Confidentiality Training City of Philadelphia Health and Human Services Personally Identifiable Information Training for the HHS Data Exchange Project

HIPAA Privacy Training Confidentiality...2018/07/26  · HIPAA Covered Records PHI includes PII coming from HIPAA-covered units: • Ambulatory Health Services • Public Health Laboratory


What is Health and Human Services (HHS)?

Office of the Deputy Managing Director for Health and Human Services

Department of Behavioral Health and Intellectual disAbility Services (DBHIDS)

Philadelphia Department of Public Health (PDPH)

Department of Human Services (DHS)

Office of Community Empowerment and Opportunity (CEO)

Office of Homeless Services (OHS)

Intro · Module 1 · Module 2 · Module 3 · Module 4

Agencies that can give and receive data.


What you will learn:

• Philosophy for sharing personally identifiable information (PII).

• Different types of PII.

• Approved methods for sharing PII.

• Practice procedures to safeguard PII.

• Consequences and penalties of misusing PII.


Overview of Training

• Module 1: Types of PII and Legal Requirements

• Module 2: Eligible PII and Submitting Project Descriptions

• Module 3: Administrative and Security Requirements

• Module 4: Conclusion


Module 1: Types of Personally Identifiable Information (PII) and their Legal Requirements

Types of PII:

1. Child Welfare Records

2. Homelessness Data

3. Public Health Registries and Vital Statistics

4. Pathology and Medical Examiner Case Files

5. Medical and Laboratory Patient Records

6. Health Plan Claims Data

7. Behavioral Health Treatment Records

8. Criminal and Juvenile Justice Information


Child Welfare Records: Child Protective Services Law (CPSL)

Purpose of Child Protective Services Law:

• Encourage reporting of child abuse.

• Establish procedures to investigate child abuse.

• Establish procedures to protect children.

• Provision of services for children’s well-being.

• Preserve, stabilize, and protect family life.


Child Welfare Records: Child Protective Services Law (CPSL)

Exceptions where HHS can share data:

• Multidisciplinary team members assigned to case.

• Providing voluntary or court-ordered services.

• Treating physician suspecting child abuse victim.

• City Mayor reviewing agency competence.

• Mandated reporter (limited types of information).


Child Welfare Records: Child Protective Services Law (CPSL)

Data Sharing for Department of Health Services:

• DHS can share with other agencies.

• Those agencies must serve DHS families.

• Those services must stabilize families.


Questions for Module 1

Jane is an OHS case worker who would like to request access to DHS information about her client. She may have access to this information if:

A) She is a multidisciplinary team member who thinks that having the data would help her better understand her clients.

B) She is a duly authorized person providing voluntary services and is curious about the client’s past.

C) She is a duly authorized person providing voluntary services and the data would be used for the purpose of stabilizing the family or preventing further abuse.


Homeless Management Information System (HMIS)

CHO may disclose homeless service data:

1. To provide or coordinate services.

2. To pay or reimburse for services.

3. For administrative functions.

4. To create de-identifiable PII.


Homeless Management Information System (HMIS)

OHS may disclose PII:

1. When required by law.

2. To prevent harm.

3. If victim of abuse, neglect or domestic violence.

4. For academic research.

5. For law enforcement purpose to law enforcement official.


Questions for Module 1

Tom is a case worker at OHS who wants to connect his client with behavioral health services at the shelter where the client is staying. He would want to send his name, address, and case notes about observed behavior. What is his next step?

A) Check if a project description for this work exists, and if not, complete a project description.

B) Ask Law to draft an MOU because this type of activity is not covered under the current agreement.

C) Do nothing. This type of data is not allowed to be shared.


Module 2: Public Health Registries and Vital Statistics

When to use Vital Statistics data:

• Reporting on improvement of birth outcomes.

• Needs assessment and program evaluation.

• Identifying high-risk or special-needs populations.

• Measuring intervention outcomes and securing funding.

• Developing an integrated data system.

