HIPAA Health Insurance Portability and Accountability Act 1996


Post on 20-Jul-2020


Page 1: Health Insurance Portability and Accountability Act 1996...What is HIPAA? HIPAA is a federal law that gives a member rights over their health information and sets rules and limits

HIPAA

Health Insurance Portability and Accountability Act 1996


What is HIPAA?

HIPAA is a federal law that gives a member rights over their health information and sets rules and limits on who can look at and receive protected health information. These laws affect:

Doctors

Nurses

Pharmacists

Other Medical Providers

Insurance Personnel

HMO Staff Members

Public Health and Welfare Activities

Your Family

You!

Examples of PHI: Information created and received by UCP relating to our members’ care


Policy: Use and Disclosure of Protected Health Information

What is PHI?

Protected Health Information (PHI) is individually identifiable health information created or received by UCP.

When a person’s identity and the individual’s health information are linked together, it has the potential to become PHI.


Policy: Use and Disclosure of Protected Health Information

• What Information is considered PHI?

Name

Address

Zip Code

Age

Gender

Blood Pressure

Drug Name

Doctor’s Name

Doctor’s Specialty

Diagnosis codes: Diagnosis codes are codes used by medical providers to identify a sign, symptom or condition.

Procedure codes: Procedure codes indicate the actions the medical provider is taking in reference to a medical condition.

Prescription codes: Prescription codes or National Drug Codes (NDC) are alphanumeric codes used by pharmacies to indicate the type of drugs that are being dispensed.


Policy: Use and Disclosure of Protected Health Information

How we may be exposed to PHI in our daily work:

Medical or health records

Computer screens

Paper documents, memos, faxes, files

Case files or reports

Telephone conversations

Case management meetings

Conversations with co-workers and members

Assessments

Casual conversations in the hallway or break room


Policy: Use and Disclosure of Protected Health Information

Some ways PHI can be compromised:

• Sending unencrypted emails

• Leaving information on desks

• Sending faxes without cover pages

• Leaving faxes and items on the printer

• Leaving files out in the open

• Sharing passwords with others

• Allowing access to your work area

• Positioning computer monitors so that others can see the screen in public areas


Who are Covered Entities?

HIPAA standards apply only to:

• Health care providers, including doctors, clinics, hospitals, dentists, nursing homes and pharmacies.

• Health plans

• Health care clearinghouses, which translate data between health plans and providers.

• Anyone contracted with the State of Arizona to provide services through the Division of Developmental Disabilities


What is a Business Associate?

• A Business Associate (BA) is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, UCP.

• A member of UCP’s workforce is not a business associate.


Use and Disclosure of PHI Related to Health Care

The following may share PHI with one another without patient authorization to conduct business on behalf of UCP:

• Care providers may share medical info with the individual and other people the individual would like to be involved in his/her care (e.g., family members, friends, etc.). If possible, care providers should obtain the individual’s permission.

• UCP may disclose a decedent’s PHI to family members and others involved in the care of the individual.


Use and Disclosure of PHI Related to Healthcare

• UCP may disclose PHI for the treatment activities of a health care provider.

• UCP may disclose PHI to another covered entity or a health care provider for the payment activities of the entity that receives the information.


You Decide

Mary, a UCP employee, is having some lunch in the common area lunch room. Another UCP staff member comes in and Mary asks, “How did Johnny’s treatment go today?” Johnny’s therapist goes into great detail on the tremendous progress he’s made and the new techniques she is using. Upon hearing this exciting news, Mary is thrilled! There are several other people in the lunch room at this time, including parents and visitors.

Is this a violation of HIPAA?


Why is Confidentiality So Important to UCP?

Our members need to trust us before they will feel comfortable enough to share any personal information with us. In order for us to provide quality care, we must have this information. They must know that whatever they tell us will be kept private and limited to those who need the information for treatment, payment and health care options.


Minimum Necessary

When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.


What is Minimum Necessary?

In order to comply with HIPAA, we need to think about just what specific information is required to meet a request.

