
HIPAA 101 Basic Privacy and Security HIPAA Training






Presentation Transcript


  1. HIPAA 101 Basic Privacy and Security HIPAA Training

  2. This HIPAA Training Program will help you understand:
  • What is HIPAA?
  • How does HIPAA affect you and your job?
  • Where can you get help with HIPAA?
  • How you can protect CCSC patients’ confidential and sensitive information, and your own personal information, in any format
  • How to understand the risks when using and storing electronic information
  • How to reduce those risks

  3. What Is the Health Insurance Portability and Accountability Act (HIPAA)? HIPAA is a Federal law enacted to:
  • Protect the privacy of a patient’s personal and health information.
  • Provide for the physical and electronic security of personal health information.
  • Simplify billing and other transactions with standardized code sets and transactions.
  • Specify new rights of patients to approve access to and use of their medical information.

  4. Do the HIPAA laws apply to you? The Health Insurance Portability & Accountability Act (HIPAA) requires that CCSC train all members of its workforce about the Clinic’s HIPAA Policies and the specific procedures required by HIPAA that may affect the work you do for the CCSC.

  5. What are the HIPAA requirements?
  • To protect the privacy and security of an individual’s Protected Health Information (PHI)
  • To require the use of the “minimum necessary”
  • To extend the rights of individuals over the use of their protected health information

  6. What Patient Information Must We Protect? We must protect an individual’s personal and health information that…
  • Is created, received, or maintained by a health care provider or health plan
  • Is written, spoken, or electronic
  • And includes at least one of the 18 personal identifiers in association with health information
  Health Information with identifiers = Protected Health Information (PHI)

  7. Examples of Protected Health Information (PHI, ePHI)
  • Name, address, birth date, phone and fax numbers, e-mail address, social security number, and other unique numbers
  • Billing records, claim data, referral authorizations
  • Medical records, diagnoses, treatments, x-rays, photos, prescriptions, laboratory and any other test results
  • Research records
  • Any health information from which the patient can be identified
  • All formats, including verbal, written, electronic

  8. HIPAA specifically allows the clinic to create, use, and share a person’s protected health information for healthcare operations such as:
  • Treatment
  • Payment
  • Operations, including teaching, medical staff activities, disclosures required by law, and governmental reporting
  But only if CCSC ensures that each patient receives a copy of the CCSC Notice of Privacy Practices.

  9. In order for a CCSC healthcare provider to use or disclose PHI:
  • The Clinic must give each patient a Notice of Privacy Practices that:
    • Describes how the Clinic may use and disclose the patient’s protected health information (PHI), and
    • Advises the patient of his/her privacy rights
  • The Clinic must attempt to obtain a patient’s signature acknowledging receipt of the Notice, EXCEPT in emergency situations. If a signature is not obtained, the Clinic must document the reason it was not.

  10. But, for purposes other than treatment, payment, and operations… the clinic must obtain authorization and use only the minimum necessary:
  • Patient Authorization - allows CCSC to disclose information for other purposes (§164.508)
  • Minimum necessary applies to all uses and disclosures (§164.502(b), §164.514(d))

  11. With all of the State and Federal laws, what patient information must be protected? Keep it simple: all personal and health information that exists for every individual in any form:
  • Written
  • Spoken
  • Electronic
  This includes HIPAA protected health information and confidential information under State laws. 3/6/03

  12. To the patient, it’s all confidential information:
  • Patient Personal Information
  • Patient Financial Information
  • Patient Medical Information
  • Written, Spoken, Electronic PHI

  13. Why Me? I do not provide patient care… do I need training? I do not use or have contact with patient health or financial information… do I need training? And… isn’t this just an IT problem?

  14. Who Uses PHI at CCSC?
  • Anyone who works with or may see health, financial, or confidential information with HIPAA PHI identifiers
  • Everyone who uses a computer or electronic device which stores and/or transmits information
  • Such as:
    • CCSC employees
    • CCSC volunteers
    • CCSC students who work with patients
    • CCSC board members
  • Almost everyone – at one time or another!

  15. Why is protecting privacy and security important?
  • We all want our privacy protected!
  • It’s the right thing to do!
  • HIPAA and Ohio laws require us to protect a person’s privacy!
  • CCSC requires everyone to follow the Clinic’s privacy and security policies!

  16. When should you:
  • Look at PHI?
  • Use PHI?
  • Share PHI?

  17. HIPAA Scenario #1: I volunteer at the reception desk of CCSC. A friend of mine asks me if I know any of the patients coming to the clinic. Should you give your friend this information?

  18. HIPAA Scenario #2: I am a file clerk. While opening lab reports, I saw my friend’s daughter’s pregnancy test results. Her pregnancy test was positive! That night at a holiday party, I saw her and her mother, and congratulated her on her pregnancy. Later I heard that my friend did not know about the pregnancy. I was the first person to tell her! Did I do the right thing?

  19. Ask yourself these questions —
  • Did you need to read the lab results to do your job?
  • Is it your job to provide a patient’s mother with her health information—even if the individual is a friend or fellow employee?
  • Is it your job to let other people know an individual’s test results?
  • How would you feel if this had happened to you?
  Do not look at, read, use, or tell others about an individual’s information (PHI) unless it is a part of your job.