Module 2: PII eligible for the Data Exchange Project and How to Submit Project Description


Immunization Data

Permitted uses of immunization data:

1. Assisting providers/social service agencies.

2. Preventing duplicate immunizations.

3. Providing documentation of patient immunization.

4. Helping schools determine student immunization status.

5. Providing third-party payments for immunizations (e.g. MCO).

6. Planning and evaluating public health functions.


HIPAA Covered Records

PHI includes PII coming from HIPAA-covered units:

• Ambulatory Health Services

• Public Health Laboratory

• STD Control Program

• Philadelphia Nursing Home

• Office of Behavioral Health and Intellectual disAbility Services

City HIPAA Privacy and Security Basics training

• https://dbhids.org/hipaa-privacy-and-security-basics-storyline-output/


Types of Personally Identifiable Information Eligible for the Data Exchange Project

Minimum Necessary Standards. Ask yourself:

• Do I need to know this information to do my job?

• Would de-identified data be sufficient?

• Why is this person requesting information?

• How much information do they need?


Questions for Module 2

When a provider requests PII from an HHS agency staff member or office, HHS agencies must verify that they are requesting only the minimum necessary amount of information. True or False?

True

False


What Personally Identifiable Information Am I Allowed to Share?

Agencies can share PII for two purposes:

1. Treatment and service planning.

2. Assist disclosing agency with policy, planning, and operations.


What Personally Identifiable Information Am I Allowed to Share?

Identifiable data not to share for treatment and service planning:

• Data from DBHIDS Outreach workers.

Identifiable data not to share for policy, planning, and operations:

• DHS data on households investigated but not receiving services.

• Mental health treatment data.

• HIV-related data.


What Personally Identifiable Information Am I Allowed to Share?

This data may never be shared:

• DHS reporter data.

• Drug and alcohol treatment information.

• Medical records.

• Clinical laboratory records.


Questions for Module 2

Which of the following activities is prohibited?

A) Sharing identifiable CEO tax data for treatment and service planning.

B) Sharing identifiable HIV-related data for treatment and service planning.

C) Sharing de-identified information on active DHS clients for policy, planning, and operations.

D) Sharing identifiable mental health treatment information for policy, planning, and operations.


How Do I Request and Receive Approval From a Sister Agency to Use Their Personally Identifiable Information?

Complete project description form to access PII:

• Summarize agency’s intended use.

• Define staff levels.


How Do I Request and Receive Approval From a Sister Agency to Use Their Personally Identifiable Information?

Executive director of sister agency approves form.

• Review happens within 5 days of submission.

• Contact James Moore for approval if longer.

• James Moore, Director of Data Management Office: [email protected]


Next Steps

• Contact Data Management Office to retrieve data -- Mark van Doren, [email protected]

• Record retention policy for each agency:

o DHS – 10 years

o PDPH – Medical Examiner’s Office, retained for 20 years.

o OHS – 7 years

o CEO – 7 years

o DBHIDS – 6 years


Project Description Form

The project description form:

I. General Information

II. Data Requested and Purpose for Data Sharing

III. Titles with Access to Data

IV. Cohort, Time Period, and Data Elements

V. Data Security

VI. Signature Certifying Approval


Project Description Form: Section I - General Information

Outline the basic parameters of your request.

Indicate if project is new or recurring.

• If new, delete data after project ends.

• If recurring, can maintain data afterwards.

• But must recertify project description biannually.


Project Description Form: Section I: General Information

• Next: name, title, and contact information.

• Project purpose: who, what, where, when, and why.

• Last: start and end dates for your projects.


Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data

Section II

• Use Section I to guide data selection.

• Must have legally permissible “purpose for requesting the data.”

• Must justify each data set requested.


Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data

Who to contact regarding dataset questions:

CEO – Carolyn Brown, [email protected]

DHS – Liza Rodriguez, [email protected]

OHS – Michele Mangan, [email protected]

PDPH – Raynard Washington, [email protected]

DBHIDS – Daniel Paolini, [email protected]

Who to contact regarding form questions:

DMO – James Moore, [email protected]


Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data

Designate staff levels that will review data:

• First see if form titles parallel agency hierarchy.

• Otherwise, consider titles as staff tiers.

• If category is missing, contact DMO. Mark Van Doren, [email protected]


Project Description Form: Section IV: Cohort, Time Period, & Data Elements

Section IV describes population of interest.

