JKO HIPAA Privacy and Security Officer Training
Privacy Officer
Patti Bushnell
Security Officer
Patti Bushnell
Protected Health Information (PHI)
Information that must be protected whether in written, oral, or electronic format.
Minimum Necessary Standard
Workforce uses only the minimum amount of PHI necessary to get the job done.
Patient Privacy Rights
HIPAA provided rights of patients.
Notice of Privacy Practices (NOPP/NPP)
Notification to patients that includes a description of patient's privacy rights, how EVO may use a patient's PHI, what family members the medical staff may interact with and how, information on how to file a complaint with HHS.
Privacy Policies
Policies regarding how EVO is allowed to use and disclose PHI.
HIPAA Security
Refers to portion of HIPAA that addresses physical, technical, and administrative safeguards that are put in place to protect confidentiality of information.
Electronic Protected Health Information (ePHI)
Refers to the integrity, confidentiality, and availability of patient health information stored in electronic formats.
User Identity
Unique User ID and Password.
Password Management
Selecting strong passwords, protecting those passwords, and changing passwords regularly.
Security Policies
Written policies that address how EVO will implement appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI.
WHY WAS THE HIPAA RULE ENACTED
BOTH A AND B
WHICH OF THE FOLLOWING IS A GOAL OF HIPAA
ALL OF THE ABOVE
FACILITY ACCESS CONTROLS IS AN EXAMPLE OF WHICH HIPAA SAFEGUARD
PHYSICAL
CONTINGENCY PLANS ARE AN EXAMPLE OF WHICH SAFEGUARD
ADMINISTRATIVE
TRANSMISSION SECURITY IS AN EXAMPLE OF WHICH SAFEGUARD
TECHNICAL
PHI STANDS FOR WHICH OF THE FOLLOWING
PROTECTED HEALTH INFORMATION
True or False:
HEALTH INFORMATION TRANSMITTED ORALLY IS NOT CONSIDERED PHI
FALSE
WHICH OF THE FOLLOWING WOULD BE AN EXAMPLE OF THE "MINIMUM NECESSARY" STANDARD
CREATING ROLE-SPECIFIC USER ACCOUNTS BASED ON THE DATA NEEDED TO PERFORM
WHICH DATA ELEMENTS ARE CLASSIFIED AS BOTH PHI AND PII
ALL OF THE ABOVE
PII IS DEFINED AS
B & C ONLY
PER HIPAA WHICH OF THE FOLLOWING IS A PERMITTED USE/DISCLOSURE OF PHI
BUSINESS MANAGEMENT AND ADMINISTRATIVE ACTIVITIES
WITHIN WHAT TIME FRAME ARE YOU REQUIRED TO REPORT A BREACH TO ONE CALL
WITHIN 20 DAYS OF THE DISCOVERY OF THE BREACH
ONE CALL RESTRICTS ACCESS TO ONLY THOSE WITH A TRUE NEED-TO-KNOW FOR WHICH OF THE FOLLOWING
ALL OF THE ABOVE
WHICH OF THE FOLLOWING ARE THINGS YOU CAN DO TO SECURE PHI AND PII
ALL OF THE ABOVE
True or False:
LOSING YOUR JOB OR NETWORK STATUS IS THE ONLY POSSIBLE DISCIPLINARY ACTION FOR VIOLATING THE INFORMATION SECURITY POLICY
FALSE
HIPAA
As a result, the federal government decided that privacy legislation must be enacted. In the 1970's, Congress began working to reform many aspects of the health care industry. By 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed in the House and Senate and was signed by the President. HIPAA became law, and many rules were set in place to protect patients and their personal health information.
The Purposes of HIPAA
-Privacy of Health Information
-Security of Electronic Records
-Administrative Simplification
-Insurance Portability
Privacy of Health Information
-According to HIPAA, a patient's health information is private. Before a patient's information is released to anyone, such as a family member or another physician, the patient must give written authorization.
-The privacy regulations are outlined in a section of HIPAA called the Privacy Rule. The Privacy Rule provides detailed instructions for handling and protecting a patient's personal health information.
Security of Electronic Records
-In recent years, there has been a trend in health care facilities to convert all medical records from paper form to electronic form.
-Electronic medical records (EMR) help the health care industry to operate more efficiently. However, EMR creates many security and privacy issues. As a result, HIPAA provides regulations to make sure that confidential records are kept secure. This is called the Security Rule.
Security Rule Safeguards
-According to the Security Rule, health care facilities must provide three types of safeguards when using electronic records.
Physical Safeguards
-include rules for providing a safe and hazard-free environment in which to store medical records.
For example:
-Doors should be locked.
-Computer server rooms should be locked and accessed by authorized personnel only.
