HIPAA Privacy & Security Training Privacy and Security of Protected Health Information

Post on 05-Jul-2020


Page 1: HIPAA Privacy & Security Training...HIPAA Security Rule Safeguards Turn computer monitors away from view of others, minimize when not in use, or use a privacy screen Do not disclose

HIPAA Privacy & Security Training Privacy and Security of Protected Health Information

Page 2: Course Competencies

This training module addresses the essential elements of maintaining the HIPAA Privacy and Security of sensitive information and protected health information (PHI) within The Orthopaedic & Fracture Clinic.

During this course you will learn:

About the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules;

How to recognize situations in which confidential and protected health information can be mishandled;

About practical ways to protect the privacy and security of PHI;

And that employees will be held responsible if they improperly handle confidential or protected health information.

Page 3: Understanding Provider Responsibilities Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information and give patients an array of rights with respect to that information. This suite of regulations includes:

The Privacy Rule, which protects the privacy of individually identifiable health information;

And the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI).

Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers have responsibilities for safeguarding the information by meeting the requirements of the Rules.

Page 4: Why Do Privacy and Security Matter?

To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual’s health information is private and secure.

When patients trust you and health information technology enough to share their health information, you will have a more complete picture of patients’ overall health.

In addition, when breaches of health information occur, they can have serious consequences for your organization, including reputational and financial harm or harm to your patients.

Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of successful cyber-attack.

Page 5: The HIPAA Privacy Rule

The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.

The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Page 6: Informing Patients about How We Use or Disclose Their Health Information

A Covered Entity (CE) must post and distribute a Notice of Privacy Practices (NPP).

The notice must describe the ways in which the CE may use and disclose PHI.

The notice must state the CE’s duties to protect privacy, provide an NPP, and abide by the terms of the current notice.

The notice must describe individuals’ rights, including the right to complain to the U.S. Department of Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated.

The notice must include a point of contact for further information and for making complaints to the CE.

When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA Release of Information authorization/consent form.

The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.

Page 7: HIPAA Permitted Disclosures of PHI

Disclosure to the individual/personal representative (parent/guardian)

Disclosure for treatment, payment, and health care operations

Disclosures required by state or federal law

Disclosures to Business Associates

Disclosures as authorized by the patient

Disclosure to family/friends when authorized by the patient or when it is in the best interest of the patient

Public Health Activities:
  To a public health authority
  To report child abuse/neglect
  To the FDA

Law Enforcement Purposes

Abuse, Neglect, and Domestic Violence

Judicial and Administrative Proceedings

If you are unsure whether a disclosure is permitted, talk to the Compliance Officer or Privacy Officer.

Page 8: HIPAA Incidental Disclosures

Incidental uses and disclosures are defined as secondary uses or disclosures that:

Are permitted by HIPAA

Cannot be reasonably prevented

Are limited in nature

Occur as a by-product of an otherwise permissible use or disclosure

Reasonable Safeguards and Minimum Necessary Standards are in place

Example – A doctor can confer at a nurse’s station without fear of being in violation of the rule if overheard by a passerby, provided reasonable safeguards and appropriate minimum necessary standards are in place.

Page 9: Minimum Necessary Standard

PHI should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.

The Minimum Necessary Standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

The Minimum Necessary Standard does not apply to the following:

Disclosures to or requests made by a healthcare provider for treatment purposes

Uses and disclosures by or to a patient for their own PHI

Disclosures made under a valid authorization

Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

Page 10: Patients’ Rights and Your Responsibilities

As a health care provider, you have responsibilities to patients under the HIPAA Privacy Rule, including responding to their requests for:

Access;

Amendments;

Accounting of disclosures;

Restrictions on uses and disclosures of their health information, and confidential communications.

Page 11: HIPAA Privacy Rule Safeguards

Close doors when discussing treatment & procedures

Avoid discussion about individuals in public places

Secure storage and transportation of PHI

Keep posted or written information away from public access

Do not leave detailed voice messages unless approved by the individual

Page 12: The HIPAA Security Rule

The Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit.

The Security Rule concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI.

Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity means that data or information has not been altered or destroyed in an unauthorized manner.

Availability means that data or information is accessible and usable upon demand only by an authorized person.

These Security Rule safeguards can help health care providers avoid some of the common security gaps that could lead to cyber-attack intrusions and data loss.

Safeguards can protect the people, information, technology, and facilities that health care providers depend on to carry out their primary mission: caring for their patients.

Page 13: The Threat of Cyber Attacks

Cybersecurity refers to ways to prevent, detect, and respond to attacks against, or unauthorized access to, a computer system and its information.

It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, your practice operations, and of course to comply with the HIPAA Security Rule.

The following slides will review common security threats and ways to mitigate these threats.

Page 14: Viruses

A computer virus is a major threat to the information system.

Viruses “infect” your computer by modifying how it operates and, in many cases, destroying data.

Viruses spread to other machines by the actions of users, such as opening infected email attachments.

Viruses can forward PHI to unauthorized persons by attaching themselves to documents, which are then emailed by the virus.

Page 15: Worms

Worms are programs that can:

Run independently without user action;

Spread complete working versions of themselves onto other computers on a network within seconds;

And quickly overwhelm computer resources, with the potential for data destruction as well as unauthorized disclosure of sensitive information.

Page 16: Spam and Phishing

Spam is an unsolicited or “junk” electronic mail message, regardless of content.

Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material, or “scams.”

Spam also clogs email systems.

Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords.

Page 17: Mitigating Cyber Threats

Be skeptical about emails!

Look at the email address: who sent it?

Take notice of the subject line: is it what you were expecting?

Most phishing emails try to trick you into clicking the link or button in the email.

If you question an email, please contact IT.

Thumb drives and removable memory: both of these can be dangerous.

OFC policy states you are not allowed to bring in any personal or unauthorized software.

Viruses can travel from PC to PC with this kind of media.

Even if you believe the drive is safe, these viruses hide and you will unknowingly infect your PC and the network.

If you need a drive for a project, please see IT.

Page 18: Email and Texting

Increased online access and great demand by consumers for near real-time communications has increased the threat of impermissible use or disclosures.

The Security Rule requires that when you send ePHI, you send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient.

If you use email or text, you should be careful to use a communications mechanism that allows you to implement the appropriate Security Rule safeguards, such as an email system that encrypts messages or requires a login.

Page 19: HIPAA Security Rule Safeguards

Turn computer monitors away from view of others, minimize when not in use, or use a privacy screen

Do not disclose usernames or passwords

Passwords should never be posted near a work station

Never copy files containing PHI to a laptop or mobile device

PHI should never be stored on a C: drive

Log off when leaving your work station

Employee access audits throughout the year

Encryption:
  Laptops
  Desktops
  Phones

If something is not encrypted, use extreme caution!

Page 20: Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

Covered Entities (CEs) and Business Associates (BAs) that fail to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules can receive civil and criminal penalties.

Your good faith effort to be in compliance with the HIPAA Rules is essential.

Page 21: The Breach Notification Rule: What to Do If You Have a Breach

A breach is, generally, an impermissible use or disclosure under the HIPAA Rules that compromises the security or privacy of PHI.

When a breach of unsecured PHI occurs, the Rules require your practice to notify affected individuals, the Secretary of HHS, and, in some cases, the media.

If you can demonstrate through a risk assessment that there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary.

Page 22: Employee Responsibilities

The first line of defense in data security is the OFC employee.

Employees are responsible for the security of all data which may come to them, in whatever format.

Avoid storing sensitive information on your C: drive.

Access information only as necessary for your authorized job responsibilities.

Keep your passwords confidential.

Comply with the HIPAA Security and Privacy policies.

Report promptly to OFC’s Privacy Officer or Compliance Officer any concerns regarding unauthorized disclosure of PHI or other Sensitive Information.

Page 23: Common HIPAA Rule Issues

It is never acceptable for an employee to look at PHI “just out of curiosity,” even if no harm is intended (e.g., retrieving an address to send a ‘get well’ card).

Remember the Minimum Necessary Standard: what patient information do you need to access in order to do your job?

Unauthorized access is a prohibited practice:

Do not access family and friends’ PHI unless authorized

Do not access co-workers’ PHI unless authorized

Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.

Accessing or reviewing ANY patient’s record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.

Accessing or reviewing confidential information of another employee who is also an OFC patient, without a permissible purpose, is unauthorized access of PHI.

HIPAA employee sanctions will be followed.

Page 24: Employee Sanctions Under HIPAA

A CE is required by law to sanction employees who violate the HIPAA Privacy & Security Rules.

Any violations of HIPAA will be handled under the CE’s discipline policy, similar to other employee discipline issues.

An employee who breaches the HIPAA Privacy or Security Rule Policy is subject to formal disciplinary action, up to and including termination.

Page 25: HIPAA Privacy & Security Audits

OFC audits all employees.

Please be diligent in accessing only records you are authorized to access.

This means only accessing a patient’s PHI that is needed for your job function.

As an employee of a CE, your conduct will at all times be compliant with HIPAA.
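As an added illustration of the employee access audits and unauthorized-access rules on the slides above (example code written for this page, not the clinic's own audit tooling): a small Python check that applies those rules to a constructed EHR access log. The user names, patient ids, care-team table and role-to-section table are invented sample data, and the rules themselves are the ones the slides state: no chart access without a documented purpose, no co-worker lookups, and no access beyond what the job function needs.

```python
"""Audit constructed EHR access-log entries against the slide rules."""
from collections import namedtuple

# One access-log entry: when, which user, which patient chart, which section.
Access = namedtuple("Access", "ts user patient section")

# Constructed sample data; all ids and names are hypothetical.
EMPLOYEE_ROLES = {"jdoe": "nurse", "kwong": "nurse", "bsmith": "billing"}
# Employees who are also patients of the clinic: patient id -> user name.
EMPLOYEE_PATIENTS = {"P1002": "bsmith"}
# Documented treatment relationship: patient id -> care-team user names.
CARE_TEAM = {"P1001": {"jdoe"}, "P1002": {"jdoe"}, "P1003": {"kwong"}}
# Minimum Necessary: the chart sections each role needs for its job function.
ROLE_SECTIONS = {
    "nurse": {"demographics", "clinical_notes", "medications"},
    "billing": {"demographics", "claims"},
}


def audit_access(entry):
    """Return the findings for one log entry; an empty list means no concern."""
    findings = []
    role = EMPLOYEE_ROLES.get(entry.user)
    if role is None:
        return ["unknown user id"]
    on_care_team = entry.user in CARE_TEAM.get(entry.patient, set())
    # Clinical staff need a documented treatment relationship; payment and
    # operations roles (billing) have a permissible purpose without one.
    if role == "nurse" and not on_care_team:
        findings.append("no documented treatment relationship")
    # A co-worker's chart opened by someone not treating them is the
    # "another employee who is also a patient" case from the slides.  An
    # employee reading their own chart is a patient right, not a lookup.
    other_employee = EMPLOYEE_PATIENTS.get(entry.patient)
    if other_employee and other_employee != entry.user and not on_care_team:
        findings.append("co-worker record opened without a permissible purpose")
    # Minimum Necessary: sections outside the role's job function.
    if entry.section not in ROLE_SECTIONS[role]:
        findings.append(f"section '{entry.section}' exceeds {role} minimum necessary")
    return findings


def run_audit(log):
    """Map (timestamp, user) -> findings for every entry that raised one."""
    report = {}
    for entry in log:
        findings = audit_access(entry)
        if findings:
            report[(entry.ts, entry.user)] = findings
    return report


# Constructed sample log: two clean entries and three that should be flagged.
SAMPLE_LOG = [
    Access("2020-07-01T08:05", "jdoe", "P1001", "clinical_notes"),
    Access("2020-07-01T09:12", "bsmith", "P1001", "claims"),
    Access("2020-07-01T10:30", "kwong", "P1002", "demographics"),
    Access("2020-07-01T11:47", "bsmith", "P1003", "clinical_notes"),
    Access("2020-07-01T13:02", "jdoe", "P1003", "medications"),
]

if __name__ == "__main__":
    for key, findings in run_audit(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

A real audit would read the EHR's access log export and the care-team and role data from the scheduling and HR systems; the findings are review queues for the Privacy Officer, not verdicts.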

Page 26: HIPAA Privacy & Security Rule Questions

If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact:

Privacy Officer (Bobbi Nawrocki) 386-6689 ( [email protected] )

Compliance Officer (Julie Morgan) 386-6651 ( [email protected] )

IT Director (Brad Nawrocki) 386-6593 ( [email protected] )