Then select variables to further scope data:

• Client identifiers

• System identifiers

• Demographics

• Client characteristics

• Service detail

• Client contacts, events, and encounters


Project Description Form: Sections V and VI: Data Security, Signature Certifying Data Security Compliance, and Signature Approving Project

Project description form includes two certifications:

• In Section V

o Relevant staff completed this training.

o Relevant staff can properly manage data.

• In Section VI

o Department commissioner will execute the form.

o They agree to comply with data security protocol.


Data Attribute List

Finally, identify the variables you need:

• Define variable via data attribute list.

• For support, contact DMO:

o Mark Van Doren, [email protected]


Questions for Module 2

When completing a project description form, staff are required to do all of the following except:

A) Designate start and end dates for their project.

B) List the Law Department attorney that has reviewed and approved the completed project description form.

C) Select specific source data like “street outreach” and “lead exposure.”

D) Have their department’s commissioner sign the project description.


Module 3: Administrative and Security Requirements for Protecting PII

Administrative Requirements:

• Adopt security policies and practices.

• Designate privacy and security liaisons.

• Verify employees completed training requirements.

• Report privacy and security incidents.


Incident Reporting

Report misuse or theft to supervisor within 24 hours.

“Incident” is any acquisition, access, use, or disclosure of PII not permitted by:

A. The HIPAA Rules or other privacy laws.

B. An applicable MOU with a sister agency.

C. City privacy policies and procedures.

D. Unit-specific privacy policies, procedures, or protocols.


Global HHS Security Safeguards

HHS Security consists of:

• Administrative, physical and technical controls.

These allow agencies to ensure:

• Confidentiality

• Integrity

• Availability


What can you do to ensure PII is safeguarded?

Data Storage Practices:

• Never store confidential data on external devices.

• Never store confidential data on personal devices.

• Avoid storing on City laptops unless necessary.

• If stored on laptop, ensure laptop is encrypted.


What can you do to ensure PII is safeguarded?

Username and Password Practices:

• Follow City-approved password and login policies.

• Use strong passwords.

• Change passwords more frequently than required.

• Never write passwords down.

• Never share usernames or passwords with others.


What can you do to ensure PII is safeguarded?

Workstation and Email Practices:

• Ensure PII files are locked at your workstation.

• Do not install non-HHS agency-approved software.

• Do not open emails from unknown senders.

• Do not attach confidential data to unencrypted emails.


What can you do to ensure PII is safeguarded?

General Practices:

• Know your agency’s security policies.

• This includes incident reporting.

• Know your Information Privacy Officers.

• Ensure identifiable data is accessed for approved purposes.

• Store files on secure servers.


Questions for Module 3

Calvin is working at his desk when he receives an email from his supervisor. His supervisor explains that she needs to borrow his user name and password briefly to verify an individual’s billing information and she has forgotten her password. Calvin writes down this information and provides it to his supervisor. He tells her to shred the paper with this information when finished because he uses the same password for all his logins, and wouldn’t want this information intercepted.

Has Calvin done anything wrong in this example?

A) No, Calvin is authorized to provide this information to supervisors, just not to other coworkers.

B) Yes, Calvin is not authorized to share his user name and password with anyone.

C) Yes, Calvin should under no circumstances write down user name and password information.

D) Yes, Calvin should use a unique password and should change this password frequently.

E) Answers #2, #3, and #4 are all correct.


Additional Safe Practices - Paper Document Disposal

To dispose of documents containing PII:

• Shred papers immediately.

• Store securely until you can shred papers.

• Most agencies provide secure shred bins.

• If unsure whether shredder is secure, contact your supervisor.


Additional Safe Practices - Printers

Printing confidential information:

• Do not print hard copies unless necessary.

• If necessary, use a secure PIN to print.

• Pick up documents immediately after printing.

Additional Safe Practices - Workstations

Workstation: Desktops

• If you are in a public area:

o Do not store data on your desktop.

• Only store files being “processed.”

• Return files to secure location at end of day.

• Delete remaining copies in non-secure locations.


Additional Safe Practices - Workstations

Workstation: Shoulder Surfing

• Turn monitor away from traffic and sight lines.

• Do not take screenshots.

