HIPAA Training for Staff and Volunteers




Objectives
- Explain the purpose of the HIPAA privacy, security and breach notification regulations
- Name three patient privacy rights
- Discuss what you can do to help safeguard the privacy and security of protected health information

Agenda
- Brief background / history of HIPAA
- What is PHI
- HIPAA privacy requirements
- HIPAA security requirements
- HIPAA breach notification requirements
- How you must help with compliance

HIPAA Overview / Background

What is HIPAA?
Health Insurance Portability and Accountability Act of 1996

Covered Entities and Business Associates
- Covered entities: health care providers, health plans, health care clearinghouses
- Business Associates
- BA Subcontractors

What impacts employees?
- Privacy Rule
- Security Rule
- Breach Notification Rule

The Privacy Rule
- Protects health information from unauthorized uses and disclosures.
- Provides nation-wide minimum standards for the protection of the privacy of health information.
- Provides health care consumers with more rights and control over the uses and disclosures of their health information.

The Security Rule
- Protects health information in electronic form from alteration, loss or destruction and from unauthorized access.
- Security and privacy go hand in hand: you can't have one without the other.

The Breach Notification Rule
- Requires notifying individuals, the media and the government when unsecured protected health information is compromised.

What does this have to do with you?
- There are certain things you must know and do to comply with HIPAA
- Compliance is everyone's responsibility
- There are significant penalties for not complying
- Compliance is required, it is not optional
- HIPAA is the law
- Protecting patient privacy is also the right thing to do

Protected Health Information (PHI): The Heart of the Matter

PHI - Protected Health Information
Any information, in electronic, written or oral form, that relates to an individual's past, present or future health condition.

Some examples of PHI
- Name
- Date of birth
- Date of admission
- Date of death/discharge
- Social Security number
- Health insurance number
- Medical record number
- Vehicle ID / license number
- Phone number
- Address

In a nutshell: Protected Health Information is ANY INFORMATION that identifies an individual, or for which there is a reasonable basis to believe the information could be used to identify an individual.

Rule of thumb: if you think something might be protected health information, it probably is.

HIPAA Privacy Rule Requirements

Essence of the Privacy Rule
- PHI may only be used or disclosed in ways permitted or required by the Privacy Rule.
- For all other purposes the patient must sign an authorization form to allow the use or disclosure of his or her health information.

Some of the requirements:
- Notice of Privacy Practices
- Privacy Official
- Honor patient privacy rights
- Minimum necessary requirements
- Provide safeguards for written, oral and electronic health information
- Train staff on their responsibilities

Notice of Privacy Practices
- Tells patients how their PHI is allowed to be used and disclosed
- Must be given to all patients before care is provided

Privacy Official
- Responsible for all matters related to privacy practices
- It is important to know the name of the Privacy Official where you work

Privacy Rights
- Their purpose is to give individuals more control over how their health information is used and disclosed.
- Patients are informed of these rights and how to exercise them in the Notice of Privacy Practices.

Patient Privacy Rights
- To receive a copy of the Notice of Privacy Practices
- To lodge complaints
- To request restrictions on uses and disclosures
- To request communication in an alternative manner
- To request access to PHI
- To request amendment of PHI
- To request an accounting of disclosures of PHI
- To be notified if a breach occurs
- To opt out of receiving fundraising communications

To Receive a Copy of the Notice of Privacy Practices
All patients have a right to know how their health information is used and disclosed.

To Lodge a Complaint
The Notice describes how patients can lodge complaints regarding privacy violations and how to contact the Privacy Official.

Request Restrictions on How PHI is Used or Disclosed
Patients may request limits on how their PHI is used or disclosed.

Request Confidential Communications
Patients may request that their health information be discussed in a certain manner or location.

Request Access to PHI
- Patients may inspect their clinical record or have a copy of it.
- All staff who document in clinical records should be aware that their documentation could be read or viewed by the patient or the patient's representative.

Request Amendment of PHI
- Patients may request to amend (not alter) clinical records.
- If the patient believes there is a mistake, a notation will be made in the clinical record if the request for amendment is approved.

Request an Accounting of Disclosures
Patients have a right to know to whom their PHI has been disclosed.

To Be Notified If a Breach Occurs
Patients have a right to know when their protected health information has been compromised.

To Opt Out of Receiving Fundraising Communications
Patients have a right to refuse to receive fundraising communications.

The Minimum Necessary Standard
- Covered entities may not use, disclose or request more PHI than is absolutely necessary.
- Employees may not have access to more PHI than necessary to perform their jobs.
- Entire medical records may not be used, disclosed or requested unless doing so is specifically authorized in policies and procedures.

Overview of HIPAA Security Rule Requirements

Essence of the Security Rule
Electronic PHI (ePHI) must not be lost, altered, or destroyed, or accessed by anyone not authorized.

Electronic PHI (ePHI)
ePHI includes any medium used to store, access, transmit or receive PHI electronically:
- Laptops / desktops
- External hard drives, flash drives, CDs, DVDs
- Magnetic tape or disks
- Smart phones, tablets
- Network servers, email, etc.
- Data warehouses, cloud providers

Three Types of Safeguards
- Administrative: operational requirements, administrative actions, and policies and procedures
- Physical: physical measures and policies and procedures needed to protect information systems and buildings from natural and environmental hazards and unauthorized access
- Technical: technology that can be used to protect ePHI

Examples of required safeguards
- Security awareness and training
- Facility access controls
- Disposal and backup procedures

What happens when the PHI of a patient is not protected as required by the Privacy and Security Rules?

BREACH!

Definition of a Breach
The acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy Rule which compromises the security or privacy of the protected health information.

More on breaches
- Breaches only apply to unsecured protected health information.
- If protected health information is secured, it cannot be accessed by someone not authorized.

Unsecured Protected Health Information
Protected health information that has not been rendered unusable, unreadable or indecipherable.

Only two approved ways to secure PHI: ENCRYPTION and DESTRUCTION

Examples of Potential Breaches
- Lost or stolen laptop or desktop
- Misdirected fax or email
- Briefcase with patient documentation stolen from car
- Looking at PHI of neighbors/friends out of curiosity
- Lost or stolen flash drives

What to do if you think a breach may have happened:
- Contact your supervisor or Privacy Official at once
- There are very specific risk assessment and notification requirements that must be met

Safeguarding PHI - How everyone can and must help

PHI must be safeguarded from:
- Unauthorized use and disclosure
- Loss
- Destruction
- Unauthorized access

Identify PHI
- Written
- Oral
- Electronic

Where is written PHI?
- Clinical records
- File cabinets
- Reports
- Travel charts
- Fax machines
- Staff mailboxes
- Desks
- Whiteboards
- Trash / recycle bins
- IDG agendas
- Near shredders
- Copiers

How to help
- Lock travel charts in the trunk of your car when not in use
- Only have the minimum amount of PHI necessary in travel charts
- Promptly shred PHI that is no longer needed
- Do not leave PHI unattended on your desk or in your work area

More ways to help
- Lock file cabinets containing PHI when not in use
- Return clinical records promptly
- Locate fax machines, printers and copiers in secure areas
- Remove PHI from copiers, fax machines and printers as soon as possible

Where is oral PHI?
- When talking on the phone
- During meetings
- Over lunch
- Any time you talk about a patient with someone who is not providing care to that patient

Protect Oral PHI
- Don't talk about patients in public places
- Don't talk about patients to anyone not involved in the patient's care
- Do not use the phone in a patient's home to call other patients or discuss patients
- Only share the minimum amount of patient information necessary

Where is electronic PHI?
- Desktop computers
- Laptop computers
- Email and text messages
- On networks, servers, digital copiers
- On storage devices like flash drives, CDs, external hard drives
- Smart phones, tablets
- Data warehouses, cloud storage

Protect Electronic PHI
- Be careful with passwords
- Always keep laptops locked and protected when not in use and follow encryption policies/practices

- Do not include PHI in emails unless it is encrypted
- Do not leave computer screens with PHI unattended
- Follow privacy and security policies and procedures
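The two slides above combine a list of PHI identifiers (Social Security number, dates, medical record number, insurance number, phone number) with the rule that PHI may only leave in an encrypted email. The following Python script is an added example, not part of the training deck or any organization's own tooling: it shows the kind of outbound-mail check a covered entity's IT team can run to back that rule up, flagging identifier-like strings and blocking the message unless it is going out encrypted. The regular expressions for the medical record number and insurance ID are assumptions made for this example (real organizations use the formats their own systems issue), the sample messages are constructed, and names and addresses are deliberately not matched because they have no reliable pattern; a check like this supports the "encrypt it or don't send it" rule but never replaces it.

```python
import re
from dataclasses import dataclass

# Patterns for the identifier types the training lists as examples of PHI.
# The MRN and insurance-ID formats are ASSUMPTIONS for this example only.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    # dates of birth / admission / discharge in M/D/YYYY form
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "insurance_id": re.compile(
        r"\b(?:member|policy|insurance)\s*(?:id|#|no\.?)[:\s]*[A-Z0-9]{6,14}\b",
        re.IGNORECASE,
    ),
}


@dataclass
class Finding:
    kind: str       # which identifier type matched
    redacted: str   # masked match, safe to write to a log or alert


def redact(value):
    """Mask all but the last two characters so the finding is not itself PHI."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def scan_for_phi(text):
    """Return a Finding for every identifier-like string in the text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(kind, redact(match.group(0))))
    return findings


def check_outgoing_email(body, encrypted):
    """Apply the slide's rule: PHI may leave only in an encrypted message.

    Returns (decision, findings). decision is "allow" when nothing PHI-like
    was found, "allow_encrypted" when PHI was found but the message is being
    sent encrypted, and "block" when PHI was found in a plaintext message.
    """
    findings = scan_for_phi(body)
    if not findings:
        return "allow", findings
    if encrypted:
        return "allow_encrypted", findings
    return "block", findings


# Constructed sample messages; no real patients, records or numbers.
REFERRAL_NOTE = (
    "Hi Dana,\n"
    "Patient Jordan Lee (MRN: 00482913) was admitted on 03/11/2014.\n"
    "SSN 123-45-6789 and Member ID: ABC123456 are on file.\n"
    "Call back at (555) 123-4567.\n"
)
LUNCH_NOTE = "Lunch is at noon on Friday, see you there.\n"

if __name__ == "__main__":
    for name, body, enc in [("referral", REFERRAL_NOTE, False),
                            ("referral", REFERRAL_NOTE, True),
                            ("lunch", LUNCH_NOTE, False)]:
        decision, findings = check_outgoing_email(body, encrypted=enc)
        print(f"{name} encrypted={enc}: {decision}",
              [(f.kind, f.redacted) for f in findings])
```

Two design points matter more than the patterns themselves. The findings are redacted before they are returned, because an alert or log line that quotes the full Social Security number would spread the PHI the check is meant to contain. And the decision is three-valued rather than a yes/no: a "block" tells the sender to use the encrypted channel, while an "allow_encrypted" still records that PHI left, which is what the minimum-necessary standard and accounting-of-disclosures right above both depend on.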

THE HIPAA GOLDEN RULE
Do unto the PHI of others as you would have them do unto yours.