HIPAA Privacy & Security Training: Privacy and Security of Protected Health Information

Course Competencies
This training module addresses the essential elements of maintaining the HIPAA Privacy and Security of sensitive information and protected health information (PHI) within The Orthopaedic & Fracture Clinic.
During this course you will learn:
About the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules;
How to recognize situations in which confidential and protected health information can be mishandled;
About practical ways to protect the privacy and security of PHI;
And that employees will be held responsible if they improperly handle confidential or protected health information.

Understanding Provider Responsibilities Under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information and give patients an array of rights with respect to that information. This suite of regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information; and the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI).
Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers have responsibilities for safeguarding the information by meeting the requirements of the Rules.

Why Do Privacy and Security Matter?
To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual’s health information is private and secure.
When patients trust you and health information technology enough to share their health information, you will have a more complete picture of patients’ overall health.
In addition, when breaches of health information occur, they can have serious consequences for your organization, including reputational and financial harm or harm to your patients.
Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of successful cyber-attack.

The HIPAA Privacy Rule
The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.
The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Informing Patients about How We Use or Disclose Their Health Information
A Covered Entity (CE) must post and distribute a Notice of Privacy Practices (NPP).
The notice must describe the ways in which the CE may use and disclose PHI.
The notice must state the CE’s duties to protect privacy, provide an NPP, and abide by the terms of the current notice.
The notice must describe individuals’ rights, including the right to complain to the U.S. Department of Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated.
The notice must include a point of contact for further information and for making complaints to the CE.
When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA Release of Information authorization/consent form. The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.

HIPAA Permitted Disclosures of PHI:
Disclosure to the individual/personal representative (parent/guardian)
Disclosure for treatment, payment, and health care operations
Disclosures required by state or federal law
Disclosures to Business Associates
Disclosures as authorized by the patient
Disclosure to family/friends when authorized by the patient or when it is in the best interest of the patient
Public Health Activities:
  To a public health authority
  To report child abuse/neglect
  To the FDA
Law Enforcement Purposes
Abuse, Neglect, and Domestic Violence
Judicial and Administrative Proceedings
If you are unsure whether a disclosure is permitted, talk to the Compliance Officer or Privacy Officer.

HIPAA Incidental Disclosures:
Incidental uses and disclosures are defined as secondary uses or disclosures that:
Are permitted by HIPAA;
Cannot be reasonably prevented;
Are limited in nature;
Occur as a by-product of an otherwise permissible use or disclosure;
And occur while reasonable safeguards and Minimum Necessary Standards are in place.
Example: A doctor can confer at a nurse’s station without violating the rule if overheard by a passerby, provided reasonable safeguards and appropriate minimum necessary standards are in place.

Minimum Necessary Standard
PHI should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
The Minimum Necessary Standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
The Minimum Necessary Standard does not apply to the following:
Disclosures to or requests made by a healthcare provider for treatment purposes
Uses and disclosures by or to a patient for their own PHI
Disclosures made under a valid authorization
Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

Patients’ Rights and Your Responsibilities
As a health care provider, you have responsibilities to patients under the HIPAA Privacy Rule, including responding to their requests for:
Access;
Amendments;
Accounting of disclosures;
Restrictions on uses and disclosures of their health information;
And confidential communications.

HIPAA Privacy Rule Safeguards
Close doors when discussing treatment & procedures
Avoid discussion about individuals in public places
Secure storage and transportation of PHI
Keep posted or written information away from public access
Do not leave detailed voice messages unless approved by the individual

The HIPAA Security Rule
The Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit.
The Security Rule concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI.
Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity means that data or information has not been altered or destroyed in an unauthorized manner.
Availability means that data or information is accessible and usable upon demand only by an authorized person.
These Security Rule safeguards can help health care providers avoid some of the common security gaps that could lead to cyber-attack intrusions and data loss.
Safeguards can protect the people, information, technology, and facilities that health care providers depend on to carry out their primary mission: caring for their patients.

The Threat of Cyber Attacks
Cybersecurity refers to ways to prevent, detect, and respond to attacks against, or unauthorized access to, a computer system and its information.
It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, and your practice operations, and of course to comply with the HIPAA Security Rule.
The following slides will review common security threats and ways to mitigate these threats.

Viruses
A computer virus is a major threat to the information system.
Viruses “infect” your computer by modifying how it operates and, in many cases, destroying data.
Viruses spread to other machines by the actions of users, such as opening infected email attachments.
Viruses can forward PHI to unauthorized persons by attaching themselves to documents, which are then emailed by the virus.

Worms
Worms are programs that can:
Run independently without user action;
Spread complete working versions of themselves onto other computers on a network within seconds;
And quickly overwhelm computer resources, with the potential for data destruction as well as unauthorized disclosure of sensitive information.

Spam and Phishing
Spam is an unsolicited or “junk” electronic mail message, regardless of content.
Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material, or “scams.”
Spam also clogs email systems.
Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords.

Mitigating Cyber Threats
Be skeptical about emails!
Look at the email address: who sent it?
Take notice of the subject line: is it what you were expecting?
Most phishing emails try to trick you into clicking the link or button in the email.
If you question an email, please contact IT.
Thumb drives and removable memory: both of these can be dangerous.
OFC policy states you are not allowed to bring in any personal or unauthorized software.
Viruses can travel from PC to PC with this kind of media.
Even if you believe the drive is safe, these viruses hide, and you will unknowingly infect your PC and the network.
If you need a drive for a project, please see IT.
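The three checks on the slide (who really sent it, is the subject what you expected, where does the link actually go) can be turned into a triage helper that an IT team runs over a reported message before a user clicks anything. The following is an added example written for this page; it is not the clinic's tooling. The sample message is constructed, the domains ending in .test are placeholders, and TRUSTED_DOMAINS is an assumption about which mail domains belong to the organization.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the clinic's own mail domain(s).
TRUSTED_DOMAINS = {"example-clinic.test"}

# Constructed sample message (not a real email): the display name claims to be
# the clinic helpdesk, replies go to a third domain, and the link's visible
# text does not match where the link actually points.
SAMPLE_EMAIL = """\
From: "OFC IT Helpdesk" <helpdesk@mail-login-verify.test>
Reply-To: collect@another-domain.test
To: staff@example-clinic.test
Subject: Urgent: your password expires today
Content-Type: text/html

<html><body>
<p>Sign in now to keep access to the EHR:</p>
<a href="http://portal.mail-login-verify.test/reset">https://portal.example-clinic.test/reset</a>
</body></html>
"""

PRESSURE_WORDS = re.compile(r"\b(urgent|expires?|suspend(ed)?|verify|immediately)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mail_domain(address):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    """Hostname of a URL; bare hostnames without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage_email(raw):
    """Return a list of findings (strings) for the raw message; empty means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    # 1. Who sent it? Judge by the mailbox domain, not the display name.
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = mail_domain(sender)
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"From domain {sender_domain!r} is not trusted (display name {display!r})")

    # 2. Would a reply go somewhere other than the sender?
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and mail_domain(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {mail_domain(reply_to)!r} differs from From domain")

    # 3. Is the subject what you were expecting, or is it applying pressure?
    subject = msg.get("Subject", "")
    if PRESSURE_WORDS.search(subject):
        findings.append(f"subject applies pressure: {subject!r}")

    # 4. Does the link text say one place while the href goes to another?
    if not msg.is_multipart():
        collector = LinkCollector()
        collector.feed(msg.get_payload())
        for href, text in collector.links:
            if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)!r} but points to {host_of(href)!r}")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Each finding maps to one line of the slide's advice; a message with no findings is not proven safe, it has simply passed these four checks, so the slide's last instruction (contact IT if in doubt) still applies.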

Email and Texting
Increased online access and great demand by consumers for near real-time communications have increased the threat of impermissible uses or disclosures.
The Security Rule requires that when you send ePHI, you send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient.
If you use email or text, you should be careful to use a communications mechanism that allows you to implement the appropriate Security Rule safeguards, such as an email system that encrypts messages or requires a login.

HIPAA Security Rule Safeguards
Turn computer monitors away from the view of others, minimize when not in use, or use a privacy screen
Do not disclose usernames or passwords
Passwords should never be posted near the workstation
Never copy files containing PHI to a laptop or mobile device
PHI should never be stored on a C: drive
Log off when leaving your workstation
Employee access audits throughout the year
Encryption of:
  Laptops
  Desktops
  Phones
If something is not encrypted, use extreme caution!

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements
Covered Entities (CEs) and Business Associates (BAs) that fail to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules can receive civil and criminal penalties.
Your good faith effort to be in compliance with the HIPAA Rules is essential.

The Breach Notification Rule: What to Do If You Have a Breach
A breach is, generally, an impermissible use or disclosure under the HIPAA Rule that compromises the security or privacy of PHI.
When a breach of unsecured PHI occurs, the Rules require your practice to notify affected individuals, the Secretary of HHS, and, in some cases, the media.
If you can demonstrate through a risk assessment that there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary.

Employee Responsibilities
The first line of defense in data security is the OFC employee.
Employees are responsible for the security of all data which may come to them in whatever format.
Avoid storing sensitive information on your C: drive.
Access information only as necessary for your authorized job responsibilities.
Keep your passwords confidential.
Comply with the HIPAA Security and Privacy policies.
Report promptly to OFC’s Privacy Officer or Compliance Officer any concerns regarding unauthorized disclosure of PHI or other Sensitive Information.

Common HIPAA Rule Issues:
It is never acceptable for an employee to look at PHI “just out of curiosity,” even if no harm is intended (e.g., retrieving an address to send a ‘get well’ card).
Remember the Minimum Necessary Standard: what patient information do you need to access in order to do your job?
Unauthorized access is a prohibited practice:
Do not access family and friends’ PHI unless authorized
Do not access co-workers’ PHI unless authorized
Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
Accessing or reviewing ANY patient’s record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
Accessing or reviewing confidential information of another employee who is also an OFC patient, without a permissible purpose, is unauthorized access of PHI.
HIPAA employee sanctions will be followed.

Employee Sanctions Under HIPAA
A CE is required by law to sanction employees who violate the HIPAA Privacy & Security Rules.
Any violations of HIPAA will be handled under the CE’s discipline policy, similar to other employee discipline issues.
An employee who breaches the HIPAA Privacy or Security Rule Policy is subject to formal disciplinary action, up to and including termination.

HIPAA Privacy & Security Audits
OFC audits all employees.
Please be diligent in accessing only records you are authorized to access.
This means only accessing a patient’s PHI that is needed for your job function.
As an employee of a CE, your conduct will at all times be compliant with HIPAA.
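The audit slide and the "Common HIPAA Rule Issues" slide together define what an access audit has to find: chart access by someone with no permissible purpose, with access to a co-worker's record called out explicitly. The following added example shows how such a review can be run over an EHR access log; it is written for this page and is not the clinic's audit tooling. The staff roster, encounter list, log lines and the 30-day window that counts an encounter as a documented treatment relationship are all constructed assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Assumption for this example: an encounter justifies chart access for this many days around it.
RELATIONSHIP_WINDOW = timedelta(days=30)

# Constructed staff roster: user id -> that employee's own patient id if they are also a patient.
STAFF = {"jdoe": "P-1001", "msmith": None, "rlee": "P-1003"}

# Constructed encounters: (patient id, staff member on the care team, encounter date).
ENCOUNTERS = [
    ("P-2001", "jdoe", "2024-03-04"),
    ("P-2001", "msmith", "2024-03-04"),
    ("P-2002", "rlee", "2024-03-10"),
    ("P-1003", "jdoe", "2024-03-12"),  # rlee, an employee, treated as a patient by jdoe
]

# Constructed EHR access log (CSV). Nothing here comes from a real system.
ACCESS_LOG = """\
timestamp,user,patient_id,action
2024-03-05T09:12:00,jdoe,P-2001,view_chart
2024-03-05T09:15:00,msmith,P-2001,view_chart
2024-03-11T14:02:00,rlee,P-2002,view_chart
2024-03-12T16:40:00,jdoe,P-1003,view_chart
2024-03-13T08:05:00,msmith,P-1003,view_demographics
2024-03-20T11:30:00,rlee,P-2001,view_chart
"""


def parse_timestamp(text):
    """Parse ISO-8601 timestamps and bare dates into datetime objects."""
    return datetime.fromisoformat(text)


def has_treatment_relationship(user, patient_id, when, encounters=ENCOUNTERS, window=RELATIONSHIP_WINDOW):
    """True if the user was on this patient's care team within the window around the access."""
    return any(
        pid == patient_id and staff == user and abs(when - parse_timestamp(date)) <= window
        for pid, staff, date in encounters
    )


def review_access_log(log_text, staff=STAFF, encounters=ENCOUNTERS):
    """Return (timestamp, user, patient_id, reason) for every access with no documented purpose.

    Accesses to a co-worker's record are labelled separately because the training
    calls them out explicitly; a documented encounter still clears them.
    """
    employee_patients = {pid: uid for uid, pid in staff.items() if pid}
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        when = parse_timestamp(row["timestamp"])
        if has_treatment_relationship(user, pid, when, encounters):
            continue
        if pid in employee_patients:
            reason = f"co-worker record (employee {employee_patients[pid]}) accessed without a documented purpose"
        else:
            reason = "no documented treatment relationship"
        findings.append((row["timestamp"], user, pid, reason))
    return findings


if __name__ == "__main__":
    for ts, user, pid, reason in review_access_log(ACCESS_LOG):
        print(f"{ts} {user} -> {pid}: {reason}")
```

On the constructed log the review clears jdoe's access to the co-worker's chart (there is a documented encounter) but flags msmith's look at the same record and rlee's access to a patient rlee never treated. A real audit would feed each finding to the Privacy Officer for follow-up rather than treating it as proof of a violation, since some permissible purposes (payment, operations, a valid authorization) are not visible in an encounter list.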

HIPAA Privacy & Security Rule Questions:
If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact:
Privacy Officer (Bobbi Nawrocki) 386-6689 ( [email protected] )
Compliance Officer (Julie Morgan) 386-6651 ( [email protected] )
IT Director (Brad Nawrocki) 386-6593 ( [email protected] )