HIPAA Privacy and Security Training Program

Similar documents
HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Omnibus Notice of Privacy Practices

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Putting It All Together:

RETINAL CONSULTANTS OF ARIZONA, LTD. HIPAA NOTICE OF PRIVACY PRACTICES. Our Responsibilities. Our Uses and Disclosures

Notice of Privacy Practices Page 1

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

HIPAA FOR BROKERS. revised 10/17

Your Information. Your Rights. Our Responsibilities.

Employee Security Awareness Training Program

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA Security and Privacy Policies & Procedures

HIPAA Federal Security Rule H I P A A

Acknowledgement of Receipt of Notice of Privacy Practices

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

For any questions regarding this notice call: Meredith Damboise, Privacy Officer , ext. 17

Campus Health Your Information Your Rights Our Responsibilities

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA & Privacy Compliance Update

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

Security and Privacy Breach Notification

Information Privacy and Security Training 2016 for Instructors and Students. Authored by: Office of HIPAA Administration

LifeWays Operating Procedures

SHS Annual Information Privacy and Security Training

The HIPAA Omnibus Rule

Identity Theft Prevention Policy

2017_Privacy and Information Security_English_Content

HIPAA UPDATE. Michael L. Brody, DPM

HIPAA For Assisted Living WALA iii

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.

Website Privacy Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

University of Mississippi Medical Center Data Use Agreement Protected Health Information

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Compliance & HIPAA Annual Education

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Information Privacy and Security Training Authored by: Office of HIPAA Administration

UTAH VALLEY UNIVERSITY Policies and Procedures

Data Security Policy for Research Projects

NOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.

HIPAA 101: What All Doctors NEED To Know

ALLERGY CONSULTANTS, P.A. NOTICE OF PRIVACY PRACTICE 9 / 23 / 13

HIPAA-HITECH: Privacy & Security Updates for 2015

Name of Policy: Computer Use Policy

HIPAA Compliance & Privacy What You Need to Know Now

Data Compromise Notice Procedure Summary and Guide

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Data Protection Policy

Data Backup and Contingency Planning Procedure

Red Flags/Identity Theft Prevention Policy: Purpose

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

PRIVACY-SECURITY INCIDENT REPORT

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Steffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

NMHC HIPAA Security Training Version

The Relationship Between HIPAA Compliance and Business Associates

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

EXHIBIT A. - HIPAA Security Assessment Template -

Physician Office Name Ambulatory EHR Security Risk Analysis

Information Security Policy

UWTSD Group Data Protection Policy

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Integrating HIPAA into Your Managed Care Compliance Program

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

ACCEPTABLE USE OF HCHD INTERNET AND SYSTEM

Seven gray areas of HIPAA you can t ignore

HIPAA: Health Insurance Portability & Accountability Act. Presented by the UAMS HIPAA Office August 2015

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

Information Technology Standards

HIPAA AND SECURITY. For Healthcare Organizations

HIPAA & HITECH Training 2018

Data Protection Policy

Federal Breach Notification Decision Tree and Tools

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Preventing Breaches When Using , Telephone and Fax Machines

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Acceptable Use Policy

Beam Technologies Inc. Privacy Policy

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

ecare Vault, Inc. Privacy Policy

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

SPRING-FORD AREA SCHOOL DISTRICT

Excelity Privacy Statement & Terms of Use. August 2017

Self-Directed Learning: UPMC Privacy and Information Security Policies

INFORMATION ASSET MANAGEMENT POLICY

Transcription:

Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training for employees. Use your down arrow key to begin the training. Note: If you are an employee, employees must login and take the HIPAA training through the approved Learning Management System at https://hrit.utah.edu/lms/#/

Welcome to the University of Utah Health HIPAA Privacy and Security Training Program Vendors, Business Associates (BAs), Pre Approved Shadowers, Students, Volunteers, and Visitors You cannot have Privacy without Security.

Vendors, BAs, Students & Shadowers Vendors, Business Associates (BAs), Students, and Shadowers, (also Volunteers and Visitors [who are not patients and/or not accompanying or visiting patients]), coming into the UUH facilities must: Sign a UUH Visitor s Confidentiality and Security Agreement Complete the required UUH HIPAA Privacy and Security training Obtain and be identified with a name tag or controlled UUH ID badge Understand and follow UUH policies and procedures

Requirements Individuals shadowing health care professionals or observing patient care in UUH must also have: A sponsor A complete and approved shadowing form Permission from the sponsor s direct supervisor Consent from the patient* *Patient consent may be verbal or written but must be documented.

Information Security and Privacy Commitment Protect the privacy of each patient, student, employee and client; Guard the confidentiality of all UUH patient information; Keep the integrity and honesty of all recorded information; and Ensure reasonable security and availability of all electronic information.

Protected Health Information PHI

Definition of PHI Protected Health Information (PHI) includes: Any health information created, received, sent, or kept by University of Utah Health (UUH). Any information, in any form,that is related to the past, present, or future physical or mental health or condition of an individual; or payment for services. Health and demographic information that can be used to identify an individual.

