Mountain States Health Alliance | Bringing Loving Care to Health Care 1
HIPAA Privacy and Security Training
for Researchers
Version April 2017
Course Objectives
This learning course covers HIPAA, HITECH, and the MSHA
Privacy and Security Program:
Acronyms and Terms
HIPAA and HITECH Overview (HIPAA Privacy Rule and Security
Rule)
Requirements of the Law
The concept of protected health information (PHI)
Permitted and Prohibited uses and disclosures of PHI
MSHA Policies & Procedures
HIPAA applied to real-life situations
Specifics for research
Definitions and Terms
ARRA: American Recovery and Reinvestment Act, commonly referred
to as the Stimulus or The Recovery Act.
Breach: Improper access, use, or disclosure of Protected Health
Information.
Business Associate (BA): A person or company that creates, receives,
maintains, or accesses PHI on behalf of a covered entity. The HIPAA
responsibilities of the BA are set out in a business associate agreement
between the BA (or its employer) and the covered entity. A
company that types/transcribes medical reports for a hospital or
physician office is one example.
Covered Entity (CE): Health plans, health care clearinghouses, and
health care providers that conduct certain financial and administrative
transactions electronically. MSHA is a covered entity.
Definitions and Terms
Protected Health Information (PHI): Individually identifiable health
information in any form, oral or recorded, that relates to the past,
present, or future physical or mental health or condition of an
individual, including demographic information.
Disclosure: The release, transfer, provision of access to, or divulging
in any manner of information outside the entity that holds the
information.
DHHS: Department of Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act. The
HIPAA Security Rule compliance date was April 2005.
HITECH: Health Information Technology for Economic and Clinical
Health Act, a 2009 provision of the American Recovery and
Reinvestment Act (ARRA).
Definitions and Terms
Minimum necessary: Use, access, and disclosure of PHI by a
covered entity or business associate are limited to the minimum
amount of information necessary to accomplish the required task.
Office for Civil Rights (OCR): Component of DHHS responsible for enforcing
the HIPAA Privacy and Security Rules.
Privacy officer: Individual designated by a covered entity to oversee
compliance with the HIPAA Privacy Rule. Contact the MSHA HIPAA
Officer with any questions.
De-identified information: PHI from which identifying information has been
sufficiently “stripped” (see the list of 18 PHI identifiers) so that the
person to whom it belongs can no longer be identified.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
Privacy Laws and Regulations
There are many federal and state laws regarding privacy of patient
information. One such federal law is the Health Insurance
Portability & Accountability Act of 1996 (HIPAA).
HIPAA sets forth regulations for improved efficiency in health care
delivery through standardized electronic exchange of patient information;
requiring health identifiers; and creating privacy standards.
HIPAA brought about two rules:
Privacy Rule – compliance date of April 2003
Security Rule – compliance date of April 2005
What are ARRA and HITECH?
American Recovery and Reinvestment Act (ARRA), Public Law
111-5 is an economic stimulus package which was signed into law
on February 17, 2009.
Health Information Technology for Economic and Clinical
Health (HITECH) Act is the part of the ARRA law that deals with many of
the health information communication and technology provisions,
including Subpart D – Privacy. In January 2013, the Department
of Health and Human Services issued the “Final Rule”
implementing HITECH’s statutory amendments to HIPAA.
Enforcement of HIPAA
The Department of Health and Human Services (DHHS) is a
department of the federal government that has overall responsibility for
implementing and enforcing HIPAA.
Office for Civil Rights (OCR) is responsible for implementing and
enforcing the Privacy and Security Rules.
MSHA Corporate Audit and Compliance Services department is
responsible for monitoring and assessing MSHA compliance with
HIPAA.
Potential Penalties:
Civil
Criminal
Federal lawsuit
Loss of professional license
Employer corrective action including termination
Criminal Liability
§13409 of the American Recovery and Reinvestment Act (HITECH):
Clarified that employees of covered entities may be held
criminally liable for obtaining or disclosing individually
identifiable health information maintained by covered entities
without authorization.
Who?
Individuals who "knowingly" obtain or disclose individually
identifiable health information in violation of HIPAA
What?
Fines from $50,000 up to $250,000 and
imprisonment from one year up to ten years
Privacy Rule: Administrative Requirements
The Privacy Rule contains many other requirements that MSHA must
comply with, such as:
Business Associate Contracts: Under certain conditions, MSHA is required to maintain legal contracts with business
partners whose activity may involve the use or disclosure of individually identifiable
health information. MSHA Legal Counsel should be consulted regarding contracts when patient
information is involved.
De-Identification of PHI: Under certain scenarios, information can be used or disclosed if de-identified. Refer to
MSHA policy IM-900-006 De-Identification of Protected Health Information for details.
Minimum Necessary: When using or disclosing PHI or when requesting PHI, a reasonable effort must be made
to limit the PHI to the minimum necessary to accomplish the intended purpose of the use,
disclosure, or request. Refer to MSHA policy IM-900-014 Minimum Necessary Use and
Disclosure of Protected Health Information for details.
Privacy and Security Rule
The Privacy Rule is intended to protect the privacy of an
individual’s health information; regardless of whether the
information is written, spoken, or stored in a computer.
The Security Rule protects health information that is
stored or transmitted electronically (electronic PHI, or ePHI).
Privacy Rule
MSHA follows the Privacy Rule, which describes the ways an
organization may use or disclose a patient’s protected health
information, including:
To the Individual; To Others Involved in the Individuals Care
For Treatment, Payment, or Health Care Operations (“TPO”)
When an authorization from the patient is required
Within the Facility Directory
Disclosure of PHI when required by law; For Public Health or
Health Oversight
Law Enforcement Purposes; Research Purposes; For Organ
Donation; For Workers’ Compensation; others
For Disclosures about Victims of Abuse, Neglect, Domestic
Violence
Treatment, Payment and Health Care Operations (TPO)
HIPAA permits use and disclosure of PHI for TPO:
Treatment: the provision, coordination or management of care and services,
including coordination by a provider with a third party; consultation between
health care providers; or referral from one provider to another.
Payment: activities to obtain or provide reimbursement for services: billing,
claims management, collection activities; review for medical necessity;
utilization review, pre-certification and pre-authorization of services; disclosure
to consumer reporting agencies; others.
Health Care Operations: operating activities such as conducting quality
improvement activities; reviewing competence of health care professionals;
underwriting, premium rating, etc.; medical review, legal services,
auditing; business planning/development; others.
Disclosures for “TPO” purposes do not require a provider to obtain authorization
from the patient.
Privacy Rule: Permitted Uses and Disclosures
While the Privacy Rule describes many ways that permit MSHA to
use and disclose patient information, BEFORE using or
disclosing any patient information you must refer to MSHA policy
IM-900-019 Release, Use, and Disclosure of Patient Information
and MR-900-055 Release of Medical Records for the Purpose of
Research for details.
No MSHA team member or researcher shall disclose information
without first knowing:
To whom they are disclosing the information
Whether the recipient is authorized to receive the information
Whether the requested information is appropriate for the content
and purpose of the request
Whether applicable content of this policy has been addressed in
the process of disclosing the information.
HIPAA Identifiers
If the information includes any of the identifiers below of the patient or the patient’s
relative, household member, or employer, the information is considered identifiable
and subject to the HIPAA Rules.
1. Names
2. All geographic subdivisions smaller than a state
3. All dates (except year) related to an individual, including DOB, admission date, discharge date, death date, and all ages over 89
4. Telephone numbers
5. Vehicle identifiers and serial numbers, including license plate numbers
6. Fax numbers
7. Device identifiers and serial numbers
8. Email addresses
9. URLs
10. IP addresses
11. Social Security Numbers
12. Medical Record Numbers
13. Biometric identifiers, including finger and voice prints
14. Health plan beneficiary numbers
15. Full-face photographs
16. Account numbers
17. Any other unique or identifying characteristic, number, or code
18. Certificate or license numbers
PHI Receiving Special Protections
The HIPAA Rules and related federal and state laws recognize certain categories of PHI
as “ultrasensitive” and require special protections for
such information:
Mental and Behavioral Health records
Psychotherapy Notes
STD testing
HPV testing
Alcohol or Drug abuse records
Genetic Testing
Privacy Rule: Authorizations
There are many reasons including research that information about a
patient is used within MSHA or disclosed outside of MSHA.
Generally, an authorization is not required to use or disclose patient
information to carry out Treatment, Payment, or Health Care Operations
(“TPO”). Other exceptions may apply.
MSHA also discloses patient information as required by law or as required
reporting; which do not require patient authorization. Examples include:
Birth data to the TN Dept of Vital Statistics
Cancer data to the State Tumor Registry
Data to Protective Services Agencies (for victims of crime, abuse, or
neglect)
Many others
HIPAA and Research Data
The HIPAA Rules regulate how protected health information may be
obtained and used for research purposes.
This is true whether the PHI is completely identifiable or partially de-
identified in a limited data set.
In order to use PHI for research purposes appropriate
HIPAA documentation must be obtained, including either:
1. Individual patient authorization; or
2. Approved waiver of authorization from the IRB
MSHA uses the ETSU IRB; therefore, HIPAA requirements
for accessing and using PHI for research can be found on the
University’s IRB website: http://www.etsu.edu/irb/policies/procedures.aspx
Notice Of Privacy Practice (NPP)
The Notice of Privacy Practices is a requirement of HIPAA; the
NPP describes how MSHA uses and discloses a patient’s
information and how the patient can access that information. The NPP must be:
Given to each patient at time of registration
Posted in registration areas
Acknowledged: a signed acknowledgement of receipt must be obtained from the patient
Posted on the MSHA website
Access the MSHA NPP by using the link below
https://www.mountainstateshealth.com/notice-privacy-
practices
In research: HIPAA information must be presented as free
standing form or be included in Informed Consent Form (ICF). If no
direct contact with patient, then HIPAA Waiver can be requested from
IRB.
Patient Rights
A patient has the right to:
Access his/her record (research record not included).
Receive a notice (Notice of Privacy Practices) that tells the patient how his/her health
information may be used and shared.
Request restrictions/confidential communications about the use and
disclosure of their PHI.
Restriction for Out-of-Pocket Payments: A patient may restrict disclosure of protected
health information to a health plan when the patient has paid out-of-pocket in full for the
services. Refer to MSHA policy IM-900-021 Request for Restriction of the Use and/or
Disclosure of Patient PHI.
Request to amend specific portions of their record.
MSHA may deny the amendment, but must have a procedure available for the patient
to request the amendment. Refer to MSHA policy IM-900-005 Corrections/Amendments
to the Medical Record.
Request a copy of the accounting of disclosures.
MSHA is required to keep a history of when and to whom information was disclosed
about a patient for purposes other than treatment, payment or health care operations.
Refer to MSHA policy IM-900-002 Accounting of Disclosures of Protected Health
Information.
Privacy and Security Program
Additional HIPAA Administrative Requirements:
MSHA must provide education to work force on the policies and
procedures.
MSHA may not intimidate, threaten, coerce, discriminate against,
or take other retaliatory action against anyone who makes a
complaint.
Team members must promptly report all HIPAA concerns. Review
IM-900-026 Reporting of Potential or Actual Breaches of Patient
Protected Health Information
Remember, just because you have the ability to access a
record does not mean you are authorized under the law to
do so. You are only authorized to access protected health
information when necessary to perform your job!
De-identified Data (in research)
The HIPAA Rules do not restrict the use or disclosure of de-identified health
information, because the information is not considered PHI if it is de-identified.
The primary purpose of HIPAA is to protect the privacy of the individual when it
comes to their health information. If the individual cannot be identified, the risk to
the individual’s privacy is minimal.
Two Methods to Achieve De-identification:
“Safe Harbor” Method:
1. Removal of all 18 HIPAA identifiers; and
2. The covered entity possesses no actual
knowledge that the remaining information could be
used to identify the individual.
“Expert Determination” Method:
1. An expert determines that the risk is very small that
the information could be used, alone or in
combination with other reasonably available
information, to identify the individual; and
2. The expert documents the methods and risk results
of the analysis that justify such determination.
Information meeting either standard is de-identified and no longer considered PHI. HIPAA restrictions do not apply!
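As an added worked example (not MSHA's code and not part of the original training), the Safe Harbor method applied to one constructed patient record in Python. The field names, sample values and reference date are assumptions for the illustration. Direct identifiers are dropped, every date is reduced to its year, ages over 89 are collapsed to "90+" with the birth year removed, geography is kept only to the state (ZIP codes are dropped outright rather than using the three-digit ZIP exception the HHS guidance allows), and identifiers that leak into free text are redacted by pattern together with the record's own name. The second Safe Harbor condition, no actual knowledge that what remains could identify the person, is a human judgement that the code cannot make.

```python
"""Safe Harbor de-identification of one patient record (added example, not MSHA's code)."""
import re
from datetime import date

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1925-03-14",
    "admit_date": "2017-02-03",
    "zip": "37604",
    "state": "TN",
    "mrn": "MRN0012345",
    "phone": "423-555-0100",
    "email": "jane.sample@example.com",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt Jane Sample, MRN0012345, reached at 423-555-0100 or "
             "jane.sample@example.com; see http://portal.example.com/pt/42 "
             "from 10.1.2.3. SSN 123-45-6789 on file."),
}

# Fields that are identifiers outright and are dropped entirely
# (names, MRN, phone, email, and geography below the state level).
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "phone", "email", "zip"}
# Date fields: Safe Harbor keeps the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Identifier classes that can be matched mechanically in narrative text.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bMRN\d+\b"), "[MRN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def age_on(dob: date, ref: date) -> int:
    """Whole years between date of birth and the reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def scrub_text(text: str, patient_name: str) -> str:
    """Redact pattern-matchable identifiers and the patient's own name."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    # Regexes cannot find arbitrary names, but this record's own name is known.
    for token in patient_name.replace(".", " ").split():
        if len(token) >= 2:  # skip single-letter initials
            text = re.sub(r"\b%s\b" % re.escape(token), "[NAME]", text, flags=re.IGNORECASE)
    return text


def safe_harbor(record: dict, ref_date: str) -> dict:
    """Return a new record with the Safe Harbor identifier classes removed.

    ref_date is an ISO date (YYYY-MM-DD) used to compute the patient's age.
    """
    ref = date.fromisoformat(ref_date)
    dob = date.fromisoformat(record["dob"])
    age = age_on(dob, ref)
    over_89 = age > 89
    out = {"age": "90+" if over_89 else age}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Year only; for the 90+ group the birth year itself reveals the age.
            year = date.fromisoformat(value).year
            out[key + "_year"] = None if (key == "dob" and over_89) else year
        elif isinstance(value, str):
            out[key] = scrub_text(value, record["name"])
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for field, value in safe_harbor(SAMPLE_RECORD, "2017-04-01").items():
        print(f"{field}: {value}")
```

The pattern list is deliberately conservative: a value it cannot recognise stays in the text, so free-text fields still need review before release, and the output should be compared against the 18-item list above rather than trusted because a script ran.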
Privacy and Security Program
MSHA must reasonably safeguard PHI from intentional or unintentional
use or disclosure:
Work force must reasonably safeguard PHI to limit incidental
uses or disclosures
MSHA must apply sanctions when there is failure to comply with
the privacy policies and procedures.
MSHA work force members needing access to their own or a
family member's medical record should contact the Medical Records
department per policy IM-900-024 Team Member Access to
Their Own or Family Members' Medical Record Protected Health
Information (PHI).
MSHA must implement policies and procedures with respect to
PHI that are designed to comply with the HIPAA Rules. Review
MSHA policy IM-900-018 Privacy and Security Program.
Privacy and Security Program
Handling Work of Someone You Know
You are expected to maintain the confidentiality of patient information.
You may have access to and become knowledgeable about
information of individuals who are known to you, such as current and
previous family members, friends, and co-workers.
You should not access patient information that may place you or the
patient in a compromising position or present a conflict of interest.
Steps for a work force member to take, when possible:
Contact a Supervisor/Manager to request that the work be re-assigned.
If a Supervisor/Manager is not readily available, then ask, as appropriate,
another co-worker to complete the necessary work.
If no other co-worker is available, and a Supervisor/Manager is not readily
available, proceed with completing the work to ensure that patient care is not
compromised.
Notify a Supervisor/Manager of the occurrence.
Refer to policy IM-900-028 Handling of Work of Someone You Know
Where is PHI in a Healthcare Organization?
Verbal Conversations
Paper Documents and Reports
Computers and Technology
Consider where
electronic PHI may
be stored…
Emails
Files saved on a
computer/laptop/tablet
Shared network drives
Flash drives/USB
DVD’s/CD’s
Cloud storage
HIPAA Knowledge Check
When entering a patient treatment area to discuss the patient’s medical
condition, lab results, or treatment and the patient has visitors in the
room the caregiver should courteously ask the visitor(s) to please step
out of the room for a minute.
o True
o False
Answer: True. As caregivers it is our responsibility to be the patient’s
ambassador and ensure the patient has given us authorization to
disclose their PHI with family, friends, and others.
Patient Information Inquiries
It is the practice of MSHA to release information to the media in the
same manner as the release to the general public; however, all
requests for information from the media must be directed to the
Department of Marketing / Public Relations.
If information is requested for research, permission to release must be
granted by the Director of the Research Department.
General Public: When a visitor or caller requests information about a
patient, unless the patient has opted out of the facility directory,
generally only the following can be provided:
Patient Name
Patient Location
Patient Condition
The caller MUST ask for the patient by name
Review policy CM-500-005 Release of Patient Information to the Media.
Patient Information Inquiries
At the time of registration, a patient may request that no information
be released. Review IM-900-021 Request for Restriction of the Use
and/or Disclosure of Patient Protected Health Information.
Exemption: agreement to participate in research study
Information about patients under substance abuse care is more
restrictive.
In the event of a disaster, existing disaster protocols should be
followed.
MSHA has a VIP (Very Important Partner) program available for
patients who are admitted as an inpatient. Review P&P PC-600-143
Very Important Partner (VIP) Program.
MSHA Policy and Procedures
Policy IM-900-007 Disposal of Documents Containing Patient
Information addresses proper disposal of PHI.
Paper Documents should be shredded.
-If an outside shredding service is utilized, it should be the
MSHA approved shredding vendor.
-The Materials Management Department of the facility should
be contacted for information about the shredding service.
Magnetic media should be destroyed by bulk erasure (degaussing).
CDs/platters should be pulverized or broken up.
Facility records must be destroyed in a manner that ensures
the confidentiality of the records and renders the PHI no longer
recognizable.
Balancing Privacy With Adoption of Technology
Access to PHI
Researchers and work force members should not access their own
PHI or that of a family member or someone they know.
Researchers should only access the records identified as part of the
research study.
Photographs of patients are considered PHI.
Photography includes photographs, still images, videotape
recordings, digital images, or any other imaging method.
- All patient photographs are the property of MSHA and are to be filed in the
patient’s medical record.
- The use of personal equipment, including cellular phone cameras, to photograph
patients is strictly prohibited.
Review P&P PCA-600-011 Photography of Patients.
HIPAA Security Rule
Whereas the HIPAA Privacy Rule deals with Protected Health
Information (PHI) in general, the HIPAA Security Rule (SR) deals
with electronic Protected Health Information (ePHI), which is
essentially a subset of what the HIPAA Privacy Rule
encompasses.
The Security Rule specifies a series of:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
that covered entities are to use to ensure the confidentiality,
integrity, and availability of ePHI.
HIPAA Security Rule
Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all
ePHI they create, receive, maintain, or transmit;
Identify and protect against reasonably anticipated
threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible
uses or disclosures; and
Ensure compliance by their workforce.
Administrative Safeguards
Actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI.
In general, these safeguards require MSHA to:
Maintain processes to address management of security,
including:
Risk analysis
Disciplinary (sanction) policies
System activity review
Identify an individual who is responsible for overseeing
compliance with the HIPAA Security Rule.
At MSHA, this person is the HIPAA Compliance Officer in the
Corporate Audit and Compliance Services Department.
Administrative Safeguards (continued)
MSHA must:
Implement policies/procedures addressing access to electronic PHI.
Provide training on security processes and practices.
Implement policies/procedures to address security incidents/violations.
Establish policies/procedures for contingency plans, data backup, disaster recovery, etc.
Develop processes to perform periodic evaluations of security processes.
Include security requirements in appropriate contracts.
Technical Safeguards
The HIPAA Security Rule requires a covered entity to implement technology, policies and procedures to properly address:
Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
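As an added example (not MSHA's code), one electronic measure that satisfies the integrity control above for stored ePHI: each record is sealed with an HMAC-SHA256 tag over a canonical JSON serialization, and a verifier rejects any record whose content changed, whose tag is missing, or whose tag was produced under a different key. Because the tag is keyed, someone who can rewrite rows in the database but does not hold the key cannot produce a valid tag for an altered record, which is what separates this from an unkeyed checksum. The key, the record and its field names are constructed for the illustration.

```python
"""Keyed integrity tags for stored ePHI records (added example, not MSHA's code)."""
import hashlib
import hmac
import json

# Constructed demo key. In practice the key lives in a secrets store or HSM,
# is never checked into code, and is not readable by database users.
DEMO_KEY = b"replace-me-with-a-32-byte-random-secret"

# Constructed sample record; fictitious values.
SAMPLE_RECORD = {
    "mrn": "MRN0012345",
    "diagnosis": "Type 2 diabetes mellitus",
    "allergies": ["penicillin"],
}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so key order and whitespace cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def compute_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical form, hex-encoded for storage beside the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record: dict, key: bytes) -> dict:
    """Attach an integrity tag to a record before it is written to storage."""
    return {"record": record, "tag": compute_tag(record, key)}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the record is unchanged since sealing and the tag was made with this key."""
    tag = sealed.get("tag")
    record = sealed.get("record")
    if not isinstance(tag, str) or not isinstance(record, dict):
        return False  # a missing or malformed tag is a failure, never a pass
    expected = compute_tag(record, key)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def failed_records(store: list, key: bytes) -> list:
    """Positions of records whose integrity check fails, for review and alerting."""
    return [i for i, sealed in enumerate(store) if not verify(sealed, key)]


if __name__ == "__main__":
    stored = seal(SAMPLE_RECORD, DEMO_KEY)
    print("fresh record verifies:", verify(stored, DEMO_KEY))
    altered = {"record": dict(stored["record"], diagnosis="No significant findings"), "tag": stored["tag"]}
    print("altered record verifies:", verify(altered, DEMO_KEY))
    print("failing positions:", failed_records([stored, altered], DEMO_KEY))
```

A periodic sweep with `failed_records` is the kind of system activity review the administrative safeguards call for; a failure should raise an incident, not be silently repaired by re-sealing.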
Technical Safeguards
General safeguards at MSHA:
Implement policies and procedures to allow access only to those who have the right to such access.
This includes assigning each user a unique user ID and password for identifying and tracking user identity.
Implement mechanisms that record system activity (audit logs).
Implement processes to protect electronic PHI against improper alteration or destruction.
To protect the security of usernames and passwords, MSHA users should not use their MSHA password on any personal sites.
This helps to minimize exposure to unauthorized third-party access to your account if a personal site is breached.
Technical Safeguards
Use of Personal Devices
Use of personal devices to access work applications and work files is
not recommended.
When a personal device is used to access work applications or work
files, the workforce member is responsible for ensuring that the
device has an up-to-date operating system and anti-virus and
anti-malware software.
Remote Access
Access to MSHA computer systems is limited to workforce members
who have an appropriate work reason and requires approval by appropriate
MSHA leaders.
Workforce members with remote access are responsible for complying
with all MSHA HIPAA Privacy and Security policies.
Students generally are not granted remote access.
Passwords
Passwords are considered a technical safeguard.
You are responsible for your user ID and passwords and will be held
accountable for any access or actions taken using your login ID.
Do not share your password.
Do not leave a computer you are logged on to unattended.
Do not let others access PHI while you are logged on to
the computer or application.
Do not use your MSHA password on any third party
websites.
** Review MSHA policy IM-900-004 Computer Access Codes
Management.**
MSHA Electronic Communication
MSHA has many ways of communicating electronically. It is the workforce
member's responsibility to keep PHI confidential.
Electronic Mail: Always use the secure e-mail method if you are sending patient information
to a non-MSHA email address.
Type [securemail] in the subject line. Never include patient
information in the subject line, even when sending the email to an
MSHA email address.
FAX: Verify all fax numbers before faxing any patient information.
Routinely check auto-fax numbers. Keep faxing to a minimum.
Use the approved MSHA fax cover sheet with disclaimer.
Lync: When using Lync, be thoughtful about what is presented and who the
recipient(s) may be.
Vocera: Be aware of your surroundings and comply with Vocera policies.
Safeguarding ePHI
The use of USB (flash, thumb, jump) drives and CDs is discouraged if
PHI is involved.
If your job duties require you to distribute or store ePHI
on any electronic media, per policy you must:
Obtain approval from your Director, IT Security, and
Compliance.
Encrypt and/or password-protect the media.
Laptop computers and other mobile devices that are used to
access ePHI should be encrypted.
Social Media and Recording PHI
Using social media to share patient information is prohibited per policy.
This includes media such as Facebook, Twitter, Instagram, etc.
Texting of patient information is prohibited unless:
an MSHA-approved secure texting method is used, and
the department leader has approved the operational process for
texting.
Photography or video recording of patients requires an IT-approved secure
solution and must have department head approval.
The use of personal equipment, including cellular phone cameras, to
photograph patients is prohibited per policy.
**Review P&P HR-200-117 Conduct of MSHA Using Social Media **
Phishing/Spear Phishing/Malware
Phishing Emails
Phishing is the attempt to acquire sensitive information such as
usernames and passwords by posing as a trustworthy sender.
More targeted versions of these attacks are called “spear-phishing”.
Spear-phishing attacks can capture financial data, even credit card
details, by masquerading as a trusted person (CEO, CFO, COO,
etc.) in emails, and may also contain links to websites that
serve various forms of malware, including ransomware.
If you receive a suspicious email, do not click on any embedded
link in the message and promptly report it to the IS Help Desk.
Steps to Avoid Ransomware
Do not reply to or visit any websites within any unexpected
e-mail (especially from an unfamiliar sender).
Hold the pointer over any link to see the real website it is
connected to before clicking on a link.
Limit any web browsing and use to official business
websites only.
If the text within an e-mail requires or has pressure to
conduct immediate action by the user, it is likely fraudulent.
Never reset a password from an unsolicited e-mail link. If
you receive an e-mail that tells you to do so, visit the known
primary site directly.
Never use the same password for your work and personal
log-ins.
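As an added example (not MSHA's tooling), the "hold the pointer over the link" check from the list above, automated over an HTML e-mail body in Python. An anchor is flagged when its visible text shows one domain but the href points to another, when the real host is a bare IP address, or when the trusted domain appears somewhere in the link while the real host is not under it. The trusted domain is the MSHA web address given in this document; the message is constructed, and 203.0.113.7 and example.net are reserved documentation addresses, not real attackers.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not MSHA's tooling)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "mountainstateshealth.com"  # the MSHA domain from this document

# Constructed sample message: one legitimate link and two deceptive ones.
SAMPLE_EMAIL = """
<p>URGENT: your mailbox is over quota and will be locked in 2 hours.</p>
<p><a href="https://mountainstateshealth.com/notice-privacy-practices">mountainstateshealth.com/notice-privacy-practices</a></p>
<p><a href="http://login.mountainstateshealth.com.example.net/reset">https://mountainstateshealth.com/reset</a></p>
<p><a href="http://203.0.113.7/owa">Reset your password</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain or URL that the reader sees in the link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
IPV4_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, trusted_domain: str) -> list:
    """Return [(href, [reasons])] for links a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and host_of(shown.group(1)) != host:
            reasons.append(f"text shows {host_of(shown.group(1))} but link goes to {host}")
        if IPV4_HOST.fullmatch(host):
            reasons.append("link host is a bare IP address")
        if trusted_domain in href.lower() and not under_domain(host, trusted_domain):
            reasons.append(f"{trusted_domain} appears in the link but the host is {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The third check matters because "mountainstateshealth.com" sitting inside a longer hostname or path is exactly the lure a hover reveals; the legitimate notice-of-privacy-practices link passes all three checks, while the other two are reported with their reasons.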
Physical Safeguards
Facility Access and Control: A covered entity must limit physical
access to its facilities while ensuring that authorized access is
allowed.
Workstation and Device Security: A covered entity must implement
policies and procedures to:
Specify proper use of and access to workstations and electronic
media.
Govern the transfer, removal, disposal, and re-use of
electronic media, to ensure appropriate protection of electronic
protected health information (e-PHI).
In general, these safeguards require MSHA to protect electronic
information systems and related buildings and equipment from
natural and environmental hazards and unauthorized intrusion.
Physical Safeguards (continued)
Measures, policies and procedures to protect electronic
information systems and related buildings and equipment
from natural and environmental hazards and unauthorized
intrusion.
In general, these safeguards require MSHA to:
Implement policies and procedures to control access to
systems and facilities housing electronic PHI.
Implement policies and procedures to ensure facility
security and appropriate functioning of workstations.
Implement policies and procedures that govern controls
for devices and media.
Physical Safeguards (continued)
Protected Health Information (PHI) originals or copies should not be
taken outside of the organization without MSHA approval.
This includes reports, lists, census, emails, Excel and Word files,
etc. that contain PHI.
PHI that is taken outside of any MSHA covered entity as part of an
approved and valid health care operational reason should follow the
physical safeguards in the MSHA policy on External Transport of Patient
Information.
Patient information (including screenshots that contain only a patient’s
name) should not be used in presentations.
**Review P&P IM-900-009 External Transport of Patient Information**
**Review P&P IM-900-020 Removal of Medical Records**
Software and Vendor Services
The installation of software or hardware is prohibited without
approval by the MSHA IS Dept.
Requests must be submitted per MSHA IT guidelines and are
subject to approval criteria.
New applications that will access, use, or collect PHI, or use the
internet, must go through the organization's review and approval
process (i.e. ETAF) prior to initiating the purchase.
Utilization of a vendor to provide a software solution or staffing
resource requires:
Financial review/approval
ETAF review and approval
Contract development and possibly a business associate
agreement.
Reporting Security Incidents or Concerns
Report loss of any MSHA-owned or MSHA-managed device.
Report loss of any personal device which may contain any
patient information.
Immediately notify the MSHA IS Help Desk or MSHA Corporate
Audit and Compliance Services Dept (CACS).
Examples of devices that may contain PHI are:
Computers (laptops, netbooks, iPads, desktops, etc.)
CDs, USB flash drives, thumb drives, jump drives
Hard drives
Cell phones used for work
**Review P&P IM-900-026 Reporting Potential or Actual
Breaches of Patient Protected Health Information **
What Can you do?
A few ways to protect patient information:
Access, use or disclose patient information only if involved in the
care of the patient. Never share passwords, and log off or lock computers when
away!
BE ALERT to verbal discussions and surroundings. Make other
team members aware if you are hearing conversations that
should not be heard.
Provide privacy for patients during discussions; including asking
others to leave the room if necessary.
Be aware of access to patient information such as printouts,
computer screens, reports, etc.
Appropriately secure patient records when not in use.
Patient information should be placed in confidential shred-it
containers when discarding.
Be knowledgeable with MSHA policies, procedures and practices
relating to patient information.
Summary
This course has provided an abbreviated overview of the
HIPAA:
Privacy Rule
Security Rule
HITECH
Principles practiced throughout MSHA.
All patient information, whether it is verbal, written or in any
computer system should be securely maintained for
confidentiality.
Everyone who comes into contact with patient information is
responsible for ensuring compliance with HIPAA.
Remember the “Need to Know” rule. Only access information
that you have a need to know to do your job.
Sanctions are applied for violation of privacy/security
regulations and organization policies.
Who to Contact for Questions?
• Research Department 423-431-5647
• HIPAA Compliance Office 1-855-383-3401
Note: For purpose of research: Proof of completion of HIPAA
training will be required at the time of IRB & MSHA administrative
approval request submission. ETSU and MSHA employees may
complete an organizational HIPAA training(s).
Almost finished….
Please close this window. Print the HIPAA training confirmation letter, sign it, and submit it to 423-431-5685 (fax) or e-mail to [email protected]