HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Size: px

Start display at page:

Download "HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information"

Byron Alexander
6 years ago
Views:

1 HIPAA Privacy & Security Training Privacy and Security of Protected Health Information

2 Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security of sensitive information and protected health information (PHI) within The Orthopaedic & Fracture Clinic. During this course you will learn: About the Health Insurance Portability and Accountability ( HIPAA ) Privacy and Security Rules; How to recognize situations in which confidential and protected health information can be mishandled; About practical ways to protect the privacy and security of PHI; And that employees will be held responsible if they improperly handle confidential or protected health information.

3 Understanding Provider Responsibilities Under HIPAA The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information and give patients an array of rights with respect to that information. This suite of regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information; And the Security Rule, which sets national standards for the security of electronic Protected Health Information (ephi). Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers have responsibilities for safeguarding the information by meeting the requirements of the Rules.

4 Why Do Privacy and Security Matter? To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual s health information is private and secure. When patients trust you and health information technology enough to share their health information, you will have a more complete picture of patients overall health. In addition, when breaches of health information occur, they can have serious consequences for your organization, including reputational and financial harm or harm to your patients. Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of successful cyber-attack.

5 The HIPAA Privacy Rule The Privacy Rule establishes national standards to protect individuals medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

6 Informing Patients about How We Use or Disclose Their Health Information A Covered Entity (CE) must post and distribute a Notice of Privacy Practices (NPP). The notice must describe the ways in which the CE may use and disclose PHI. The notice must state the CE s duties to protect privacy, provide an NPP, and abide by the terms of the current notice. The notice must describe individuals rights, including the right to complain to the U.S. Department of Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the CE. When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA Release of Information authorization/consent form. The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.

7 HIPAA Permitted Disclosures of PHI: Disclosure to the individual/personal representative (parent/guardian) Disclosure for treatment, payment, and health care operations Disclosures required by state or federal law Disclosures to Business Associates Disclosures as authorized by the patient Disclosure to Family/Friends when authorized per the patient or when it is in the best interest of the patient Public Health Activities To public health authority To report child abuse/neglect To FDA Law Enforcement Purposes Abuse, Neglect, and Domestic Violence Judicial and Administrative Proceedings If you are unsure whether a disclosure is permitted talk to the Compliance Officer or Privacy Officer.

8 HIPAA Incidental Disclosures: Incidental uses and disclosures are defined as secondary uses or disclosures that: Are permitted by HIPAA Cannot be reasonably prevented Are limited in nature Occur as a by-product of an otherwise permissible use or disclosure Reasonable Safeguards and Minimum Necessary Standards are in place Example A doctor can confer at a nurse s station without fear of being in violation of the rule if overheard by a passerby. And, provided reasonable safeguards and appropriate minimum necessary standards are in place.

9 Minimum Necessary Standard PHI should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The Minimum Necessary Standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. Minimum Necessary Standard does not apply to the following: Disclosures to or requests made by a healthcare provider for treatment purposes Uses and disclosures by or to a patient for their own PHI Disclosures made under a valid authorization Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

10 Patients Rights and Your Responsibilities As a health care provider, you have responsibilities to patients under the HIPAA Privacy Rule including: Responding to their requests for access; Amendments; Accounting of disclosures; Restrictions on uses and disclosures of their health information, and confidential communications.

11 HIPAA Privacy Rule Safeguards Close doors when discussing treatment & procedures Avoid discussion about individuals in public places Secure storage and transportation of PHI Keep posted or written information away from public access Do not leave detailed voice messages unless approved by the individual

12 The HIPAA Security Rule The Security Rule establishes a national set of minimum security standards for protecting all ephi that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes. Integrity means that data or information has not been altered or destroyed in an unauthorized manner. Availability means that data or information is accessible and useable upon demand only by an authorized person. These Security Rule safeguards can help health care providers avoid some of the common security gaps that could lead to cyber-attack intrusions and data loss. Safeguards can protect the people, information, technology, and facilities that health care providers depend on to carry out their primary mission: caring for their patients.

13 The Threat of Cyber Attacks Cybersecurity refers to ways to prevent, detect, and respond to attacks against or unauthorized access against a computer system and its information. It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, your practice operations, and of course to comply with the HIPAA Security Rule. The following slides will review common security threats and ways to mitigate these threats.

