HIPAA Privacy and Security

Similar documents
Patient Privacy and HIPAA/HITECH

HIPAA Privacy & Security Training for Clinicians

HIPAA Compliance for Students

HIPAA Training for Hospice Staff and Volunteers

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

PHI- Protected Health Information

Annual Compliance Training. HITECH/HIPAA Refresher

2014 Core Training 1

HIPAA and Health Information Privacy and Security

HIPAA Orientation. Health Insurance Portability and Accountability Act

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA and You The Basics

HIPAA Training for Staff and Volunteers

The Basics of HIPAA Privacy and Security and HITECH

HIPAA 101: Privacy and Security Basics

HIPAA Education Level One For Volunteers & Observers

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Statement of Policy. Reason for Policy

University of Cincinnati Limited HIPAA Glossary

HIPAA Privacy for Caregivers

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians

HIPAA Compliance Annual Mandatory Education

HIPAA ephi Security Guidance for Researchers

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA: Bigger and More Annoying

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Contents

Are you in the correct place?

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

An Introduction on How to Better Protect Your Computer and Sensitive Data

Clinician s Guide to HIPAA Privacy. I. Introduction What is HIPAA? Health Information Privacy Protected Health Information

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

A Privacy and Information Security Guide for UCLA Workforce. HIPAA and California Privacy Laws

HIPAA Security Education. Updated May 2016

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HIPAA and Privacy Policy Training

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

OCR/HHS HIPAA/HITECH Audit Preparation

Protecting Patient Privacy It s Everyone s Responsibility

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

HIPAA Privacy and Security

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

8.03 Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

HIPAA Security Training Manual

Department of Health and Human Services Policy ADMN 004, Attachment A

HIPAA PRIVACY SELF-STUDY MATERIALS

NC DPH: Computer Security Basic Awareness Training

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

HIPAA OVERVIEW ETSU 1

HIPAA PRIVACY OVERVIEW

PROTECTING PATIENT PRIVACY and INFORMATION SECURITY

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

HIPAA Training for the MDAA Preceptorship Program. Health Insurance Portability and Accountability Act

Annual HIPAA Security & Information Security Competency

HIPAA (Health Insurance Portability and Accountability Act) Awareness Training for Volunteers and Interns

HIPAA Privacy & Security Rules

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

M E M O R A N D U M. Definitions

MCCP Online Orientation

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem?

Procedure Title: TennDent HIPAA Security Awareness and Training

HIPAA Security Alert

Transcription:

HIPAA Privacy and Security Course ID: 1020 - Credit Hours: 2 Author(s) Kevin Arnold, RN, BSN Accreditation KLA Education Services LLC is accredited by the State of California Board of Registered Nursing, Provider # CEP16145. Disclosures Clinical Specialist, Bard Access Systems IVTAGS, LLC - Owner Audience All health care workers. HIPAA Privacy and Security addresses federal laws and guidelines for protecting and maintaining Protected Health Information. Course Objectives After completion of this lesson, participants will be able to: 1. List 5 examples of protected health information (PHI). 2. List 3 Patient s rights. 3. List 3 examples uses of PHI. 4. List 3 example HIPAA violations. 5. Describe the consequences of HIPAA violations. 6. List 3 patient s right. 7. List 3 threats to PHI security. 1

Federal Law HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA Privacy Protection for the privacy of Protected Health Information (PHI) effective HIPAA Security Protection for the security of electronic Protected Health Information 2

Protects the privacy and security of a patient s health information. Provides for electronic and physical security of a patient s health information. 3

HIPAA Privacy 4

Sample Protected Health Information (PHI) Name Address (any part) Name of employer Date of admission, birth Date of discharge, death Telephone and Fax numbers Electronic (email) addresses Social Security Number Medical Records Health Plan Beneficiary Info Account number Medical record number Any vehicle ID number Photographic Images Medical Hx or Tx IP (internet protocol) # Web URL Certificate / Licenses # Finger prints Any identifying data 5

Do not access information unless it is needed to do your job. Do not share information with colleagues unless they need it to do their job. 6

Examples Treatment of patient Direct patient care Coordination of care Consultations Referrals to health care providers 7

Examples Operations Administrative activities Quality improvement Compliance Competency Training 8

Examples Payment of health care bills Includes any activities required to bill and collect for health care services. 9

Examples Disclosures required by law Public Health and other governmental reporting 10

Method of PHI Communication Verbal Paper Electronic 11

Verbal Communication When talking make sure you are: Sharing with someone who needs PHI for their job. Speaking where others can not hear. Giving only the minimum PHI necessary 12

Paper Communication Nursing services may release a copy of a patients medical record to health care personnel transporting a patient to another health care facility. Physicians and Nurses may release some information to a patient 13

Paper Communication Typically releasing PHI is left to medical records departments. Dispose of PHI properly (shred) 14

Paper Communication Limit faxing to emergent situations Always include a cover sheet with a confidentiality notice Use secure fax locations Faxes sent to inadvertent locations should be reported 15

Paper Communication PHI should not be left on counters, in conference room, or anywhere it may be accessible to the public or staff that do not need to know the information. 16

Protecting Electronic PHI Ensure data is encrypted Encryption assures PHI is unreadable to anyone but authorized devices. Create strong passwords Secure computers and other devices Avoid discussion on blogs/threads Often contain malware, phishing software 17

Protecting Electronic PHI Malware is software designed to harm your computer (viruses, worms, spyware) Phishing is unwanted email or web site requests for confidential information Avoid suspicious emails 18

Protecting Electronic PHI Avoid storage of PHI on Cloud servers. Cloud servers store information over the internet (Dropbox, TheBox, Google Drive, Apple icloud) 19

