Welcome to the Wis. Dept. of Health Services Privacy Training

1
Welcome to the Wis. Dept. of Health Services
Privacy Training

• HIPAA Privacy and
• State Confidentiality Laws
• Awareness

2
Why Are You Being Asked to Take This Training?

• You work in a position within DHS that requires
  you to take HIPAA training because you work with
  protected health information (PHI)
• The HIPAA Privacy Rule requires covered entities
  to train its workforce on the HIPAA policies and
  those specific HIPAA-required procedures that may
  affect the work you do for DHS
• All DHS employees need to safeguard confidential
  information

3
Published Horrors

• Here is why the Privacy Rule is important as
  you can see by some examples provided of recent
  improper disclosures
• In the biggest loss ever of personal information
  compiled by state government, a computer disk
  containing data on 2.9 million Georgians has been
  lost in shipping. State officials, who blame
  Dallas-based Affiliated Computer Services for the
  lost CD, said it contained names, Social Security
  numbers, birth dates and addresses of people on
  Medicaid and PeachCare for Kids, but no medical
  information. (04/07)

4
Published Horrors

• Data of all American veterans who were discharged
  since 1975 including names, Social Security
  numbers, dates of birth and in many cases phone
  numbers and addresses, were stolen from a VA
  employee's home. Theft of the laptop and computer
  storage device included data of 26.5 million
  veterans. (5/06)
• Note The employee was later dismissed.

5
DHS Commitment to Privacy

• Preserve the privacy of all clients and employees
• Guard the confidentiality of health and
  confidential information
• Maintain the integrity of all recorded
  information
• Ensure reasonable safeguards of all electronic
  information

6
What is HIPAA? (Health Insurance Portability and
Accountability Act 1996)

• Protects the privacy and security of a clients
  health information
• The HIPAA Privacy Rule is the first enforceable,
  federally-mandated, comprehensive set of privacy
  rights and responsibilities
• The Rule demands that healthcare providers and
  organizations (health plans) paying for
  healthcare have policies and processes which
  apply reasonable safeguards to health information
• Provides for electronic and physical security of
  a patients health information

7
What is HIPAA? (Health Insurance Portability and
Accountability Act 1996)

• Prevents health care fraud and abuse
• Guarantees health coverage when job changes
• Administrative Simplification
• Establishes national standards for
• Electronic (EDI) transactions
• Security and privacy of health care information
• Identifiers such as provider, payer and employer
  improved efficiency of processing health care
  information

8
State Confidentiality Laws

• Wisconsin has enjoyed strong laws and
  regulations protecting citizens health
  information. But in many other states, their
  states laws were either much less stringent than
  ours or were not enforced. The Privacy Rule is
  not intended to replace Wisconsin or other states
  laws. The Privacy Rule doesnt override state
  laws or policies providing more privacy. The Rule
  is intended to establish minimum standards of
  privacy protection. If a state law, regulation,
  or an agencys policies are more stringent than
  HIPAA, the more stringent safeguards prevail.

9
Privacy Wisconsin Laws

• Wisconsins confidentiality laws
• Are similar to HIPAA in several ways
• Will preempt or override HIPAA if Wisconsin laws
  are more stringent (i.e., give clients more
  rights or protections)
• HIPAA provides floor but not ceiling more
  stringent state laws not pre-empted
• Wisconsins identity theft laws (Wis. Stat.
  895.507)
• Require that individuals be notified if security
  of their confidential information has been
  breached

10
Wisconsin Confidentiality Laws
11
What does Wis. Stat. 146.82 Cover?

• Protects the confidentiality of patient health
  care records and provides
• Requirements for informed consent to release
  information from patient health care records
• Exceptions that permit release of information
  without written informed consent

12
What does Wis. Stat. 51.30 HFS 92 Cover?

• Protects the confidentiality of all records that
  are created in the course of providing services
  to individuals for mental health services,
  developmental disabilities, alcoholism or drug
  dependence and provides
• Requirements for informed consent to release
  information from treatment records
• Exceptions that permit release of information
  without written informed consent
• Requirements for access by the clients, parents,
  guardians, and etc.
• Processes and penalties for violations of the law
• HFS 92 further operationalizes s. 51.30

13
What Does Wis. Stat. 252.15 Cover?

• Restricts use of test results for HIV
• Written consent is needed to disclose a persons
  test results

