on Research
• If you work for a Health Care Provider under
HIPAA, do not release PHI for research unless:
- The patient has signed a valid HIPAA
authorization, or
- The HSC (UNA's IRB) has approved a waiver of
authorization; or
- The IRB agrees that an exception applies
Information regarding HIPAA and Research is
available through the Office of Sponsored
Programs
American Recovery and
Reinvestment Act of 2009 (ARRA)
• Expanded privacy and security provisions of the
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
• One new requirement is that we must notify
affected individuals and federal officials when a
breach or potential breach of privacy has occurred
• The following slides discuss our obligation under
these rules
Question 9
________ requires that individuals and federal
officials be notified when a breach or potential
breach of PHI Privacy or Security regulations has
occurred
a. HIPAA
b. ARRA
Correct Answer
b: ARRA, or the American Recovery and
Reinvestment Act of 2009, expanded HIPAA to
establish regulations for notification of a breach or
potential breach of PHI.
First Federal Definition of Breach
• ARRA provides the first federal definition of a
Breach:
- The unauthorized acquisition, access, use or disclosure
of unsecured PHI which compromises the security or
privacy of the information
- Exceptions:
» Unintentional acquisition, access or use of PHI by an
employee or individual acting under the authority of a
covered entity
» Inadvertent disclosure of PHI from one person authorized
to access PHI at a covered entity to another person
authorized to access PHI at the covered entity
» Unauthorized disclosures in which an unauthorized person
to whom PHI is disclosed would not reasonably have been
able to retain the information
Secured PHI
• ARRA further identified the information to which the
breach notification provisions apply. It defined
“unsecured protected health information” as PHI that is
not secured through the use of a technology or
methodology that renders it unusable, unreadable,
or indecipherable and that is developed or endorsed
by the American National Standards Institute
• Therefore, for breaches involving the misuse, loss, or
inappropriate disclosure of paper or electronic data,
there are some "home free" methods under which the
loss would indicate no harm done:
- Paper secured by use of a crosscut shredder (or destroyed)
- Electronic data: encrypted data files and/or transmissions
Encryption
• Security Rules require a Covered Entity/Business
Associate to consider implementing encryption as
a method for safeguarding Electronic Protected
Health Information (PHI)
• If the PHI was encrypted, notification is not
required in the event of a breach
What Constitutes a Breach?
• A breach could result from many activities. Some
examples are:
- Failing to log off when leaving a workstation
- Unauthorized access to PHI
- Sharing confidential information, including passwords
- Having patient-related conversations in public settings
- Improper disposal of confidential materials in any form
- Copying or removing PHI from the appropriate area
• Why?
- Curiosity…about a co-worker or friend
- Laziness…sharing a sign-on to information systems
- Compassion…the desire to help someone
- Greed or malicious intent…for personal gain
Question 10
Bill, a billing employee, receives and opens an
email containing PHI which a nurse, Nancy,
mistakenly sent to him. Bill notices that he is not
the intended recipient, alerts Nancy to the
misdirected email, and deletes it.
Was this a breach of PHI?
a. Yes
b. No
Correct Answer
b: No. Bill unintentionally accessed PHI that he was
not authorized to access. However, he opened the
email within the scope of his job for the covered
entity. He did not further use or disclose the PHI.
This was not a breach of PHI as long as Bill did not
further use or disclose the information accessed in
a manner not permitted by the Privacy Rule.
Question 11
Rhonda is a receptionist for a covered
entity, and, due to her work responsibilities, she is
not authorized to access PHI. Rhonda decides to
look through patient files to learn about a friend's
last visit to the doctor.
Does Rhonda's action constitute a breach?
a. Yes
b. No
Correct Answer
a: Yes. Rhonda accessed PHI without a work-
related need to know. This access was not
unintentional, done in good faith, or within the
scope of her job for the covered entity.
Question 12
Rob, a research assistant, wanted to get ahead on
some statistical work, so he copied the information
from 240 research participants to his thumb drive.
The information included PHI, and the thumb drive
was not encrypted. On his way home to continue
his work, he stopped by the store to get some
snacks. When he returned to his car, he found it had
been broken into. Missing were his GPS, dozens of
CDs, and his book bag containing the thumb drive.
Does this event constitute a breach?
a. Yes
b. No
Correct Answer
a: Yes. Unsecured PHI was stolen because the
thumb drive was unencrypted.
Actually, Rob violated many policies:
• Removed confidential information from the unit
without approval
• Used his personal portable computing device for
business without senior management approval
• Copied confidential information to a portable
computing device without senior management
approval
• Used a portable computing device that was not
encrypted
Responsibility to Report
• When receiving a privacy complaint, learning of a
suspected breach in privacy or security, or
noticing something is “just not right,” we must
work together…immediately, cooperatively,
efficiently, carefully, and confidentially
• If you notice, hear, see, or witness any activity
that you think might be a breach of privacy or
security, please let your organization's privacy
and/or security officer know immediately
• It is much better to investigate and discover no
breach than to wait and later discover that
something DID happen
Question 13
If you suspect that there has been a breach of
HIPAA Policies in your workplace, you should
report your suspicions to:
a. University Police
b. University Office of Legal Counsel
c. HIPAA Privacy or Security Office assigned to
your workplace
Correct Answer
c: The HIPAA Privacy or Security Officer for your
workplace should be notified of any possible breach
of HIPAA Policies. The employee who reports such
suspicions is protected from any repercussions for
making his/her concerns known to the HIPAA
Officer.
Security Standards – General
Rules
• HIPAA security standards ensure the
confidentiality, integrity, and availability of PHI
(Protected Health Information) created, received,
maintained, or transmitted electronically by and
with all facilities
• Protect against any reasonably anticipated threats
or hazards to the security or integrity of such
information
• Protect against any reasonably anticipated uses
or disclosures of such information that are not
permitted
Rules for Access
• Access to computer systems and information is based on
your work duties and responsibilities
• Access privileges are limited to only the minimum
necessary information you need to do your work
• Access to an information system does not automatically
mean that you are authorized to view or use all the data in
that system
• Different levels of access to PHI for personnel are intentional
• If job duties change, clearance levels for access to PHI are
reevaluated
• Access is eliminated if an employee is terminated
• Accessing PHI for which you are not cleared or for which
there is no job-related purpose will subject you to sanctions
Question 14
Once employees have completed HIPAA training,
their access to PHI is:
a. Unlimited
b. Based on work duties and responsibilities
c. Limited to the minimum necessary information
to complete required work
d. Both B and C
Correct Answer
d: Access to PHI is based on need-to-know which
is determined by the employee's duties and
responsibilities. The employee should access the
minimum PHI necessary to complete the required
task.
Rules for Protecting Information
• Do not allow unauthorized persons into restricted
areas where access to PHI could occur
• Arrange computer screens so they are not visible
to unauthorized persons and/or patients; use
security screens in areas accessible to the public
• Log in with your password, log off prior to leaving the work
area, and do not leave the computer unattended
• Do not duplicate, transmit, or store PHI without
appropriate authorization
• Storage of PHI on unencrypted removable
devices (Disk/CD/DVD/Thumb Drives) is
prohibited without prior authorization
Encryption of PHI
• Encryption is generally necessary to protect
information outside of Banner
• Use of other mobile media for accessing and
transporting PHI such as smart
phones, iPads, Netbooks, thumb
drives, CDs, DVDs, etc., presents a very high risk
of exposure and requires appropriate
authorization
• Use of any personally owned laptops, desktops or
other mobile devices (non-UA equipment) for
accessing PHI requires appropriate authorization
Password Management
• Do not allow coworkers to use your computer without logging
off your user account
• Do not share passwords or reuse expired passwords
• Do not use passwords that can be easily guessed (dictionary
words, pets' names, birthdays, etc.)
• Choose new passwords when they must be reset
• Passwords should not be written down, but if writing down a
password is required, it must be stored in a secured location
• Disable passwords or delete accounts when employees leave
• Passwords:
- Should be a minimum of 8 characters long and changed periodically
- Include 3 of 4 character types (upper/lower case, numeric, special
characters)
- A good password scheme is critical – R0llt!de (example, don't use)
Question 15
Is it acceptable to share your computer password
with your fellow employees if they have received
HIPAA training?
a. Yes
b. No
Correct Answer
b: No. You should not share your computer
password.
Protection from Malicious Software
• Malicious software can be thought of as any
virus, worm, malware, adware, etc.
• As a result of an unauthorized infiltration, PHI and other data
can be damaged or destroyed
• Notify Information Technology Services immediately if you
believe your computer has been compromised or infected with a
virus – do not continue using computer until resolved
• The University provides standard, managed anti-virus and other
security software
• Do not disable anti-virus or other security software on individual
workstations
• Any personal devices used for access to PHI must have
appropriate anti-virus software
• Do not open e-mail or attachments from an
unknown, suspicious, or untrustworthy source or if the subject
line is questionable or unexpected – DELETE THEM
IMMEDIATELY
Rules for Disposal of Computer
Equipment
• Only authorized employees should dispose of PHI in accordance with
retention policies.
• Documents containing PHI or other sensitive information must be
shredded when no longer needed. Shred immediately or place in
securely locked boxes or rooms to await shredding.
• All questions concerning media reallocation and disposal should be
directed to Director of Sponsored Programs; IT systems representatives
are responsible for sanitization and destruction methods.
• Media, such as CDs, disks, or thumb drives containing PHI/sensitive
information must be cleaned or sanitized before reallocating or
destroying.
• 'Sanitize' means to eliminate confidential or sensitive information from
computer/electronic media by either overwriting the data or magnetically
erasing data from the media.
• If media are to be destroyed, then once they are sanitized, place them in
specially marked secure containers for destruction.
• Note: Deleting a file does not actually remove the data from the media.
Formatting does not constitute sanitizing the media.
Use of Technology
• Use of other mobile media for accessing and transporting PHI
such as smart phones, iPads, Netbooks, thumb drives, CDs,
DVDs, etc., presents a very high risk of exposure and requires
appropriate authorization.
• Email, Internet use, fax and telephones are to be used for
business purposes.
• Fax of PHI should only be done when the recipient can be reliably
identified; verify fax number and recipient before transmitting.
• No PHI is to leave the facility in any format without prior approval.
• Where technically feasible, email should be avoided when
communicating unencrypted sensitive PHI – follow your
organization's email policy for PHI.
• No PHI is permitted on any social networking sites (Twitter,
Facebook, MySpace, etc.)
• No PHI is permitted in texting or chat platforms (AOL, MSN, cell
phones)
Question 16
Your office computer is being replaced. You should:
a. Delete all files that might contain sensitive
information
b. Have the computer sent to surplus for secure
storage
c. Contact Information Technology Services to
initiate steps to sanitize the computer
Correct Answer
c: Contact your Information Technology Services.
Deleting files from a hard drive will not permanently
remove the files from the computer. Computers
should not be taken to surplus until they have been
sanitized. Not all used computers go to surplus.
Some are reassigned for further use.
Reporting Security Incidents
• Notify Information Technology Services of any unusual or
suspicious incident
• Security incidents include the following:
- Theft of or damage to equipment
- Unauthorized use of a password
- Unauthorized use of a system
- Violations of standards or policy
- Computer hacking attempts
- Malicious software
- Security weaknesses
- Breaches to patient, employee, or student privacy
Contacts and References
• Point of Contact – Director, Office of Sponsored Programs
• Other References
- Privacy: www.hhs.gov/ocr/hipaa
- Security: www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/PrivacyandSecurityStandards.html
Training Certification
• Please complete the Training Certificate and
email scanned copy to the Office of Sponsored
Programs.
Training Certificate
The University of North Alabama
Completion of HIPAA Training
Certificate of Completion
HIPAA Privacy and Security Training
________________________________
Name
________________________________
Date
Hipaa basics.pp2Hipaa basics.pp2
Hipaa basics.pp2
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
Hipaa training
Hipaa trainingHipaa training
Hipaa training
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
2018-HIPAA-Renewal-Training.pptx
2018-HIPAA-Renewal-Training.pptx2018-HIPAA-Renewal-Training.pptx
2018-HIPAA-Renewal-Training.pptx
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for Researchers
 
Healthcare IT: Security Risks & Regulations
Healthcare IT: Security Risks & RegulationsHealthcare IT: Security Risks & Regulations
Healthcare IT: Security Risks & Regulations
 
Hipaa conf
Hipaa confHipaa conf
Hipaa conf
 
Hipaa privacy rule
Hipaa privacy ruleHipaa privacy rule
Hipaa privacy rule
 

KĂĽrzlich hochgeladen

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Dr. Mazin Mohamed alkathiri
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 đź’ž Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 đź’ž Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 đź’ž Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 đź’ž Full Nigh...Pooja Nehwal
 

KĂĽrzlich hochgeladen (20)

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 đź’ž Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 đź’ž Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 đź’ž Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 đź’ž Full Nigh...
 

UNA HIPAA Training 8-13

  • 1. HIPAA Privacy and Security Training for Employees Compliance Is Everyone’s Job 1
  • 2. Topics to Cover • General HIPAA Privacy and Security Overview • HIPAA Privacy • ARRA of 2009: HIPAA Breach Notification Rules and Procedures • HIPAA Security • Questions/Acknowledgment of Training 2
  • 3. What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that are important for our purposes are those that deal with protecting the privacy and security of health data, which HIPAA calls Protected Health Information or PHI. 3
  • 4. Question 1 HIPAA addresses a. Privacy b. Security c. Both A and B 4
  • 5. Correct Answer c: HIPAA establishes requirements for both the privacy and security of PHI. Privacy refers to the confidentiality of protected information. Security addresses the safekeeping of both paper and electronic (computer-based) records. 5
  • 6. Applicability of HIPAA to UNA • HIPAA Applies to: - Departments that have signed Business Associate Agreements - Group Health Insurance/Flexible Spending Plan/EAP - UNA Administrative Departments supporting above entities (such as Business Affairs, Information Technology Services) - Research Involving PHI from a HIPAA covered entity • Does not apply to Student Health Center, Counseling Centers, Athletic Department Health Records 6
  • 7. What is Protected Health Information? (PHI) • Any information, transmitted or maintained in any medium, including demographic information; • Created/received by covered entity or business associate; • Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and • Can be used to identify the patient 7
  • 8. Type of Data Protected by HIPAA • Written documentation and all paper records • Spoken and verbal information including voice mail messages • Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device • Photographic images • Audio and Video Recordings 8
  • 9. Question 2 Jenny, a pediatric nurse, needs to report lab results to the mother of a 3-year-old child who is sitting in the waiting room. She sticks her head in the waiting room door and says, “Good news. The lab results are normal.” Is this a privacy breach? a. Yes b. No 9
  • 10. Correct Answer a: Yes, unless no one else was in the waiting room. The nurse should have asked the mother to step out into the hallway or taken other steps to be certain that no one else would overhear the conversation. 10
  • 11. To De-Identify Patient Information You Must Remove All 18 Identifiers: • Names • Geographic subdivisions smaller than a state (address, city, county, zip) • All elements of DATES (except year) including DOB, admission, discharge, death; ages over 89 and dates indicative of such age • Telephone, fax, SSNs, VINs, license plate #s • Medical record #, account #, health plan beneficiary # • Certificate/license #s • Email address, IP address, URLs • Biometric identifiers, including finger & voice prints • Device identifiers and serial numbers • Full face photographic and comparable images • Any other unique identifying #, characteristic or code 11
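The slide lists what must go; the following is an added example (not code from the UNA deck) of a Safe Harbor de-identification step in Go. The `Record` field names and the sample values are constructed for this example. It shows the two edge cases the list hides: dates keep only the year, and for anyone over 89 the age collapses to "90+" and the birth year is dropped as well, because year plus age would give the exact age away. Free text is where names usually leak, so notes that repeat the name are withheld.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a constructed example of a patient record carrying several of
// the 18 Safe Harbor identifiers from the slide. The field names are an
// assumption for this example, not part of the UNA deck.
type Record struct {
	Name          string
	City          string
	State         string
	ZIP           string
	DOB           string // YYYY-MM-DD
	AdmissionDate string // YYYY-MM-DD
	Age           int
	Phone         string
	SSN           string
	MRN           string
	Email         string
	IP            string
	Notes         string // free text, may repeat the name
}

// DeIdentified is what may remain after Safe Harbor: no names, numbers,
// addresses or full dates; only state, years, an age band and vetted notes.
type DeIdentified struct {
	State         string
	BirthYear     string
	AdmissionYear string
	AgeBand       string
	Notes         string
}

// yearOnly keeps the year of a YYYY-MM-DD date, the only date element the
// rule allows to stay.
func yearOnly(date string) string {
	if len(date) < 4 {
		return ""
	}
	return date[:4]
}

// DeIdentify drops the direct identifiers and generalises the rest.
// Ages over 89 collapse into "90+", and for such patients the birth year
// is dropped too, because year plus age would reveal the exact age.
func DeIdentify(r Record) DeIdentified {
	out := DeIdentified{
		State:         r.State, // state is the largest geographic unit kept
		AdmissionYear: yearOnly(r.AdmissionDate),
		Notes:         r.Notes,
	}
	if r.Age > 89 {
		out.AgeBand = "90+"
	} else {
		out.AgeBand = fmt.Sprintf("%d", r.Age)
		out.BirthYear = yearOnly(r.DOB)
	}
	// Free text is the usual leak: withhold it if it repeats the name.
	// A real pipeline would run a proper text scrubber here.
	if r.Name != "" && strings.Contains(strings.ToLower(r.Notes), strings.ToLower(r.Name)) {
		out.Notes = "[withheld: notes contain a direct identifier]"
	}
	return out
}

func main() {
	// Constructed sample, not real patient data.
	r := Record{
		Name: "Jane Doe", City: "Florence", State: "AL", ZIP: "35632",
		DOB: "1931-03-14", AdmissionDate: "2013-08-02", Age: 82,
		Phone: "256-555-0100", SSN: "000-00-0000", MRN: "MRN-0001",
		Email: "jane@example.invalid", IP: "192.0.2.10",
		Notes: "Jane Doe reports intermittent chest pain",
	}
	fmt.Printf("%+v\n", DeIdentify(r))
}
```

The output struct simply has no fields for phone, SSN, MRN, email or IP, so those identifiers cannot survive by accident; whitelisting what may remain is safer than blacklisting what must go.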
  • 12. Question 3 Photographs are considered PHI. a. True b. False 12
  • 13. Correct Answer a: Photographs as well as video and audio recordings are protected under HIPAA regulations. 13
  • 14. Department of Justice-Imposed Criminal Penalties for Employee • Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison • Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison • Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison • HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities who obtain the information illegally 14
  • 15. Federal-Imposed Civil Penalties • Tier A: Did not realize a violation occurred and would have handled it differently: - Minimum per violation: $100 (each name in a data set can be a violation); Maximum per calendar year: $25,000 • Tier B: Violations due to reasonable cause, but not willful neglect: - Minimum per violation: $1,000; Maximum per calendar year: $50,000 • Tier C: Violations due to willful neglect that the organization corrected: - Minimum per violation: $10,000; Maximum per calendar year: $250,000 • Tier D: Violations due to willful neglect that the organization did not correct: - Minimum per violation: $50,000; Maximum per calendar year: $1.5 Million • HHS is now required to investigate and impose civil penalties where violations are due to willful neglect • Feds have 6 years from occurrence to initiate civil penalty action • State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations • Civil Penalties now apply to Business Associates 15
  • 16. Question 4 An individual convicted of HIPAA violation might be subject to a. Fine b. Jail term c. Both A and B 16
  • 17. Correct Answer c: HIPAA is federal legislation. Sanctions for violators can include both fines and incarceration. 17
  • 18. Breach and Sanction Information In the Office of Civil Rights annual report to Congress: • 9/23/09 - 12/31/09 – 45 breach reports involving 2.4 million individuals • 1/1/10 – 12/31/10 – 207 breach reports involving 5.4 million individuals • Four general causes (individuals affected): 1. Theft of electronic or paper records (2,979,121) 2. Loss of electronic medical or paper records (1,156,847) 3. Intentional unauthorized access to, use, or disclosure (1,006,393) 4. Human error (78,663) 18
  • 19. Breach and Sanction Information On January 16, 2009, the Department of Health and Human Services reached an agreement with CVS Pharmacy, Inc. (CVS) to settle potential violations of the Privacy Rule. CVS agreed to pay $2.25 million and to implement a detailed Corrective Action Plan to ensure that its workforce members appropriately dispose of PHI, such as labels from prescription bottles and old prescriptions. 19
  • 20. Breach and Sanction Information On July 27, 2010, the Department of Health and Human Services (HHS) reached an agreement with Rite Aid Corporation and its 40 affiliated entities (Rite Aid) to settle potential violations of the Privacy Rule. Rite Aid agreed to pay $1 million and to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of PHI on pill bottle labels and other health information. 20
  • 21. Breach and Sanction Information On July 6, 2011, the Department of Health and Human Services (HHS) entered into its third largest settlement for potential HIPAA privacy and security rule violations, reaching a resolution agreement of $865,500 with the University of California at Los Angeles Health System (UCLAHS) associated with 2 complaints of intentional unauthorized access to/use/disclosure of PHI. 21
  • 22. HIPAA Permitted Uses and Disclosures of PHI • A covered entity can always use and disclose PHI for any purpose if it gets the person’s signed HIPAA-valid authorization • Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization • For a complete list of permitted uses and disclosures of PHI, see your entity’s notice of health information practices 22
  • 23. HIPAA Permitted Uses and Disclosures of PHI • The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO) which means: - PHI may be disclosed to other providers for treatment - PHI may be disclosed to other covered entities for payment - PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance - PHI may be disclosed to individuals involved in a patient’s care or payment for care unless the patient objects 23
  • 24. Minimum Necessary Standard • When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure • The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons: - Treatment - Purposes for which an authorization is signed - Disclosures required by law - Sharing information with the patient about himself/herself 24
  • 25. What HIPAA Did Not Change • Family and friends can still pick up prescriptions for sick people • Physicians and Nurses do not have to whisper • State laws still govern the disclosure of a minor’s health information to parents (a minor is under the age of 19 in Alabama) 25
  • 26. Other Privacy Safeguards • Avoid conversations involving PHI in public or common areas such as hallways or elevators • Keep documents containing PHI in locked cabinets or locked rooms when not in use • During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons • Do not leave materials containing PHI on desks or counters, in conference rooms, or in public areas • Do not remove PHI in any form from the designated work site unless authorized to do so by management • Never take photographs in patient care areas 26
  • 27. Question 6 TPO stands for: a. Therapy, patient, outcome b. Treatment, payment, operation c. Training participation, organization 27
  • 28. Correct Answer b: Treatment, payment, operation. Once the Acknowledgement of Health Information Practices has been signed by the patient, PHI can be disclosed as necessary to complete treatment, bill for services, and manage healthcare operations. 28
  • 29. Question 7 PHI can never be released for any reason except TPO (treatment, payment, operations). a. True b. False 29
  • 30. Correct Answer b: False. PHI can be released for reasons other than TPO if additional release forms have been signed by the patient. 30
  • 31. Question 8 Charlie works at a medical center and is responsible for entering billing data into the computer system. He looks at his mother-in-law’s medical records, because he is concerned that she has not been fully honest with her family about some recent health problems. Since he has been HIPAA trained, is this a breach of privacy? a. Yes b. No 31
  • 32. Correct Answer a: Yes. Although Charlie has been HIPAA trained, his access is based on the minimum necessary requirement to complete his job. He does not need to access health records to enter billing data. Unless his mother-in-law has given permission, in writing, for him to access her records, this action was a violation of Privacy Policies. 32
  • 33. Business Associate Agreements • Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI • Bind the third party individual or vendor to the HIPAA regulations when performing the contracted services • Must be approved in accordance with appropriate UNA policies and procedures Individual employees are NOT authorized to sign contracts on behalf of UNA. 33
  • 34. HIPAA Put New Requirements on Research • If you work for a Health Care Provider under HIPAA, do not release PHI for research unless: - The patient has signed a valid HIPAA authorization, or - The HSC (UNA’s IRB) has approved a waiver of authorization; or - The IRB agrees that an exception applies Information regarding HIPAA and Research is available through the Office of Sponsored Programs 34
  • 35. American Recovery and Reinvestment Act of 2009 (ARRA) • Expanded privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • One new requirement is that we must notify affected individuals and federal officials when a breach or potential breach of privacy has occurred • The following slides discuss our obligation under these rules 35
  • 36. Question 9 ________ requires that individuals and federal officials be notified when a breach or potential breach of PHI Privacy or Security regulations has occurred a. HIPAA b. ARRA 36
  • 37. Correct Answer b: ARRA, or the American Recovery and Reinvestment Act of 2009, expanded HIPAA to establish regulations for notification of a breach or potential breach of PHI. 37
  • 38. First Federal Definition of Breach • ARRA provides the first federal definition of a Breach: - The unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of the information - Exceptions: » Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity » Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access PHI at the covered entity » Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information 38
  • 39. Secured PHI • ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable and that is developed or endorsed by the American National Standards Institute • Therefore, for breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are some “home free” methods under which the loss would indicate “no harm done”: - Paper secured by use of a crosscut shredder (or destroyed) - Electronic data: encrypted data files and/or transmissions 39
  • 40. Encryption • The Security Rule requires a Covered Entity/Business Associate to consider implementing encryption as a method for safeguarding electronic Protected Health Information (PHI) • If you choose to encrypt, you are not required to notify in the event of a breach 40
  • 41. What Constitutes a Breach? • A breach could result from many activities. Some examples are: - Failing to log off when leaving a workstation - Unauthorized access to PHI - Sharing confidential information, including passwords - Having patient-related conversations in public settings - Improper disposal of confidential materials in any form - Copying or removing PHI from the appropriate area • Why? - Curiosity…about a co-worker or friend - Laziness…so shared sign-on to information systems - Compassion…the desire to help someone - Greed or malicious intent…for personal gain 41
  • 42. Question 10 Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to him. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. Was this a breach of PHI? a. Yes b. No 42
  • 43. Correct Answer b: No. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule. 43
  • 44. Question 11 Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach? a. Yes b. No 44
  • 45. Correct Answer a: Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity. 45
  • 46. Question 12 Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive. Does this event constitute a breach? a. Yes b. No 46
  • 47. Correct Answer a: Yes. Unsecured PHI was stolen because the thumb drive was unencrypted. Actually, Rob violated many policies: • Removed confidential information from the unit without approval • Used his personal portable computing device for business without senior management approval • Copied confidential information to a portable computing device without senior management approval • Used a portable computing device that was not encrypted 47
  • 48. Responsibility to Report • When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together…immediately, cooperatively, efficiently, carefully, and confidentially • If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately • It is much better to investigate and discover no breach than to wait and later discover that something DID happen 48
  • 49. Question 13 If you suspect that there has been a breach of HIPAA Policies in your workplace, you should report your suspicions to: a. University Police b. University Office of Legal Counsel c. HIPAA Privacy or Security Office assigned to your workplace 49
  • 50. Correct Answer c: The HIPAA Privacy or Security Officer for your workplace should be notified of any possible breach of HIPAA Policies. The employee who reports such suspicions is protected from any repercussions for making his/her concerns known to the HIPAA Officer. 50
  • 51. Security Standards – General Rules • HIPAA security standards ensure the confidentiality, integrity, and availability of PHI (Protected Health Information) created, received, maintained, or transmitted electronically by and within all facilities. • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted 51
  • 52. Rules for Access • Access to computer systems and information is based on your work duties and responsibilities • Access privileges are limited to only the minimum necessary information you need to do your work • Access to an information system does not automatically mean that you are authorized to view or use all the data in that system • Different levels of access to PHI for personnel are intentional • If job duties change, clearance levels for access to PHI are reevaluated • Access is eliminated if an employee is terminated • Accessing PHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions 52
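Slide 24 (Minimum Necessary Standard) and slide 52 (Rules for Access) describe one control from two sides: each role sees only the fields its work needs, treatment and a patient reading their own record are exempt, a terminated account gets nothing, and every attempt is recorded. The Go below is an added example of encoding that, not code from the UNA deck; the roles, field names, purposes and the sample record are constructed assumptions. It is the check that would have stopped Charlie (billing role, asking for a diagnosis) in Question 8 and left an audit trail of Rhonda's browsing in Question 11.

```go
package main

import (
	"errors"
	"fmt"
)

// Purpose is the reason a request gives for touching PHI. Treatment and a
// patient reading their own record are two of the slide's exceptions to
// the minimum necessary standard.
type Purpose string

const (
	PurposeTreatment  Purpose = "treatment"
	PurposePayment    Purpose = "payment"
	PurposeOperations Purpose = "operations"
	PurposeSelf       Purpose = "patient-self-access"
)

// Role is a job function. The tables below are a constructed example of
// a per-role "minimum necessary" matrix, not UNA's actual access policy.
type Role string

const (
	RoleBilling   Role = "billing"
	RoleClinician Role = "clinician"
	RoleReception Role = "reception"
	RolePatient   Role = "patient"
)

var fieldsByRole = map[Role]map[string]bool{
	RoleBilling:   {"account_no": true, "insurance_id": true, "billing_codes": true},
	RoleClinician: {"diagnosis": true, "medications": true, "allergies": true, "lab_results": true},
	RoleReception: {"appointment_time": true},
}

var purposesByRole = map[Role]map[Purpose]bool{
	RoleBilling:   {PurposePayment: true},
	RoleClinician: {PurposeTreatment: true, PurposeOperations: true},
	RoleReception: {PurposeOperations: true},
	RolePatient:   {PurposeSelf: true},
}

type User struct {
	ID     string
	Role   Role
	Active bool // cleared when the employee leaves: access is eliminated
}

// AuditEntry records every attempt, allowed or denied, so that browsing
// like Charlie's or Rhonda's leaves a trail for the privacy officer.
type AuditEntry struct {
	UserID    string
	PatientID string
	Purpose   Purpose
	Allowed   bool
	Fields    int
	Reason    string
}

var ErrDenied = errors.New("access denied")

// Access returns the fields of record that u may see for purpose p on
// patient patientID, plus an audit entry describing the decision.
func Access(u User, p Purpose, patientID string, record map[string]string) (map[string]string, AuditEntry, error) {
	e := AuditEntry{UserID: u.ID, PatientID: patientID, Purpose: p}
	deny := func(why string) (map[string]string, AuditEntry, error) {
		e.Reason = why
		return nil, e, ErrDenied
	}
	if !u.Active {
		return deny("account disabled")
	}
	if !purposesByRole[u.Role][p] {
		return deny(fmt.Sprintf("role %q may not claim purpose %q", u.Role, p))
	}
	if p == PurposeSelf && u.ID != patientID {
		return deny("self-access requested for another patient")
	}
	// Treatment and self-access are exempt from minimum necessary; every
	// other purpose is filtered down to the role's field list.
	exempt := p == PurposeTreatment || p == PurposeSelf
	out := map[string]string{}
	for k, v := range record {
		if exempt || fieldsByRole[u.Role][k] {
			out[k] = v
		}
	}
	e.Allowed, e.Fields = true, len(out)
	if exempt {
		e.Reason = "minimum necessary exception"
	} else {
		e.Reason = "minimum necessary for role"
	}
	return out, e, nil
}

func main() {
	// Constructed record, not real patient data.
	rec := map[string]string{"account_no": "A-100", "insurance_id": "INS-7", "billing_codes": "99213",
		"diagnosis": "example only", "medications": "none", "appointment_time": "09:30"}
	charlie := User{ID: "charlie", Role: RoleBilling, Active: true}
	view, entry, _ := Access(charlie, PurposePayment, "p-42", rec)
	fmt.Println(view, entry)
}
```

Note that a denied request still yields an audit entry; the denials are the interesting part of the log, because that is what a curiosity-driven lookup looks like from the outside.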
  • 53. Question 14 Once employees have completed HIPAA training, their access to PHI is: a. Unlimited b. Based on work duties and responsibilities c. Limited to the minimum necessary information to complete required work d. Both B and C 53
  • 54. Correct Answer d: Access to PHI is based on need-to-know which is determined by the employee’s duties and responsibilities. The employee should access the minimum PHI necessary to complete the required task. 54
  • 55. Rules for Protecting Information • Do not allow unauthorized persons into restricted areas where access to PHI could occur • Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public • Log in with password, log off prior to leaving work area, and do not leave computer unattended • Do not duplicate, transmit, or store PHI without appropriate authorization • Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization 55
Encryption of PHI
• Encryption is generally necessary to protect information outside of Banner
• Use of other mobile media for accessing and transporting PHI, such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization
• Use of any personally owned laptops, desktops or other mobile devices (non-UA equipment) for accessing PHI requires appropriate authorization
56
Password Management
• Do not allow coworkers to use your computer without logging off your user account
• Do not share passwords or reuse expired passwords
• Do not use passwords that can be easily guessed (dictionary words, pets' names, birthdays, etc.)
• Choose new passwords when they must be reset
• Passwords should not be written down; if writing down a password is required, it must be stored in a secured location
• Disable passwords or delete accounts when employees leave
• Passwords:
- Should be a minimum of 8 characters long and changed periodically
- Include 3 of 4 data types (upper case, lower case, numeric, special characters)
- A good password scheme is critical – R0llt!de (example, don't use)
57
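A checker for the password rules on this slide, added here as an example (not UNA's own code): minimum length, 3 of 4 character classes, rejection of dictionary words even when disguised with substitutions (so the slide's own "R0llt!de" is caught), and no reuse of an expired password held as a salted hash. The word list, function names, and hash parameters are assumptions.

```python
import hashlib
import os
import re
from typing import List, Optional, Tuple

# Policy values taken from the training slide; the names below are my own.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3  # 3 of the 4 character classes

CLASS_PATTERNS = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                  re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]

# Constructed deny-list standing in for the slide's "dictionary words,
# pets' names, birthdays" rule; a real deployment loads a large word list.
COMMON_WORDS = {"password", "welcome", "football", "fluffy", "rolltide"}

# Common substitutions undone before the dictionary check, so that
# "R0llt!de" is still recognised as the word "rolltide".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash; the form in which password history is kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def check_password(pw: str, history: List[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if sum(1 for p in CLASS_PATTERNS if p.search(pw)) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    # Lower-case, undo substitutions, drop non-letters, then look for a known word.
    normalised = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("based on a dictionary word or well-known phrase")
    # Reuse of an expired password: re-hash with each stored salt and compare.
    if any(hash_password(pw, salt)[1] == digest for salt, digest in history):
        problems.append("matches a previously used password")
    return problems
```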
Question 15
Is it acceptable to share your computer password with your fellow employees if they have received HIPAA training?
a. Yes
b. No
58
Correct Answer
b: No. You should not share your computer password.
59
Protection from Malicious Software
• Malicious software can be thought of as any virus, worm, malware, adware, etc.
• As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed
• Notify Information Technology Services immediately if you believe your computer has been compromised or infected with a virus – do not continue using the computer until the issue is resolved
• The University provides standard, managed anti-virus and other security software
• Do not disable anti-virus or other security software on individual workstations
• Any personal devices used for access to PHI must have appropriate anti-virus software
• Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source, or if the subject line is questionable or unexpected – DELETE THEM IMMEDIATELY
60
Rules for Disposal of Computer Equipment
• Only authorized employees should dispose of PHI, in accordance with retention policies.
• Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.
• All questions concerning media reallocation and disposal should be directed to the Director of Sponsored Programs; IT systems representatives are responsible for sanitization and destruction methods.
• Media, such as CDs, disks, or thumb drives containing PHI/sensitive information, must be cleaned or sanitized before reallocating or destroying.
• 'Sanitize' means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.
• If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction.
• Note: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media.
61
Use of Technology
• Use of other mobile media for accessing and transporting PHI, such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization.
• Email, Internet use, fax and telephones are to be used for business purposes.
• Faxing of PHI should only be done when the recipient can be reliably identified; verify the fax number and recipient before transmitting.
• No PHI is to leave the facility in any format without prior approval.
• Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI – follow your organization's email policy for PHI.
• No PHI is permitted on any social networking sites (Twitter, Facebook, MySpace, etc.)
• No PHI is permitted in texting or chat platforms (AOL, MSN, cell phones)
62
Question 16
Your office computer is being replaced. You should:
a. Delete all files that might contain sensitive information
b. Have the computer sent to surplus for secure storage
c. Contact Information Technology Services to initiate steps to sanitize the computer
63
Correct Answer
c: Contact your Information Technology Services. Deleting files from a hard drive will not permanently remove the files from the computer. Computers should not be taken to surplus until they have been sanitized. Not all used computers go to surplus; some are reassigned for further use.
64
Reporting Security Incidents
• Notify Information Technology Services of any unusual or suspicious incident
• Security incidents include the following:
- Theft of or damage to equipment
- Unauthorized use of a password
- Unauthorized use of a system
- Violations of standards or policy
- Computer hacking attempts
- Malicious software
- Security weaknesses
- Breaches of patient, employee, or student privacy
65
Contacts and References
• Point of Contact – Director, Office of Sponsored Programs
• Other References
- Privacy: www.hhs.gov/ocr/hipaa
- Security: www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/PrivacyandSecurityStandards.html
66
Training Certification
• Please complete the Training Certificate and email a scanned copy to the Office of Sponsored Programs.
67
Training Certificate
The University of North Alabama
Completion of HIPAA Training
Certificate of Completion
HIPAA Privacy and Security Training
________________________________ Name
________________________________ Date
68