Example Violations A medical chart left open at a nursing station A lost medical record PHI on a thumb drive that was lost and not password protected A PowerPoint presentation containing PHI given to a department of 20 employees with out proper authorization from the patient. 20

Example Violations Informing a patient s family member of a patient medical diagnosis with out proper authorization. A physician and nurse discussing a case in the elevator with others present A smart phone containing PHI left on the counter with no pass word protection in place PHI on a computer left open and unattended 21

Reporting If you are aware or suspect a violation, report it to the appropriate supervisor or privacy officer. Failure to report is a violation. 22

Consequences $100 per violation, $25,000 for an identical violation within one year $50,000 for wrongful disclosure $100,000 and/or 5 years in prison for wrongful violation for obtaining PHI under false pretenses $250,000 and/or 10 years in prison if committed with intent to sell or transfer for commercial advantage, personal gain, or malicious harm, includes obtaining or disclosing. 23

Contacting Patients Before contacting a patient, make sure the patient does not have an approved request for an alternative method or location for communications. You should NOT leave PHI on answering machines, voice mails 24

Appointment reminders made by telephone must be limited to: Patient s Name Caller s Name Location Contacting Patients Date and Time of appointment A call back number for further questions Do not disclose other details. 25

Patient s Rights The right to request restriction of PHI uses & disclosures The right to request alternative forms of communications The right to access and copy patient s PHI The right to an accounting of the disclosures of PHI The right to request amendments to information 26

Patient's Right to Opt Out Patients may opt out at the time of admission and at any time. His/her information will not be shared with outside callers or visitors The patient is not included in the patient list maintained by the Hospital telephone operators If a patient opts out of the patient list, callers or visitors should be told, I have no information available on that person. All patients admitted to a Psychiatry service are typically automatically opted out. 27

What is okay? Typical Approved Disclosure to the Public The patient s location The patient s general condition stable, serious, or critical 28

Question? When Mr. Thomas is admitted, he signs a General Consent for treatment and does not choose to opt out of any areas. He calls her nurse upset because he just received a phone call from someone he did not want to know he was in the hospital. Should this person s information have been disclosed? 29

Answer Since Mr. Thomas did not choose to opt out of the patient directory, callers inquiring about him by name would receive confirmation of his admission and general information about his condition. 30

Question? A patient drops by the nursing station as he is being discharged to get a copy of his medical records. Michelle, a business associate, accesses the patient s medical record and prints a complete copy for the patient to take with him. Should Michelle have given the patient a copy of his medical record? 31

Answer NO, Michelle should have advised the patient to obtain a copy from the medical records office. 32

Question? Kathy calls a patient to remind them about and appointment. Hi, this is Kathy calling for James Henderson to remind you about your appointment tomorrow morning at 9:00AM. You may call me back at 555-1234 with any questions. Was this message appropriate? 33

Answer Yes, Kathy did not identify the clinic or any sensitive medical information only the necessary data for the appointment. 34

Question? Jack answers a phone call asking about the health status of Mrs. Owens. Jack looks up but does not see Mrs. Owens on the patient on the unit s roster. Jack knows Mrs. Owens is doing fine and about to be discharged from listening to the morning report. Jack tell the caller he can t say medial details, but she is doing okay. Was this the appropriate response? 35

Answer NO, Jack should have known a patient not listed on the roster was a no information patient. Many patients opt out and do not want it known they are in the hospital. Jack should have said I m sorry but I have no information on that person. 36

Question You are an RN working in the MICU. One of your best friend s wife is in an auto accident and gets admitted to the Emergency Department. Your friend calls you to see if you look up her chart and make sure you agree with the treatment she is being given. What can you do to help? 37

Answer You are only allowed to view information needed to do your job. Since you are not caring for this patient, you may not look up the chart or ask someone else to access it on your behalf. 38

HIPAA Security 39

Electronic Security of PHI Computer-based patient health information that is used, created, stored, received or transmitted. Information in an electronic medical record, patient billing information, digital images, etc. Ensure confidentiality (no disclosure) of PHI. Ensure integrity (no alteration) of PHI. 40

Usernames and Passwords Never share your username or password Never use someone else s username or password Change passwords often or per facility protocol 41

Email Use encryption Avoid use of personal email accounts 42

Work Areas Log off or lock work stations when unattended Make use of auto-lock features when possible Use screen savers or security screen protectors possible 43

Threats Suspicious emails From names you do not recognize Phishing links Attachments 44

Threats Remote Access Trojans Remote uses may access your computer without your permission or with out you knowing May steal PHI from your computer 45

Threats Worms Viruses that take advantage of network security holes and spread throughout an internal network of computers 46

Threats Spyware Virus software that can monitor your computer usage and collect data to an external location. Often causes multiple out of control pop up advertisements. 47

Threats Keystroke Loggers Virus software that can record every keystroke on you computer and collected to an external location. Often serve as an attempt to record usernames and passwords. 48

Anti-Threat Measures Help to keep anti-virus software up to date Use of internet firewalls is recommended 49

Avoid long term storage of PHI on portable devices such as: USB storage devices Laptops ipads Smart phones PDAs Portable Devices Destroy PHI when it is no longer needed. 50

References American Recovery and Reinvestment Act of 2009, Title XIII Health Information Technology for Economic and Clinical Health, Subtitle D, Privacy Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals Health Insurance Portability and Accountability Act of 1996 (HIPAA) NIST SP 800-30, Risk Management Guide for Information Technology System OCR website: Summary of HIPAA Privacy Rule OCR website: Summary of HIPAA Security Rule 51

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information