Privacy & Information Security Training. For Health Science Workforce Members
- Michael Cross
- 7 years ago
Transcription
1 Privacy & Information Security Training For Health Science Workforce Members Privacy Program, 4/6/2015
2 Objectives
- Understand what information must be protected under state and federal privacy laws
- Understand your role in maintaining privacy and security of protected health information (PHI)
- Understand patient rights regarding access, use and disclosure of medical information
- Understand your role with adhering to data security standards and responsibility for reporting incidents
- Understand the consequences for non-compliance
This training module satisfies Federal laws which mandate workforce privacy / security training at the time of hire and UC policy for annual privacy training.
3 Who must complete privacy / security training at UCSD?
- Anyone who works with or may see health, financial, or confidential information with personal identifiers
- Anyone who uses a computer or electronic device to store and/or transmit personal or health information
Such as:
- Medical Center / Medical Group / Health Science employees
- Schools of Medicine / Pharmacy employees
- Health professions students and trainees
- Campus staff who work in clinical areas
- Volunteers (including Volunteer Clinical Faculty)
- Students who work in patient care areas
- Research staff and investigators
- Accounting, Payroll and Benefits staff
- Other independent contractors with access to UC's personal / health information who assist UCSD employees with their job
4 Federal and State laws Privacy & Security Laws The following list is not inclusive of all federal and state privacy laws.
5 Federal Privacy Laws
- HIPAA: Health Insurance Portability and Accountability Act of 1996 to make health insurance more efficient and portable; establishes privacy rights, standards to protect privacy and information security. HIPAA's laws also address Code Sets and Transaction Standards.
- HITECH: Health Information Technology for Economic and Clinical Health (HITECH, 2013) implements enforcement and oversight of HIPAA, privacy enhancements and added false claims and penalties.
- GINA: Genetic Information Nondiscrimination Act of 2008 (GINA) protects job applicants, current and former employees and trainees from discrimination based on their genetic information.
- PCI: Payment Card Industry Standards address credit card data security.
- FERPA: Family Educational Rights & Privacy Act protects the privacy of student education records.
6 California Privacy Laws
- Confidentiality of Medical Information Act (CMIA): CMIA prohibits disclosure of medical information without prior authorization unless permitted by law. Medical Information means any individually identifiable information in the possession of or derived from a provider of health care regarding a patient's medical history, mental or physical condition, or treatment. [Cal. Civil Code 56.05(g), 56.10]
- Personally Identifiable Information (PII) (AB1298, SB541): Data Protection / Breach Notification. Prevent unlawful or unauthorized access to protected information and breach notification to individuals of any reasonable suspicion of a compromise of that protection. [Cal. Civil Code ]
- Information Practice Act (IPA): Limits the collection, maintenance, and distribution of personal information by state agencies. Right to review your personal information in state agency records. [Cal.Civ.Code ]
7 Personal Identity Information (PII) Definition
PII is a category of sensitive information that includes an individual's name (first name or initial and last name) in combination with any one or more of the following:
- Social Security number (SSN).
- Driver's license number or State-issued Identification Card number.
- Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother's maiden name that could permit access to an individual's financial account.
- Medical information (any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
- Health insurance information (an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records)
If this information is stored electronically, it must be protected from unauthorized access. Best practice: Encrypt PII data.
8 Protected Health Information (PHI) Definition
PHI is any personal or health information UCSD creates or maintains in the course of providing treatment, obtaining payment for services, or while engaged in health care operations including teaching and research activities.
Examples of PHI include:
- Medical records, test results, treatment plans, appointment reminders
- Billing records, referral authorizations, health insurance information
- Name, address, social security number and Photographs and images
To view a complete list of 18 PHI identifiers,
9 To the patient: All Information is Confidential!
- Patient Personal Information
- Patient Financial Information
- Patient Medical Information
- Written, Spoken, Electronic PHI
Patient Information may be accessed, used, viewed or disclosed only to do your job.
