
HIPAA Compliance Email


Page 1: HIPAA Compliance Email

Michela Desmond, MD
Ana Turbin, RN
Jann Barham, Office Manager
Jana Barham, Billing
Sonya Steadham, Reception
Joyce Cook, LVN

Protected Health Information and Electronic Protected Health Information

Safeguarding ePHI

This facility provides psychiatric care for the treatment of veterans and post-traumatic stress disorder.

Services are provided face to face and through electronic transmission.

Reimbursement is through federal funding, state funding, private pay insurance and pro bono.

Page 2: HIPAA Compliance Email

Michela Desmond, MD

Certified by The American Board of Psychiatry and Neurology

Page 3: HIPAA PRIVACY RULE

Lee Ann Torrans

The HIPAA Privacy Rule protects the privacy of individually identifiable health information.

Sanctions are required by HIPAA in the event of violations.

Covered entities must designate a privacy official responsible for developing and implementing policies and procedures. Our office manager is our HIPAA Privacy Officer. HIPAA requires not only that our policies be created and communicated to staff, but also that employees sign documents indicating they understand and will adhere to the policies.

Page 4: HIPAA SECURITY RULE

The HIPAA Security Rule sets national standards for the security of electronic protected health information (e-PHI).

Information created, received, used or maintained by a HIPAA covered entity is included.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

HIPAA covers both ePHI and PHI (protected health information).

Page 5: ePHI and PHI Review

Protecting patient healthcare information is important for the patient, our facility and legal compliance.

Understanding the broad scope of issues health care providers face and why we engage in these activities will help you support and improve our service.

It is everyone’s duty not only to observe our policies but to contribute to enhancing our policies to better address issues of protecting the health information of our patients, by both this office and our business associates.

By understanding the scope of our duties you can better contribute and participate in the protection of health information.

Page 6: What is a Breach?

The HIPAA Security Rule requires covered providers to implement security measures, which help protect patients’ privacy by creating the conditions for protected health information to be available but not be improperly used or disclosed. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

The “Breach Notification Rule” requires covered providers to promptly notify individuals and the Secretary of the HHS of the loss, theft, or certain other impermissible uses or disclosures of unsecured PHI. Health care providers must also promptly notify the Secretary of HHS if there is any breach of unsecured protected health information if the breach affects 500 or more individuals, and notify the media if the breach affects more than 500 individuals of a State or jurisdiction.

Page 7: Who Is a Covered Provider?

Healthcare Providers

Business Associates

State Law Expands Definition - Review Your State

Page 8: Breach Occurrence?

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint investigations, compliance reviews, and audits. OCR may impose fines on covered providers for failure to comply with the HIPAA Rules.

Breaches of unsecured PHI that affect 500 or more individuals are publicly reported on the OCR website.

We are required to notify the media if the breach affects more than 500 individuals of a state or jurisdiction.

State Attorneys General may also enforce provisions of the HIPAA Rules.

Page 9: Organizational Standards

Risk analysis and risk management serve as tools to assist in the development of a covered entity’s strategy to protect the confidentiality, integrity, and availability of ePHI.

Your feedback and contribution regarding any potential risk or threat to the security of ePHI is crucial for success. Always bring concerns to our HIPAA Privacy Officer, our office manager.

We are required as a covered entity to have a sanction policy that reinforces our security policies and procedures.

The Information System Activity Review implementation specification requires us to promote a continual awareness of any information system activity that could suggest a security incident.

Page 10: Security Management

The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

“Implement policies and procedures to prevent, detect, contain and correct security violations.”

Implementation specifications:

- Risk analysis
- Risk management
- Sanction policy
- Information system activity review

Page 11: Work Force Security

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.”

The Authorization and/or Supervision implementation specification provides the necessary checks and balances to ensure that all members of the workforce have appropriate or limited access to EPHI.

Information Access Management specifications:

- Isolating Health Care Clearinghouse Functions
- Access Authorization
- Access Establishment and Modification

Page 12: Information Access Management

“Implement policies and procedures for authorizing access to electronic protected health information.”

The Information Access Management implementation specifications are closely related to the implementation specifications under the Workforce Security standard.

- Isolating Health Care Clearinghouse Functions
- Access Authorization
- Access Establishment and Modification

Page 13: Security Plans

“Implement policies and procedures to address security incidents.”

Create contingency plans in the event of software / hardware failure or natural disaster.

“Implement procedures for periodic testing and revision of contingency plans.”

“Assess the relative criticality of specific applications and data in support of other contingency plan components.”

“Evaluation: On-going evaluation of security measures is the best way to ensure all EPHI is adequately protected.”

Page 14: Security Awareness Training

“Implement a security awareness and training program for all members of its workforce including management.”

- Security Reminders
- Protection from Malicious Software
- Log-in Monitoring
- Password Management

We are required to have periodic training for all new employees and associates.

Page 15: Internet and eMail Use

Complex passwords are an effective safeguard against unauthorized access to PHI.

The HIPAA Security Rule requires that covered entities establish guidelines for creating passwords and changing them during periodic change cycles.

Password policies require passwords to be changed every 90 days.

Passwords must have a length of 8 characters containing a mix of upper- and lowercase letters, special characters, and numbers. Never share passwords with co-workers, and never write them down and leave them in areas that are visible and accessible to others.

Page 16: ePHI Electronic Transmission

No patient images may be forwarded.

HIPAA allows patients to waive the use of HIPAA-encrypted transmission of patient information. The Information Privacy Officer must forward and receive the signed waiver before this process may begin.

Skype, owned by Microsoft, is NOT HIPAA compliant. It can never be used. Dropbox must have specific HIPAA-compliant Business Associate (BA) agreements. Both require waivers.

Without a patient waiver approved by our Security Officer, only our designated email service and text service can be used.

Page 17: Phishing Emails

Do not trust the display name; look at the actual sender’s email address and source.

Phishers often ‘steal’ and reuse legitimate logos.

Phishing can introduce malicious software through opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail. Contact the office manager before you open suspicious email.

Downloading: our system will not allow you to download anything to your computer that is not on our own servers. This includes not only the internet but diskettes, CDs, or DVDs.
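The display-name check described above, as an added example that is not part of the original training deck: a small Python triage routine that parses the From header, compares what the display name claims against the real sender address, and returns the reasons a message should go to the office manager before anyone opens it. The practice domain `example-clinic.test`, the role keywords and every sample header are constructed placeholders, not real senders.

```python
# Added example (not from the training deck): look past the display name to
# the real sender address of an e-mail From header, as the slide advises.
# The practice domain, the role keywords and every sample header below are
# constructed placeholders, not real addresses.
import re
from email.utils import parseaddr

PRACTICE_DOMAIN = "example-clinic.test"          # assumed practice mail domain
# Display-name wording that should only ever arrive from inside the practice.
INTERNAL_ROLES = re.compile(r"office manager|privacy officer|billing|reception", re.I)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def inspect_from_header(from_header: str) -> dict:
    """Return the display name, the real address and the reasons (if any)
    the header should be treated as suspicious."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons = []

    # 1. The display name itself shows an address that differs from the real
    #    one: the reader sees a familiar mailbox, the mail comes from another.
    for claimed in EMAIL_IN_TEXT.findall(display.lower()):
        if claimed != address:
            reasons.append(f"display name shows {claimed}, real sender is {address or 'missing'}")

    # 2. The display name claims an internal role but the address is external.
    if domain != PRACTICE_DOMAIN and INTERNAL_ROLES.search(display):
        reasons.append(f"internal role in display name but sender domain is {domain or 'missing'}")

    # 3. No address could be parsed at all: nothing to verify, so do not trust it.
    if not domain:
        reasons.append("no sender domain could be parsed")

    return {"display": display, "address": address, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


def triage(headers):
    """Run the check over a batch of From headers; return only the flagged ones."""
    return [r for r in map(inspect_from_header, headers) if r["suspicious"]]


# Constructed sample headers (placeholders, not real senders).
SAMPLE_HEADERS = [
    '"Office Manager" <manager@example-clinic.test>',             # legitimate internal mail
    '"Office Manager" <manager@mail-update.test>',                # role claimed, external domain
    '"manager@example-clinic.test" <reply@unrelated-host.test>',  # address shown, another one used
    'Newsletter <news@vendor.test>',                              # external, claims nothing: not flagged
]

if __name__ == "__main__":
    for result in triage(SAMPLE_HEADERS):
        print(result["address"], "->", "; ".join(result["reasons"]))
```

The third sample is the case the slide warns about: a mail client renders the quoted display name, so the reader sees a practice mailbox while the message actually comes from `reply@unrelated-host.test`. The check reports what the display name claims and what the envelope actually says, which is the information the office manager needs to decide.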

Page 18: Protections from Malicious Software

Malicious software refers to viruses, worms, Trojan horses and backdoor programs.

Virus scans and protection are run three times a day on individual computers and our entire system.

Page 19: Workstation and Info Access

Our clear-screen policy means you must either log off or lock your computer when you are away from your desk, to ensure that the information on the computer is protected from unauthorized access.

We use a keyboard shortcut that lets you quickly lock your computer: Control - LO

Users will be locked out after three attempts to log in with an incorrect password.

Screen savers which lock are set to turn on automatically after two minutes of computer inactivity.

Page 20: Control Access

Both the HIPAA Privacy Rule and the Security Rule limit the uses and disclosures of PHI to the "minimum necessary." This means that access to PHI should be authorized only when it is appropriate based on the employee's role. Covered entities must also implement technical policies and procedures that allow only authorized personnel to access e-PHI.

- Access to PHI should be authorized only when it is appropriate based on the employee's role.
- Our technical policies provide access to specific categories of information by specific job functions.
- Only authorized personnel can access specific e-PHI.


Page 22: Examples of HIPAA Violations

Consequence of breaches: fines, report to OCR, report to media (over 500 individuals).

- No Internal Sanctions for Violations
- No HIPAA Education Programs
- Sharing Passwords
- Using another person’s workstation
- Unlawful Actions

Page 23: Examples of Violations

ePHI Encryption
- Do not text or email ePHI outside of our encrypted system.
- Patient waiver of encryption must be approved by the security officer / office manager.

Employee Violations
- Sharing passwords.
- Sending medical records via email not directed through the encrypted system.

Breaches
- Losing a laptop with unencrypted ePHI.
- Placing PHI on a portable device of any kind that is not encrypted violates company protocol.

Page 24: Protect Patient Privacy

Protection of health information: PHI, ePHI, Business Associates

Safeguards for patients from staff and from business associates

Responsible and Accountable

Page 25: TWO POLICIES

Encrypted Email: Our email system has encryption protocols enabled for a high level of secured transmission between our email system and patients. The complete message can be encrypted by typing [encrypt] in the subject line. Make sure there is a space before or after [encrypt] in the subject line. The [encrypt] text will be stripped from the email during processing. This is the only email system accessible on our system and the only one that may be used for our medical practice.

Unsolicited Receipt of PHI: If you have received inappropriate or misdirected PHI, follow these steps as required under our HIPAA Compliance program: reply to the sender of the material that a PHI request was not made; delete or properly dispose of the PHI; and notify the project office manager that this event has occurred. Do not open or retain the unsolicited PHI.
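The [encrypt] subject-line rule above, together with the "do not email ePHI outside our encrypted system unless a patient waiver is approved" policy from the transmission and violation slides, as an added Python example that is not part of the original deck and not the mail system's own code. It locates the tag, applies the space-before-or-after requirement, strips the tag the way the policy says processing does, warns when a tag is glued to other text (the case where a sender believes the message is encrypted and it is not), and then makes the outbound decision. The practice domain `example-clinic.test`, the recipients and the subjects are constructed placeholders; treating the tag case-insensitively and assuming mail to the practice's own domain stays inside the system are assumptions, not stated policy.

```python
# Added example (not from the training deck): handle the "[encrypt]" subject
# tag described in the encrypted-e-mail policy and make the outbound decision
# the ePHI transmission and violation slides imply. The practice domain, the
# recipient addresses and the subjects are constructed placeholders; matching
# the tag case-insensitively is an assumption, not stated policy.
import re

PRACTICE_DOMAIN = "example-clinic.test"   # assumed practice mail domain
TAG = "[encrypt]"


def find_tags(subject: str):
    """Locate every '[encrypt]' in the subject and record whether it is
    separated from neighbouring text by a space (or the start/end of the
    line) on at least one side, which is what the policy requires."""
    found = []
    lower = subject.lower()
    pos = 0
    while True:
        i = lower.find(TAG, pos)
        if i < 0:
            break
        j = i + len(TAG)
        space_before = i == 0 or subject[i - 1].isspace()
        space_after = j == len(subject) or subject[j].isspace()
        found.append((i, j, space_before or space_after))
        pos = j
    return found


def process_subject(subject: str) -> dict:
    """Decide whether the message is to be encrypted and strip the tag as
    processing does; warn about a tag glued to other text, which would be
    ignored and leave the message to go out unencrypted."""
    tags = find_tags(subject)
    recognised = [t for t in tags if t[2]]
    warnings = [f"'{TAG}' at position {i} has no space before or after it and will be ignored"
                for i, _, ok in tags if not ok]
    cleaned = subject
    for i, j, _ in reversed(recognised):       # strip from the end so offsets stay valid
        cleaned = cleaned[:i] + cleaned[j:]
    cleaned = re.sub(r"\s{2,}", " ", cleaned).strip()
    return {"encrypt": bool(recognised), "subject": cleaned, "warnings": warnings}


def prepare_outbound(subject: str, recipient: str, waiver_on_file: bool = False) -> dict:
    """Outbound check: ePHI leaves the practice only through the encrypted
    path unless an approved patient waiver is on file. Mail to the practice's
    own domain is assumed (not stated by the policy) to stay inside the system."""
    decision = process_subject(subject)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if decision["encrypt"]:
        action = "send_encrypted"
    elif domain == PRACTICE_DOMAIN:
        action = "send_internal"
    elif waiver_on_file:
        action = "send_with_waiver"
    else:
        action = "hold"
        decision["warnings"].append(
            f"external recipient {recipient} without {TAG} or an approved waiver")
    decision["action"] = action
    return decision


if __name__ == "__main__":
    # Constructed sample subjects and recipients (placeholders).
    for subj, rcpt in [("[encrypt] Lab results", "patient@mail.test"),
                       ("Lab results", "patient@mail.test"),
                       ("Re:[encrypt]Lab results", "patient@mail.test"),
                       ("Staff meeting", "manager@example-clinic.test")]:
        print(prepare_outbound(subj, rcpt))
```

The third sample is the failure mode worth catching before the message leaves: a reply prefix written as `Re:[encrypt]Lab results` leaves no space on either side of the tag, so the tag is not recognised, the subject is left untouched and the message is held with a warning instead of going to an external address in the clear.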

Page 26: Workstation Policies

Each workstation or class of workstations has a defined purpose and authorization to access EPHI.

Purposes and functions are authorized for workstations, and workstations cannot be used for unauthorized purposes or to perform unauthorized functions.

Report any unauthorized activity at a workstation.

Do not share passwords with others, except to assure business continuity.

Suspected misuse of user IDs or passwords should be promptly reported.

Workstations accessing EPHI are located in physically secure areas, and display screens are positioned or protected in order to minimize the risk of access by unauthorized individuals and prevent unauthorized viewing of EPHI.

Locking software should be activated upon leaving a workstation unattended for a period which exceeds five minutes.

Log off from your workstation when your shift is complete.

Take reasonable and appropriate steps to ensure that workstations removed from facilities are protected with security controls equivalent to on-site workstations.

Page 27: Quiz in Notes Below