PHI Comes in All Forms Spoken / Verbal Communications Paper or Hard Copy Forms Documents Paper charts Labels on patient care items Photos, X rays and graphics Electronic Electronic Medical Records EMRs (i.e., EPIC, PowerChart) Computer spreadsheets, lists, notes, etc. Video, audio recordings CDs, DVDs, tapes Etc., etc., etc.

The Minimum Necessary Rule Limit the uses, disclosures and requests for Protected Health Information (PHI) to the minimum necessary to do your job Be sure to get the required documentation when using, disclosing or requesting PHI

How We Use and Disclose PHI Treatment, Payment and Healthcare Operations TPO

Treatment, Payment & Operations We may use and share patient health information (PHI) as we do our jobs Treat Our Patients We can use health information and share it with other professionals who are treating or are directly involved in the patient s care Bill and Receive Payment Health information may be used and shared to bill and get payment from health plans or other entities Improve Our Organization We can use and share patient s health information to run our organization and improve care

How We Use and Disclose PHI Special Situations* *Authorized personnel only

Special Situations* We may share patient information in ways that contribute to the public good To help with public health and safety issues To do approved research To respond to organ and tissue donation requests If state or federal law require it To work with a medical examiner or funeral director when an individual dies *Authorized personnel only

Special Situations* (cont.) For worker s compensation claims For law enforcement purposes (must be authorized in writing) For law, military, national security reasons and/or presidential protective services Note: In response to law enforcement, legal actions and lawsuits, we will only share health information in response to a court order or subpoena signed by a judge *Authorized personnel only

How We Use and Disclose PHI Research

Research Research UUH may use or disclose de identified patient information for authorized research purposes Institutional Review Board (IRB) approval is required including: Documentation, IRB number, IRB review, approval, and appropriate signatures The use of de identified information for research is not subject to HIPAA De identified patient information has to meet a special de identification process Contact the department study coordinator or the Institutional Review Board (IRB) with questions

How We Use and Disclose PHI PHI for Patient Care

Sharing PHI with a Patient s Family When family and or friends accompany a patient to UUH health information may be shared: If we ASK the patient and they give their oral consent; If the patient does not actively object; If the family and/or friend are going to be involved in the patient s care outside of UUH, only give the amount of information necessary to care for the patient.

Patient Rights

Patient Rights Patients have the right to: Access and request a copy of their records Amend their records Designate a personal representative Receive a copy of the UUH Privacy Notice Request an accounting of disclosures Request confidential communications Request that we do not bill their insurance Request special privacy restrictions

Patient Rights Patients may request their records in paper or electronic format Send patients/individuals with requests regarding their medical records to Health Information (Medical Records) at 801 581 2704

Your Access to PHI

Access to Other s PHI It is A VIOLATION OF UNIVERSITY POLICIES to open or look at the protected health information (PHI) of ANY PERSON including children, family members, co workers, friends, supervisors, high profile patients, etc., unless you are part of the care team. You may NOT access the records (PHI) of your family members using the electronic medical record system(s) (EMRs), even with written authorization. You must go to the Health Information Department to request access for family members health records. Questions regarding release of PHI? Contact Health Information (Medical Records) 801 581 2704

UUH Encryption Processes

Encryption Process ALL laptops, USB drives and external storage devices that are used to conduct University of Utah Health business MUST be whole disk encrypted. (Call the Hospital Help Desk at 801 587 6000 with questions.) This applies to ALL devices (used to conduct UUH business) regardless of whether they are personally owned or issued by the University. If USB devices are not encrypted, access to the network will be denied. Approved encrypted USB drives are available at the University Bookstore and can also be ordered by authorized individuals through Asset Management at http://uuh.utah.edu/asset/

Email and PHI If you must send restricted or sensitive information through email: Limit the amount of sensitive information to need to know to get the task done Send to single addressee only, not to distribution lists or list serves, and double check the address Encryption resources are available only through the University of Utah email system (Umail) Use only your Umail email account for any workrelated efforts ( @...utah.edu)

Email and PHI Do not send PHI using a non University personal email account (i.e., MSN, Hotmail, Yahoo, Gmail, etc.): Sending PHI using a non University personal email is a violation of University policy Risks the privacy of our patients health information Puts the University at financial and reputational risk May subject you to disciplinary action Do not Auto Forward email (including PHI) to your personal email account (i.e., MSN, Hotmail, Yahoo, Gmail, etc.): Others have no way of knowing you are auto forwarding Email could be auto forwarded without being encrypted Puts our patient s PHI, you and our organization at great risk

How to Encrypt Email To encrypt a message from your issued Umail account, simply add the letters PHI to the subject line of the message Both uppercase or lowercase PHI / phi are effective. Do not include any personal identifiable information in the subject line. Note: The subject line of the email is not encrypted. The code PHI must stand alone words containing phi, i.e., philosophy, or punctuation next to phi i.e., phi:, phi,, phi, phi=, etc., will not activate the encryption program.