10 Requirements before PHI is Used or Disclosed
In order for UCSD to use or disclose PHI:
- The University must give each patient a Notice of Privacy Practices that:
  - Describes how the University may use and disclose the patient's protected health information (PHI) and
  - Advises the patient of his/her privacy rights
- The University must attempt to obtain a patient's signature acknowledging receipt of the Notice, except in emergency situations. If a signature is not obtained, the University must document the reason.
- The University must provide privacy / security training to its workforce.
To view UC San Diego Health System's Notice of Privacy Practices,
11 Access to Protected Health Information (PHI)
- Patient information is confidential and shall not be accessed or viewed other than for the sole purpose of performing employment duties and responsibilities
- Accessing a medical record, including your own or that of a family member or friend, without a work purpose is a violation of UCSD policy
- UCSD monitors electronic access to PHI to assure compliance
- Violations are subject to disciplinary action up to and including termination as well as individual fines.
- Patients may request access to their medical record via MyUCSDChart or by contacting Health Information Services (Medical Records) for a copy of their record.
12 You may
- Look at a patient's PHI only if you need to do so for your job
- Use a patient's PHI only if you need to do so for your job
- Disclose a patient's PHI to others only when it is necessary for others to do their job
You must
- Limit your access, use and disclosure of PHI to the minimum necessary information needed to perform your job.
13 PHI may be Used and Disclosed for T.P.O.
- Treatment: We may use and disclose medical information about a patient to health system doctors, nurses, technicians, students or providers who are involved in the patient's care
- Payment: We may use and disclose medical information about the patient so that the treatment and services received may be billed and payment may be collected subject to the minimum necessary standard
- Operations: We may use and disclose medical information for teaching, medical staff peer review, legal purposes, internal auditing, to conduct customer service surveys, and general business management subject to the minimum necessary standard
14 Other Permitted Uses and Disclosures
- To avert serious threat to health and safety
- For organ and tissue procurement, reimplantation, or banking purposes
- To military command authorities about armed forces patients
- To workers' compensation programs
- For public health disclosures
- For government oversight activities
- To law enforcement, for certain activities
- To coroners, medical examiners and funeral directors
- For national security and intelligence activities
- To correctional institutions about inmates
- For certain legal proceedings, lawsuits and other legal activities
- To business associates with a written business associate agreement (BAA)
15 Other Permitted Uses & Disclosures of PHI
- Appointment reminders, but take care to avoid leaving messages on voicemail or answering machines which disclose sensitive information.
- To provide treatment alternatives
- To provide limited information about patients (inpatient directory)
- To assist other individuals involved in the patient's care (e.g., family, friends, etc.), if determined to be in the patient's best interest.
- For disaster relief efforts
- For research with UCSD HRPP / IRB approval and subject consent
- For fundraising with opt-out notices and limited to certain demographic information. Honor patient requests to opt-out of donation solicitations.
- To business associates (third parties) who provide a service involving access to PHI data with a signed UC Business Associate Agreement
16 Business Associate Agreements (BAA)
How to obtain a BAA
- Notify Health System Purchasing or the Contracting Office if the third party needs access to or use of UCSD's PHI
- Generally, the UC approved BAA template must be used.
- BAA contracts may only be executed by individuals with signature authority, e.g., Purchasing, Contracting.
- A BAA agreement is typically signed as a separate agreement to the purchase order, MOU, or other contractual agreements.
Prior to the release of PHI to a third party, ensure that:
- BAA has been fully executed (signed) by authorized signers. Check Purchasing's site:
- HIPAA Security risk assessment: Documented and any issues addressed.
17 The Sale of PHI is Prohibited! with certain exceptions
Sale of PHI means a disclosure of PHI where the covered entity (UCSD) or BA directly or indirectly receives remuneration from (or on behalf of) the recipient of the PHI in exchange for the PHI unless the disclosure is for one of the following eight purposes.
Example of exceptions:
- For public health purposes
- For research where the remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI
- For treatment and payment purposes
- Required by law
- De-identified data which is not PHI
18 All Other Uses of PHI Require the Patient's Written Authorization
HIPAA has very specific requirements for the written authorization. It must:
- Describe the PHI to be released
- Identify who may release the PHI
- Identify who may receive the PHI
- Describe the purposes of the disclosure
- Identify when the authorization expires (date)
- Be signed and dated by the patient / patient representative
Generally a HIPAA authorization expires one year from the signature date unless indicated otherwise.
