This reminder provides important information about HIPAA compliance for covered entities, including types of protected health information and encryption requirements for emails containing PHI.
Covered Entity
A covered entity can be any of the following:
• A health care provider who transmits any health information electronically in connection with standard financial or administrative transactions;
• A health plan;
• A health care clearinghouse; or
• A Medicare Prescription Drug Plan sponsor.
All covered entities must comply with HIPAA. DMAS, as a health plan, is a covered entity.
March 22, 2019
Types of Protected Health Information (PHI)
Post this reminder near your computer
Any email that contains or includes protected health information (PHI) MUST be sent using encryption. To encrypt an email, use the “Virtru” secure email button in Gmail. If you are missing the “Virtru” button, contact the VITA Customer Care Center (VCCC) at: 866-637-8482 or vccc@vita.virginia.gov
REPORTING A SUSPECTED PRIVACY ISSUE: To report a suspected privacy issue, ask staff in the Office of Compliance and Security for the Privacy Investigation Reporting Form. Complete and submit it to the HIPAAprivacy@dmas.virginia.gov mailbox. The form will be reviewed by the DMAS Privacy Officer, with follow-up as needed to determine if a “breach” occurred or not. Remember, under the 2013 HIPAA Omnibus Rules, an issue is considered a “breach” until it is determined through a formal 4-step risk assessment that it is not. If you need more information, please see the form itself.