-Any paper records should be stored in locked, fireproof cabinets.
Technical Safeguards
include rules for protecting electronic information.
For example:
-All medical records should be password-protected, and passwords should be updated regularly.
-Information that is transmitted electronically should be encrypted.
-All computer systems must have effective anti-virus software.
Administrative Safeguards
include rules for managing employees who have access to protected health records. For example:
-Policies must be in place regarding which employees are allowed to access information.
-All employees should complete security awareness training.
Administrative Simplification
-Because most health care agencies have adopted an electronic records system, there was a need for national standards for health transactions. These standards are created in HIPAA in the Transaction and Code Set Rule. As a result of this rule, all medical transactions and codes have become the same nationwide. For example, a medical office assistant will be able to submit an insurance claim in the same format for any insurance plan and any insurance company.
-By standardizing these transactions, the health care industry has simplified its claims process. The process for transmitting data has also become more efficient. Standard, electronic claims are filed faster. And they are typically more accurate than the old paper forms.
Health Insurance Access, Portability, and Renewability
-section of HIPAA was created to provide continuous insurance coverage for people when they change or lose a job. A change in jobs usually results in a change in health insurance. HIPAA prevents health insurance companies from denying or limiting coverage for people who have pre-existing conditions.
Insurance Portability
For example, suppose that Rose Wilson had health insurance through her employer. After several years of employment, Rose developed a heart condition. She decided to quit her job and begin her own business working from home. When Rose applies for a new health insurance policy, it is illegal for the insurance company to deny coverage on the basis of her pre-existing heart condition.
Privileged Communication
information that is shared within a protected relationship. Such relationships include physician and patient, attorney and client, and clergy and counselee. The confidentiality, or privacy, of privileged communication is protected by law. In other words, under most circumstances, privileged communication cannot be disclosed. For example, an employee has taken a lot of sick days. The employer knows the employee's physician and asks the physician why the employee has taken so many sick days. The physician cannot answer the employer's question without the patient's permission.
The Privacy Rule
-established nationwide standards that are used to protect private patient information. For example, personal health information may only be shared among the members of a patient's health care team. Under most circumstances, it may not be disclosed to anyone else without the patient's permission. Violations of the Privacy Rule may include civil and criminal penalties, such as fines and loss of license.
-The Privacy Rule was not intended to slow down health care or to make health care more complicated. Rather, the rule was created to protect private health information while still allowing the flow of necessary information. As a result, patients should feel confident that their information is being treated properly and respectfully.
Protected health information (PHI)
is any individually identifiable health information about a patient. This is information about a patient's health status, provision of health care, and payment for health care that also identifies the patient's name, social security number, address, telephone number, date of birth, etc. PHI can be oral-, paper-, or electronic-based.
Privacy
defined as a patient's right to control the use of protected health information.
Confidentiality
using discretion when handling protected health information. So then, patients have the right to the privacy of their health information, and health care employees have the responsibility to keep a patient's health information confidential.
Disclosure
release, transfer, or provision of access to protected health information. Patients must give permission for their health information to be disclosed to other people, including other doctors, family members, friends, health insurance companies, employers, and attorneys.
Authorization
the permission that patients give in order to disclose protected health information. Several elements must be included in formal authorization.
Authorization must be in writing and in plain language.
Authorization must name the entities that are allowed to receive health information. Entities include health care providers, health insurance providers, and health care clearinghouses, who handle insurance claims.
Authorization must state the people that are allowed to view health information, such as a spouse or other relatives.
Authorization must state the extent of health information that approved entities and people are allowed to access.
Authorization must include a statement that patients have the right to refuse authorization. As a result, health care providers have the right to limit treatment to that patient.
Authorization must have an expiration date.
Authorization must be signed and dated by the patient.
Patient Rights under the Privacy Rule
At a patient's first visit to a health care facility, the patient must be given a written copy of the facility's rules and the patient's rights regarding protected health information.
Right to request restrictions on certain uses of protected health information
Patients may select which items in their medical records should not be disclosed. For example, a patient may restrict an item in the medical record if the previous health condition is no longer applicable or if the patient feels that it will cause embarrassment.
Right to request confidential communications
Patients may request reasonable, alternative forms of communication. For example, a patient may ask to be contacted at a work phone number instead of a home phone number.
Right to access a copy of protected health information
With the exception of psychotherapy notes, patients may access, inspect, and obtain a copy of their medical records. Typically, the request must be made in writing and acted on within 30 days. Most facilities will charge a fee to patients to obtain copies of their medical records.
Right to request an amendment of protected health information
Patients may request a change to their medical record if they feel that something is incorrect. The requests must be made in writing. Facilities must respond in a timely fashion. In some cases, the requests may be denied.
