HIPAA 101 Basic Privacy and Security HIPAA Training

DESCRIPTION

HIPAA 101 Basic Privacy and Security HIPAA Training. This HIPAA Training Program will help you understand: What is HIPAA? How does HIPAA affect you and your job? Where can you get help with HIPAA? (PowerPoint PPT Presentation)

Page 1: HIPAA 101 Basic Privacy and Security HIPAA Training

HIPAA 101 Basic Privacy and Security

HIPAA Training

Page 2

This HIPAA Training Program will help you understand:

• What is HIPAA?

• How does HIPAA affect you and your job?

• Where can you get help with HIPAA?

• How you can protect CCSC patients’ confidential and sensitive information and your own personal information in any format

• How to understand the risks when using and storing electronic information

• How to reduce those risks

Page 3

What Is the Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA is a Federal law enacted to:

Protect the privacy of a patient’s personal and health information.

Provide for the physical and electronic security of personal health information.

Simplify billing and other transactions with Standardized Code Sets and Transactions.

Specify new rights of patients to approve access/use of their medical information.

Page 4

Do the HIPAA laws apply to you?

The Health Insurance Portability & Accountability Act (HIPAA) requires that CCSC train all members of its workforce about the Clinic’s HIPAA Policies and specific procedures required by HIPAA that may affect the work you do for the CCSC.

Page 5

What are the HIPAA requirements?

To protect the privacy and security of an individual’s Protected Health Information (PHI)

To require the use of the “minimum necessary”

To extend the rights of individuals over the use of their protected health information

Page 6

What Patient Information Must We Protect?

We must protect an individual’s personal and health information that…

• Is created, received, or maintained by a health care provider or health plan

• Is written, spoken, or electronic

• And, includes at least one of the 18 personal identifiers in association with health information

Health Information with identifiers = Protected Health Information (PHI)

Page 7

Examples of Protected Health Information (PHI, ePHI)

• Name, address, birth date, phone and fax numbers, e-mail address, social security numbers, and other unique numbers

• Billing records, claim data, referral authorizations

• Medical records, diagnosis, treatments, x-rays, photos, prescriptions, laboratory, and any other test results

• Research records

• Patient can be identified from health information

• All formats including verbal, written, electronic

Page 8

HIPAA specifically allows… the clinic to create, use, and share a person’s protected health information for healthcare operations such as:

• Treatment

• Payment

• Operations, including teaching, medical staff activities, disclosures required by law and governmental reporting

But only if CCSC ensures that each patient receives a copy of the CCSC

Page 9

In order for CCSC Healthcare Provider to use or disclose PHI

The Clinic must give each patient a Notice of Privacy Practices that:

• Describes how the Clinic may use and disclose the patient’s protected health information (PHI), and

• Advises the patient of his/her privacy rights

The Clinic must attempt to obtain a patient’s signature acknowledging receipt of the Notice, EXCEPT in emergency situations. If a signature is not obtained, the Clinic must document the reason it was not.

Page 10

But, for purposes other than treatment, payment, operations…

The clinic must obtain authorization and use only the minimum necessary:

• Patient Authorization - allows for CCSC to disclose information for other purposes (§164.508)

• Minimum necessary applies to all uses and disclosures (§164.502(b), §164.514(d))

Page 11

With All of the State and Federal Laws, what Patient Information Must Be Protected?

Keep it simple: All personal and health information that exists for every individual in any form:

Written

Spoken

Electronic

This includes HIPAA protected health information and confidential information under State laws.

3/6/03

Page 12

To the patient, it’s all confidential information

• Patient Personal Information

• Patient Financial Information

• Patient Medical Information

• Written, Spoken, Electronic PHI

Page 13

I do not provide Patient Care… do I Need Training?

I do not use or have contact with Patient health or financial information… do I Need Training?

And……

Isn’t this just an IT Problem?

Why Me?

Page 14

Who Uses PHI at CCSC?

Anyone who works with or may see health, financial, or confidential information with HIPAA PHI identifiers

Everyone who uses a computer or electronic device which stores and/or transmits information

Such as:

– CCSC employees

– CCSC Volunteers

– CCSC students who work with patients

– CCSC board members

– Almost Everyone – at one time or another!

Page 15

Why is protecting privacy and security important?

We all want our privacy protected! It’s the right thing to do! HIPAA and Ohio laws require us to protect a person’s privacy! CCSC requires everyone to follow the Clinic’s privacy and security policies!

Page 16

When should you:

– Look at PHI?

– Use PHI?

– Share PHI?

Page 17

HIPAA Scenario #1

I volunteer at the reception desk of CCSC. A friend of mine asks me if I know any of the patients coming to the clinic.

Should you give your friend this information?

Page 18

HIPAA Scenario #2

I am a file clerk. While opening lab reports, I saw my friend’s daughter’s pregnancy test results. Her pregnancy test was positive! That night at a holiday party, I saw her and her mother, and congratulated her on her pregnancy. Later I heard that my friend did not know about the pregnancy. I was the first person to tell her!

Did I do the right thing?

Page 19

Ask yourself these questions —

Did you need to read the lab results to do your job?

