HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information


Course Competencies

This training module addresses the essential elements of maintaining HIPAA privacy and security of sensitive information and protected health information (PHI) within The Orthopaedic & Fracture Clinic. During this course you will learn:
- About the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules;
- How to recognize situations in which confidential and protected health information can be mishandled;
- About practical ways to protect the privacy and security of PHI;
- And that employees will be held responsible if they improperly handle confidential or protected health information.

Understanding Provider Responsibilities Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information and give patients an array of rights with respect to that information. This suite of regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information, and the Security Rule, which sets national standards for the security of electronic protected health information (ePHI). Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers are responsible for safeguarding the information by meeting the requirements of the Rules.

Why Do Privacy and Security Matter?

To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual's health information is private and secure. When patients trust you and health information technology enough to share their health information, you will have a more complete picture of patients' overall health. In addition, when breaches of health information occur, they can have serious consequences for your organization, including reputational and financial harm or harm to your patients. Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of a successful cyber-attack.

The HIPAA Privacy Rule

The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

Informing Patients about How We Use or Disclose Their Health Information

A Covered Entity (CE) must post and distribute a Notice of Privacy Practices (NPP). The notice must:
- Describe the ways in which the CE may use and disclose PHI;
- State the CE's duties to protect privacy, provide an NPP, and abide by the terms of the current notice;
- Describe individuals' rights, including the right to complain to the U.S. Department of Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated;
- Include a point of contact for further information and for making complaints to the CE.

When a patient signs an acknowledgement that they received the Notice of Privacy Practices, this is not a substitute for the HIPAA Release of Information authorization/consent form. The patient still needs to sign and give authorization for disclosure of their PHI in certain situations.

HIPAA Permitted Disclosures of PHI

- Disclosure to the individual or personal representative (parent/guardian)
- Disclosure for treatment, payment, and health care operations
- Disclosures required by state or federal law
- Disclosures to Business Associates
- Disclosures as authorized by the patient
- Disclosure to family/friends when authorized by the patient or when it is in the best interest of the patient
- Public health activities: to a public health authority; to report child abuse/neglect; to the FDA
- Law enforcement purposes
- Abuse, neglect, and domestic violence
- Judicial and administrative proceedings

If you are unsure whether a disclosure is permitted, talk to the Compliance Officer or Privacy Officer.

HIPAA Incidental Disclosures

Incidental uses and disclosures are defined as secondary uses or disclosures that:
- Are permitted by HIPAA;
- Cannot be reasonably prevented;
- Are limited in nature;
- Occur as a by-product of an otherwise permissible use or disclosure;
- Take place while reasonable safeguards and Minimum Necessary Standards are in place.

Example: A doctor can confer at a nurse's station without fear of being in violation of the rule if overheard by a passerby, provided reasonable safeguards and appropriate minimum necessary standards are in place.

Minimum Necessary Standard

PHI should not be accessed or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The Minimum Necessary Standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Minimum Necessary Standard does not apply to the following:
- Disclosures to or requests made by a healthcare provider for treatment purposes
- Uses and disclosures by or to a patient of their own PHI
- Disclosures made under a valid authorization
- Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

Patients' Rights and Your Responsibilities

As a health care provider, you have responsibilities to patients under the HIPAA Privacy Rule, including responding to their requests for:
- Access;
- Amendments;
- Accounting of disclosures;
- Restrictions on uses and disclosures of their health information; and
- Confidential communications.

HIPAA Privacy Rule Safeguards

- Close doors when discussing treatment and procedures
- Avoid discussion about individuals in public places
- Secure storage and transportation of PHI
- Keep posted or written information away from public access
- Do not leave detailed voice messages unless approved by the individual

The HIPAA Security Rule

The Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule concentrates on safeguarding PHI by focusing on its confidentiality, integrity, and availability:
- Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.
- Integrity means that data or information has not been altered or destroyed in an unauthorized manner.
- Availability means that data or information is accessible and usable upon demand only by an authorized person.

These Security Rule safeguards can help health care providers avoid some of the common security gaps that could lead to cyber-attack intrusions and data loss. Safeguards can protect the people, information, technology, and facilities that health care providers depend on to carry out their primary mission: caring for their patients.

The Threat of Cyber Attacks

Cybersecurity refers to ways to prevent, detect, and respond to attacks against, or unauthorized access to, a computer system and its information. It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, and your practice operations, and of course to comply with the HIPAA Security Rule. The following slides review common security threats and ways to mitigate them.

Viruses

A computer virus is a major threat to the information system. Viruses infect your computer by modifying how it operates and, in many cases, destroying data. Viruses spread to other machines through the actions of users, such as opening infected email attachments. Viruses can forward PHI to unauthorized persons by attaching themselves to documents, which are then emailed by the virus.

Worms

Worms are programs that can:
- Run independently without user action;
- Spread complete working versions of themselves onto other computers on a network within seconds;
- And quickly overwhelm computer resources, with the potential for data destruction as well as unauthorized disclosure of sensitive information.

Spam and Phishing

Spam is an unsolicited or junk electronic mail message, regardless of content. Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material, or scams. Spam also clogs email systems. Phishing is a particularly dangerous form of spam that seeks to trick users into revealing sensitive information, such as passwords.

Mitigating Cyber Threats

Be skeptical about emails! Look at the email address: who sent it? Take notice of the subject line: is it what you were expecting? Most phishing emails try to trick you into clicking the link or button in the email. If you question an email, please contact IT.

Thumb drives and removable memory: both of these can be dangerous. OFC policy states you are not allowed to bring in any personal or unauthorized software. Viruses can travel from PC to PC on this kind of media. Even if you believe the drive is safe, these viruses hide and you will unknowingly infect your PC and the network. If you need a drive for a project, please see IT.

Email and Texting

Increased online access and great demand by consumers for near real-time communications have increased the threat of impermissible uses or disclosures. The Security Rule requires that when you send ePHI, you send it through a secure method and that you have a reasonable belief that it will be delivered to the intended recipient. If you use email or text, you should be careful to use a communications mechanism that allows you to implement the appropriate Security Rule safeguards, such as an email system that encrypts messages or requires a login.

HIPAA Security Rule Safeguards

- Turn computer monitors away from the view of others, minimize when not in use, or use a privacy screen
- Do not disclose usernames or passwords
- Passwords should never be posted near a workstation
- Never copy files containing PHI to a laptop or mobile device
- PHI should never be stored on a C: drive
- Log off when leaving your workstation
- Employee access audits throughout the year
- Encryption: laptops, desktops, phones. If something is not encrypted, use extreme caution!

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

Covered Entities (CEs) and Business Associates (BAs) that fail to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules can receive civil and criminal penalties. Your good faith effort to be in compliance with the HIPAA Rules is essential.

The Breach Notification Rule: What to Do If You Have a Breach

A breach is, generally, an impermissible use or disclosure under the HIPAA Rules that compromises the security or privacy of PHI. When a breach of unsecured PHI occurs, the Rules require your practice to notify affected individuals, the Secretary of HHS, and, in some cases, the media. If you can demonstrate through a risk assessment that there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary.

Employee Responsibilities

The first line of defense in data security is the OFC employee. Employees are responsible for the security of all data which may come to them in whatever format.
- Avoid storing sensitive information on your C: drive.
- Access information only as necessary for your authorized job responsibilities.
- Keep your passwords confidential.
- Comply with the HIPAA Security and Privacy policies.
- Report promptly to OFC's Privacy Officer or Compliance Officer any concerns regarding unauthorized disclosure of PHI or other Sensitive Information.

Common HIPAA Rule Issues

It is never acceptable for an employee to look at PHI just out of curiosity, even if no harm is intended (e.g., retrieving an address to send a get-well card). Remember the Minimum Necessary Standard: what patient information do you need to access in order to do your job?

Unauthorized access is a prohibited practice:
- Do not access family members' or friends' PHI unless authorized.
- Do not access co-workers' PHI unless authorized.
- Accessing or reviewing birth dates or addresses of friends or relatives, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
- Accessing or reviewing ANY patient's record for any reason, or requesting that another individual do so, without a permissible purpose is unauthorized access of PHI.
- Accessing or reviewing confidential information of another employee who is also an OFC patient, without a permissible purpose, is unauthorized access of PHI.

HIPAA employee sanctions will be followed.

Employee Sanctions Under HIPAA

A CE is required by law to sanction employees who violate the HIPAA Privacy and Security Rules. Any violation of HIPAA will be handled under the CE's discipline policy, similar to other employee discipline issues. An employee who breaches the HIPAA Privacy or Security Rule policy is subject to formal disciplinary action, up to and including termination.

HIPAA Privacy & Security Audits

OFC audits all employees. Please be diligent in accessing only records you are authorized to access. This means only accessing a patient's PHI that is needed for your job function. As an employee of a CE, your conduct will at all times be compliant with HIPAA.
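The employee access audits mentioned above check each record access against the employee's job function. As an added example (not part of the OFC training and not an OFC system), the Python below runs that kind of review over constructed EHR access-log lines and flags the two cases the deck calls out: a co-worker's record opened without a permissible purpose, and any record opened with neither a treatment relationship nor a documented payment/operations reason. The user IDs, patient IDs, care-team assignments and log format are all assumed for illustration.

```python
# Added example: a minimal EHR access-log review of the kind the deck's
# "employee access audits" describe. Not OFC code; every ID, roster entry,
# care-team assignment and the log format below is constructed.
from dataclasses import dataclass

# Constructed roster: patient IDs that belong to workforce members (user ID).
EMPLOYEE_PATIENT_IDS = {"P1002": "jdoe", "P1005": "ksmith"}

# Constructed treatment relationships: patient ID -> users on the care team.
CARE_TEAM = {
    "P1001": {"drlee", "rn_ann"},
    "P1002": {"drlee"},
    "P1003": {"drpatel", "rn_ann"},
    "P1005": {"drpatel"},
}

# Constructed sample log lines: timestamp|user|patient|action|stated_reason.
# Payment and operations accesses carry a documented reason in this format.
SAMPLE_LOG = """\
2024-03-01T09:02:11|drlee|P1001|VIEW|treatment
2024-03-01T09:15:40|rn_ann|P1002|VIEW|
2024-03-01T10:03:05|billing1|P1003|VIEW|payment:claim-4471
2024-03-01T11:47:52|drpatel|P1002|VIEW|
2024-03-01T12:20:00|ksmith|P1005|VIEW|own-record
2024-03-01T13:05:19|rn_ann|P1005|VIEW|treatment
2024-03-01T14:10:33|frontdesk2|P1003|VIEW|
"""

@dataclass
class Finding:
    ts: str
    user: str
    patient: str
    rule: str

def parse_line(line):
    """Split one pipe-delimited access record into a dict."""
    ts, user, patient, action, reason = line.split("|", 4)
    return {"ts": ts, "user": user, "patient": patient,
            "action": action, "reason": reason.strip()}

def review(log_text):
    """Return a Finding for every access that fails the deck's rules."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, patient, reason = ev["user"], ev["patient"], ev["reason"]
        # Assumption: a workforce member reading their own record is out of
        # scope for this check (many organisations flag self-lookups too).
        if EMPLOYEE_PATIENT_IDS.get(patient) == user:
            continue
        on_care_team = user in CARE_TEAM.get(patient, set())
        documented = reason.startswith(("payment:", "operations:"))
        if on_care_team or documented:
            continue
        # A stated reason of "treatment" with no care-team assignment is
        # still flagged: the relationship, not the label, is what counts.
        if patient in EMPLOYEE_PATIENT_IDS:
            rule = "co-worker record accessed without permissible purpose"
        else:
            rule = "no treatment relationship or documented purpose"
        findings.append(Finding(ev["ts"], user, patient, rule))
    return findings
```

Each Finding is a candidate for the Privacy Officer to review with the employee, not an automatic verdict; the sample data yields four.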

HIPAA Privacy & Security Rule Questions

If you have any questions or concerns regarding the HIPAA Privacy & Security Rules, please contact:
- Privacy Officer (Bobbi Nawrocki), 386-6689 (bobbi@ofc-clinic.com)
- Compliance Officer (Julie Morgan), 386-6651 (jmorgan@ofc-clinic.com)
- IT Director (Brad Nawrocki), 386-6593 (brad@ofc-clinic.com)