• Do not photograph your monitor.

• Do not transcribe information unless necessary.

Additional Safe Practices - Secure Emails

Secure Email

• Use encryption when sending PII over email.

• Report emails sent without encryption.

o Must report incident within 24 hours.

• Do not auto-forward emails to avoid breaches.

Additional Safe Practices - Secure Emails

How do you send secured emails?

• Add the keywords to subject line

• [Secure Delivery] or [Secure]

• Must be in square brackets

Additional Safe Practices - Encrypted Emails

How do you receive encrypted email?

• If your email system is compatible:

o “Secure Delivery” email is same as normal email.

• Only difference:

o Keywords [Secure Delivery] in subject line.

• User can view the message immediately.


Additional Safe Practices - Encrypted Emails

• Instructions to send secure emails available:

o www.phila.gov/hhs/

Secure File Transfer Protocol (sFTP) Introduction

Secure File Transfer Protocol (sFTP)

• Data from CARES is transferred securely.

• Method is Secure File Transfer Protocol.

• Transfers data from CARES server to recipient computer.

• Ensures confidential data is kept confidential.


Secure File Transfer Protocol (sFTP) Introduction

Secure File Transfer

• sFTP uses SSH to transfer files.

• Requires login before data can be transferred.

• sFTP solutions allow for remote operations:

o Directory listings, file uploading, file downloading, etc.

• Files automatically delete after 7 days.


Secure File Transfer Protocol (sFTP) Steps

Complete the sFTP Request Form

• Submit a new request form:

o For every new folder accessed.

• Under justification description write that:

o You want to upload, download files and create new folders.

• Include directory address to requested folder.


Secure File Transfer Protocol (sFTP) Steps

• Submit a ticket to get access.

• Send request form as attachment.

Secure File Transfer Protocol (sFTP) Steps

• Wait for OIT to create your account.

• OIT will send your username and password.

Secure File Transfer Protocol (sFTP) Steps

https://secure-ftp.phila.gov/EFTClient/Account/Login.htm

• Log in to sFTP Server.

• Use username and password sent by OIT.

Secure File Transfer Protocol (sFTP) Steps

• What the main screen looks like.

• Arrows point to following buttons:

o File upload

o Folder upload

o New folder

Secure File Transfer Protocol (sFTP) Steps

• Click “File Upload” button.

• Browse directory.

• Click file you want to upload.

• Click “Open” button.

• This uploads file to “File Upload” folder.

Secure File Transfer Protocol (sFTP) Steps

To upload folder:

• Click “Folder upload” button on main screen.

• Select folder you want to upload.

• Click “OK.”

Secure File Transfer Protocol (sFTP) Steps

To download a file:

• Click the folder icon.

• Click file(s) you want to download.

• Click download button.

Module 3 continued: Accessing Requested HIPAA Covered Data Over P3

• P3 allows you to view PII from another agency.

• It’s how you will view requested HIPAA covered data.


Overview of How to Access Requested HIPAA Covered Data Over P3

1. Confirm that you have a city domain.

2. Contact P3 Administrator (DMO).

3. Connect to P3 Server.

4. Request a New Certificate.

5. Open the project data set(s).


1. Confirm that You have a City Domain

• Must have a city domain account.

• If you do not have a CITY domain account:

o Request one from Data Management Office:

▪ James Moore, [email protected] OR

▪ Mark Van Doren, [email protected]


2. Contact P3 Administrator (DMO)

• After project user(s) request a New Certificate:

o Send email to the P3 Administrator, [email protected].

o Include project name in the email.

• P3 admin will create project folder.

• Specified users will receive access to the folder.

• Folder location will be emailed to users.


3. Connect to P3 Server

Remote Desktop Connection.

Step 1. Open Remote Desktop Connection.

• Select Start Button.

• Scroll right and find Windows Accessories.

• Click on Remote Desktop Connection.


3. Connect to P3 Server

Step 2. Connect to server.

• Type: “MDO10VPFILP301”

3. Connect to P3 Server via Remote Desktop Connection

Step 3. Enter credentials.

• In User Name, type your city account:

o CITY\Firstname.Lastname

• In Password, type city account password.

• Select OK.