14 Viruses A computer virus is a major threat to the information system. Viruses infect your computer by modifying how it operates and, in many cases, destroying data. Viruses spread to other machines by the actions of users, such as opening infected attachments. Viruses can forward PHI to unauthorized persons by attaching themselves to documents, which are then ed by the virus.

15 Worms Worms are programs that can: Run independently without user action; Spread complete working versions of themselves onto other computers on a network within seconds; And quickly overwhelm computer resources with the potential for data destruction as well as unauthorized disclosure of sensitive information.

16 Spam and Phishing Spam is an unsolicited or junk electronic mail message, regardless of content. Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material, or scams. Spam also clogs systems. Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords.

17 Mitigating Cyber Threats Be Skeptical about s! Look at the address - who sent it? Take notice of the subject line - is it what you were expecting? Most phishing s try to trick you into clicking the link or button in the . If you question an , please contact IT. Thumb drives and removal memory: both of these can be dangerous. OFC policy states you are not allowed to bring in any personal or unauthorized software. Viruses can travel from PC to PC with this kind of media. Even if you believe the drive is safe, these viruses hide and you will unknowing infect your pc and the network. If you need a drive for a project, please see IT.

18 and Texting Increased online access and great demand by consumers for near real-time communications has increased the threat of impermissible use or disclosures. The Security Rule requires that when you send ephi, you send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient. If you use or text you should be careful to use a communications mechanism that allows you to implement the appropriate Security Rule safeguards, such as an system that encrypts messages or requires a login.

19 HIPAA Security Rule Safeguards Turn computer monitors away from view of others, minimize when not in use, or use a privacy screen Do not disclose usernames or passwords Passwords should never be posted near work station Never copy files containing PHI to a laptop or mobile device PHI should never be stored on a C: drive Log off when leaving your work station Employee access audits throughout the year Encryption Laptops Desktops Phones If something is not encrypted use extreme caution!

20 Breach Notification, HIPAA Enforcement, and Other Laws and Requirements Covered Entities (CEs) and Business Associates (BAs) that fail to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules can receive civil and criminal penalties. Your good faith effort to be in compliance with the HIPAA Rules is essential.

21 The Breach Notification Rule: What to Do If You Have a Breach A breach is, generally, an impermissible use or disclosure under the HIPAA Rule that compromises the security or privacy of PHI. When a breach of unsecured PHI occurs, the Rules require your practice to notify affected individuals, the Secretary of HHS, and, in some cases, the media. If you can demonstrate through a risk assessment that there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary.

22 Employee Responsibilities The first line of defense in data security is the OFC employee. Employees are responsible for the security of all data which may come to them in whatever format. Avoid storing sensitive information on your C: Drive. Access information only as necessary for your authorized job responsibilities. Keep your passwords confidential. Comply with the HIPAA Security and Privacy policies. Report promptly to OFC s Privacy Officer or Compliance Officer any concerns regarding unauthorized disclosure of PHI or other Sensitive Information.

23 Common HIPAA Rule Issues: It is never acceptable for an employee to look at PHI just out of curiosity, even if no harm is intended (i.e., retrieving an address to send a get well card). Remember Minimum Necessary Standards What patient information do you need to access in order to do your job? Unauthorized Access is a prohibited practice Do not access family & friends PHI unless authorized Do not access co-workers PHI unless authorized Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI. Accessing or reviewing ANY patient s record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI. Accessing or reviewing confidential information of another employee that is also an OFC patient, without a permissible purpose is unauthorized access of PHI. HIPAA employee sanctions will be followed

24 Employee Sanctions Under HIPAA A CE is required by law to sanction employees who violate HIPAA Privacy & Security Rules. Any violations of HIPAA will be handled under the CE s discipline policy, similar to other employee discipline issues. An employee who breaches the HIPAA Privacy or Security Rule Policy is subject to formal disciplinary action, up to and including termination.

25 HIPAA Privacy & Security Audits OFC audits all employees. Please be diligent in accessing only records you are authorized to do so. This means only accessing a patient s PHI that is needed for your job function. As an employee of a CE, your conduct will at all times be compliant with HIPAA.

26 HIPAA Privacy & Security Rule Questions: If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact: Privacy Officer (Bobbi Nawrocki) ( bobbi@ofc-clinic.com ) Compliance Officer (Julie Morgan) ( jmorgan@ofc-clinic.com ) IT Director (Brad Nawrocki) ( brad@ofc-clinic.com )

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400