Additionally, the Minimum Necessary principle requires that an organization designate the category of personnel who must access health information to perform their job, the extent of the information that will be accessed, and any other conditions that pertain to the use or disclosure of health information by that category of personnel.


Minimum Necessary Exceptions

HIPAA allows us to access or disclose information if it is:

• Used for treatment purposes

• Required by law

• Made to the individual

• Made to the Secretary of HHS (Health and Human Services) for enforcement purposes

• Made for compliance with applicable federal regulations


The 18 Identifiers of PHI

• Member names

• Geographic subdivisions (smaller than state)

• Telephone numbers

• Fax numbers

• Social Security numbers

• Vehicle identifiers

• E-mail addresses

• Web URLs & IP addresses

• Dates (except year)

• Names of relatives

• Full face photographs or images

• Healthcare record numbers

• Account numbers

• Biometric identifiers (fingerprints or voiceprints)

• Device identifiers

• Health plan beneficiary numbers

• Certificate/license numbers

• Any other unique number, code, or characteristic that can be linked to an individual.


De-Identification of PHI

De-identifying PHI means removal of certain identifiers so that the individual’s PHI may no longer be identified.

• Application of a statistical method, or

• Stripping of listed identifiers such as:

Names

Geographic subdivisions < state

Social security numbers


PHI Exclusions

• Protected Health Information (PHI) excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.

• Protected Health Information (PHI) excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by UCP in its role as employer.


Policy: Accounting of Disclosures of PHI

UCP, upon written request, shall provide members with a list of individuals/organizations to which their PHI has been disclosed for the six (6) years preceding the request for an accounting or, with respect to certain disclosures of PHI made through UCP’s electronic health record (EHR), for the three (3) years preceding the request for an accounting.


Policy: Patient’s Rights to Access PHI

It is the policy of UCP that individuals have the right to request access to inspect and/or obtain a copy of their PHI, for as long as the PHI is maintained by UCP.

UCP will act on requests for access within 30 days of receipt, or within 60 days if there is an unavoidable delay and if, within 30 days of receipt, the requester is given written notice of the reasons for the delay and the date on which UCP will complete action on the request.


Policy: Amendment of PHI

A patient has the right to request that UCP amend his/her PHI maintained in the Designated Record Set for as long as the PHI is maintained. UCP shall respond to a request for amendment of PHI in accordance with the HIPAA Privacy Rule.


Policy: Transporting Protected Health Information

All PHI in paper or electronic form must be transported or stored in a secure manner to safeguard it against improper disclosure and/or loss.


Policy: Facsimile Transmissions of PHI

• UCP shall use facsimile (fax) transmissions in a manner that will safeguard private and confidential information to the extent possible.

• Department administration shall determine what information entrusted to their department is private and/or confidential and shall communicate methods of protecting that information.


Policy: Vendors

• Vendors/sales reps play an important role as providers of information and services to UCP.

• Departments shall not provide vendors access to any confidential information, including PHI and proprietary info, unless the info is necessary to perform services on behalf of UCP.


Policy: Breach Notification Compliance Plan

A breach is the unauthorized acquisition, access or use of PHI in a manner not permitted under the HIPAA Privacy Rule and that compromises the security or privacy of the PHI.

All UCP workforce members and agents are responsible for reporting an actual or suspected breach of PHI to the Privacy Officer as soon as possible.

Business Associates of UCP are also required to report breaches of PHI to UCP in accordance with the timeframe specified in the applicable Business Associate Agreement.

The Privacy Officer will receive, document and investigate all actual or reasonably suspected breaches of PHI in a timely manner, in accordance with this policy.


Policy: Mitigation of Improper Disclosures

UCP will mitigate, to the extent practicable, any harmful effect that becomes known to it as a result of use or disclosure of PHI in violation of UCP’s policies and procedures or applicable law.


Policy: Training of Workforce Members on Privacy Policies and Procedures

It is UCP’s policy to implement certain human resource requirements to protect against the wrongful use or disclosure of PHI. UCP will accomplish this by:

Training all members of its workforce

Applying sanctions against members of its workforce


Policy: Review and Resolution of Complaints

It is UCP’s policy to comply with applicable rules requiring it to effectively receive, investigate and resolve complaints regarding UCP’s privacy practices.

