HIPAA & Security Awareness Training
Annual Mandatory Education
Transcript of a PowerPoint presentation
Objectives
Define the Health Insurance Portability and Accountability Act (HIPAA)
Describe patient rights and protections under the HIPAA Privacy Rule
Identify good practices for treatment of patient information under the HIPAA Privacy and Security Rules
Identify appropriate physical safeguards to assist in the protection of electronic patient information
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law, passed by Congress and signed by President Bill Clinton, that is enforced by the Department of Health and Human Services (HHS) to address patient information in relation to:
• Privacy and Confidentiality of Patient Information
• Security of Electronic Protected Health Information
• Transactions and Code Sets
The Rules Address the Need To:
Standardize the format of health care data across the industry
Standardize rules for treatment of health care data
Share health care data among providers
Evolve from paper to electronic records, thereby reducing the cost of maintaining health care data
Establish rules that grant patients rights over their own health care information
Protect patient information from unauthorized use and disclosure
Protected Health Information
PHI is any health information tied to an identifier such as:
Names
Addresses
Employers
Relatives' names
Telephone, cell or fax numbers
Email addresses
Social Security number
Medical record number
Member or account number
Certificate numbers
Voiceprints
Fingerprints
Photos
Codes
Any other characteristic, or combination of information, that may identify a person
Patient Privacy Rights
Notice of Privacy Practices
File Complaints
Request restrictions on uses and disclosures
Request confidential communication
Request access to PHI for inspection and copying
Request amendments
Request an accounting of disclosures
All rights apply to all patients, living or deceased
Question #1
Which is not a benefit of the HIPAA Rules?
A.Standardize rules for the treatment of health information
B.Reduce health care costs
C.Prevent data from being shared among current care providers
D.Protect patient information from unauthorized use and disclosure
Question #2
Which is not a patient right under the HIPAA Rules?
A. Request restrictions on uses and disclosures
B. Request an accounting of all disclosures
C. Request confidential communications
D. Request that certain data is stricken from their medical record
Use and Disclosure
Three kinds of use or disclosure that need NO prior authorization are:
Treatment
Payment
Health Care Operations
Authorization
Required for any use or disclosure other than treatment, payment or health care operations
Must be specific about how the information will be used, by whom and for how long
The patient has the right to revoke an authorization at any time
All requests that require authorization must go to Medical Records for review
Minimum Necessary Standard
In circumstances other than treatment, including payment and health care operations, only the minimum amount of information necessary for the task or purpose should be used or released. This is called the "Minimum Necessary Standard".
Known Individuals
Family, friends or well known figures
Cannot access for personal reasons
Only access what you need to do your job
Personal Representatives
May have legal authority to act on behalf of a patient
May hold court-appointed documentation
May be a family member or friend providing care
Treated no differently than the patient with respect to HIPAA
Question #3
Authorization is needed to disclose patient information to another care provider currently caring for a patient.
A.True
B.False
Question #4
When patient information is requested for reasons other than treatment, payment or health care operations, to which department should the request be forwarded?
A. Information Technology Department
B. Medical Records
C. Patient Accounting
D. Access Department
Privacy Rule
Privacy and confidentiality are an essential part of CHPC's policies and procedures. Our privacy policies apply to Protected Health Information in three forms: written, verbal and electronic.
Best Practices for Written PHI
Medical Records
Keep locked in a secure area
Always sign records out and back in
Cover with a Confidentiality Statement page
When traveling, keep records secured in the car or on your person
Best Practices for Written PHI
File Cabinets, Whiteboards, etc.
Keep cabinets locked
Place in secure area and/or behind locked doors
Keep the general public or those who have no need to know out of the secure areas
Don’t allow whiteboards to face windows or open doors
Best Practices for Written PHI
Desks and Loose Papers
Never leave a desk with PHI on it unattended
Dispose of paper PHI that is no longer needed in the recycle bins, never in ordinary trash
Don't bring paper PHI into general areas
Clean desk policy applies
Best Practices for Written PHI
Copiers, Printers and Fax Machines
Located in secure areas
Pick up print and copy jobs immediately
Use cover sheets with Confidentiality Statements on all faxes
Call the recipient of a fax to confirm they received it
Check fax machines frequently for PHI
Best Practices for Written PHI
Staff Mailboxes
Must either be located in a secure area or must NOT contain PHI
Check frequently
Question #5
Which is not a best practice when using fax machines to send or receive PHI?
A. Double check the fax number before you send the fax
B. Use a cover sheet with a confidentiality statement
C. Call the recipient to make sure they received it
D. Never send faxes with PHI because it is not secure
Question #6
Where should written PHI be disposed of when it is no longer needed?
A. Turn it in to Medical Records
B. Trashcans
C. Shredders
D. Recycle Bins
Best Practices for Verbal PHI
Conversations
Need to know
Hold in private areas at all times
Never in public areas
Incidental disclosures
Best Practices for Verbal PHI
Telephones and Voicemails
Hold conversations in a secure area, not in public areas or within earshot of the public
Verify that the person on the other end is the person who should be receiving the PHI
Never leave PHI on a voicemail
Question #7
Which is a secure area for holding conversations containing patient information?
A. Cubicles in the team area
B. Hallways
C. Around the nursing station
D. In the restrooms
The Security Rule
The Security Rule only applies to PHI in an electronic format (ePHI), whereas the Privacy Rule applies to PHI in any format.
The Security Rule has three types of safeguards:
Administrative Safeguards – Policies and procedures (risk analysis, workforce training, sanctions)
Technical Safeguards – Technology and related policies that control access to ePHI and protect it in storage and transmission (access control, audit controls, integrity, authentication, transmission security)
Physical Safeguards – Physical protection of computers, workstations and network facilities
Facility Security Plan
Badges must be worn at all times
Visitors must sign in and remain in non-PHI areas
Reception areas control who enters the facility
Reception entrances are the only doors left open; all other doors remain locked when not in use
Security button to access restricted areas
Security cameras
Alarm system
Workstation Use
Equipment and access are determined by job description and supervisor
Use for business purposes only
Never leave a workstation unattended while logged in
Do not attach any peripheral device (e.g. USB drives)
Only organization-issued software and hardware may be used
Workstation Use
Position monitors so they cannot be seen through doors, windows or from high-traffic areas
Computers and other technology may only be used by the person to whom they were issued
Never share passwords or log another person in under your credentials
Information Security
All information on the network belongs to CHPC
May not send files to, or receive files from, home
May not email or otherwise transmit PHI unless it is encrypted
Technology Accountability
You are responsible for the security and care of company issued hardware resources
Equipment and software may not be removed from the premises without permission from IT
Turn in all equipment upon termination of employment
Internet Usage
Business purposes only
No downloads
No streaming video or audio
Internet usage is monitored
Email Etiquette
Email is an official communication tool
Don’t use email for sensitive issues that should be discussed face-to-face
NO PHI IS SENT VIA EMAIL OUTSIDE OUR ORGANIZATION
Email usage is monitored
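The rules on the Information Security and Email Etiquette slides (no PHI leaves the organization by email; PHI is never transmitted unencrypted) and the identifier list on the Protected Health Information slide can be turned into an automated outbound-mail check. The Python below is an added example written for this transcript, not CHPC's code or anything the deck itself describes. The identifier patterns, the internal mail domain chpc.example and the medical record number layout are assumptions; pattern matching of this kind produces both false positives and misses (names, addresses and dates are not caught), so it supplements the policy rather than replacing it.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for four of the PHI identifier types the slide lists
# (SSN, telephone/fax numbers, e-mail addresses, medical record numbers).
# The MRN layout ("MRN" followed by 6-8 digits) is an assumption made for this
# example; a real deployment loads its own identifier formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,8}\b", re.IGNORECASE),
}

# Assumed internal mail domain; any other domain is "outside our organization".
INTERNAL_DOMAIN = "chpc.example"


@dataclass
class Verdict:
    allowed: bool
    reason: str
    findings: list = field(default_factory=list)


def find_phi(text):
    """Return (kind, matched_text) for every identifier pattern found in text."""
    return [(kind, m.group(0))
            for kind, pat in PHI_PATTERNS.items()
            for m in pat.finditer(text)]


def is_external(address):
    """True when the recipient's domain is not the internal mail domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def check_outbound(recipients, body, encrypted=False):
    """Apply the deck's two rules in order: PHI never goes to an external
    recipient, and PHI that stays internal must still be encrypted."""
    findings = find_phi(body)
    if not findings:
        return Verdict(True, "no PHI identifiers detected", findings)
    external = [r for r in recipients if is_external(r)]
    if external:
        return Verdict(False, "PHI addressed to external recipient(s): "
                       + ", ".join(external), findings)
    if not encrypted:
        return Verdict(False, "PHI must be encrypted before transmission", findings)
    return Verdict(True, "PHI stays internal and is encrypted", findings)


if __name__ == "__main__":
    # Constructed sample message; the identifiers are invented, not a real patient.
    body = "Please review MRN 00123456 (SSN 123-45-6789), callback 555-123-4567."
    for rcpts, enc in [(["billing@chpc.example"], True),
                       (["billing@chpc.example"], False),
                       (["vendor@partner.example"], True)]:
        v = check_outbound(rcpts, body, encrypted=enc)
        print("ALLOW" if v.allowed else "BLOCK", rcpts, v.reason,
              [kind for kind, _ in v.findings])
```

The external-recipient test runs before the encryption test so that encrypting a message never turns an outside disclosure into an allowed one; the only path to ALLOW with PHI present is an internal recipient plus encryption, which is exactly the position Question #9 below tests.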
Question #8
Which of the following is not a good workstation use practice?
A.Logging out when you step away from your computer
B.Using the workstation to research medications or medical conditions
C.Using an external drive such as a thumb or jump drive with my workstation
D.Being cognizant of who can view my computer’s monitor
Question #9
Emails containing PHI may be sent to my co-worker internally, if they have a need to know, but may never be sent outside the network.
A.True
B.False
Thank you
Amy Smith, Privacy/Security Officer, 989-2076
Sue Zogaria, Privacy Officer (Alternate), 989-2113
Gordon Grieble, Security Officer (Alternate), 989-2085