GBMC HIPAA Compliance Program - PowerPoint PPT Presentation

Title: GBMC HIPAA Compliance Program
Slides: 30
Provided by: GBMC8

Transcript and Presenter's Notes
1
GBMC HIPAA Compliance Program

2
HIPAA Requires
  • Standards for Electronic Transactions and Code
    Sets
      • Compliance Date: October 16, 2003
      • Enforced by the Centers for Medicare & Medicaid
        Services (CMS)
  • Standards for Privacy of Individually
    Identifiable Health Information
      • Compliance Date: April 14, 2003
      • Enforced by the Office for Civil Rights (OCR)
  • Standards for Security of Electronic Protected
    Health Information
      • Compliance Date: April 20, 2005
      • Enforced by the Centers for Medicare & Medicaid
        Services (CMS)

3
Diagram of the HIPAA Statute (figure not
reproduced; visible labels: Security, Code Sets)
4
Training Focus
The training that you are receiving today will
focus on learning what responsibilities you have
in order to ensure GBMC complies with the HIPAA
Privacy and HIPAA Security Regulations. The
following topics will be covered:
  • HIPAA PRIVACY
  • HIPAA SECURITY
5
HIPAA Privacy
The Privacy Rule:
  • Protects information known as PROTECTED HEALTH
    INFORMATION (PHI) that exists in written, oral,
    and electronic formats.

Protected Health Information
6
HIPAA Privacy
Examples of PHI (the identifiers listed in the
Privacy Rule's de-identification standard,
45 CFR 164.514(b)):
  • Name
  • Geographic data smaller than a state: Street
    Address, City, Zip Code, Precinct
  • Dates directly related to an individual: Birth
    Date, Admission Date, Discharge Date, Date of
    Death
  • Telephone Number
  • Fax Number
  • Electronic mail address
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate/License Number
  • Vehicle Identifiers and Serial Numbers, including
    License Plate Number
  • Device Identifier and Serial Number
  • Web Universal Resource Locator (URL)
  • Internet Protocol (IP) Address
  • Biometric Identifiers (e.g. fingerprints)
  • Full Face Photographic Images
  • Any Other Unique Identifying Number,
    Characteristic, or Code

Protected Health Information
7
HIPAA Privacy
The Privacy Rule:
  • Limits the way in which members of the GBMC
    workforce may use and disclose (release) PHI.
    GBMC workforce must have a job-related reason to
    use and/or disclose PHI.
  • Requires that all GBMC workforce use only the
    minimum amount of PHI necessary to get the job
    done. This is what HIPAA defines as the MINIMUM
    NECESSARY Standard.

Workforce means employees, volunteers,
trainees, and other persons who conduct work for
GBMC and are under the direct control of GBMC,
whether or not they are paid by GBMC.
Minimum Necessary
8

  • Annual Acknowledgment of the Minimum Necessary
    Standard
  • Every year, employees affirm their commitment to
    this standard by electronically signing the GBMC
    Code of Business Ethics Acknowledgment,
    Confidentiality of Information Agreement, and
    Appropriate Use Agreement.
  • Failure to comply with this standard will lead to
    disciplinary action, up to and including
    termination.

Minimum Necessary
9
  • Minimum Necessary Scenarios
  • A patient whom I cared for in the ICU was
    transferred to a medical unit. May I look in the
    patient's record to see how she is doing? May I
    call the unit and talk to the nurse who is now
    caring for her?
  • As much as this may reflect your compassion and
    concern for patients whom you have taken care of
    in the past, you may not inquire into her status
    unless there is a job-related reason. For
    example, if you have to complete a note in her
    record after she has left your unit, you may
    access her record to complete your note.

Minimum Necessary
10
  • Minimum Necessary Scenarios
  • I am a unit clerk. While I was working night
    shift, a nurse named Mary became very ill.
    Another nurse named Alice transported Mary to the
    Emergency Dept (ED) and described for the nursing
    staff in the ED what symptoms Mary had complained
    of having. Alice was thanked for her assistance
    and told that she could return to her floor. Later
    that evening, I walked by Alice while she was on
    the computer and she called me over. She had
    Mary's lab results up on her screen. Can she do
    this?
  • No, Alice should not look at this information.
    She has violated the minimum necessary standard.
    Such a violation is punishable up to and including
    termination.

Minimum Necessary
11
HIPAA Privacy
The Privacy Rule:
  • Provides patients with certain rights; these
    rights are commonly referred to as the PATIENT
    PRIVACY RIGHTS.
  • These rights are communicated to the patient in
    the Notice of Privacy Practices.
  • If a patient wishes to exercise any of these
    Patient Privacy Rights (which are outlined on the
    next slide), they must do so in writing. You
    should contact the Medical Records - Correspondence
    Department (443-849-2274) for the correct forms.

Patient Rights
12
HIPAA Privacy
The Patient Privacy Rights:
  • Right to access PHI
  • Right to request an amendment to PHI
  • Right to request restrictions on how PHI is used
    for treatment, payment, and healthcare operations
  • Right to receive confidential communications
  • Right to request an accounting of disclosures
  • Right to complain to the Department of Health and
    Human Services Office for Civil Rights

Patient Rights
13
HIPAA Privacy
The Privacy Rule:
  • Requires that GBMC provide all patients with a
    copy of its NOTICE OF PRIVACY PRACTICES (NOPP).
  • Each patient must sign an acknowledgment after
    receiving the NOPP unless the patient is unable
    to do so at the time of registration.
  • Copies of the NOPP may be ordered from
    Purchasing.

Notice of Privacy Practices
14
HIPAA Privacy
The Notice of Privacy Practices:
  • The Notice is a useful tool not only for you but
    also for the patient. The NOPP
      • describes how GBMC may use a patient's PHI
      • provides a clear and concise description of the
        patient's rights
      • discusses how a patient may opt out of the
        facility directory
      • discusses how the medical staff may interact with
        the patient's family

Notice of Privacy Practices
15
HIPAA Privacy
The Privacy Rule:
  • Requires that GBMC create policies regarding how
    GBMC's workforce is allowed to use and disclose
    (release) PHI.
  • Also requires that GBMC make those policies
    available to its workforce and educate the
    workforce on them.
  • All of GBMC's PRIVACY POLICIES are located on the
    Compliance Page of the GBMC InfoWeb.
  • Hardcopies of the policies may be printed
    directly from the InfoWeb or obtained from the
    Compliance Department.

Privacy Policies
16
HIPAA Privacy
The GBMC Privacy Policies:
  • Examples of GBMC Privacy Policies include
      • 003.102 Minimum Necessary Use and Disclosure of
        Protected Health Information
      • 003.105 Uses and Disclosures for Involvement in
        the Individual's Care and Notification Purposes
      • 003.114 Uses and Disclosures of Protected Health
        Information for Law Enforcement Purposes

Privacy Policies
17
HIPAA Privacy
The Privacy Rule:
  • Requires that GBMC designate someone who is
    responsible for
      • the development and implementation of the privacy
        policies
      • privacy-related training and education
      • investigating privacy-related complaints
      • conducting routine audits to make sure that all
        of GBMC's workforce are complying with the
        privacy policies
  • The PRIVACY OFFICER for GBMC is Tara Miller.

Privacy Officer
18
HIPAA Privacy
The Privacy Rule:
  • Requires that GBMC provide a way for patients and
    workforce to REPORT PRIVACY CONCERNS or ask
    privacy questions.

Reporting Privacy Concerns
19
HIPAA Privacy
Privacy Compliance Tips:
  • Keep all PHI locked and secured when you are away
    from your work area.
  • Do not include any patient identifiers in the
    subject line of an email.
  • Do not discuss PHI in public or common areas.
  • Make sure to check the fax number for accuracy
    before sending a fax that contains PHI. All
    faxes must include a completed GBMC standard fax
    cover sheet (see the fax policy for limited
    exceptions).
  • If a fax is sent to the wrong recipient in error,
    you must complete the Accounting of Disclosures
    log located on the Compliance page of the InfoWeb
    and send it to Medical Records.
  • Sign-in sheets are allowed as long as we continue
    to follow the standard protocols that have always
    been in place at GBMC. Sign-in sheets should
    be limited to patient name and appointment time.

20
HIPAA Security
The Security Rule:
  • Requires that administrative, physical, and
    technical safeguards be implemented to address
    the confidentiality, integrity, and availability
    of ELECTRONIC PROTECTED HEALTH INFORMATION
    (ePHI).
  • Security of patient information is EVERYONE'S
    job! We owe it to our patients!

Electronic Protected Health Information
21
HIPAA Security
The Security Rule:
  • Requires that GBMC provide each computer system
    user with a unique USER IDENTITY.
  • Your user identity is the combination of your
    user id and your password. Do not share your
    password, or write it down where it can be easily
    retrieved by someone other than you.
  • Your user identity is what is used to monitor
    your activity on the system(s).
  • Do not leave yourself signed onto a computer and
    then walk away without signing off. You are
    responsible for any activity that occurs under
    your user identity. Your user identity appears
    on audit reports, which are frequently monitored.

User Identity
22
HIPAA Security
Protecting Your Password:
  • In order to protect against unauthorized access
    to our computers, GBMC has taken appropriate
    steps to monitor all activity on the network to
    ensure that people are not trying to break in to
    those systems.
  • However, as a user of a GBMC system, it is
    important that you also take measures to ensure
    that people cannot access GBMC systems. This is
    partly accomplished through PASSWORD MANAGEMENT.
  • Password management includes selecting a strong
    password, protecting your password, and
    changing your password frequently.

"A password should be like a toothbrush. Use it
every day, change it regularly, and DON'T share it
with friends." - Usenet
Password Management
23
HIPAA Security
Examples of How to Create a Strong Password:
  1. Mix upper and lowercase characters
     • 3bLINdmice
     • 5gOLDenrings
     • 4cALLingbirdS
  2. Replace letters with numbers
     • Replace E with 3: Sp3cial or 3l3gant
  3. Combine two words by using a special
     character
     • RoofTop
     • SugarDaddy
     • B@tterup!
  4. Use the first letter from each word of a
     phrase from a song
     • "Oops! I did it again" becomes O!idia

In general, passwords should have a minimum
length of 6 characters but each application may
have other requirements/limitations.
Password Management
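The rules on this slide as a password check, added here as an example; it is not code from the GBMC program. The six-character minimum and the four techniques come from the slide. The word list, the substitution table, the "two character classes" threshold used to turn the slide's examples into a rule, and the eight-character comparison point (the NIST SP 800-63B minimum for user-chosen passwords) are assumptions made for this example. It also shows what the slide's rules do not catch: each example password on the slide is a familiar word or phrase, which a cracker's wordlist combined with the same letter-for-digit swaps recovers.

```python
"""Password checks for the rules on this slide.

Added example, not GBMC's own code. The six-character minimum and the
four techniques (mixed case, digit substitution, two words joined by a
special character, initials of a phrase) come from the slide. The word
list, the substitution table, the "two character classes" threshold and
the eight-character comparison point (NIST SP 800-63B) are assumptions
made for this example.
"""
import re
import string

MIN_LENGTH = 6          # the slide's minimum (assumed to be the policy floor)
MODERN_MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen passwords

# Constructed stand-in for a cracker's wordlist. The slide's own examples
# are all familiar words or song/rhyme fragments, so they are in it.
WORDLIST = {"blindmice", "goldenrings", "callingbirds", "special",
            "elegant", "rooftop", "sugardaddy", "batterup", "password"}

# Letter-for-symbol swaps such as the slide's "replace E with 3".
# Cracking tools apply these swaps automatically, so they add little.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "@": "a",
                      "$": "s", "4": "a", "5": "s", "7": "t"})


def letters_only(s):
    """Lower-case letters of s with digits and punctuation removed."""
    return re.sub(r"[^a-z]", "", s.lower())


def base_words(pw):
    """Candidate base words a cracker would try: digits stripped
    ('5gOLDenrings' -> 'goldenrings') and substitutions reversed
    ('Sp3cial' -> 'special')."""
    return {letters_only(pw), letters_only(pw.translate(LEET))}


def in_wordlist(pw):
    """True if any base word of pw is in the (constructed) wordlist."""
    return any(w in WORDLIST for w in base_words(pw))


def char_classes(pw):
    """Number of distinct classes present: upper, lower, digit, special."""
    return sum((any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)))


def check_password(pw):
    """Apply the slide's rules and report what they miss.

    'passes' follows the slide: at least MIN_LENGTH characters and at
    least two character classes (every example on the slide qualifies).
    'warnings' lists weaknesses the slide's rules do not catch.
    """
    classes = char_classes(pw)
    warnings = []
    if in_wordlist(pw):
        warnings.append("wordlist")   # recoverable by a substitution-aware cracker
    if len(pw) < MODERN_MIN_LENGTH:
        warnings.append("short")      # below the NIST SP 800-63B floor
    return {"password": pw, "length": len(pw), "classes": classes,
            "passes": len(pw) >= MIN_LENGTH and classes >= 2,
            "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("3bLINdmice", "Sp3cial", "B@tterup!", "O!idia",
                      "password", "correct horse battery staple"):
        print(check_password(candidate))
```

Run against the slide's own examples, the two-class rule accepts every one of them and the wordlist check flags all but O!idia; the same rule rejects a long all-lowercase passphrase that is far stronger than any of them. That mismatch is why current guidance (NIST SP 800-63B) favours a length floor of at least eight characters plus a check against dictionary and known-breached passwords over composition rules like these.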
24
HIPAA Security
The Security Rule:
  • Requires that GBMC train its workforce on
    appropriate computer security and APPROPRIATE USE
    OF COMPUTING DEVICES.
  • As a user of a GBMC system (including the
    Internet) you are required to
      • Use only your officially assigned user identity
        (e.g. user id and password)
      • Save GBMC data only to the GBMC Network unless
        prior GBMC approval has been granted
      • Notify your manager and the HIPAA Security
        Officer if your password has been disclosed, or
        otherwise compromised, and immediately change
        your password

Appropriate Use of Computing Devices
25
HIPAA Security
The Do-Nots When Using GBMC Systems:
  • As a user of a GBMC system (including the
    Internet) you may not
      • Install unauthorized software (e.g. screensavers,
        games, or instant messenger programs)
      • Install any unlicensed software on a GBMC
        computer or device
      • Abuse your Internet or e-mail access privileges
      • Relocate any computer equipment without prior MIS
        approval
      • Bring into GBMC any personal computer equipment
        without prior MIS approval (e.g. printer, burner,
        scanner, PDA, or digital camera)

Appropriate Use of Computing Devices
26
HIPAA Security
The Security Rule:
  • Requires that GBMC create SECURITY POLICIES
    regarding how GBMC will implement appropriate
    safeguards to ensure the confidentiality,
    integrity, and availability of ePHI.
  • Examples of existing GBMC security policies are
      • 304 Email Policy
      • 348 Information Security Policy
  • All GBMC policies are located on the GBMC
    InfoWeb.

Security Policies
27
HIPAA Security
The Security Rule:
  • Requires that GBMC designate someone who is
    responsible for
      • The development and implementation of information
        security policies and procedures
      • Regular reviews of records of information system
        activity, such as audit logs, access reports, and
        security incident tracking reports
      • The development of awareness and training
        programs for all members of its workforce
  • The SECURITY OFFICER for GBMC is Tara Miller.

Security Officer
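The audit-log review that this slide assigns to the Security Officer, applied to the two Minimum Necessary scenarios earlier in the course (the ICU nurse checking on a patient transferred to a medical unit, and Alice viewing Mary's lab results), as an added example that is not GBMC's own tooling. The log line format, the care-assignment table, the 24-hour documentation grace period, the unit names and the events are all constructed for the example; a real review would take assignments from the staffing or ADT system and the events from the EHR's audit trail.

```python
"""Review of system-activity records for minimum-necessary violations.

Added example, not GBMC's own tooling. The audit-log format, the care
assignment table, the grace period and the events below are constructed
for illustration. The checks are the two the scenario slides describe:
access to a patient's record from a unit with no current care relationship
(the ICU nurse and the transferred patient) and staff viewing a
co-worker's record (Alice and Mary's lab results).
"""
from collections import namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "when user unit patient action")
Assignment = namedtuple("Assignment", "patient unit start end")

# Constructed care assignments: which unit is treating the patient and when.
# An open-ended assignment has end=None.
ASSIGNMENTS = [
    Assignment("P1001", "ICU", datetime(2005, 3, 1, 8), datetime(2005, 3, 3, 14)),
    Assignment("P1001", "MED4", datetime(2005, 3, 3, 14), None),  # transferred out of ICU
    Assignment("P2002", "ED", datetime(2005, 3, 4, 23), None),    # Mary, the nurse who fell ill
]

# Patients who are also workforce members (constructed).
WORKFORCE_PATIENTS = {"P2002"}

# Time allowed after a transfer for the previous unit to finish its note.
# Assumed value for the example, not a GBMC policy.
DOCUMENTATION_GRACE = timedelta(hours=24)

# Constructed audit-log lines in a simple key=value format.
LOG = """\
2005-03-02T10:00:00 user=jdoe unit=ICU patient=P1001 action=view_chart
2005-03-03T16:00:00 user=jdoe unit=ICU patient=P1001 action=note_write
2005-03-05T09:00:00 user=jdoe unit=ICU patient=P1001 action=view_chart
2005-03-04T23:30:00 user=rlee unit=ED patient=P2002 action=view_labs
2005-03-05T01:10:00 user=alice unit=5W patient=P2002 action=view_labs
"""


def parse_log(text):
    """Turn log lines into Access records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Access(datetime.fromisoformat(stamp), kv["user"],
                             kv["unit"], kv["patient"], kv["action"]))
    return events


def active_units(patient, when, assignments):
    """Units with a care relationship to the patient at time `when`."""
    return {a.unit for a in assignments
            if a.patient == patient and a.start <= when
            and (a.end is None or when < a.end)}


def recently_ended_units(patient, when, assignments, grace):
    """Units whose care relationship ended within `grace` before `when`."""
    return {a.unit for a in assignments
            if a.patient == patient and a.end is not None
            and a.end <= when < a.end + grace}


def review(events, assignments=ASSIGNMENTS, workforce=WORKFORCE_PATIENTS,
           grace=DOCUMENTATION_GRACE):
    """Return (event, reasons) for every access that needs follow-up.

    An access is acceptable when the user's unit currently holds the
    patient, or when the unit recently transferred the patient and the
    action is finishing documentation (the note the scenario slide allows).
    Anything else is flagged; a flagged access to a workforce member's
    record is additionally tagged so the reviewer prioritises it.
    """
    findings = []
    for e in events:
        reasons = []
        finishing_note = (e.action == "note_write" and e.unit in
                          recently_ended_units(e.patient, e.when, assignments, grace))
        if e.unit not in active_units(e.patient, e.when, assignments) and not finishing_note:
            reasons.append("no_care_relationship")
        if reasons and e.patient in workforce:
            reasons.append("workforce_member_record")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in review(parse_log(LOG)):
        print(f"{event.when:%Y-%m-%d %H:%M} {event.user:<6} {event.unit:<4} "
              f"{event.patient} {event.action:<10} -> {', '.join(reasons)}")
```

On the constructed log, jdoe's note on 3 March is accepted under the grace period, jdoe's chart view on 5 March is flagged (no care relationship, the first scenario), rlee's ED access to Mary's labs is accepted, and Alice's view from another floor is flagged on both counts (the second scenario). In practice the assignment table is the hard part: it has to come from the staffing or ADT system rather than be maintained by hand, and accesses to records of workforce members or other flagged patients are usually reviewed in full rather than only when another rule fires.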
28
HIPAA Security
The Security Rule:
  • Requires that GBMC establish a way for all GBMC
    workforce to REPORT SECURITY CONCERNS.
  • Report all risks you are currently aware of, and
    new ones as you see them, such as
      • Unauthorized or suspicious visitors
      • Logged-on but unattended workstations
      • Uncontrolled access to areas that house equipment
        and/or PHI
      • Passwords on Post-it notes
      • Staff accessing records without a need to know
  • Report all security concerns to Tara Miller.

Reporting Security Concerns
29
HIPAA Privacy and Security
  • We hope this Computer-Based Learning course has
    been both informative and helpful. Feel free to
    review this course until you are confident about
    your knowledge of the material presented. Click
    the Take Test button on the left side when you
    are ready to complete the requirements for this
    course. Click on the My Records button to
    return to your CBL Courses to Complete list.
    Click the Exit button on the left to close the
    Student Interface.