14
2008 State Confidentiality Law Changes Wis.
Stat. 51.30

• Changes effective October 1, 2008
• Additions to the listing of elements to be
  exchanged without the patients consent was
  expanded to include diagnostics and symptoms
• Removal of the within a related health care
  entity (s. 51.30(4)(b)8G) so that health care
  information can be shared with any provider who
  is involved in the patient's care and needs the
  information to treat the patient

15
2008 State Confidentiality Law Changes Wis.
Stat. 146

• Changes effective April 1, 2008
• Eliminates the requirement to document all
  disclosures. Health care providers will still be
  required to document disclosures as required by
  HIPAA.
• Allows general health information to be exchanged
  with any health care provider who is involved
  with the patients care. In the past, Chapter
  146 of Wisconsin law prohibited health care
  providers who received general patient health
  care information from providers outside their
  institution from disclosing the same information
  to a subsequent provider.

16
2008 State Confidentiality Law Changes Wis.
Stat. 146 (continued)

• Allow health care providers to disclose health
  information to a patients family, friend or
  another person identified by the patient and is
  involved in the patients care
• If the patient provides informal permission to do
  so
• If the patient is not able to grant informal
  permission, a health care provider is permitted
  to use his or her professional judgment to
  determine whether disclosing the information is
  in the best interests of the patient and the
  patient would otherwise allow such a disclosure

NOTE DHS doesnt generally deal with this
provision except for the institutions.
17
Why Comply with HIPAA State Confidentiality
Laws?

• Its the law!
• Public expectations that well maintain
  confidentiality of information
• Imposes severe penalties for non-compliance
• Potential withholding of federal Medicaid and
  Medicare funds
• Possible litigation
• Public relations and business risk issues

18
Terms You Should Know

• To understand HIPAA, there are some important
  terms you must know
• They are
• Covered Entity
• Hybrid Entity
• Health Care Component
• Protected Health Information
• Individually Identifiable
• Information

19
Covered Entity

• HIPAA's regulations directly cover three basic
  groups of individual or corporate entities
• Health Care Provider means a provider of medical
  or health services, and entities who furnishes,
  bills, or is paid for health care in the normal
  course of business
• Health Plan means any individual or group that
  provides or pays for the cost of medical care,
  including employee benefit plans
• Healthcare Clearinghouse means an entity that
  either processes or facilitates the processing of
  health information

20
Hybrid Entity

• A Hybrid Entity is
• A single legal entity whose business activities
  include both non-covered and covered functions
  (i.e., as a provider or health plan)
• The hybrid entity is the covered entity
• DHS is a hybrid entity
• The hybrid entity is responsible for ensuring
  that its health care components comply with the
  rules

21
Health Care Component

• A health care component is a component of a
  covered entity that performs covered functions
  that qualify the component as a Health Care
  Provider, Health Plan or Health Care
  Clearinghouse
• DHS is made up of health care components (often
  called covered health care components)

22
What is DHS Responsibility as a Hybrid Entity?

• Identify its covered health care components
• Identify components that act as a business
  associate to covered health care components
• Erect firewalls between covered and non-covered
  components
• Ensure compliance with HIPAA by covered components

23
Who is Covered in DHS?

• Health Care Providers
• Mendota MH Inst.
• Winnebago MH Inst.
• Sand Ridge
• WI Resource Center
• N. WI Center
• Central WI Center
• S. WI Center

24
Who is Covered in DHS?

• Health Plans
• BadgerCare/Plus
• Chronic Disease Program
• Medicaid
• Senior Care
• WI Well-Woman Program
• WI Partnership/PACE Programs
• Family Care

• Healthy Start
• Medical Assistance Purchase Plan
• Community Options Program Waiver
• Community Integration Programs II, 1A 1B
• Brain Injury Waiver Program
• Childrens Long-Term Support Waiver Program

25
What is Protected Health Information (PHI)?

• Name
• Address (geographic subdivisions smaller than a
  State)
• Street address
• City
• County
• Zip code/equivalent geocodes
• E-mail address
• Dates (except years)
• Birth date
• Admission/discharge dates
• Telephone numbers
• Fax numbers
• Social security number
• Medical record number

• Health plan beneficiary number
• Account number
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including
  license plate numbers
• Device identifiers and serial numbers
• URLs
• IP Addresses
• Biometric identifiers
• Full face photographic images
• Any other unique identifier or codes
• Note These are the data elements that need
  to be removed in order for the data to be
  considered de-identified.