19 Examples of Circumstances when Patient Authorization is Required
- Medical Records: For the use and disclosure of medical information or records when that information is being provided / sent to someone other than the patient. Disclosure of PHI to the employer, lawyer, accountant requires the patient's written authorization.
- Fundraising: For the use and disclosure of a patient's PHI, other than limited demographic information and name of treating department / doctor.
- Media Communications: For the use and disclosure of PHI to the media or news releases
- Marketing and Other Products: For the use and disclosure of a patient's PHI to pharmaceutical or medical device companies, non-profit organizations, etc.
20 Authorization Form for Release of PHI
Available from: (form D818)
21 HIPAA: Patient Specific Privacy Rights
- Right to request restriction of PHI uses and disclosures. Restrictions should not be granted by faculty or staff without consulting the Privacy Officer.
- Right to request confidential forms of communications (e.g., mail to the P.O. Box not street address, no messages on answering machines, etc).
- Right to access and receive a copy of their medical record.
- Right to receive an accounting of the disclosures of their PHI.
- Right to request amendments to their medical record.
- Right to request NO disclosure to payers regarding services paid-in-full at the time of service with written notice.
- Right to avoid unwanted fundraising solicitations.
22 Good Computing & Data Practices Information Security
23 Federal / State Privacy & Security Laws Require
Providers of health care to implement administrative, physical and technical safeguards to:
- Ensure the confidentiality and privacy of medical information
- Protect against reasonably anticipated threats or unauthorized uses or disclosures of PHI (45 CFR )
- Safeguard patient medical information from unauthorized or unlawful access, use or disclosure
- Implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR )
24 Privacy / Security: Safeguards & Reminders
- Keep office(s) secured
- Encrypt (AES-256) and password protect your computer and portable media.
- Use strong, complex passwords or passphrase.
- Backup your electronic information
- Run anti-virus, anti-spam, anti-spyware software
- Keep laptops, disks, back-up tapes, USBs secure, encrypted & locked up!
- Lock your computer session: Windows key + L
- Report privacy complaints & security incidents and respond to incident reports promptly!
- Do not leave computers or patient papers or research records in your car (even if locked). Risk of theft!
25 Good Computing Practices:
- Don't open, forward, or reply to suspicious emails
- Don't open suspicious attachments or click on unknown website addresses
- Don't download unknown or unsolicited programs
- Encrypt attachments or send securely (request a secure link).
- Verify addresses and delete unnecessary identifiers from the message prior to sending
- Delete spam
Remember: Reputable businesses will not ask you for your SSN or password or credit card number via email! If you receive an email requesting this information, do not reply to it. To avoid phishing scams, DELETE the message without responding to it.
26 Good Computing Practices: Passwords
- Use cryptic passwords that can't be easily guessed
- Avoid using a dictionary word or a person's name
- Use long passwords (more than 8 characters), mixed upper and lower case, symbols and numbers or a passphrase.
- Protect your passwords -- don't write them down
- Never share your passwords
27 Good Computing Practices: Workstation Security
- Physically secure your area and data when unattended
- Secure your files and portable equipment -- including memory / USB sticks
- Secure laptop computers with a lockdown cable
- Never share your access code, card or key
- Lock your screen or log-off from restricted systems promptly
28 Good Computing Practices: Portable Device Security
- Don't keep confidential data on portable devices, unless it is absolutely necessary
- Encrypt laptops and other portable media containing personally identifiable information
- Back-up data on portable devices to a secure UCSD server
- Erase (sanitize) devices before disposal or recycling
- Password protect smart-phones.