  20. Remember —
  • Use only if necessary to perform job duties
  • Use the minimum necessary to perform your job
  • Follow CCSC policies and procedures for information confidentiality and security (see the Notice of Privacy Practices)

  21. HIPAA Violations Can Carry Penalties --
  • Criminal Penalties
    • $50,000 - $250,000 fines
    • Jail terms up to 10 years
  • Civil Monetary Penalties
    • $100 - $25,000/yr fines
    • More $ if multiple-year violations
  • Fines & Penalties – Violation of State Law

  22. How Can You Protect Patient Information: PHI / ePHI / Confidential
  • Verbal Awareness
  • Written Paper / Hard Copy Protections
  • Safe Computing Skills
  • Reporting Suspected Security Incidents

  23. Patients can be concerned about…
  • Being asked to state out loud certain types of confidential or personal information
  • Overhearing conversations about PHI by staff performing their job duties
  • Being asked about their private information in a “loud voice” in public areas, e.g.
    • In clinics, waiting rooms, service areas
    • In hallways, in elevators, on shuttles, on streets

  24. Protecting Privacy: Verbal Exchanges
  • Patients may see normal clinical operations as violating their privacy (incidental disclosure)
  • Ask yourself: “What if it were my information being discussed in this place or in this manner?”

  25. Incidental disclosures and HIPAA
  • “Incidental”: a use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. (§164.502(c)(1)(iii))
  • Example: calling out a patient’s name in the waiting room; sign-in sheets in the clinic.

  26. Incidental disclosures and HIPAA
  • Incidental uses and disclosures are permitted, so long as reasonable safeguards are used to protect PHI and minimum necessary standards are applied.
  • Commonly misunderstood by patients!

  27. Information can be lost…
  • Physically lost…
    • Paper copies, films, tapes, devices
    • Lost anywhere at any time: streets, restrooms, shuttles, coffee houses, left on top of the car when driving away from UCSF…
  • Misdirected to the outside world…
    • Mislabeled mail, wrong fax number, wrong phone number
    • Wrong email address, misplaced on the UCSF intranet
    • Not using secured email
  • Verbal release of information without patient approval

  28. We need to protect the entire lifecycle of information
  • Intake/creation of PHI
  • Storage of PHI
  • Destruction of PHI
  • For any format of PHI

  29. Do you know where you left your paperwork?

  30. Shredding bins work best when papers are put inside the bins. If it’s outside the bin, it’s…
  • Daily gossip
  • Daily trash
  • Public

  31. Information can also be lost or stolen electronically
  • Lost/stolen laptops, PDAs, cell phones
  • Lost/stolen zip disks, CDs, floppies
  • Unprotected systems that were hacked
  • Email sent to the wrong address or wrong person (faxes have the same issues)
  • User not logged off of the system

  32. Be aware that ePHI is everywhere

  33. “10” Good Computer Security Practices for protecting restricted data

  34. “Good Computing Practices” – 10 Safeguards for Users
  • Passwords
  • Lock Your Screen
  • Workstation Security
  • Portable Device Data Management
  • Anti Virus
  • Computer Security
  • Email
  • Safe Internet Use
  • Reporting Security Incidents / Breach

  35. Good Computing Practices #1: Passwords. Use cryptic passwords that can’t be easily guessed, and protect your passwords - don’t write them down and don’t share them!

  36. Good Computing Practices #2: Workstation Security. Physically secure your area and data when unattended.
  • Secure your files and portable equipment, including memory sticks.
  • Secure laptop computers with a lockdown cable.
  • Never share your access code, card, or key (e.g. Axiom card).

  37. Good Computing Practices #3: Computer Security. Don’t install unknown or unsolicited programs on your computer.

  38. Good Computing Practices #4: Safe Internet Use. Practice safe internet use.
  • Accessing any site on the internet could be tracked back to your name and location.
  • Accessing sites with questionable content often results in spam or the release of viruses.
  • And it bears repeating… Don’t download unknown or unsolicited programs!

  39. Good Computing Practices #5: Reporting Security Incidents / Breach. How to report security incidents or breaches: report lost or stolen laptops, BlackBerries, PDAs, cell phones, flash drives, etc. Loss or theft of any computing device MUST be reported immediately to the CCSC executive director.

  40. Good Computing Practices #6: Reporting Security Incidents / Breach, cont’d…
  • Immediately report anything unusual, suspected security incidents, or breaches to the executive director.
  • This also goes for loss/theft of PHI in hardcopy format (paper, films, etc.).

  41. HIPAA Security Reminders
  • Send email securely
  • Password required – password protect your computer
  • Run anti-virus, anti-spam, and anti-spyware software
  • Keep disks locked up
  • Keep office secured

  42. THANK YOU! THANKS FOR VOLUNTEERING AND ALSO FOR COMPLETING THE CCSC HIPAA TRAINING. PLEASE SIGN THE ACKNOWLEDGEMENT OF COMPLETION AND RETURN TO TERESA DITMER.