26
Individually Identifiable Health Information

• Any information, including demographic
  information collected from an individual, that
• a) Is created or received by a health care
  provider, health plan, employer, or health care
  clearinghouse and
• b) Relates to the past, present, or future
  physical or mental health or condition of an
  individual, the provision of health care to an
  individual, or the past, present, or future
  payment of the provision of health care to an
  individual, and
• (i) Identifies the individual, or
• (ii) With respect to which there is a reasonable
  basis to believe that the information can be used
  to identify the individual

27
Privacy Rule Objectives

• Give individuals more control over their health
  information
• Set boundaries on the use and disclosure of their
  health information
• Establish appropriate safeguards for all people
  who participate or are involved with the
  provision of health care to ensure they honor
  individuals rights to privacy of their PHI
• Hold violators accountable through civil and
  criminal penalties

28
When is it Covered?

• Let me count the ways
• When you use it
• When you disclose it
• When you store it
• When you see it on your computer
• When it is lying on your desk
• When you share it with another health care
  provider
• When you share it with a contracted service
  provider
• When you are talking about it face to face
• When you are talking about it over the phone

29
What is Not Covered?

• De-identified health information
• Information that is de-identified is no longer
  considered to be protected health information,
  and is thus exempt from the other provisions of
  the Privacy HIPAA regulation

30
What is Not Covered? (Continued)

• Means of de-identifying
• Removal of certain identifiers (18 elements) -
  removal of the 18 elements doesnt mean the data
  is considered de-identified. There also must be
  no reasonable basis that the individual may no
  longer be identified.
• Otherwise eliminating, concealing, or completely
  redacting

31
Minimum Necessary Standard

• Who has access to PHI and the need-to-know
  principle
• A covered entity must make reasonable efforts to
  limit the use or disclosure of, and requests for
  PHI to a minimum amount necessary to accomplish
  the intended purpose

32
Minimum Necessary Standard (Continued)

• Does not apply if disclosure is needed
• For treatment (except for s. 51.30 treatment
  record information)
• Pursuant to a clients authorization
• Disclosed to client (clients own information)
• Health oversight activities
• To HHS Secretary (federal)
• As required by law

33
Minimum Necessary Standard (Continued)

• When using, disclosing, or requesting Protected
  Health Information, make reasonable efforts to
  limit PHI to minimum necessary to accomplish
  the purpose
• Do not disclose more than is necessary
• Only share on a need to know basis, even within
  the Department
• Can you de-identify the information and still
  accomplish the purpose?
• Never send the entire medical record unless
  absolutely necessary

34
Uses Disclosures
35
Basic Rule

• A Covered Entity may not use or disclose PHI in
  any form except as authorized by patient or as
  permitted by the regulations
• Prior Rule State law generally governed the
  confidentiality of medical information
• Preemption HIPAA now preempts state
  confidentiality laws unless state laws are
  stricter

36
Use vs. Disclosure

• Use the sharing, employment, application,
  utilization, examination, or analysis of
  Protected Health Information (PHI) within the
  covered health care component that maintains the
  PHI
• Disclosure the release, transfer, provision of
  access to, or divulging in any other manner of
  PHI outside the covered health care component
  holding the information

37
Uses and Disclosures for Treatment, Payment
Health Care Operations (TPO)
38
Treatment

• Provision, coordination or management of health
  care and related services by a health care
  provider
• Coordination and management of health care by a
  health care provider with a third party (e.g.,
  HMOs)
• Consultations among health care providers
• Referrals of patients from one health care
  provider to another

39
Payment

• Activities by a health plan to obtain premiums or
  fulfill obligations for coverage and the
  provision of benefits (e.g., Medicaid
  eligibility)
• Activities by either a provider or a health plan
  to obtain or provide reimbursement (e.g.,
  Medicaid payment of claims provider filing of
  claims)

40
Health Care Operations

• Health care operations support treatment and
  payment activities
• Limited to our operations
• Examples of health care operations
• Quality Improvement
• Review provider qualifications performance
• Medical review, legal audit services
• Business planning development
• Business management general administration