Is it your job to provide a patient’s mother with her health information—even if the individual is a friend or fellow employee?

Is it your job to let other people know an individual’s test results?

How would you feel if this had happened to you?

Do not look at, read, use or tell others about an individual’s information (PHI) unless it is a part of your job.

Page 20

Remember —

Use only if necessary to perform job duties

Use the minimum necessary to perform your job

Follow CCSC policies and procedures for information confidentiality and security. (See the Notice of Privacy Practices.)

Page 21

HIPAA Violations Can Carry Penalties

• Criminal Penalties

– $50,000 - $250,000 fines

– Jail terms up to 10 years

• Civil Monetary Penalties

– $100 - $25,000/yr fines

– more $ if multiple year violations

• Fines & Penalties – Violation of State Law

Page 22

How Can You Protect Patient Information: PHI / ePHI / Confidential

• Verbal Awareness

• Written Paper / Hard Copy Protections

• Safe Computing Skills

• Reporting Suspected Security Incidents

Page 23

Patients can be concerned about…

• Being asked to state out loud certain types of confidential or personal information

• Overhearing conversations about PHI by staff performing their job duties

• Being asked about their private information in a “loud voice” in public areas, e.g.

– In clinics, waiting rooms, service areas

– In hallways, in elevators, on shuttles, on streets

Page 24

Protecting Privacy: Verbal Exchanges

Patients may see normal clinical operations as violating their privacy (incidental disclosure)

Ask yourself: “What if it were my information being discussed in this place or in this manner?”

Page 25

Incidental disclosures and HIPAA

“Incidental”: a use or disclosure that cannot reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure. (§164.502(c)(1)(iii))

Example: calling out a patient’s name in the waiting room; sign in sheets in clinic.

Page 26

Incidental disclosures and HIPAA

Incidental uses and disclosures are permitted, so long as reasonable safeguards are used to protect PHI and minimum necessary standards are applied.

Commonly misunderstood by patients!

Page 27

Information can be lost…

Physically lost…

• Paper copies, films, tapes, devices

• Lost anywhere at any time - streets, restrooms, shuttles, coffee houses, left on top of car when driving away from UCSF…

Misdirected to outside world…

• Mislabeled mail, wrong fax number, wrong phone number

• Wrong email address, misplaced on UCSF intranet

• Not using secured email

• Verbal release of information without patient approval

Page 28

We need to protect the entire lifecycle of information

• Intake/creation of PHI

• Storage of PHI

• Destruction of PHI

• For any format of PHI

Page 29

Do you know where you left your paperwork?

Page 30

Shredding bins work best when papers are put inside the bins. If it’s outside the bin, it’s …

• Daily gossip

• Daily trash

• Public

Page 31

Information can also be lost or stolen electronically

• Lost/stolen laptops, PDAs, cell phones

• Lost/stolen zip disks, CDs, floppies

• Unprotected systems were hacked

• Email sent to the wrong address or wrong person (faxes have the same issues)

• User not logged off of system

Page 32

Be aware that ePHI is everywhere

Page 33

“10” Good Computer Security Practices for protecting restricted data

Page 34

“Good Computing Practices” 10 Safeguards for Users

1. Passwords

2. Lock Your Screen

3. Workstation Security

4. Portable Device

5. Data Management

6. Anti Virus

7. Computer Security

8. Email

9. Safe Internet Use

10. Reporting Security Incidents / Breach

Page 35

Good Computing Practices #1 Passwords

Use cryptic passwords that can’t be easily guessed and protect your passwords - don’t write them down and don’t share them!

Page 36

Good Computing Practices #2 Workstation Security

Physically secure your area and data when unattended

Secure your files and portable equipment - including memory sticks.

Secure laptop computers with a lockdown cable.

Never share your access code, card, or key (e.g. Axiom card)

Page 37

Good Computing Practices #3 Computer Security

Don’t install unknown or unsolicited programs on your computer.

Page 38

Good Computing Practices #4 Safe Internet Use

Accessing any site on the internet could be tracked back to your name and location.

Accessing sites with questionable content often results in spam or release of viruses.

And it bears repeating… Don’t download unknown or unsolicited programs!

Practice safe internet use

Page 39

Good Computing Practices #5 Reporting Security Incidents/Breach

How to Report Security Incidents/Breach?

Report lost or stolen laptops, blackberries, PDAs, cell phones, flash drives, etc…

Loss or theft of any computing device MUST be reported immediately to the CCSC executive director.

Page 40

Good Computing Practices #6 Reporting Security Incidents/Breach cont’d…

Immediately report anything unusual, suspected security incidents, or breaches to the executive director. This also goes for loss/theft of PHI in hardcopy format (paper, films etc).

Page 41

HIPAA Security Reminders

Password Required

Send Email Securely

Password protect your computer

Run Anti-virus & Anti-spam software, Anti-spyware

Keep disks locked up

Keep office secured

Page 42

THANK YOU!

THANKS FOR VOLUNTEERING AND ALSO FOR COMPLETING THE CCSC HIPAA TRAINING.

PLEASE SIGN THE ACKNOWLEDGEMENT OF COMPLETION AND RETURN TO TERESA DITMER.