Complaints to UCP: UCP shall provide the individual with an Information Privacy Complaint Form, which will be given immediately to the Privacy Officer.

Complaint Investigation: UCP shall cooperate with an investigation of UCP’s privacy practices by the United States Department of Health and Human Services. The Privacy Officer shall coordinate UCP’s response to such an investigation.

Contractual obligations vary by department. Check with your supervisor for specific guidelines.


Things to Think About

How are you currently sharing PHI?

Who has access to your information?

With whom do you share info?


HIPAA & IT

Health Insurance Portability and Accountability Act and How it Applies to UCP’s Technology


Accessing PHI

Do not look up patient information if it is not needed for medical reasons, even if it’s for birthdays, sending flowers, etc.

PHI should only be accessed in the name of administering therapy and business needs.


Protecting PHI

• Do not download PHI onto UCP machines unless absolutely necessary.

• Do not download new programs without IT’s permission.

• Do not open suspicious email attachments.


Mobile Devices

• Make sure these devices are secure outside of UCP. This is your responsibility.

• If accessing PHI outside of UCP, make sure other people are not looking at your screen.


Passwords and Logins

• Log in with your username and password.

• Do not log in with someone else’s username and password.

• Do not enter data under someone else’s name.

• Do not share your password. Your profile is meant to be accessed by you only.

• Change your password every 90 days.


In The Field and Office

Keep your monitor hidden from the public.

Do not print and forget. If you print PHI, go get the information immediately.


Viruses!

• Report all errors from virus scanning programs.

• Do not open attachments which end in:

.exe

.zip

.bat


Unauthorized Users

• Promptly report the loss or theft of hardware. All UCP workforce members are responsible for reporting an actual or suspected breach of PHI to the UCP HIPAA Privacy Officer as soon as possible.

• If a non-UCP employee needs to access the system, contact IT.


Kitchen Sink

• Always lock your system after leaving your desk. There is a way to make it automatically lock after 10 minutes. This is recommended.

• The UCP website does not contain PHI.


In Short…

PHI rules for technology can be simple to follow and must be enforced to protect our clients and therapists!


Let’s Review

1. HIPAA is a federal law that gives members rights over their health information and sets rules and limits on who can look at and receive this health information.

2. Protected Health Information is individually identifiable health information created or received by UCP.

3. A Covered Entity is a health care provider, health plan, health care clearinghouse or anyone contracted with the State of Arizona to provide services through DDD.

4. A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, UCP.


Let’s Review

5. UCP may disclose PHI for the treatment activities of a health care provider, or to another covered entity or health care provider for payment activities.

6. UCP shall enter into a Business Associate Agreement with outside entities performing services on its behalf that require PHI to perform the services.

7. Minimum necessary means staff must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose.

8. De-Identification of PHI means removal of certain identifiers so that the individual’s PHI may no longer be identified.


Let’s Review

9. Departments shall not provide vendors access to any confidential information, including PHI and proprietary info, unless the information is necessary to perform services on behalf of UCP.

10. It is the policy of UCP that individuals have the right to request access to inspect and/or obtain a copy of their PHI, for as long as the PHI is maintained by UCP.

11. UCP implements certain human resource requirements to protect against the wrongful use or disclosure of PHI. UCP will accomplish this by training all members of its workforce and applying sanctions, including termination of employment.


Quiz Time

Please refer to the HIPAA Privacy & Security Quiz on the intranet under Training Opportunities and take the quiz. Print out the quiz, complete it and return to Melinda Campbell-Weber or Daniela Serrano by fax, email or mail.

Thank you!


Questions?

Carlos and Stephen can provide support for any and all IT questions. Thank you!

General Questions?

Please feel free to contact us with any questions or concerns you may have.

E-mail: [email protected] or [email protected]

Phone: 602-682-1871 or 602-682-1807


This training material has been created for the exclusive use of UNITED CEREBRAL PALSY OF CENTRAL ARIZONA and may not be used for any other purpose without the express written consent of UNITED CEREBRAL PALSY.