Page 1

HIPAA: Privacy/Info Security

Jeff Jones
HIPAA Privacy Officer
HIPAA Information Security Officer
KY Region

KCTCS is an equal opportunity employer and educational institution.

Page 2

Discussion Topics

What you should know…

Protected Health Information (PHI)
Disclosure & Use
Authorization Form
Minimum Necessary
Patient Notice
Privacy Officer
Security Awareness
Security Training
Information Security Officer
Security Mistakes
Penalties

Page 3

What Does HIPAA Do?

Imposes new restrictions on the use and disclosure of PHI.

Gives patients greater access to their medical records.

Gives patients greater protection of their medical records.

Page 4

What is PHI?

Protected Health Information is Individually Identifiable Health Information (IIHI): information that relates to the past, present or future health condition of an individual (or to the care provided to, or payment for, that individual), that identifies the individual or could reasonably be used to identify them, and that is transmitted or maintained in any form (electronically, orally or on paper).

Identifiers that make health information PHI include: name, address, dates of service, date of birth, social security number, etc.

Page 5

What is Disclosure and Use?

Use: PHI shared, examined, applied or analyzed within the entity that holds the information.

Disclosure: PHI released, transferred, or made accessible to anyone outside the entity holding the information.

Page 6

When Can PHI be Used/Disclosed?

PHI can be used or disclosed for:

Treatment, Payment, Healthcare Operations (TPO)

With written authorization from the individual

Disclosure to the patient

Incidental uses and disclosures (by-products of a permitted use that cannot reasonably be prevented, provided reasonable safeguards and the minimum necessary standard are applied)

Page 7

When is Authorization Required?

Generally speaking, for uses and disclosures other than:

Treatment

Payment

Healthcare Operations

Page 8

What is an Authorization Form?

An authorization is a written document, signed by the patient, that specifically permits the covered entity to use or disclose the PHI it describes, for the purpose it states, to the recipient it names.

Page 9

When is Authorization Not Required?

To maintain a patient directory

To inform family members of patient location, general condition, or death

Public health activities

Coroners, medical examiners, funeral directors, organ donations

To avert a serious threat to health and safety

Page 10

What is “Minimum Necessary”?

Make sure the least amount of health information is used or shared that will accomplish the task.

Identify those who regularly access PHI and the types of PHI each of them needs for their part of the patient's treatment, payment and healthcare operations (TPO); access to anything beyond that should be denied by default.
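"Minimum necessary" is a least-privilege rule, and it can be enforced in software rather than left to habit. The following Python is an added example and is not code from the KCTCS deck: the roles, the field names, the per-role allowlists and the sample record are constructed assumptions used only to show how a deny-by-default field filter and a value-free audit entry work together.

```python
"""Minimum-necessary filtering of a PHI record by workforce role.

Added example (not part of the KCTCS slide deck). The roles, field names
and the sample record below are constructed assumptions that illustrate
the "minimum necessary" principle as a deny-by-default access policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Mapping

# Constructed sample PHI record: every key is an identifier or a health fact.
SAMPLE_RECORD: dict[str, str] = {
    "name": "Pat Example",
    "date_of_birth": "1970-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example St",
    "insurance_id": "XYZ123",
    "diagnosis": "Type 2 diabetes",
    "medications": "metformin",
    "date_of_service": "2024-03-01",
    "room": "412",
}

# Assumed role policy: the fields each role regularly needs for its part of
# treatment, payment or healthcare operations. Anything not listed is denied.
ROLE_POLICY: Mapping[str, frozenset[str]] = {
    "clinician": frozenset({"name", "date_of_birth", "diagnosis",
                            "medications", "date_of_service"}),
    "billing": frozenset({"name", "date_of_birth", "insurance_id",
                          "date_of_service", "address"}),
    "front_desk": frozenset({"name", "room"}),  # directory-style information only
    "volunteer": frozenset({"name", "room"}),   # volunteers are workforce members too
}


@dataclass
class AccessDecision:
    role: str
    released: dict[str, str]              # fields actually returned to the caller
    withheld: frozenset[str]              # record fields not returned
    over_requested: frozenset[str] = field(default_factory=frozenset)  # asked for but not permitted


def minimum_necessary_view(record: Mapping[str, str], role: str,
                           requested: set[str] | None = None) -> AccessDecision:
    """Return only the fields the role is permitted to see.

    With `requested` omitted the caller gets everything its role allows.
    With `requested` given, fields outside the role's allowlist are withheld
    and reported in `over_requested` so the request itself can be audited.
    Unknown roles are refused outright: deny by default.
    """
    if role not in ROLE_POLICY:
        raise PermissionError(f"unknown role {role!r}: deny by default")
    allowed = ROLE_POLICY[role]
    wanted = set(record) if requested is None else set(requested)
    released = {k: v for k, v in record.items() if k in allowed and k in wanted}
    withheld = frozenset(record) - frozenset(released)
    over = frozenset() if requested is None else frozenset(requested) - allowed
    return AccessDecision(role, released, withheld, over)


def audit_line(decision: AccessDecision, user: str, purpose: str) -> str:
    """Format an audit-log entry. Field *names* are logged, never PHI values."""
    return (f"user={user} role={decision.role} purpose={purpose} "
            f"released={sorted(decision.released)} "
            f"over_requested={sorted(decision.over_requested)}")


if __name__ == "__main__":
    d = minimum_necessary_view(SAMPLE_RECORD, "volunteer",
                               requested={"name", "room", "diagnosis"})
    print(audit_line(d, "vol42", "patient directory"))
```

The allowlist is keyed by role rather than by person so that the "identify those who regularly access PHI" step on the slide becomes a reviewable table, and the audit entry records which field names were released and over-requested without copying the PHI values themselves into the log.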

Page 11

What is the Notice of Privacy Practices?

The Patient Notice is a required document that describes how the covered entity may use and disclose PHI.

Must describe the patient's rights and the covered entity's legal duties.

Must be made available in print on request.

Must be displayed at the site of service and posted on the entity's web site, if it has one.

Page 12

Security Awareness: What is it?

Recognizing what types of security issues may arise in the workplace; and

Knowing what actions to take in the event of a security breach.

Page 13

Security Awareness/Training

The HIPAA Security Rule requires that every member of the workforce receive security awareness training.

Members of the workforce include volunteers!

Page 14

What’s a Person to do?

Always Report Anything Unusual.

Notify your supervisor if you suspect a security incident.

Never share your user ID or password with anyone.

Page 15

Top 10 Workplace Security Mistakes

1. Hidden under the keyboard – Keeping a computer password on a yellow post-it note.

2. I’ll do it my way – Not listening to or following security procedures.

3. On, gone, not locked – Walking away from the computer and leaving it unlocked or not turned off.

4. Gee, what’s in this attachment – Unexpected email attachments can carry malware that cripples systems.

5. Weak passwords – Passwords based on information easily accessible to others.

Page 16

Top 10 Workplace Security Mistakes

6. Loose lips – Talking in public about things you shouldn’t.

7. Laptops with legs – Laptops left unsecured and unattended are vulnerable to theft.

8. Law enforcement – Managers and supervisors need to ensure ongoing compliance.

9. The threat within – A large share of security breaches originate inside the organization, through carelessness or malice.

10. Update now – Security updates don’t do any good unless they are installed on your computer.

Page 17

How do We Comply?

HIPAA requires that we designate a “Privacy Officer” (Privacy Rule) and an “Information Security Officer” (Security Rule).

These officers are responsible for overseeing all privacy and security policies and procedures.

They are the contact persons for receiving complaints.

Institute a training program for the whole workforce, including volunteers.

Page 18

What if We Don’t Comply?

Civil penalties: $100 per violation, up to $25,000 per year for identical violations (the original HIPAA amounts; the HITECH Act of 2009 raised these maximums substantially).

Criminal penalties: up to $250,000 and 10 years in prison.

Page 19

Summary

Remember: it’s all about protecting the patient’s right to privacy and security.

Put yourself in the patient’s place.

Page 20

Please print out this page, sign and date it, then turn it in to your instructor.

Health Insurance Portability & Accountability Act – Instruction Session

I completed the instruction session on the Health Insurance Portability & Accountability Act (HIPAA) on ______________________.

I understand the privacy and confidentiality policies of the clinical facilities I will be attending for my clinical experiences. I know the condition-information terminology, the policies regarding “privacy patients” and the disclosure of protected information. I also know the “safeguards” for confidentiality and the penalties for violating HIPAA.

Signature___________________________Date___________________