HIPAA 101 - PowerPoint PPT Presentation

About This Presentation

Title: HIPAA 101

Description: Objectives: Provide a simple, catchy framework for HIPAA 101 based on the 5 W's of journalism. ... The Health Insurance Portability & Accountability Act ... (PowerPoint PPT presentation)

Number of Views: 234
Avg rating: 3.0/5.0
Slides: 43
Provided by: Defa478
Tags: hipaa


Transcript and Presenter's Notes

Title: HIPAA 101


1
  • HIPAA 101
  • Basic Privacy and Security HIPAA Training

2
This HIPAA Training Program will help you
understand
  • What...is HIPAA?
  • How....does HIPAA affect you and your job?
  • Where...can you get help with HIPAA?
  • How you can protect CCSC patients' confidential
    and sensitive information, and your own personal
    information, in any format
  • How to understand the risks when using and
    storing electronic information
  • How to reduce those risks

3
What Is the Health Insurance Portability and
Accountability Act (HIPAA)?
HIPAA is a Federal law enacted to
  • Protect the privacy of a patient's personal and
    health information.
  • Provide for the physical and electronic security
    of personal health information.
  • Simplify billing and other transactions with
    standardized code sets and transactions.
  • Specify new rights of patients to approve
    access to and use of their medical information.

4
Do the HIPAA laws apply to you?
  • The Health Insurance Portability and
    Accountability Act (HIPAA) requires that CCSC
    train all members of its workforce about the
    Clinic's HIPAA Policies and the specific procedures
    required by HIPAA that may affect the work you do
    for the CCSC.

5
What are the HIPAA requirements?
  • To protect the privacy and security of an
    individual's Protected Health Information (PHI)
  • To require the use of the minimum necessary
  • To extend the rights of individuals over the use
    of their protected health information

6
What Patient Information Must We Protect?
  • We must protect an individual's personal and
    health information that
  • Is created, received, or maintained by a health
    care provider or health plan
  • Is written, spoken, or electronic
  • And includes at least one of the 18 personal
    identifiers in association with health information

Health Information with identifiers = Protected
Health Information (PHI)
7
Examples of Protected Health Information (PHI,
ePHI)
  • Name, address, birth date, phone and fax numbers,
    e-mail address, social security numbers, and
    other unique numbers
  • Billing records, claim data, referral
    authorizations
  • Medical records, diagnosis, treatments, x-rays,
    photos, prescriptions, laboratory, and any other
    test results
  • Research records
  • Patient can be identified from health information
  • All formats including verbal, written, electronic
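Slide 7 lists the identifier categories that, combined with health information, make a record PHI. As an added illustration that is not part of the original deck, the Python below is a small pre-send check of the kind a data-loss-prevention filter performs: it flags text that carries identifier patterns together with health terms, and redacts the identifiers so only the minimum necessary is shared. The regexes, the health-term list and the sample messages are constructed for this example and cover only a few of the 18 categories; names, for instance, cannot be caught by a simple pattern.

```python
import re

# Constructed patterns for a few HIPAA identifier categories (assumption:
# US-style SSN, phone and date formats, and an "MRN <digits>" record number).
# A hit means "review before sending", not proof that the text is PHI.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
}

# Constructed list of words that signal the text is about health information.
HEALTH_TERMS = ("diagnosis", "lab result", "test result", "prescription",
                "x-ray", "treatment")


def find_identifiers(text):
    """Return {category: [matches]} for every identifier pattern that hits."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if found:
            hits[name] = found
    return hits


def mentions_health_info(text):
    """True if any constructed health term appears (case-insensitive)."""
    lowered = text.lower()
    return any(term in lowered for term in HEALTH_TERMS)


def classify(text):
    """Classify text as 'phi', 'identifiers-only', 'health-only' or 'clear'."""
    ids = find_identifiers(text)
    health = mentions_health_info(text)
    if ids and health:
        return "phi"
    if ids:
        return "identifiers-only"
    if health:
        return "health-only"
    return "clear"


def mask(text):
    """Redact every identifier hit so the remainder meets minimum necessary."""
    out = text
    for name, rx in PATTERNS.items():
        out = rx.sub(f"[{name.upper()} REDACTED]", out)
    return out


# Constructed sample messages; no real patient data.
SAMPLE_MESSAGES = [
    "Lab results for Jane Doe, DOB 04/12/1979, MRN 00123456: pregnancy test positive.",
    "Reminder: clinic closes early on 11/24.",
    "Reception desk phone is 614-555-0142; please call before 5 pm.",
    "The diagnosis discussion will be in room 3.",
]


def scan_messages(messages):
    """Pair each message with its verdict."""
    return [(m, classify(m)) for m in messages]


if __name__ == "__main__":
    for msg, verdict in scan_messages(SAMPLE_MESSAGES):
        shown = mask(msg) if verdict == "phi" else msg
        print(f"{verdict:17s} {shown}")
```

Only the first sample is PHI (identifiers plus a health term); the phone number alone is flagged for review but is not PHI, and "11/24" is not matched because the date pattern expects a year. A real filter would add name matching against a patient roster and would quarantine rather than silently redact.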

8
HIPAA specifically allows
  • The clinic to create, use, and share a person's
    protected health information for healthcare
    operations such as
  • Treatment
  • Payment
  • Operations, including teaching, medical staff
    activities, disclosures required by law and
    governmental reporting

But only if CCSC ensures that each patient
receives a copy of the CCSC
Notice of Privacy Practices
9
In order for CCSC Healthcare Provider to use or
disclose PHI
  • The Clinic must give each patient a Notice of
    Privacy Practices that
  • Describes how the Clinic may use and disclose the
    patient's protected health information (PHI) and
  • Advises the patient of his/her privacy rights
  • The Clinic must attempt to obtain a patient's
    signature acknowledging receipt of the Notice,
    EXCEPT in emergency situations. If a signature
    is not obtained, the Clinic must document the
    reason it was not.

10
But, for purposes other than treatment, payment,
operations
  • The clinic must obtain authorization and use
    only the minimum necessary
  • Patient Authorization - allows for CCSC to
    disclose information for other purposes
    (164.508)
  • Minimum necessary applies to all uses and
    disclosures (164.502(b), 164.514(d))

11
With All of the State and Federal Laws, what
Patient Information Must Be Protected? Keep it
simple
  • All personal and health information that exists
    for every individual in any form
  • Written
  • Spoken
  • Electronic
  • This includes HIPAA protected health information
    and confidential information under State laws.

3/6/03
12
To the patient, it's all confidential information
  • Patient Personal Information
  • Patient Financial Information
  • Patient Medical Information
  • Written, Spoken, Electronic PHI

13
I do not provide patient care... do I need
training? I do not use or have contact with
patient health or financial information... do I need
training? And... isn't this just an IT problem?
Why me?
14
Who Uses PHI at CCSC?
  • Anyone who works with or may see health,
    financial, or confidential information with HIPAA
    PHI identifiers
  • Everyone who uses a computer or electronic device
    which stores and/or transmits information
  • Such as
  • CCSC employees
  • CCSC Volunteers
  • CCSC students who work with patients
  • CCSC board members
  • Almost Everyone at one time or another!

15
Why is protecting privacy and security important?
  • We all want our privacy protected!
  • It's the right thing to do!
  • HIPAA and Ohio laws require us to protect a
    person's privacy!
  • CCSC requires everyone to follow the Clinic's
    privacy and security policies!

16
When should you
  • Look at PHI?
  • Use PHI?
  • Share PHI?

17
HIPAA Scenario 1
  • I volunteer at the reception desk of CCSC. A
    friend of mine asks me if I know any of the
    patients coming to the clinic.

Should you give your friend this information?
18
HIPAA Scenario 2
  • I am a file clerk. While opening lab
    reports, I saw my friend's daughter's pregnancy
    test results. Her pregnancy test was positive!
    That night at a holiday party, I saw her and her
    mother, and congratulated her on her pregnancy.
    Later I heard that my friend did not know about
    the pregnancy. I was the first person to tell
    her!
  • Did I do the right thing?

19
Ask yourself these questions
  • Did you need to read the lab results to do your
    job?
  • Is it your job to provide a patient's mother with
    her health information, even if the individual is
    a friend or fellow employee?
  • Is it your job to let other people know an
    individual's test results?
  • How would you feel if this had happened to you?

Do not look at, read, use or tell others about an
individual's information (PHI) unless it is a
part of your job.
20

Remember
  • Use only if necessary to perform job duties
  • Use the minimum necessary to perform your job
  • Follow CCSC policies and procedures for
    information confidentiality and security. (see
    notice of privacy practices)

21
HIPAA Violations Can Carry Penalties
  • Criminal Penalties
  • $50,000 - $250,000 fines
  • Jail terms up to 10 years
  • Civil Monetary Penalties
  • $100 - $25,000/yr fines
  • More if multiple-year violations
  • Fines and penalties for violation of State law

22
How Can You Protect Patient Information (PHI /
ePHI / Confidential)?
  • Verbal Awareness
  • Written Paper / Hard Copy Protections
  • Safe Computing Skills
  • Reporting Suspected Security Incidents

23
Patients can be concerned about
  • Being asked to state out loud certain types of
    confidential or personal information
  • Overhearing conversations about PHI by staff
    performing their job duties
  • Being asked about their private information in a
    loud voice in public areas, e.g.
  • In clinics, waiting rooms, service areas
  • In hallways, in elevators, on shuttles, on streets

24
Protecting Privacy Verbal Exchanges
  • Patients may see normal clinical operations as
    violating their privacy (incidental disclosure)
  • Ask yourself: What if it were my information
    being discussed in this place or in this manner?

25
Incidental disclosures and HIPAA
  • Incidental: a use or disclosure that cannot
    reasonably be prevented, is limited in nature and
    occurs as a by-product of an otherwise permitted
    use or disclosure. (164.502(c)(1)(iii))
  • Example: calling out a patient's name in the
    waiting room; sign-in sheets in clinic.

26
Incidental disclosures and HIPAA
  • Incidental uses and disclosures are permitted, so
    long as reasonable safeguards are used to protect
    PHI and minimum necessary standards are applied.
  • Commonly misunderstood by patients!

27
Information can be lost
  • Physically lost: paper copies, films, tapes,
    devices, lost anywhere at any time (streets,
    restrooms, shuttles, coffee houses, left on top
    of the car when driving away from UCSF)
  • Misdirected to the outside world: mislabeled mail,
    wrong fax number, wrong phone number, wrong email
    address, misplaced on the UCSF intranet, not using
    secured email
  • Verbal release of information without patient
    approval
28
We need to protect the entire lifecycle of
information
  • Intake/creation of PHI
  • Storage of PHI
  • Destruction of PHI
  • For any format of PHI

29
Do you know where you left your paperwork?
30
  • Shredding bins work best when papers are put
    inside the bins. If it's outside the bin, it's
  • Daily gossip
  • Daily trash
  • Public

31
Information can also be lost or stolen
electronically
  • Lost/stolen laptops, PDAs, cell phones
  • Lost/stolen zip disks, CDs, floppies
  • Unprotected systems were hacked
  • Email sent to the wrong address or wrong person
    (faxes have same issues)
  • User not logged off of system

32
Be aware that ePHI is everywhere
33
  • 10 Good Computer Security Practices for
    protecting restricted data

34
Good Computing Practices: 10 Safeguards for
Users
  • Passwords
  • Lock Your Screen
  • Workstation Security
  • Portable Device
  • Data Management
  • Anti Virus
  • Computer Security
  • Email
  • Safe Internet Use
  • Reporting Security Incidents / Breach

35
Good Computing Practices 1 Passwords
  • Use cryptic passwords that can't be easily
    guessed, and protect your passwords: don't write
    them down and don't share them!

36
Good Computing Practices 2 Workstation Security
  • Physically secure your area and data when
    unattended
  • Secure your files and portable equipment -
    including memory sticks.
  • Secure laptop computers with a lockdown cable.
  • Never share your access code, card, or key (e.g.
    Axiom card)

37
Good Computing Practices 3 Computer Security
  • Don't install unknown or unsolicited programs on
    your computer.

38
Good Computing Practices 4 Safe Internet Use
Practice safe internet use
  • Accessing any site on the internet could be
    tracked back to your name and location.
  • Accessing sites with questionable content often
    results in spam or release of viruses.
  • And it bears repeating:
  • Don't download unknown or unsolicited programs!

39
Good Computing Practices 5 Reporting Security
Incidents/ Breach
  • How to report security incidents or a breach
  • Report lost or stolen laptops, BlackBerrys,
    PDAs, cell phones, flash drives, etc.

Loss or theft of any computing device MUST be
reported immediately to the CCSC executive
director
40
Good Computing Practices 6 Reporting Security
Incidents/ Breach (cont'd)
  • Immediately report anything unusual, suspected
    security incidents, or breaches to the executive
    director.
  • This also goes for loss/theft of PHI in hardcopy
    format (paper, films etc).

41
HIPAA Security Reminders
  • Send email securely
  • Password required: password-protect your computer
  • Run anti-virus, anti-spam and anti-spyware software
  • Keep disks locked up
  • Keep the office secured
42
THANK YOU!
  • THANKS FOR VOLUNTEERING AND ALSO FOR COMPLETING
    THE CCSC HIPAA TRAINING.
  • PLEASE SIGN THE ACKNOWLEDGEMENT OF COMPLETION AND
    RETURN TO TERESA DITMER.