- Activate the "find my device" function, if available
Encryption is a process that renders electronic information unusable, unreadable or indecipherable. HITECH standards recommend using AES-256 FIPS approved encryption methods. Learn more at Guidance to Protect Data tificationrule/brguidance.html
29 Other Good Practices: Data Management & Paper Records
- Know where PHI / restricted data is stored
- Redact (mask) unneeded identifiers & sensitive data
- Lock-up paper records with sensitive information
- Use fax cover sheets, verify the fax number and documents to be faxed -- prior to sending. Report misdirected faxes.
- Do not leave patient records or other documents with sensitive information in your car, even if it is locked!
- Check conference rooms after meetings and move sensitive information to a secure area
- Destroy confidential data which is no longer needed
- Cross-shred (confetti) or use secure locked shred-bins
- Avoid leaving sensitive information on voicemail or answering machines where other residents may hear the message.
30 Breach Definition, Timely Notification, Policies, Sanctions, Penalties Breach Notification
31 What is a Breach? General Definition & Examples
A breach is the unauthorized access to, viewing of, use or disclosure of personal confidential information that violates state or federal privacy laws. The information may be paper, verbal and/or electronic, and the breach may be deliberate, unintentional or accidental. Exception for secured data meeting certain criteria, such as encryption or confetti shredded materials.
Examples:
- Hacked or compromised computer or network
- Misdirected fax
- Misaddressed email or envelope
- Misdirected documents (e.g., released in error to someone else)
- Snooping (unauthorized access to or viewing of restricted information)
- Web-posting of restricted information (YouTube, PDFs, PPTs, XLS files)
- Lost or stolen devices, e.g., laptops, CDs, USB drives
32 Report Privacy & Security Breaches
UC policy states that any unauthorized access, use (including viewing) or disclosure of a patient's personal or health information is a violation of law and must be immediately reported.
33 Breach Notification
Privacy Office Tel:
- In the event of a breach, notify the UCSD Privacy Office promptly! Preferably the same day that you become aware of an incident
- The Privacy Office will provide assistance with incident investigation, risk assessment and breach notification procedures to the affected individuals and other regulatory agencies.
- State & Federal laws require breach notices to individuals.
34 Penalties & Sanctions
Corrective Actions:
- If an incident represents a violation of policy or of state / federal laws, the University will apply corrective and disciplinary actions and other sanctions in accordance with UC policy up to and including dismissal -- termination of employment.
State / Federal Privacy Penalties:
- Office for Civil Rights (OCR) and the State may assess fines and civil penalties against health care providers, BAAs, individuals
- Penalties range from $2,500 - $250,000 per occurrence (or higher), depending on the circumstances. Repeat violations and violations for financial gain are assessed higher penalties.
- Violations may also be reported to the licensing board
- California law permits civil suits against the individual
35 Privacy Policies
UC San Diego Health System's policies
- Refer to the MCP web-site (intra-net), Privacy & Information Security: MCP 1-25, MCP 210.1, Minimum Network Security Standards (Blink)
- Notice of Privacy Practices:
- Privacy Forms: (intra-net) Authorization for Release of PHI, Designation of Personal Representative, Request for Record Amendment / Addendum, Fax Cover Sheet, Consent Form, UC HIPAA Policies
36 Report Privacy & Security Breaches
All breaches must be reported immediately:
- Health System Information Security
- Health Sciences Privacy Office
- University of California Hot Line (or internally: 3-HELP)
Callers may be confidential or ask to remain anonymous. Hot Line is staffed 24/7.
37 Summary
- State and Federal privacy laws require that personally identifiable information including protected health information (PHI) must be protected.
- As a University of California workforce member, you are responsible to protect the privacy and security of information entrusted to you.
- Follow safeguards to prevent unauthorized viewing of PHI, or the loss or theft of information.
- Understand and respect patient privacy rights. Call the Privacy Office if you have questions.
- Understand your responsibility to promptly report incidents.
- There are consequences for violations and non-compliance.
38 Questions? Kimberly Gillespie, Esq., Chief Compliance / Privacy Officer kgillespie@ucsd.edu or Ken Wottge, Information Security Officer, kwottge@ucsd.edu
39 Confidentiality Statement
Web-link to UCSD Health Sciences Confidentiality Agreement,
The protection of health and other confidential information is a right protected by law and enforced by fines, criminal penalties as well as UCSD policy. Safeguarding confidential information is a fundamental obligation for all employees, clinical faculty, house staff, students and volunteers.