41
Other Permitted Uses Disclosures

• Covered health care components may use or
  disclose PHI without a consent or authorization
  when the use or disclosure comes within one of
  the listed exceptions
• Required by law
• Activities involving public health
• Adult abuse, neglect or domestic violence
• Child abuse or neglect
• Health oversight activities
• Judicial and administrative proceedings (follow
  both state and HIPAA)

42
Other Permitted Uses Disclosures (Continued)

• Law enforcement (follow both state and HIPAA)
• Decedents
• Organ transplants
• Avert serious threat to health or safety
• Other specialized government functions
• Workers Compensation
• Research purposes

43
When are Authorizations Needed?

• For disclosures of PHI for specified purposes
  other than Treatment, Payment, or Health Care
  Operations that are not otherwise allowed under
  the regulations
• For disclosures to third parties specified by the
  client
• For medical research
• For marketing by third party
• To use or disclose psychotherapy notes (also
  required by Wis. Stat. 51.30)

44
Individual Privacy Rights
45
Client Rights Golden Rule

• We should treat health information about others
  as we would want others to treat health
  information about us.
• Privacy has always meant that health information
  must be kept confidential.

46
Individual Privacy Rights

• Individuals (including you) have the right to
• Request to access to their PHI
• Request amendments to their PHI
• Receive an accounting of disclosures of PHI
• Request restrictions on who sees their PHI
• Request confidential communications
• Receive a Notice of Privacy Practices
• File a complaint without fear of retaliation

47
Right to Access

• Client has a right to inspect and copy own
  protected health information in a designated
  record set maintained by its covered entity and
  its business associates
• Right lasts as long as covered entity maintains
  PHI

48
Designated Record Set

• This is information used to make decisions about
  individuals. An individuals access to their PHI
  is limited to the PHI in the designated record
  set.
• For Providers, this includes
• Medical records
• Billing records
• For Health Plans, this includes
• Enrollment, payment, and claims records
• Check with your privacy officer for guidance
  on how to proceed with a request of an
  individuals access to their designated record
  set.

49
Denial of Access (With Opportunity to Review)

• Denial of a clients access to his/her designated
  record set with opportunity for review when in
  the opinion of a licensed health care
  professional that
• Information would endanger life or safety of
  patient or others
• References to others is reasonably likely to
  cause substantial harm to that other person
• Request was made by the clients personal
  representative and access would likely cause
  substantial harm to the client or others
• Check with your supervisor or privacy officer if
  unsure how to handle a denial of access request.

50
Denial of Access (Without Opportunity for Review)

• Denial of a clients access to his/her designated
  record set without opportunity for review
• Psychotherapy notes (Wis. Stat. 51.30 more
  stringent)
• Information compiled for civil, criminal or
  administrative actions
• Inmate request that would jeopardize health or
  safety of inmate or others
• Research that includes treatment
• Information obtained from an anonymous source
  under a promise of confidentiality
• Check with your supervisor or privacy officer if
  unsure how to handle a denial of access request.

51
Amendments to PHI

• Clients have a right to amend any element of
  protected health information (PHI) in the
  designated record sets, for as long as that
  information is maintained by the covered entity
• Entities are not obligated to amend if they
  determine that another entity was the creator of
  information at issue, unless the individual
  provides a reasonable basis to believe that the
  originator is no longer available to act on the
  request

52
Amendments to PHI (Continued)

• In amending a record, the information at issue is
  not deleted. Additional notes are added to
  describe the amendment.
• If an amendment is made, the covered entity must
  make a reasonable attempt to notify those with
  incorrect or incomplete information

53
Accounting of Disclosures

• Covered entities must account per clients
  request, for each non-excepted disclosure made
  during the previous six years
• Accounting must include
• Disclosure date
• Name and address of receiving person or entity
• Brief description of information disclosed
• The accounting must be provided within 60 days of
  request
• Rights last as long as records as maintained

54
Accounting of Disclosures Excepted Disclosures

• A covered entity need not document the following
  disclosures
• For treatment, payment or health care operations
• To individual
• Prior to Privacy Rule compliance date 4/14/03
• To law enforcement, correctional institutions or
  for national security
• Common examples of accounting of disclosures
  requiring documentation
• Public health
• Inadvertent/inappropriate disclosure of PHI