Prevent and Report PHI Data Disclosures

Prevent Unauthorized Disclosures Think before you act! Be careful when sending PHI Verify correct recipient is getting correct info Limit information to need to know Encrypt email; remember to use PHI in the subject line Verify fax numbers and always dial full 10 digit fax numbers (area code + number) even within UUH Lock and/or log off your computer when unattended Never share passwords Never, ever share accounts Encrypt all laptops and USB drives Do not store PHI on laptops or portable media Backup your files to the network drive At end of life, dispose of PHI by shredding or destroying

You Will Be Protected Anyone who makes a report to the Privacy Office as required by HIPAA will be protected. It is a violation of University of Utah policy and federal law to intimidate, threaten, or harass anyone who exercises their rights and responsibilities under HIPAA by filing a complaint or reporting a privacy and/or security issue. It s the Law.

Business Associates and Business Associate Agreements

Business Associates A Business Associate is a person or company who does something for UUH or on our behalf and with whom we share PHI. A Business Associate Agreement outlines permitted use, disclosure, restrictions, and outlines any safeguards to protect any restricted information that may be shared with the business associate. Questions regarding Business Associates or a Business Associate Agreement should be directed to the Privacy Office at 801 587 9241

Business Associate Agreements A Business Associate Agreement (BAA) spells out: How the Business Associate will use/disclose our PHI Appropriate safeguards to protect our information That the Business Associate will develop a BAA with all their sub contractors That the Business Associate will have our PHI available on request and available for amendment and/or available for accounting of disclosures At termination of the contract, all PHI must be returned or destroyed or the PHI contract protections may be extended Questions about Business Associates should be referred to the Information Security and Privacy Office at 587 9241.

Violations and Sanctions (Sanctions = Consequences)

University of Utah and UUH penalties apply, up to and including termination of the contract of the business relationship, if there is a willful disregard to policy. Violating the Privacy and/or Security Rules can result in personal liability, civil or criminal sanctions, including fines, and/or jail time.

Violations Include Improper use of Passwords and/or sharing account information. Examples may include but are not limited to: Allowing a co worker to use your login, or using a co worker s login, for any reason Failure to report unauthorized use of an account or password belonging to someone else If anyone (even someone in a management position) asks you to share your account, for any reason, contact the Information Security and Privacy Office at www.privacy.utah.edu > Report an Incident. Your report will remain confidential.

Violations Include Getting into information outside the minimum necessary to do your job, and/or, outside your professional need to know (i.e., for personal reasons, out of curiosity [co workers, celebrities, highprofile patients, family, etc.], and/or at the request of someone who cannot, or does not want to log on under their own account, etc.) Posting PHI or other personally identifiable data on the Internet (i.e., social networking sites) Installing or downloading unauthorized software (i.e., Illegal Peer to Peer file sharing/distributing of movies, music, other media, copyright infringement, gaming programs, gambling, etc.)

Violations Include Attempting to avoid, or bypass the security mechanisms of any IT resources Illegally altering, destroying, or intentionally removing PHI or other private data from the U of U/UUH Selling health or personal information; or inappropriately selling/giving such information to the news media Transporting, taking home, or photocopying of protected health information

Consequences Can Include U of U and UUH sanctions for violations can include: Loss of access to all computers and computer programs Federal sanctions can include personal liability for Civil Charges of between $100 to $1,000 each per standard / per violation / per year, up to $1,500,000, OR Criminal Charges up to $1,500,000 and 10 years in prison

HIPAA Enforcement U.S. Dept. of Health and Human Services (HHS) will conduct periodic audits of University of Utah Health (and our Business Associates) to assess compliance Enhanced Enforcement, as listed in HIPAA, permits State Attorneys General to pursue civil actions Mandatory monetary penalties will be imposed for willful neglect of privacy and security

Information Security Information security is essential to help mitigate risk and protect our IT resources (computer, servers, and other electronic devices). Secure and protect your physical environment Create strong passwords and keep your computer accounts safe and secure Avoid computer security risks at work, home and on the road Understand violations and consequences

Report Unauthorized Disclosures If you discover a potential disclosure, or if you become aware of someone not following information privacy and security policies Report! Complete an incident report at: www.privacy.utah.edu Immediately Call the Hospital Help Desk at 801 587 6000 Privacy personnel will be notified and will begin an investigation

Congratulations! You have completed the HIPAA Privacy and Security training module for Students, Vendors and Shadowers. Continue to the next slide, print and sign the attestation certificate. Questions? Contact the Information Security and Privacy Office at 587 9241

UNIVERSITY OF UTAH HEALTH HIPAA PRIVACY AND SECURITY TRAINING I attest that I have successfully completed the assigned HIPAA course of study required by University of Utah Health for Vendors, Shadowers and Visiting and Visiting Students Students and will comply with the HIPAA Privacy and Security Regulations and University of Utah Health Policies and Procedures. Print Name Date Signature

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback