Title: Welcome to the Wis. Dept. of Health Services Privacy Training
Welcome to the Wis. Dept. of Health Services Privacy Training
- HIPAA Privacy and State Confidentiality Laws Awareness
Why Are You Being Asked to Take This Training?
- You work in a position within DHS that requires you to take HIPAA training because you work with protected health information (PHI)
- The HIPAA Privacy Rule requires covered entities to train their workforce on the HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for DHS
- All DHS employees need to safeguard confidential information
Published Horrors
- Here is why the Privacy Rule is important, as you can see from some examples of recent improper disclosures
- In the biggest loss ever of personal information compiled by state government, a computer disk containing data on 2.9 million Georgians has been lost in shipping. State officials, who blame Dallas-based Affiliated Computer Services for the lost CD, said it contained names, Social Security numbers, birth dates and addresses of people on Medicaid and PeachCare for Kids, but no medical information. (04/07)
Published Horrors
- Data of all American veterans who were discharged since 1975, including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. (5/06)
- Note: The employee was later dismissed.
DHS Commitment to Privacy
- Preserve the privacy of all clients and employees
- Guard the confidentiality of health and confidential information
- Maintain the integrity of all recorded information
- Ensure reasonable safeguards of all electronic information
What is HIPAA? (Health Insurance Portability and Accountability Act 1996)
- Protects the privacy and security of a client's health information
- The HIPAA Privacy Rule is the first enforceable, federally-mandated, comprehensive set of privacy rights and responsibilities
- The Rule demands that healthcare providers and organizations (health plans) paying for healthcare have policies and processes which apply reasonable safeguards to health information
- Provides for electronic and physical security of a patient's health information
What is HIPAA? (Health Insurance Portability and Accountability Act 1996)
- Prevents health care fraud and abuse
- Guarantees health coverage when job changes
- Administrative Simplification
  - Establishes national standards for
    - Electronic (EDI) transactions
    - Security and privacy of health care information
    - Identifiers such as provider, payer and employer
  - Improved efficiency of processing health care information
State Confidentiality Laws
- Wisconsin has enjoyed strong laws and regulations protecting citizens' health information. But in many other states, the state laws were either much less stringent than ours or were not enforced. The Privacy Rule is not intended to replace Wisconsin's or other states' laws. The Privacy Rule doesn't override state laws or policies providing more privacy. The Rule is intended to establish minimum standards of privacy protection. If a state law, regulation, or an agency's policies are more stringent than HIPAA, the more stringent safeguards prevail.
Privacy: Wisconsin Laws
- Wisconsin's confidentiality laws
  - Are similar to HIPAA in several ways
  - Will preempt or override HIPAA if Wisconsin laws are more stringent (i.e., give clients more rights or protections)
  - HIPAA provides a floor but not a ceiling: more stringent state laws are not pre-empted
- Wisconsin's identity theft laws (Wis. Stat. 895.507)
  - Require that individuals be notified if the security of their confidential information has been breached
Wisconsin Confidentiality Laws
What does Wis. Stat. 146.82 Cover?
- Protects the confidentiality of patient health care records and provides
  - Requirements for informed consent to release information from patient health care records
  - Exceptions that permit release of information without written informed consent
What does Wis. Stat. 51.30 & HFS 92 Cover?
- Protects the confidentiality of all records that are created in the course of providing services to individuals for mental health services, developmental disabilities, alcoholism or drug dependence and provides
  - Requirements for informed consent to release information from treatment records
  - Exceptions that permit release of information without written informed consent
  - Requirements for access by the clients, parents, guardians, etc.
  - Processes and penalties for violations of the law
- HFS 92 further operationalizes s. 51.30
What Does Wis. Stat. 252.15 Cover?
- Restricts use of test results for HIV
- Written consent is needed to disclose a person's test results
2008 State Confidentiality Law Changes: Wis. Stat. 51.30
- Changes effective October 1, 2008
- The list of elements that may be exchanged without the patient's consent was expanded to include diagnostics and symptoms
- Removal of the "within a related health care entity" limitation (s. 51.30(4)(b)8G) so that health care information can be shared with any provider who is involved in the patient's care and needs the information to treat the patient
2008 State Confidentiality Law Changes: Wis. Stat. 146
- Changes effective April 1, 2008
- Eliminates the requirement to document all disclosures. Health care providers will still be required to document disclosures as required by HIPAA.
- Allows general health information to be exchanged with any health care provider who is involved with the patient's care. In the past, Chapter 146 of Wisconsin law prohibited health care providers who received general patient health care information from providers outside their institution from disclosing the same information to a subsequent provider.
2008 State Confidentiality Law Changes: Wis. Stat. 146 (continued)
- Allows health care providers to disclose health information to a patient's family, friend or another person identified by the patient who is involved in the patient's care
  - If the patient provides informal permission to do so
  - If the patient is not able to grant informal permission, a health care provider is permitted to use his or her professional judgment to determine whether disclosing the information is in the best interests of the patient and the patient would otherwise allow such a disclosure
NOTE: DHS doesn't generally deal with this provision except for the institutions.
Why Comply with HIPAA & State Confidentiality Laws?
- It's the law!
- Public expectations that we'll maintain confidentiality of information
- Imposes severe penalties for non-compliance
- Potential withholding of federal Medicaid and Medicare funds
- Possible litigation
- Public relations and business risk issues
Terms You Should Know
- To understand HIPAA, there are some important terms you must know
- They are
  - Covered Entity
  - Hybrid Entity
  - Health Care Component
  - Protected Health Information
  - Individually Identifiable Information
Covered Entity
- HIPAA's regulations directly cover three basic groups of individual or corporate entities
  - Health Care Provider means a provider of medical or health services, and an entity that furnishes, bills, or is paid for health care in the normal course of business
  - Health Plan means any individual or group that provides or pays for the cost of medical care, including employee benefit plans
  - Healthcare Clearinghouse means an entity that either processes or facilitates the processing of health information
Hybrid Entity
- A Hybrid Entity is
  - A single legal entity whose business activities include both non-covered and covered functions (i.e., as a provider or health plan)
- The hybrid entity is the covered entity
- DHS is a hybrid entity
- The hybrid entity is responsible for ensuring that its health care components comply with the rules
Health Care Component
- A health care component is a component of a covered entity that performs covered functions that qualify the component as a Health Care Provider, Health Plan or Health Care Clearinghouse
- DHS is made up of health care components (often called covered health care components)
What is DHS's Responsibility as a Hybrid Entity?
- Identify its covered health care components
- Identify components that act as a business associate to covered health care components
- Erect firewalls between covered and non-covered components
- Ensure compliance with HIPAA by covered components
Who is Covered in DHS?
- Health Care Providers
  - Mendota MH Inst.
  - Winnebago MH Inst.
  - Sand Ridge
  - WI Resource Center
  - N. WI Center
  - Central WI Center
  - S. WI Center
Who is Covered in DHS?
- Health Plans
  - BadgerCare/Plus
  - Chronic Disease Program
  - Medicaid
  - Senior Care
  - WI Well-Woman Program
  - WI Partnership/PACE Programs
  - Family Care
  - Healthy Start
  - Medical Assistance Purchase Plan
  - Community Options Program Waiver
  - Community Integration Programs II, 1A 1B
  - Brain Injury Waiver Program
  - Children's Long-Term Support Waiver Program
What is Protected Health Information (PHI)?
- Name
- Address (geographic subdivisions smaller than a State)
  - Street address
  - City
  - County
  - Zip code/equivalent geocodes
- E-mail address
- Dates (except years)
  - Birth date
  - Admission/discharge dates
- Telephone numbers
- Fax numbers
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs
- IP Addresses
- Biometric identifiers
- Full face photographic images
- Any other unique identifier or codes
- Note: These are the data elements that need to be removed in order for the data to be considered de-identified.
Individually Identifiable Health Information
- Any information, including demographic information collected from an individual, that
  - a) Is created or received by a health care provider, health plan, employer, or health care clearinghouse and
  - b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
    - (i) Identifies the individual, or
    - (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual
Privacy Rule Objectives
- Give individuals more control over their health information
- Set boundaries on the use and disclosure of their health information
- Establish appropriate safeguards for all people who participate or are involved with the provision of health care to ensure they honor individuals' rights to privacy of their PHI
- Hold violators accountable through civil and criminal penalties
When is it Covered?
- Let me count the ways
  - When you use it
  - When you disclose it
  - When you store it
  - When you see it on your computer
  - When it is lying on your desk
  - When you share it with another health care provider
  - When you share it with a contracted service provider
  - When you are talking about it face to face
  - When you are talking about it over the phone
What is Not Covered?
- De-identified health information
- Information that is de-identified is no longer considered to be protected health information, and is thus exempt from the other provisions of the HIPAA Privacy regulation
What is Not Covered? (Continued)
- Means of de-identifying
  - Removal of certain identifiers (18 elements). Removal of the 18 elements alone doesn't mean the data is considered de-identified: there must also be no reasonable basis to believe that the individual can still be identified.
  - Otherwise eliminating, concealing, or completely redacting
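The two de-identification points above (the 18 identifier elements listed under "What is Protected Health Information" and the "no reasonable basis" test on this slide) are easier to see as a working check. The following Python is an added illustration, not DHS code or procedure: it strips the listed identifier fields from a structured record, keeps only the year of any date, and then scans the free text that remains for identifier patterns, because removing the named fields alone does not make a record de-identified. The field names, the regular expressions and the sample record are all constructed for this example.

```python
"""Safe Harbor style de-identification check (added illustration, not DHS code)."""
import re
from datetime import date

# Field names assumed for this example, one per identifier category on the PHI slide.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "email", "phone", "fax",
    "ssn", "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
}
# Date fields are reduced to the year, the one date element the slide lets stay.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Patterns for identifiers that commonly survive inside free-text fields.
# The zip pattern deliberately flags any five-digit run; a reviewer decides.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def residual_identifiers(text: str) -> list[str]:
    """Return the identifier categories whose pattern appears in free text."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Drop identifier fields, keep only years of dates, flag residual identifiers.

    Returns (cleaned record, findings). Free-text fields are scanned, not
    rewritten, so the findings list tells a reviewer whether a reasonable
    basis to identify the individual still exists.
    """
    cleaned: dict = {}
    findings: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if field in DATE_FIELDS:
            # Accept date objects or ISO-formatted strings; keep only the year.
            year = value.year if isinstance(value, date) else int(str(value)[:4])
            cleaned[field.replace("_date", "_year")] = year
            continue
        if isinstance(value, str):
            findings.extend(f"{field}: {hit}" for hit in residual_identifiers(value))
        cleaned[field] = value
    return cleaned, findings


# Constructed sample record; not real data.
SAMPLE = {
    "name": "Jane Doe",
    "street_address": "123 Main St",
    "city": "Madison",
    "zip": "53703",
    "birth_date": "1980-05-17",
    "admission_date": date(2008, 3, 2),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient can be reached at 608-555-0100; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    cleaned, findings = deidentify(SAMPLE)
    print(cleaned)
    print("residual identifiers:", findings)
```

On the sample, the name, address and zip fields are gone and the dates survive only as years, but the notes field still carries a phone number and an SSN, so the record is not yet de-identified; that is exactly the second test the slide describes.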
Minimum Necessary Standard
- Who has access to PHI and the need-to-know principle
- A covered entity must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose
Minimum Necessary Standard (Continued)
- Does not apply if disclosure is needed
  - For treatment (except for s. 51.30 treatment record information)
  - Pursuant to a client's authorization
  - Disclosed to the client (client's own information)
  - Health oversight activities
  - To the HHS Secretary (federal)
  - As required by law
Minimum Necessary Standard (Continued)
- When using, disclosing, or requesting Protected Health Information, make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose
- Do not disclose more than is necessary
- Only share on a need-to-know basis, even within the Department
- Can you de-identify the information and still accomplish the purpose?
- Never send the entire medical record unless absolutely necessary
Uses & Disclosures
Basic Rule
- A Covered Entity may not use or disclose PHI in any form except as authorized by the patient or as permitted by the regulations
- Prior Rule: State law generally governed the confidentiality of medical information
- Preemption: HIPAA now preempts state confidentiality laws unless state laws are stricter
Use vs. Disclosure
- Use: the sharing, employment, application, utilization, examination, or analysis of Protected Health Information (PHI) within the covered health care component that maintains the PHI
- Disclosure: the release, transfer, provision of access to, or divulging in any other manner of PHI outside the covered health care component holding the information
Uses and Disclosures for Treatment, Payment & Health Care Operations (TPO)
Treatment
- Provision, coordination or management of health care and related services by a health care provider
- Coordination and management of health care by a health care provider with a third party (e.g., HMOs)
- Consultations among health care providers
- Referrals of patients from one health care provider to another
Payment
- Activities by a health plan to obtain premiums or fulfill obligations for coverage and the provision of benefits (e.g., Medicaid eligibility)
- Activities by either a provider or a health plan to obtain or provide reimbursement (e.g., Medicaid payment of claims, provider filing of claims)
Health Care Operations
- Health care operations support treatment and payment activities
- Limited to our operations
- Examples of health care operations
  - Quality Improvement
  - Review provider qualifications & performance
  - Medical review, legal & audit services
  - Business planning & development
  - Business management & general administration
Other Permitted Uses & Disclosures
- Covered health care components may use or disclose PHI without a consent or authorization when the use or disclosure comes within one of the listed exceptions
  - Required by law
  - Activities involving public health
  - Adult abuse, neglect or domestic violence
  - Child abuse or neglect
  - Health oversight activities
  - Judicial and administrative proceedings (follow both state and HIPAA)
Other Permitted Uses & Disclosures (Continued)
- Law enforcement (follow both state and HIPAA)
- Decedents
- Organ transplants
- Avert serious threat to health or safety
- Other specialized government functions
- Workers' Compensation
- Research purposes
When are Authorizations Needed?
- For disclosures of PHI for specified purposes other than Treatment, Payment, or Health Care Operations that are not otherwise allowed under the regulations
- For disclosures to third parties specified by the client
- For medical research
- For marketing by a third party
- To use or disclose psychotherapy notes (also required by Wis. Stat. 51.30)
Individual Privacy Rights
Client Rights: Golden Rule
- We should treat health information about others as we would want others to treat health information about us.
- Privacy has always meant that health information must be kept confidential.
Individual Privacy Rights
- Individuals (including you) have the right to
  - Request access to their PHI
  - Request amendments to their PHI
  - Receive an accounting of disclosures of PHI
  - Request restrictions on who sees their PHI
  - Request confidential communications
  - Receive a Notice of Privacy Practices
  - File a complaint without fear of retaliation
Right to Access
- A client has a right to inspect and copy their own protected health information in a designated record set maintained by the covered entity and its business associates
- The right lasts as long as the covered entity maintains the PHI
Designated Record Set
- This is information used to make decisions about individuals. An individual's access to their PHI is limited to the PHI in the designated record set.
- For Providers, this includes
  - Medical records
  - Billing records
- For Health Plans, this includes
  - Enrollment, payment, and claims records
- Check with your privacy officer for guidance on how to proceed with a request for an individual's access to their designated record set.
Denial of Access (With Opportunity to Review)
- Denial of a client's access to his/her designated record set, with opportunity for review, when in the opinion of a licensed health care professional
  - The information would endanger the life or safety of the patient or others
  - References to others are reasonably likely to cause substantial harm to that other person
  - The request was made by the client's personal representative and access would likely cause substantial harm to the client or others
- Check with your supervisor or privacy officer if unsure how to handle a denial of access request.
Denial of Access (Without Opportunity for Review)
- Denial of a client's access to his/her designated record set without opportunity for review
  - Psychotherapy notes (Wis. Stat. 51.30 is more stringent)
  - Information compiled for civil, criminal or administrative actions
  - Inmate request that would jeopardize the health or safety of the inmate or others
  - Research that includes treatment
  - Information obtained from an anonymous source under a promise of confidentiality
- Check with your supervisor or privacy officer if unsure how to handle a denial of access request.
Amendments to PHI
- Clients have a right to amend any element of protected health information (PHI) in the designated record sets, for as long as that information is maintained by the covered entity
- Entities are not obligated to amend if they determine that another entity was the creator of the information at issue, unless the individual provides a reasonable basis to believe that the originator is no longer available to act on the request
Amendments to PHI (Continued)
- In amending a record, the information at issue is not deleted. Additional notes are added to describe the amendment.
- If an amendment is made, the covered entity must make a reasonable attempt to notify those with incorrect or incomplete information
Accounting of Disclosures
- Covered entities must account, per the client's request, for each non-excepted disclosure made during the previous six years
- The accounting must include
  - Disclosure date
  - Name and address of the receiving person or entity
  - Brief description of the information disclosed
- The accounting must be provided within 60 days of the request
- Rights last as long as records are maintained
Accounting of Disclosures: Excepted Disclosures
- A covered entity need not document the following disclosures
  - For treatment, payment or health care operations
  - To the individual
  - Prior to the Privacy Rule compliance date, 4/14/03
  - To law enforcement, correctional institutions or for national security
- Common examples of accounting of disclosures requiring documentation
  - Public health
  - Inadvertent/inappropriate disclosure of PHI
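The two accounting slides above describe a small, well-defined procedure: take the disclosure log, keep the non-excepted disclosures from the six years before the request, and return each one with its date, recipient name and address and a brief description, within 60 days. The Python below is an added illustration of that procedure, not DHS's records system; the excepted purposes, the six-year lookback, the 60-day deadline and the 4/14/03 compliance date come from the slides, while the `Disclosure` record layout, the purpose labels and the sample log entries are constructed for this example.

```python
"""Accounting of disclosures (added illustration, not DHS's system)."""
from dataclasses import dataclass
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)   # Privacy Rule compliance date from the slide
LOOKBACK_YEARS = 6                    # "previous six years"
RESPONSE_DEADLINE_DAYS = 60           # "within 60 days of request"

# Purposes the slides list as not needing to appear in the accounting.
# The labels themselves are assumed for this example.
EXCEPTED_PURPOSES = {
    "treatment", "payment", "operations",            # TPO
    "to_individual",                                 # disclosed to the client
    "law_enforcement", "correctional", "national_security",
}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str      # name of the receiving person or entity
    address: str
    description: str    # brief description of the information disclosed
    purpose: str        # e.g. "public_health", "treatment", "inadvertent"


def window_start(requested_on: date) -> date:
    """Start of the six-year lookback; a Feb 29 request falls back to Feb 28."""
    try:
        return requested_on.replace(year=requested_on.year - LOOKBACK_YEARS)
    except ValueError:
        return requested_on.replace(year=requested_on.year - LOOKBACK_YEARS, day=28)


def accountable(d: Disclosure, requested_on: date) -> bool:
    """True if the disclosure must appear in an accounting requested on requested_on."""
    if d.purpose in EXCEPTED_PURPOSES:
        return False
    if d.when < COMPLIANCE_DATE:       # pre-compliance-date disclosures are excepted
        return False
    return window_start(requested_on) <= d.when <= requested_on


def accounting_of_disclosures(log, requested_on: date):
    """Return (entries for the client, date the accounting is due)."""
    entries = [
        {
            "date": d.when.isoformat(),
            "recipient": d.recipient,
            "address": d.address,
            "description": d.description,
        }
        for d in sorted(log, key=lambda d: d.when)
        if accountable(d, requested_on)
    ]
    return entries, requested_on + timedelta(days=RESPONSE_DEADLINE_DAYS)


# Constructed sample log; names and addresses are not real.
SAMPLE_LOG = [
    Disclosure(date(2002, 6, 1), "County Health Dept", "1 Main St, Madison WI",
               "immunization record", "public_health"),      # before compliance date
    Disclosure(date(2004, 9, 15), "Dr. A. Smith", "2 Oak Ave, Madison WI",
               "lab results", "treatment"),                  # TPO, excepted
    Disclosure(date(2005, 1, 10), "State Epidemiology Unit", "3 Elm St, Madison WI",
               "TB case report", "public_health"),           # accountable
    Disclosure(date(2008, 11, 3), "Unknown fax recipient", "unknown",
               "discharge summary sent to wrong number", "inadvertent"),  # accountable
    Disclosure(date(2009, 2, 20), "Client", "client's home address",
               "copy of own record", "to_individual"),       # to the individual, excepted
]

if __name__ == "__main__":
    entries, due = accounting_of_disclosures(SAMPLE_LOG, date(2009, 6, 1))
    for e in entries:
        print(e)
    print("due by", due)
```

For a request dated 1 June 2009 the sample yields two entries (the public health report and the misdirected fax) and a due date of 31 July 2009; the treatment disclosure, the copy given to the client and the 2002 disclosure are all excepted.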
Restrictions on PHI
- A covered entity may permit a client to request a restriction on use or disclosure for
  - Treatment, payment, or health care operations
  - To relatives or others involved in the client's care
- A covered entity is not required to agree, but if it agrees
  - The covered entity must comply with the restriction until it expires
Confidential Communications
- Client's right to confidential communications by alternative means or at alternative locations
- Should a client be concerned about receiving information about their health treatment or payment at home, they have the right to request that they be contacted only in a specified manner, such as
  - Being called only at work
  - Sending communications to another address
- This request should be honored if there is any indication that the disclosure of this information could endanger the client.
Receive a Notice of Privacy Practices
- We must provide a copy of our Notice of Privacy Practices to our clients
  - Providers: at the time of the patient's first visit
  - Health plan: at the time of enrollment and every three years, beginning after the implementation of HIPAA in 2003 (e.g., 2006, 2009, etc.)
- This notice describes the uses and disclosures of protected health information that may be made by the covered entity, and the individual's rights and the covered entity's legal duties with respect to protected health information
Right to File a Complaint
- Who may complain?
  - Individuals
  - Whistleblowers
- Complain about what?
  - Privacy policies
  - Misuse of PHI
  - Denial of access to PHI or amendments to PHI
Right to File a Complaint (Continued)
- Who do they complain to?
  - Covered entity's Department Privacy Officer
  - HHS Secretary (Office of Civil Rights - Federal)
- No retaliation for complaints
Business Associate
Business Associate
- Business Associate: An individual or entity who, on behalf of DHS
  - Performs or assists in performing functions or activities involving the use or disclosure of PHI, or
  - Provides certain services to DHS which include use or disclosure of PHI by DHS
- Activities must be related to treatment, payment or health care operations
Business Associate Relationship Tests
- Performs a function or activity on a covered entity's behalf that involves either creating or receiving PHI for or from a covered entity
- Examples of functions include consulting or administrative (or legal, actuarial, accounting, data aggregation, management or financial) services
Business Associate Obligations
- Contracts with a Business Associate require that the Business Associate
  - Not use or further disclose PHI other than as
    - Permitted in the contract, or
    - Required by law
  - Use appropriate security safeguards
  - Report any improper use or disclosure of which it becomes aware to the covered entity
  - Ensure its agents (including subcontractors) agree to the same restrictions as in the contract
  - Make available to Federal HHS its internal practices and books relating to the use and disclosure of PHI.
Privacy & Security Incidents
How Much is Enough? How Much is too Much?
- There are three types of problem disclosures
  - Incidental
  - Accidental
  - Intentional
Incidental Disclosures
- If reasonable steps are taken to safeguard a client's information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure
- Incidental disclosures are going to happen, even in the best of circumstances
- An incidental disclosure is not a privacy incident. This is not an accountable disclosure.
Reasonable Safeguards to Avoid Incidental Disclosures
- Keep your voice low
- Discuss in as private an area as possible in the circumstances
- Do not leave PHI or information where others can see or access it
Reasonable Safeguards to Avoid Incidental Disclosures (Continued)
- Cover papers and shield computer screens in public areas to make them as secure as possible. Don't allow unauthorized individuals (i.e., visitors, friends, or family members) to view your computer screen as you access PHI or other confidential information.
- When using a computer, if you need to walk away, you should ALWAYS
  - Log off, OR
  - Lock the computer screen (Ctrl-Alt-Del and select Lock)
Reasonable Safeguards to Avoid Incidental Disclosures (Continued)
- Don't leave documents containing PHI unattended in fax machines, printers, or copiers
- When disposing of confidential data, either shred it or put it in a locked recycling bin for destruction
Accidental Disclosures
- Mistakes happen. If you disclose PHI or confidential information to an unauthorized person or if you breach the security of confidential data
  - Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately
  - Learn from the error; revise procedures to prevent it from happening again
  - Assist in correcting the error only if you are instructed to. Don't cover up or try to make it right by yourself
- Accidental disclosures are Privacy Incidents and must be reported to your Privacy Officer immediately! This is an accountable disclosure.
Examples of Accidental Disclosures
- Sending an email to the wrong person
  - Emails sent out externally are not secure unless encrypted or secured (more information on this later)
- Sending a fax to the wrong number
- Disclosing data to someone who didn't have the right to receive it
- Sending information to the wrong address
- Loss of a file containing confidential information
Intentional Disclosures
- If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect
  - DHS disciplinary action
  - Civil and/or criminal charges
- If you're not sure about a use or disclosure, check with your supervisor or the Privacy Officer.
Examples of Intentional Violations
- Improper use of passwords: sharing, posting or distributing personal password or account access information
- Allowing a co-worker to log on with your password because it provides access to more or different security levels your co-worker doesn't have
- Attempting to learn or use another person's access information
Examples of Intentional Violations (Continued)
- Discussing PHI or confidential information in a public area or elevator
- Selling health or personal information or inappropriately providing it to the news media
- Accessing information that you do not have a need to know for your job, because of personal curiosity or as a favor to someone else
When to Report Privacy & Security Violations?
- All accidental and intentional violations, known and suspected, must be reported immediately to your supervisor and privacy officer!
  - So they can be investigated and managed
  - So they can be prevented from happening again in the future
  - So damages can be kept to a minimum
  - To minimize your personal risk
- Incidental disclosures need not be reported, but if you're not sure, report anyway.
When to Report Privacy & Security Violations? (Continued)
- In some instances, management may have to notify affected parties of lost, stolen, or compromised data. If you learn of inappropriate disclosures
  - Immediately notify your supervisor and your division Privacy Officer!
DHS Sanctions for Privacy and Information Security Violations
- DHS considers it a serious incident anytime a privacy or security violation occurs
- HIPAA requires that we monitor information system activity, which assists in identifying violations, and that we document all incidents
- Disciplinary/corrective action ranges from training/counseling to termination
Imposing Compliance
- General Civil Penalty for Failure to Comply
  - $100 per person per violation
  - $25,000 fine per year for multiple violations
  - Not to exceed $25,000 in one calendar year
- YOU can be personally liable
Imposing Compliance
- Criminal Penalties (Privacy): A person who knowingly and wrongfully discloses individually identifiable health information is subject to fines and imprisonment
  - Simple offense: up to $50,000 and/or 1 year imprisonment
  - If committed under false pretenses: up to $100,000 and/or 5 years imprisonment
  - If committed with intent to sell, transfer, or use Individually Identifiable Health Information for commercial advantage, personal gain, or malicious harm: up to $250,000 and/or 10 years imprisonment
- Again, YOU can be personally liable
Enforcement Agency
- The Federal Department of Health and Human Services (Office of Civil Rights) will
  - Investigate complaints
  - Enforce compliance
  - Impose civil monetary penalties
- The Department of Justice will
  - Enforce criminal penalties
- The Centers for Medicare and Medicaid Services (CMS) will
  - Oversee compliance with the Security Rule, Transaction Code Sets and Identifiers
Safeguarding PHI/Confidential Information is Everyone's Responsibility
- Protect it at all times
- Do not share it with anyone unless there is a need to know or it is needed to accomplish your job
- Constantly monitor your actions: If I do this, will I increase the risk of unauthorized access?
- Only access the minimum amount of PHI needed to do your job
What Can You Do to Safeguard Confidential Information?
- Take all reasonable precautions to safeguard confidential information, including
  - Protecting your passwords
  - Using strong passwords
  - Practicing good email security: do not send emails containing confidential information without protecting them
  - Preventing viruses
  - Storing media securely
  - Disposing of confidential paper and media in a secure manner
  - Practicing good workstation etiquette
Protect Your Passwords
- You are responsible for actions taken under your user id and passwords
- The Post-It Note can undo the most elaborate security measures. Do not post, write or share your password with anyone!
- Protect your user id/password from fraudulent use, unethical behavior or irresponsible actions by others. In other words, don't let someone be you and use your user id/password for illegal purposes.
Password Guidance
- Guidelines for good passwords
  - Six to eight characters or more
  - Minimum of two alpha and one numeric; use of special characters is allowed
  - Use upper and lower case
  - Memorize your password (do not write it down on paper and post it near your computer)
- TIP: Use a pass-phrase to help you remember your password, such as MbcFi2yo (My brown cat, Fluffy, is two years old).
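The password guidelines and the pass-phrase tip above can both be checked mechanically. The Python below is an added illustration, not a DHS tool: `check_password` reports which of the slide's rules a candidate fails (at least six characters, at least two letters and one digit, both upper and lower case, with special characters allowed), and `passphrase_to_password` derives a password from a pass-phrase the way the tip does, taking the first character of each word and turning a number word into its digit. The function names, the rule labels and the candidate passwords are constructed for this example; the slide's own pass-phrase is used to confirm the derivation.

```python
"""Checker for the slide's password guidelines (added illustration, not a DHS tool)."""
import string

MIN_LENGTH = 6      # "six to eight characters or more": six is the floor
MIN_LETTERS = 2     # "minimum of two alpha"
MIN_DIGITS = 1      # "and one numeric"

# Number words the pass-phrase tip turns into digits ("two" -> "2").
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def check_password(pw: str) -> list[str]:
    """Return the guideline violations for pw; an empty list means it passes.

    Special characters are allowed by the slide, so nothing rejects them.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isalpha() for c in pw) < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append("no digit")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case")
    return problems


def passphrase_to_password(phrase: str) -> str:
    """Derive a password from a pass-phrase as the slide's tip does.

    First character of each word, keeping its case; a word that is a number
    word becomes its digit; punctuation attached to a word is ignored.
    """
    out = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        if not core:
            continue
        out.append(NUMBER_WORDS.get(core.lower(), core[0]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed candidates plus the slide's own example.
    for candidate in ["password", "Ab1", "Fluffy2!",
                      passphrase_to_password("My brown cat, Fluffy, is two years old")]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Running it shows that "password" fails on two counts (no digit, no upper case), "Ab1" is too short, and the slide's pass-phrase produces MbcFi2yo, which passes every rule.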
Email Security
- Email sent over the Internet is unencrypted and not secure. Note: Email sent to other DHFS email addresses is encrypted.
- Do not include confidential information in an email message unless it is encrypted. If unsure how to do this, contact your Security Officer.
- Confidential information can be sent in a password-protected Word document attached to a message
  - Use Tools, Options, Save and enter a Password to Save (strong password!)
  - Share the password via phone or other means
Email Security (Continued)
- Confirm recipients' addresses when sending confidential information to avoid misdirected emails: DOUBLE-CHECK before sending!
- Include a Confidentiality Statement in the signature block on every email message
- Do not use non-DHS email systems (Yahoo, AOL, Hotmail) to send confidential information! Again, any confidential information should be protected, such as with a password or encryption, if email is being used.
Viruses
- Certain types of viruses and/or malware can compromise confidential information or threaten the security of such information, often for financial gain
- Viruses are becoming more lethal and sophisticated
- Never open an email attachment unless you know who sent it to you and why. If in doubt, contact the sender of the email and confirm that the attachment is safe and valid.
- Do not download files or screensavers
Media Storage & Disposal
- Store confidential information on network drives, not your local hard drive
- Store files/backups containing PHI on portable media (disks, tapes) in a locked cabinet or room
- Wipe information on disks or destroy them before discarding or recycling
  - Deleting does not completely erase data
- Call your Security Officer for assistance if unsure how to secure your devices
Disposal of Paper Containing Confidential Information
- Client or confidential information stored on paper or computer diskettes should never be thrown into an open trash can, because no one knows who might end up seeing it once it leaves the building
- When discarding paper client or confidential information, make sure the information is put in the secure bin (in your area) to be destroyed later
Workstation Security
- Block the screen from the view of passers-by
- Log off before leaving a workstation unattended; this will prevent others from accessing ePHI under your user-id and limit access by unauthorized users (Ctrl-Alt-Del, select Lock)
- Secure (lock up) portable devices (laptops, PDAs). Do not leave them unattended!
- Secure workstations and portable devices when outside of normal work areas. This is particularly important in public areas and for telecommuters.
Bottom Line
- Consider the client's perspective and give them control over how their information is used. How would you feel if it were your information?
- Avoid situations in which the client would object to how their information was used or shared
- Implement appropriate security measures to maintain the integrity of client data, ensure its availability, and keep it confidential
- Be familiar with DHS privacy & information security policies (http://dhfsweb/security/)
DHFS Contacts for Questions on HIPAA
- CAPS Team
  - DHFSRESCAPS
- Department Privacy Officer
- Department Security Officer
- Section/Division Contacts
- http://dhfsweb/security/
Resources
- http://www.hhs.gov/ocr/hipaa/
- http://www.cms.hhs.gov/home/regsguidance.asp
- http://dhfsweb/security/
Thank You!
- This concludes the HIPAA Basics module of the course. If you want to let the DHS training office know that you completed this module, select the DHS Training Complete link below. You will need to do this to get credit for taking the training. Thank you. Note: After clicking on this link, a Security Alert window will display; select Yes to proceed.
- DHS Training Complete