I understand and acknowledge that:
1. I shall protect the privacy and security of confidential information at all times, both during and after my employment with the University of California has terminated.
2. I agree to (a) access, use, or view confidential information to the minimum extent necessary for my assigned duties; and (b) disclose such information only to persons authorized to receive it.
3. I understand that UCSD tracks all user IDs used to access electronic records. Those IDs enable discovery of inappropriate access to EITHER patient records or employee records.
4. Inappropriate access and unauthorized release of protected information will result in disciplinary action, up to and including termination of employment, and will result in a report to authorities charged with professional licensing, enforcement of privacy laws and prosecution of criminal acts. The Office of Health Information Integrity (OHII) may levy penalties to individuals or providers of healthcare of $2,500 - $25,000 per violation.
5. User IDs and passwords cannot be shared. Inappropriate use of my ID (whether by me or anyone else) is my responsibility and exposes me to severe consequences.
Print Name: / Date:
40 Certification of Training
I have read the UCSD Privacy / Security training materials and confidentiality statement and agree to abide by UCSD policy and Federal / State privacy and information security laws.
Print name:
Department name: / UCSD Employee number: <if known>
Non-UCSD workforce member ID: Indicate the 2-digit birth month (MM) and last 4 letters of your last name.
NOTICE OF PRIVACY PRACTICES The Pain Treatment Center, Inc. d/b/a Stone Road Surgery Center THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
More informationSOUTH CAROLINA PUBLIC EMPLOYEE BENEFIT AUTHORITY (PEBA) NOTICE OF PRIVACY PRACTICES
SOUTH CAROLINA PUBLIC EMPLOYEE BENEFIT AUTHORITY (PEBA) NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised September 23, 2013 This notice describes how medical information about you may be used
More informationIF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE OR IF YOU NEED MORE INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICER:
NOTICE OF PRIVACY PRACTICES COMPLETE EYE CARE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPPA Goes HITECH. Data Protection for Agents
HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able
More informationNOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):
More informationNotice of Privacy Practices
Notice of Privacy Practices Pueblo Radiology Medical Group, Inc. Pueblo Radiology Associates, Inc. Central Coast Radiology Associates, Inc. Santa Barbara Women s Imaging Center Effective Date: September
More informationHIPAA Compliance. 2013 Annual Mandatory Education
HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health
More informationNotice of Health Information Privacy Practices Radiology Associates of Norwood, Inc.
Notice of Health Information Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE
More informationHIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
More informationNOTICE OF PRIVACY PRACTICES
Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. OUR PLEDGE
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationHIPAA Privacy. September 21, 2013
HIPAA Privacy September 21, 2013 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff,
More informationOUR LADY OF THE LAKE, HOSPITAL INC. AND OUR LADY OF THE LAKE PHYSICIAN GROUP, LLC NOTICE OF PRIVACY PRACTICES
OUR LADY OF THE LAKE, HOSPITAL INC. AND OUR LADY OF THE LAKE PHYSICIAN GROUP, LLC NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
More informationPrivacy & Security Standards to Protect Patient Information
Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine
More informationHealth Insurance Portability and Accountability Act HIPAA Privacy Standards
Health Insurance Portability and Accountability Act HIPAA Privacy Standards Healthcare Provider Training Module Copyright 2003 University of California Click the arrow to start the YouTube video in a separate
More informationACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES I acknowledge that I have been provided a copy of Fiorillo Cosmetic and General Dentistry s Notice of Privacy Practices, which has an effective
More informationHIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts
More informationHIPAA Education Level One For Volunteers & Observers
UK HealthCare HIPAA Education Page 1 September 1, 2009 HIPAA Education Level One For Volunteers & Observers ~ What does HIPAA stand for? H Health I Insurance P Portability A And Accountability A - Act
More informationHEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA
TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE
More information8.03 Health Insurance Portability and Accountability Act (HIPAA)