• Then select OK again.

4. Request a New P3 Certificate

A certificate confirms that you are you.

• The certificate allows file decryption.

• You only need to request a certificate once.


4. Request a New P3 Certificate

Step 1

Click MMC icon on the desktop.


4. Request a New P3 Certificate

Step 2. After the Console opens:

• Go to the menu File.

• Add or Remove Snap Ins.

• Choose Certificates and press Add >.

• Press OK.

• Then select Finish, and click OK.

4. Request a New P3 Certificate

Step 3:

• Expand Certificates.

• Right-click on Personal.

• Then All Tasks, then Request New Certificates.

4. Request a New P3 Certificate

Step 4:

• Click Next twice.

• Click box that says: P3 Basic EFS.

• Then click Enroll.

• Click Finish.

5. Opening the Project Data Set(s) Associated with a Project

• Project folder will be created for each project.

• Located on the (E:) drive.

• Contains all applicable project result sets.

• Can open data in Excel or Textpad 8.

• When done:

o Exit the app and disconnect from P3 server.

Documentation, Guides and Video Showing How to Use Remote Desktop:

If you need help using Remote Desktop:

• Refer to the HHS Confidentiality Training handbook.

• Provides links to useful resources.

• Broken down by Windows 10, 8.1, 8, and 7.


Faxing Identifiable Information

• Only fax if other mediums fail the needs of immediate client care.

• Include confidentiality notice on cover page.

• Double check/confirm fax number.

• Store fax machines in secure areas.

• Designate someone to distribute incoming faxes.


Verbal Communication

Calls from clients or providers:

• Confirm the identity of the individual speaking.

• Determine whether discussing PII is appropriate.

Leaving messages on answering machine:

• Do not speak about PII on messages.


Verbal Communication

Phone Conversations / Meetings:

• Avoid others overhearing confidential information.

• Avoid discussing information in public areas.

• Do not repeatedly use clients’ names.

• When discussing PII in meetings, close the door.


Verbal Communication

Gossip:

• Gossip can lead to potential lawsuits.

• Never discuss confidential information for non-business reasons.

• Only discuss with employees that “need to know.”

Social Media:

• Never post PII to social media.


Module 3 Question

Confidentiality: Which activity poses the greatest confidentiality risk to HHS agencies?

A) Leaving client files unattended on your desktop;

B) Discussing a client's information outside of your job responsibilities;

C) Speaking loudly on the phone so that others overhear your conversation.


Module 3 Question

Secure Emails: How can HHS agency employees ensure that their emails are delivered securely?

A) Employees need to type [Secure] in the subject line.

B) Employees do not need to do anything differently. All emails are automatically sent securely.

C) Verify with the receiving organization that their email system supports encryption.

D) Call the intended email recipient to verify that the email arrived.


Module 4: Conclusion

• Regulations can be both simple and complex

• As a general guide, remember to use:

o Common Sense.

o Courtesy and Respect.


Module 4: Conclusion

Use common sense when viewing and sharing data.

• Think before speaking or before disclosing written information.

• Be mindful of your environment.

• If you think data is confidential, treat it as confidential.

• For questions, contact your Privacy Officer or Liaison.


Module 4: Conclusion

Courtesy and respect are important.

• Handle data as if it was about you.

• Treat all clients with respect.

• Respect every client's right to confidentiality.


Module 4 Questions

You are responsible for data-entering critical incidents into the information system for the Office of Homeless Services (OHS). You receive a report that your friend's son has entered a homeless shelter. You and your friend, Robert, share many common friends and you are sure that they do not know about this development. You are sure that Robert could use some support during this difficult time. Should you:

A) Contact your mutual friends to let them know about the change in their housing status.

B) Call Robert and ask him to sign an authorization permitting you to disclose the information to friends.

C) Do not contact your friends. Contact Robert outside of your work but do not disclose any of the information that you learned.


Module 4 Questions

True or false: if you regularly disclose information about certain diseases to a government agency that tracks how many people in the city are infected with a certain disease, an individual has a right to know when you make those disclosures and who you make them to if they have the disease in question.

True

False


Thank you for taking the City of Philadelphia’s Health and Human Services Confidentiality Training!