Right to receive an accounting of disclosures of protected health information
Patients may request a record of all the instances in which their personal information was disclosed. Each item in the record must include the date of disclosure, the name of the entity or person to which information was disclosed, a description of the information that was disclosed, and the reason for disclosure.
Medical Facility Responsibilities
Medical facilities must abide by HIPAA and Privacy Rule regulations. Each facility must have a written policy for adhering to these rules. The policy must be recorded in electronic and paper form.
Medical Facility Responsibilities
When patients come to a medical facility for the first time, they must receive a copy of the facility's privacy policy. This is called the Notice of Privacy Practice form. All patients must read and sign the form. In addition, patients must sign a Release of Information form to allow the facility to disclose medical information to authorized entities or people.
Disclosure without Authorization
When a patient requests to see his or her own personal information: Patients may have access to their own medical record at any time.
When permission to disclose is obtained: If a patient is admitted to the hospital, the patient will be asked if his or her name may be listed in the directory. Then, if any guests request to see the patient by name, the guests can be directed to the correct room.
When information is used for treatment, payment, and health care operations: If a patient is referred from one doctor to another doctor, these two doctors may share the patient's health information.
When disclosures are obtained incidentally: Incidental information is information that is obtained accidentally, even when privacy precautions are taken. For example, if a doctor discusses a medical condition with a patient behind closed doors and someone outside the door overhears, this is considered incidental.
When information is needed for research: Some health data may be released to researchers or for public health purposes. In these cases, identifying information, such as names, social security numbers, and addresses, has been removed from the data.
The final situation for when disclosure of protected health information is allowed without authorization occurs when there are legal or public interest issues involved. Some examples of legal or public interest issues include:
When information in a medical record must be provided to a court of law.
When law enforcement needs medical records to identify a suspect or missing person.
When reporting cases of abuse, neglect, or domestic violence.
When births and deaths occur.
When a patient contracts a serious communicable disease, such as tuberculosis.
When information is needed to facilitate organ transplants from deceased donors.
Emotional abuse
includes excessive demands. It includes insults and humiliation. It also includes jealousy, control, and isolation. Emotional abuse includes stalking and threats. And it includes lack of affection and support.
Physical abuse
includes hitting, kicking, pushing, shaking, pulling hair, pinching, choking, biting, burning, scalding, and threatening with a weapon. It also includes inappropriate restraint. And physical abuse includes withholding food and water, not providing physical care, and abandonment.
Sexual abuse
includes using sexual gestures, suggesting sexual behavior, and unwanted sexual touching or acts.
Signs of Abuse
-Patient statements
-Unexplained injuries, such as bruises, abrasions, fractures, bite marks, and burns
-Unreasonable explanations for injuries
-Malnutrition and dehydration
-Poor personal hygiene
-Pain or bruising in the genital area
-Unexplained genital infections
-Emotional problems, such as anxiety, depression, aggressiveness, changes in appetite, problems at school or work
Medical Records
-Personal information, such as full name, phone number, address, work number and address, birth date, social security number, and marital status
-Medical history
-Description of symptoms
-Diagnoses
-Treatments
-Prescriptions and refills
-Records of patient's telephone calls
-Name of legal guardian
-Name of power of attorney
-Notes about copies of medical records
Ownership of Medical Records
Medical records belong to health care providers, but patients have the right to see and obtain a copy of their records. The exception to this is patients with mental illness. This is because knowledge of their medical information may make such patients' condition worse. In addition, if a patient's employer or prospective employer pays for a job-related physical examination, the employer, not the patient, has the right to see and obtain a copy of the records. In this case, the employer must give permission for the patient to see and obtain a copy of the records.
Proper Maintenance
Medical records are legal documents. Therefore, they must be properly maintained. Specifically, medical records must be complete, legible, and timely. In addition, all information in records must be objective and the information must be initialed and dated. Subjective observations made by health care workers should never be included. On the other hand, subjective statements made by patients may be included. These should be recorded in patients' exact words and quotation marks should surround them.
-Furthermore, errors should never be erased or covered with correction fluid. Instead, a single line should be drawn through an error so that the error is still readable. And the word "error" should be written and initialed. An explanation of the error may be included. Then, correct information may be inserted, initialed, and dated.
-Records should also be kept for at least two to seven years, according to federal and state laws. When records are destroyed, they should be shredded.
Electronic Medical Records
Advantages of electronic medical records
-Instant access
-Remote access to up-to-date information
-Simultaneous access
-Decreased time to record information
-Legible
-Better organization
-Flexible data layout
-Automated checks and reminders
-Increased privacy and decreased tampering, destruction, and loss due to required authorization
Disadvantages of electronic medical records
-Additional hardware, software, and licensing costs
-Resistance to giving up paper records
-Difficult data entry
-Training
-Computer downtime, such as unexpected failure or routine servicing
-Confidentiality and security concerns, such as access to information by unauthorized individuals
Confidentiality of Electronic Records
-Limit individuals who have access to records by using passwords, fingerprints, voice recognition, and eye patterns.