Human Resource/Miscellaneous Page 1 of 5 8.03 Health Insurance Portability and Accountability Act (HIPAA) Policy: It is the policy of Licking/Knox Goodwill Industries, Inc., to maintain the privacy of
More informationNOTICE OF PRIVACY PRACTICES ILLINOIS EYE CENTER
NOTICE OF PRIVACY PRACTICES ILLINOIS EYE CENTER THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
More informationThe Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices
The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL
More informationFEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA
APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section
More informationHIPAA Privacy & Security Health Insurance Portability and Accountability Act
HIPAA Privacy & Security Health Insurance Portability and Accountability Act ASSOCIATE EDUCATION St. Elizabeth Medical Center Origin and Purpose of HIPAA In 2003, Congress enacted new rules that would
More informationMERCY HEALTH MEDICAL TRANSPORTATION SERVICES PRIVACY NOTICE Revised Notice Effective Date: September 23, 2013
MERCY HEALTH MEDICAL TRANSPORTATION SERVICES PRIVACY NOTICE Revised Notice Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
More informationPolicy & Procedure AUTUMN RIDGE RESIDENTIAL CARE. March, 2013
AUTUMN RIDGE RESIDENTIAL CARE Policy & Procedure HIPAA / PRIVACY NOTICE OF PRIVACY PRACTICES FUNCTION NUMBER PRIOR ISSUE EFFECTIVE DATE March, 2013 PURPOSE To ensure that a Notice of Privacy Practices
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationHow To Protect Your Privacy At A Clinic
NOTICE OF PRIVACY PRACTICES University HealthCare Alliance Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED. PLEASE REVIEW IT CAREFULLY.
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationBERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
More informationNOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA)
NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationEffective Date: March 23, 2016
AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationPRIVACY AND INFORMATION SECURITY INCIDENT REPORTING
PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More informationHIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator
HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationHIPAA PRIVACY OVERVIEW
HIPAA PRIVACY OVERVIEW OBJECTIVES At the completion of this course, the learner will be able to: Define the Purpose of HIPAA Define Business Associate Identify Patients Rights Understand the Consequences
More informationSCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationHIPAA NOTICE OF PRIVACY PRACTICES Woodlands Behavioral Healthcare Network (WBHN)
HIPAA NOTICE OF PRIVACY PRACTICES Woodlands Behavioral Healthcare Network (WBHN) Effective Date: 04/14/15 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN
More informationNotice of Privacy Practices
Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of
More informationHarris County - Texas HIPAA Notice of Privacy Practices
Harris County - Texas HIPAA Notice of Privacy Practices Effective Date: September 23, 2013. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
More informationCARING HOSPICE SERVICES NOTICE OF PRIVACY PRACTICES
Original effective date: 2003 Effective date of last Revision: July 17, 2013 CARING HOSPICE SERVICES NOTICE OF PRIVACY PRACTICES Caring Hospice Services of Connecticut Caring Hospice Services of New York
More informationLAWRENCE COUNTY MEMORIAL HOSPITAL Lawrenceville, Illinois. NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised May, 2013
LAWRENCE COUNTY MEMORIAL HOSPITAL Lawrenceville, Illinois NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised May, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU WILL BE USED AND
More informationHIPAA Privacy and Security
HIPAA Privacy and Security Course ID: 1020 - Credit Hours: 2 Author(s) Kevin Arnold, RN, BSN Accreditation KLA Education Services LLC is accredited by the State of California Board of Registered Nursing,
More informationNotice of Privacy Practices
Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This practice uses
More informationNew Privacy Laws Impacting the Health Care Work Place
New Privacy Laws Impacting the Health Care Work Place Presented by Thomas E. Jeffry, Jr., Esq. Arent Fox LLP Washington, DC New York, NY Los Angeles, CA November 12 & 19, 2009 Overview 1. Overview of California
More informationH I P AA B U S I N E S S AS S O C I ATE AGREEMENT
H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationCMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES Effective Date: April 14, 2003 Revision Date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
More informationNotice of Privacy Practices
Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. About this notice
More information