55
Restrictions on PHI

• A covered entity may permit a client to request
  restriction on use or disclosure for
• Treatment, payment, or health care operations
• To relatives or others involved in the care of
• A covered entity is not required to agree, but if
  agrees
• The covered entity must comply with restriction
  until expired

56
Confidential Communications

• Clients right to confidential communications by
  alternative means or at alternative locations
• Should a client be concerned about receiving
  information about their health treatment or
  payment at home, they have the right to request
  that they be contacted only in a specified manner
  such as
• Being called only at work
• Sending communications to another address

This request should be honored if there is any
indication that the disclosure of this
information could endanger the client.
57
Receive a Notice of Privacy Practices

• We must provide a copy of our Notice of Privacy
  Practices to our clients
• Providers at the time of the patients first
  visit
• Health plan at the time of enrollment and every
  three years, beginning after the implementation
  of HIPAA in 2003 (e.g., 2006, 2009 and etc)
• This notice describes the uses and disclosures of
  protected health information that may be made by
  the covered entity, and of the individuals
  rights and the covered entitys legal duties with
  respect to protected health information

58
Right to File a Complaint

• Who may complain?
• Individuals
• Whistleblowers
• Complain about what?
• Privacy policies
• Misuse of PHI
• Denial of access to PHI or amendments to PHI

59
Right to File a Complaint (Continued)

• Who do they complain to?
• Covered entitys Department Privacy Officer
• HHS Secretary (Office of Civil Rights - Federal)
• No retaliation for complaints

60
Business Associate
61
Business Associate

• Business Associate An individual or entity who
  on behalf of DHS
• Performs or assists in performing functions or
  activities involving the use or disclosure of PHI
  or
• Provides certain services to DHS which include
  use or disclosure of PHI by DHS
• Activities must be related to treatment, payment
  or health care operations

62
Business Associate Relationship Tests

• Performs function or activity on a covered
  entitys behalf that involves either creating or
  receiving PHI for or from a covered entity
• Examples of functions includes consulting or
  administrative (or legal, actuarial, accounting,
  data aggregation, management or financial)
  services

63
Business Associate Obligations

• Contracts with a Business Associate require that
  the Business Associate
• Not use or further disclose PHI other than as
• Permitted in the contract or
• As required by law
• Use appropriate security safeguards
• Report any improper use or disclosure of which it
  becomes aware of to the covered entity
• Ensure its agents (including subcontractors)
  agree to the same restrictions as in the contract
• Make available to Federal HHS its internal
  practices and books relating to the use and
  disclosure of PHI.

64
Privacy Security Incidents
65
How Much is Enough? How Much is too Much?

• There are three types of problem disclosures
• Incidental
• Accidental
• Intentional

66
Incidental Disclosures

• If reasonable steps are taken to safeguard a
  clients information and a visitor happens to
  overhear or see PHI that you are using, you will
  not be liable for that disclosure
• Incidental disclosures are going to happeneven
  in the best of circumstances
• An incidental disclosure is not a privacy
  incident. This is not an accountable disclosure.

67
Reasonable Safeguards to Avoid Incidental
Disclosures

• Keep your voice low
• Discuss in a private area as possible in the
  circumstances
• Do not leave PHI or information where others can
  see or access them

68
Reasonable Safeguards to Avoid Incidental
Disclosures (Continued)

• Cover papers and shield computer screens in
  public areas to make them secure as possible.
  Dont allow unauthorized individuals (i.e.,
  visitors, friends, or family members) to view
  your computer screen as you access PHI or other
  confidential information.
• When using a computer, if you need to walk away,
  you should ALWAYS
• Log off OR
• Lock the computer screen (Ctrl-Alt-Del and select
  lock)

69
Reasonable Safeguards to Avoid Incidental
Disclosures (Continued)

• Dont leave documents containing PHI unattended
  in fax machines, printers, or copiers
• When disposing of confidential data, either shred
  or put in locked recycling bin for destruction

70
Accidental Disclosures

• Mistakes happen. If you disclose PHI or
  confidential information to an unauthorized
  person or if you breach the security of
  confidential data
• Acknowledge the mistake and notify your
  supervisor and the Privacy Officer immediately
• Learn from the error, revise procedures to
  prevent from happening again
• Assist in correcting the error only if you are
  instructed to. Dont cover up or try to make
  right by yourself
• Accidental disclosures are Privacy Incidents and
  must be reported to your Privacy Officer
  immediately! This is an accountable disclosure.

