HIPAA Privacy & Security Training Module 1

Upload: ashlyn-holdcroft

Post on 15-Dec-2015



What we want to accomplish

* Understand the HIPAA Privacy Rule
* Understand who it applies to
* Discuss PHI
  * Define PHI
  * Identify how and when it is used and disclosed
  * Identify the right amount of PHI to use or disclose
* Talk about patient rights under HIPAA
* Understand a breach
* Review responsibilities and safeguards


What is HIPAA?


* Health Insurance Portability and Accountability Act of 1996
* Federal law
* Comprised of Five Sections
  * Administrative Simplification
    * Electronic Transactions and Code Sets Rule
    * Privacy Rule
    * Security Rule

Privacy Rule v. Security Rule

Privacy Rule identifies what information is to be protected and outlines the individual’s rights to control access to their health information

Security Rule defines how to protect protected health information in electronic form, called ePHI


Education


The education that you are receiving today will focus on learning what responsibilities you have in order to ensure Elmcroft complies with HIPAA Privacy and HIPAA Security Regulations. The following topics will be covered:

HIPAA PRIVACY
* Protected Health Information
* Minimum Necessary
* Patient Rights
* Notice of Privacy Practices
* Privacy Policies
* Privacy Officer
* Reporting Privacy Concerns

HIPAA SECURITY
* Electronic Protected Health Information
* User Identity
* Password Management
* Appropriate Use of Computing Devices
* Security Policies
* Security Officer
* Reporting Security Concerns


HIPAA Privacy Officer

* Maintains appropriate measures to guard against unauthorized access to PHI.
* Ensures compliance through adequate training programs and periodic audits.
* Maintains HIPAA policies and procedures.

Other important rules

* HITECH Act of 2009 (Health Information Technology for Economic and Clinical Health Act)
  * Breach Notification Rule
* HIPAA Omnibus Rule
  * Changed the Breach Notification Rule
* Don’t forget about state law!

What is the Privacy Rule?

Personal health information must be safeguarded by organizations and the individuals who work there

Patients have rights to gain access to their medical records and restrict who sees their health information

Organizations must train their workforce on the privacy requirements

Organizations must appoint an individual to be responsible for seeing that privacy procedures are adopted and followed

Punishes individuals and organizations that fail to keep patient information confidential


Who is Covered?

* Health Plans
* Healthcare Clearinghouses
* Healthcare Providers that conduct standard transactions in electronic form that involve PHI

Known as “Covered Entities”

Business Associates (BA)

Individual or Organization that performs duties or business functions on behalf of the Covered Entity using Protected Health Information (PHI), for example:
* Law firm
* Pharmacist consultant
* Medical Director
* Record Storage Company

Prior to disclosing PHI to the BA, the Covered Entity is required to have a written agreement with the BA that specifies the safeguards on the PHI used or disclosed by the BA

What is Protected Health Information (PHI)?

Individually identifiable health information

That relates to an individual’s past, present or future health care, or

That relates to health care services provided to the patient, or

That relates to payment for care

Created or received by a Covered Entity or Business Associate

In any form: paper, electronic or oral


Individual Identifiers of PHI


* Name
* Address
* Telephone No.
* Finger or voice prints
* Social security number
* Vehicle/device serial no.
* Health plan number
* Certificate/license No.
* Account Number
* Names of relatives
* Names of employers
* Fax number
* Birth date/admission & discharge dates
* Photographic images/X-rays
* Medical record number
* Email, IP address, web URL

Notice of Privacy Practices (NPP)

The Notice of Privacy Practices (NPP) describes how PHI may be used and disclosed by a Covered Entity.

The NPP explains how an individual can get access to information and how to make a complaint to the Covered Entity.

The NPP for health care providers must be:
* Distributed at the first instance of service
* Posted at the service site
* Posted on the website if one exists

All employees should be aware of the NPP.

When does HIPAA allow use or disclosure of PHI?

* Permitted by law
  * Treatment
  * Payment
  * Health Care Operations
  * Public interest and public benefit
* Permission by the resident/patient
  * Authorization

Incidental Uses and Disclosures

Incidental use or disclosure:
* Occurs as a by-product of a permissible use or disclosure using reasonable safeguards
* Cannot be reasonably prevented
* Must use reasonable safeguards

Example: A visitor catches a glimpse of the information on a nursing station whiteboard as a nurse is adding information to it

Accidental Uses and Disclosures

Accidental use or disclosure:
* Potential breach
* Attempt to retrieve it, or limit exposure or risk to the information
* Report the incident immediately

Example: A nursing assistant is faxing lab results to a resident’s doctor but uses the wrong fax number and sends it to a garage

Minimum Necessary

Uses, disclosures, and requests of PHI are limited to the “minimum necessary to accomplish the intended purpose.”

Example: An insurance company requests a patient’s medical record for billing purposes. Only the information pertaining to a specific bill should be sent.

Minimum necessary does not apply when PHI is used or disclosed:
* For treatment purposes
* To the individual
* When you obtained an authorization
* When required by law

Need to know

Determine the information you need to know to do your job

Access information only if you have a need to know it

Example: a nurse needs to know PHI to provide care for the patients on his/her unit, but not for the patients that are on another unit.


Patient Rights

* Receive a Notice of Privacy Practices
* Right to Access
* Right to an Accounting of Disclosures
* Restriction of Use of PHI
* Confidential Communications
* Request Amendment
* File Complaint (Covered Entity and Office of Civil Rights)

What would you do?

A co-worker gets called away from the med cart. He makes sure the drawers are locked, but walks away leaving the MAR sheet uncovered and able to be viewed by the general public.

A professionally dressed visitor walks into the nurses’ station and states that she is the daughter of Mr. Taylor, a resident in room 16, and that she wants to review his medical record.

You notice a list of names and current medications in the trash can.


Disclosure that must be tracked

Patients have the right to receive an Accounting of Disclosures of PHI made by a Covered Entity for the six (6) years prior to the request.

The following disclosures need to be tracked:
* Required by law (i.e. reports of abuse to a public health authority)
* Required for public health activities (i.e. reporting of disease)
* For health oversight activities (i.e. audits by an oversight agency)
* Reports of abuse (i.e. to the police, medical staff)
* For law enforcement purposes (i.e. to identify the perpetrator of a crime)
* To the coroner (i.e. for identifying a deceased person)
* To avert a threat of serious injury (i.e. disclosure to a person who can prevent the threat or to law enforcement)
* Unlawful or unauthorized disclosure (i.e. inadvertent disclosures)

What is a breach?

An impermissible use or disclosure that compromises the security or privacy of the PHI.

A breach is presumed unless the Covered Entity or Business Associate can demonstrate there is a low probability the PHI was compromised based on a risk assessment.


Examples of Possible Breaches

Throwing PHI in the trash or dumpster (without being shredded);

Sharing PHI with those who do not have a need to know;

Posting another person’s PHI on your Facebook page;

Faxing a document containing PHI to the wrong fax number;

PHI that has been lost or stolen.


What if a breach occurred?

Report incidents to your supervisor as soon as they occur or are discovered

The LPO (Local Privacy Officer) investigates to determine if the incident is a breach

Breach Notification

A breach requires notification within a required time from the date the breach was discovered or should have been discovered:
* Individual: within 60 days
* HHS – OCR: within 60 days if more than 500 individuals are involved
* HHS – OCR: annually, within 60 days of the end of the calendar year, if fewer than 500 individuals are involved
* Media: within 60 days if more than 500 individuals are involved

OCR Audits / Investigations

Permanent audits in planning stage

Complaints can trigger an investigation

A breach can trigger an investigation


Penalties for Non-Compliance

Individuals can be responsible, not just the Covered Entity or Business Associate.

Civil Money Penalties:
* Violation but you did not know or could not have known: $100 per violation, with an annual maximum of $25,000 for repeat violations
* Violation due to reasonable cause and not due to willful neglect: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
* Violation due to willful neglect but corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
* Violation due to willful neglect and not corrected: $50,000 per violation, with an annual maximum of $1.5 million

Penalties, cont.

Criminal Penalties:
* Knowingly committed the offence: up to $50,000.00 and up to one year in prison
* Committed under false pretenses: $100,000 and up to five years in prison
* Committed for financial gain or malicious harm: $250,000 and up to ten years in prison

Headlines, Reported Breaches

* Southwest General Health Center: notified 480 patients that a binder containing their personal and health information had gone missing.
* Phoenix Cardiac Surgery: appointments were available to the public on an internet-based calendar. Paid $100,000 to settle claims of lack of HIPAA safeguards and agreed to take corrective action to implement policies and procedures to safeguard the PHI of its patients.
* Nursing Assistant in Florida sentenced for HIPAA crime: a former nursing assistant of an assisted living facility in Florida was sentenced to 3 years in prison for stealing and selling patient information, and ordered to pay $12,000 in penalties.
* UCLA School of Medicine: a researcher was terminated and, in retaliation, accessed the medical records of his superior and his co-workers and the patient records of celebrities, a total of 323 times. Sentenced to 4 years in prison.

General Safeguards

Protect the privacy and security of our residents’ highly confidential information (medical, financial or other data):
* When you talk about it
* When you fax it
* When you store it
* When you use it
* When you disclose it
* When you dispose of it

Remember minimum necessary and access only the amount of PHI necessary to do your job and only when you have a need to know

General Safeguards, cont.

Confidential verbal conversations should be conducted away from others who do not have a need to know.

Never use or disclose confidential information for any personal purpose or out of curiosity, or allow others to do so.

Documents containing PHI should not be left in open areas or on desks where they can easily be seen or stolen by passersby.

General Safeguards, cont.

Dispose of resident information by shredding or storing it in locked containers for destruction. Do not throw it in the trash!

Keep information you hear about a resident to yourself. Share only with those who have a need to know.

Use reasonable safeguards to keep resident information from being accessible by others who do not have a need to know.


General Safeguards, cont.

Notify security if you see an unescorted visitor in a private area.

Computer screens where PHI is viewed should be turned away from the view of visitors.

Any fraudulent attempts by an unauthorized person to obtain PHI must be reported to the supervisor and the LPO.

HIPAA Security Rule

The Security Rule defines how to protect protected health information in electronic form, called ePHI

HIPAA: Security Rule

Four Requirements of Security:
* Ensures confidentiality, integrity, and availability of electronic PHI.
* Protects against possible threats and hazards to the information: hackers, viruses, natural disasters or system failures.
* Protects against unauthorized uses or disclosures.
* Ensures compliance by the workforce through security regulations and policies/procedures.

Three Components of Security:
* Administrative Safeguards
* Physical Safeguards
* Technical Safeguards

HIPAA: Security Rule

Administrative Safeguards:
* Documentation kept for 6 years.
* Internal system audits minimize security violations: logins, file accesses, and/or security incidents.
* Information access management: access to PHI based on what is needed to perform the job. Once computer access is requested, it will take 48-72 hours to implement due to the complexity of the security system.
* Security awareness and training: security updates, incident reporting, log-in, and password management.
* Security incidents will be reported if suspected or if there is an actual breach.

HIPAA: Security Rule

Physical Safeguards:
* Safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
* Workstations positioned so monitor screens/keyboards are not directly visible to unauthorized persons. Use of privacy screens when applicable.
* Physical access to the server room limited to key personnel.
* Workstation use and security: users log on as themselves; log off prior to leaving the workstation; inspect the last logon information and report any discrepancies; comply with all applicable password policies and procedures; close files not in use.

HIPAA: Security Rule

Technical Safeguards: Access controls:
* User password setup is for one-time use initially, allowing the individual to choose their own unique password for future access.
* User passwords reset every 180 days.
* All passwords must consist of at least eight (8) alphanumeric characters (numbers and letters).
* Passwords cannot be reused until after three (3) different generations have been used.
* Six (6) failed logon attempts will cause the user account to be locked out. The account is locked out for thirty (30) minutes and then reset.
* Computer desktops automatically lock after 17 minutes of inactivity.
* Citrix sessions automatically close after 30 minutes of inactivity.
* CareVoyant sessions automatically close at different intervals depending on place within the program.
* CareTracker sessions automatically close at different intervals depending on place within the program.
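The access-control parameters above (180-day reset, eight characters with letters and digits, three-generation history, six failures then a 30-minute lockout, 17-minute idle lock) are easy to state and easy to misconfigure. The following is an added example, not code from the training deck or from Elmcroft's systems, that models those parameters so each rule can be checked; all names (password_ok, Account, screen_should_lock) are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Parameters as listed on the Technical Safeguards slide.
MIN_LEN = 8                        # at least eight characters
HISTORY = 3                        # no reuse until three generations later
MAX_AGE = timedelta(days=180)      # password reset every 180 days
LOCK_AFTER = 6                     # failed logons before lockout
LOCK_FOR = timedelta(minutes=30)   # lockout length; counter resets afterwards
IDLE_LOCK = timedelta(minutes=17)  # desktop locks after this much inactivity


def password_ok(candidate: str, previous: list) -> bool:
    """Length, letters plus digits, and no reuse of the last HISTORY passwords.
    Assumption: "alphanumeric" is read as "contains both letters and digits"."""
    if len(candidate) < MIN_LEN:
        return False
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False
    return candidate not in previous[-HISTORY:]


def screen_should_lock(last_activity: datetime, now: datetime) -> bool:
    """Idle-timeout rule for the desktop (17 minutes)."""
    return now - last_activity >= IDLE_LOCK


@dataclass
class Account:
    # Plaintext only keeps the model short; a real system stores salted hashes.
    password: str
    set_at: datetime
    history: list = field(default_factory=list)
    failures: int = 0
    locked_until: Optional[datetime] = None

    def change_password(self, new: str, now: datetime) -> bool:
        if not password_ok(new, self.history + [self.password]):
            return False
        self.history.append(self.password)
        self.password, self.set_at = new, now
        return True

    def login(self, attempt: str, now: datetime) -> str:
        """Returns 'ok', 'denied', 'locked' or 'expired'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0   # 30 minutes passed: reset
        if attempt != self.password:
            self.failures += 1
            if self.failures >= LOCK_AFTER:
                self.locked_until = now + LOCK_FOR
                return "locked"
            return "denied"
        self.failures = 0
        if now - self.set_at > MAX_AGE:
            return "expired"   # a new password must be set before access continues
        return "ok"
```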

HIPAA Security Officer

* Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards.

* Oversees and/or performs on-going security monitoring of organization information systems.

* Ensures compliance through adequate training programs and periodic security audits.

* Ensures security standards comply with statutory and regulatory requirements.

* Maintains HIPAA security policies and procedures.

Who is responsible for HIPAA?

EVERYONE at Elmcroft:

* Support Center Staff
* Local Privacy Officer
* IT Staff: implement safeguards for the computer systems.
* Clinical Staff and Physicians: create and access the majority of resident information.
* Managers and Supervisors: develop and implement policies and procedures that relate to security and ensure their staff are trained properly.
* Clerical Staff: create and access resident information.
* Volunteers: have access to resident information in various settings.
* Vendors and Contractors: may have access to resident information.

Tips for HIPAA Security Compliance

Log on and off the network appropriately. Never let others use your ID or work under your ID.

Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media.

E-mail may be, but is not always, a secure form of data transmission. Do NOT e-mail PHI unless using encrypted means.

Use caution in opening e-mail files from unknown sources.

Do NOT access non-permitted information or give non-permitted information to unauthorized employees.

Be aware of, and report, security threats to the Security Officer.

Tips for HIPAA Security Compliance

Passwords must be treated as sensitive and confidential information.

Never share your password with anyone for any reason.

Passwords should not be written down, stored electronically, or published.

Be sure to change initial passwords, password resets and default passwords first time you log in.

Use different passwords for your different accounts.

Create passwords that are not common; avoid common keyboard sequences; do not include personal information such as pets, birthdays or kids’ names.

Tips for HIPAA Security Compliance

Protect sensitive information on lists and reports with social security numbers (SSNs).

Limit access to lists and reports with SSNs to those who specifically need SSNs for official business.

Never store SSNs or use lists with SSNs on laptops or home computers.

Save and store sensitive information only on Elmcroft servers managed by IT staff.

Tips for HIPAA Security Compliance

Never copy sensitive data to CDs, disks, or portable storage devices.

Do not store lists with sensitive information on the Web (Dropbox, Google+, Etc.).

Lock printed materials with sensitive data in drawers or cabinets when you leave at night.

When done with printed sensitive material, shred them.

Tips for HIPAA Security Compliance

Remove sensitive materials from the printer right away.

If there is a problem with the printer, turn it off to remove sensitive material from the printer’s memory.

Personally deliver sensitive materials to the recipient or distribute the information electronically using the email system.

Arrange for shared electronic files that require a user ID and password.

What do we do?

Complete initial and annual HIPAA training

Read the Notice of Privacy Practices (NPP)

Understand how HIPAA regulations impact your job function and responsibility

Check with your supervisor if you are uncertain

Ask for additional training if required

It is our responsibility to ensure confidentiality of our residents’ health information.

General Rule for HIPAA

What happens at work, stays at work!

OR…..


Questions

Resources

Susan Dawson, Privacy Officer
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: 502.753.6000
E-Mail: [email protected]

Your Local Privacy/Security Officer (Administrator/Executive Director)

Bob Dooley, VP Information Systems
Elmcroft Senior Living
9510 Ormsby Station Road, Suite 101
Louisville, KY 40223
Office: 502.714.7435
E-Mail: [email protected]