71
Examples of Accidental Disclosures

• Sending an email to the wrong person
• Emails sent out externally are not secure unless
  encrypted or secured (more information on this
  later)
• Sending a fax to the wrong number
• Disclosing data to someone who didnt have the
  right to receive it
• Sending information to the wrong address
• Loss of a file containing confidential
  information

72
Intentional Disclosures

• If you ignore the rules and carelessly or
  deliberately use or disclose protected health or
  confidential information, you can expect
• DHS disciplinary action
• Civil and/or criminal charges
• If youre not sure about a use or disclosure,
  check with your supervisor or the Privacy Officer.

73
Examples of Intentional Violations

• Improper use of passwords sharing, posting or
  distributing personal password or account access
  information
• Allowing a co-worker to log-on with your password
  because it provides access to more or different
  security levels your co-worker doesnt have
• Attempting to learn or use another persons
  access information

74
Examples of Intentional Violations (Continued)

• Discussing PHI or confidential information in a
  public area or elevator
• Selling health or personal information or
  inappropriately providing to the news media
• Accessing information that you do not have a
  need to know for your job because of personal
  curiosity or as a favor to someone else

75
When to Report Privacy Security Violations?

• All accidental and intentional violations, known
  and suspected, must be reported immediately to
  your supervisor and privacy officer!
• So they can be investigated and managed
• So they can be prevented from happening again in
  the future
• So damages can be kept to a minimum
• To minimize your personal risk
• Incidental disclosures need not be reported,
  but if youre not sure, report anyway.

76
When to Report Privacy Security Violations?
(Continued)

• In some instances, management may have to notify
  affected parties of lost, stolen, or compromised
  data. If you learn of inappropriate disclosures
• Immediately notify your supervisor and your
  division Privacy Officer!

77
DHS Sanctions for Privacy and Information
Security Violations

• DHS considers it a serious incident anytime a
  privacy or security violation occurs
• HIPAA requires that we monitor information system
  activity which assists in identifying violations
  and that we document all incidents
• Disciplinary/corrective action ranges from
  training/counseling to termination

78
Imposing Compliance

• General Civil Penalty for Failure to Comply
• 100 per person per violation
• 25,000 fine per year for multiple violations
• Not to exceed 25,000 in one calendar year
• YOU can be personally liable

79
Imposing Compliance

• Criminal Penalties (Privacy) - Person who
  knowingly and wrongfully discloses individually
  identifiable health information is subject to
  fines and imprisonment
• Simple offense - Up to 50,000 /or 1 year
  imprisonment
• If committed under false pretenses - Up to
  100,000 /or 5 years imprisonment
• If committed with intent to sell, transfer, or
  use Individual Identifiable Health Information
  for commercial advantage, personal gain, or
  malicious harm - Up to 250,000 /or 10 years
  imprisonment
• Again, YOU can be personally liable

80
Enforcement Agency

• Federal Department of Health and Human Services
  (Office of Civil Rights) will
• Investigate complaints
• Enforce compliance
• Impose civil monetary penalties
• Department of Justice will
• Enforce criminal penalties
• Center for Medicare and Medicaid (CMS) will
• Oversee compliance with the Security Rule,
  Transaction Code Sets and Identifiers

81
Safeguarding PHI/Confidential Information is
Everyones Responsibility

• Protect it at all times
• Do not share it with anyone unless there is a
  need to know or is needed to accomplish your job
• Constantly monitor your actions If I do this,
  will I increase the risk of unauthorized access?
• Only access the minimum amount of PHI needed to
  do your job

82
What Can You Do to Safeguard Confidential
Information?

• Take all reasonable precautions to safeguard
  confidential information including
• Protecting your passwords
• Using strong passwords
• Practicing good email security do not send
  emails containing confidential information
  without protecting
• Preventing viruses
• Storing media securely
• Disposal of confidential paper and media in a
  secure manner
• Practicing good workstation etiquette

83
Protect Your Passwords

• You are responsible for actions taken under your
  user id and passwords
• The Post-It Note can undo the most elaborate
  security measures. Do not post, write or share
  your password with anyone!
• Protect your user id/password from fraudulent
  use, unethical behavior or irresponsible actions
  by others. In other words, dont let someone be
  you and use your user id/password for illegal
  purposes.

84
Passwords Guidance

• Guidelines for good passwords
• Six to eight characters or more
• Minimum of two alpha and one numeric, use of
  special characters is allowed
• Use upper and lower case
• Memorize your password (do not write down on
  paper and post near your computer)

TIP Use a pass-phrase to help you remember
your password such as MbcFi2yo (My brown cat,
Fluffy, is two years old).
85
Email Security

• Email sent over the Internet is unencrypted and
  not secure. Note Email sent to other DHFS email
  addresses is encrypted.
• Do not include confidential information in an
  email message unless it is encrypted. Unsure how
  to do this, contact your Security Officer.
• Confidential information can be sent in a
  password-protected Word document, attached to a
  message
• Use Tools, Options, Save and enter a Password to
  Save (Strong password!)
• Share password via phone or other means

86
Email Security (Continued)

• Confirm recipients addresses when sending
  confidential information to avoid misdirected
  emails DOUBLE-CHECK before sending!
• Include Confidentiality Statement in signature
  block on every email message
• Do not use non-DHS email systems (Yahoo, AOL,
  Hotmail) to send confidential information! Again,
  any confidential information should be protected,
  such as with a password or encryption, if email
  is being used.

87
Viruses

• Certain types of viruses and/or malware can
  compromise confidential information or threaten
  the security of such information, often for
  financial gain
• Viruses are becoming more lethal and
  sophisticated
• Never open an email attachment unless you know
  who sent it to you and why. If in doubt, contact
  the sender of the email and confirm that the
  attachment is safe and valid.
• Do not download files or screensavers

88
Media Storage Disposal

• Store confidential information on network drives,
  not your local hard drive
• Store files/backups containing PHI on portable
  media (disks, tapes) in a locked cabinet or room
• Wipe information on disks or destroy them before
  discarding or recycling
• Deleting does not completely erase data
• Call your Security Officer for assistance if
  unsure how to secure your devices

89
Disposal of Paper Containing Confidential
Information

• Client or confidential information stored on
  paper or computer diskettes should never be
  thrown into an open trash can, BECAUSE, no one
  knows who might end up seeing it once it leaves
  the building
• When discarding paper client or confidential
  information, make sure the information is put in
  the secure bin (in your area) to be destroyed
  later

90
Workstation Security

• Block screen from view of passers-by
• Log-off before leaving a workstation unattended
  this will prevent others from accessing ePHI
  under your user-id and limit access by
  unauthorized users (control-alt-del, select
  lock)
• Secure (lock up) portable devices (laptops,
  PDAs). Do not leave unattended!
• Secure workstations and portable devices when
  outside of normal work areas. This is
  particularly important in public areas and for
  telecommuters.

91
Bottom Line

• Consider the clients perspective and give them
  control over how their information is used. How
  would you feel if it were your information?
• Avoid situations in which the client would object
  to how their information was used or shared
• Implement appropriate security measures to
  maintain the integrity of client data, ensure its
  availability, and keep it confidential
• Be familiar with DHS privacy information
  security policies (http//dhfsweb/security/)

92
DHFS Contacts for Questions on HIPAA

• CAPS Team
• DHFSRESCAPS
• Department Privacy Officer
• Department Security Officer
• Section/Division Contacts
• http//dhfsweb/security/

93
Table of Contents
94
Table of Contents (Continued)
95
Table of Contents (Continued)
96
Table of Contents (Continued)
97
Table of Contents (Continued)
98
Table of Contents (Continued)
99
Table of Contents (Continued)
100
Resources

• http//www.hhs.gov/ocr/hipaa/
• http//www.cms.hhs.gov/home/regsguidance.asp
• http//dhfsweb/security/

101
Thank You!

• This concludes the HIPAA Basics module of the
  course. If you want to let the DHS training
  office know that you completed this module,
  select the DHS Training Complete link below.
  You will need to do this to get credit for taking
  the training. Thank you. Note After clicking
  on this link, a Security Alert window will
  display, select Yes to proceed.
• DHS Training Complete