-Require codes to access specific information.
-Place monitors in areas where others cannot see the screen.
-Do not leave monitors unattended while confidential information is on the screen.
-Do not send confidential information by e-mail.
-Back up data.
-Constantly monitor and evaluate the use of electronic medical records.
Printers
-Do not leave printers unattended while printing confidential information.
-Do not print confidential information on printers that are shared by unauthorized individuals.
-Do not print confidential information on the wrong printer.
-Make sure to collect printouts of confidential information from printers.
-Do not throw unneeded printouts of confidential information in trash cans. Instead, these should be shredded.
Copiers
-Do not copy confidential information if unauthorized individuals are in the area and can see the information.
-Do not leave copiers unattended while copying confidential information.
-If a paper jam occurs, be sure to remove the copies that caused the jam from the copier.
-Make sure to collect all copies of confidential information as well as the original from the copier.
-Do not throw unneeded copies of confidential information in trash cans. Instead, these should be shredded.
Fax machines
-Contact the receiver and verify the fax number of the receiving location before faxing confidential information.
-Do not fax confidential information to unauthorized individuals.
-Attach a cover sheet that contains a confidentiality statement.
-Do not fax confidential information if unauthorized individuals are in the area and can see the information.
-Do not leave fax machines unattended while faxing confidential information.
-Make sure to collect confidential information from fax machines.
-Do not throw unneeded faxes of confidential information in trash cans. Instead, these should be shredded.
-Contact the receiver after faxing confidential information.
Telephones
-Do not use patients' names if unauthorized individuals are in the area and can overhear.
-When leaving messages, simply ask patients to return the call. Do not speak about any confidential information.
Which of the following is not among HIPAA's primary purposes?
Advising patients on which health screenings they need to monitor their health
XYZ Ltd., a business associate of a healthcare provider, was responsible for handling all accounting services for the provider. While performing an audit, Brooke, one of XYZ's employees, shared confidential patient information on social media in violation of HIPAA. What penalties may XYZ face?
XYZ faces potential audits and penalties from HHS
Under which of the following conditions could Meredith show the patient's records to Caitlin?
If Caitlin needed to view the chart for purposes of treatment, payment, or operations.
What's the worst thing that could happen to Meredith if she shows Caitlin the patient's records without the patient's prior consent?
She could be fined or even imprisoned.
As Tracy prepared to leave work for the day, she put documents containing PHI in a folder on her desk, shut off her computer and left her office without locking the door. Which of Tracy's actions put PHI at risk?
Leaving PHI in a folder on her desk and not locking her office door
Assuming the files and thumb drive contained unencrypted PHI, did Claire mishandle PHI here?
Yes, because she told Juan to throw the files and thumb drives in the dumpster
If Juan later took the thumb drives home with him, would this be a security breach?
Yes, because Juan was not authorized to take the thumb drives home.
What should Sam have done to protect the PHI on the flash drive?
Nothing. Sam should not have taken the PHI out of the office at all.
Assuming that the person who picked up the lost flash drive was a stranger unknown to Sam, would this be considered a "security breach" involving PHI under HIPAA?
Yes, unless Sam's employer can prove it's unlikely the PHI has been compromised
Health
The "H" in HIPAA
Insurance
The "I" in HIPAA
Portability
The "P" in HIPAA
Accountability
The first "A" in HIPAA
Act
The second "A" in HIPAA
PHI
HIPAA acronym for confidential health information
Protected
The "P" in PHI
Information
The "I" in PHI
Harry owns a medical billing services company. In order to save money, Harry decides to eliminate HIPAA training for his employees. As a result, one of Harry's employees accidentally disclosed PHI. Which of the following statements is the most accurate?
Harry may be subject to significant civil and criminal penalties
Which of the following is not protected health information (PHI) under HIPAA?
A pamphlet explaining the risks of smoking
Which of the following guidelines should you follow when handling PHI?
Destroy PHI once it is no longer needed in accordance with the company's record management policies
Which of the following guidelines should you follow when handling PHI?
Maintain strong passwords on electronic systems
Which of the following is not a reasonable privacy safeguard required by HIPAA?
Talking about PHI in Pig Latin
Which of the following is the best summary of one of HIPAA's primary purposes?
Standardizing healthcare data
Which of these is the best reason to be sure you understand how HIPAA affects your day-to-day job responsibilities?
Both of the above:
-violations of HIPAA can incur substantial penalties, including large fines and imprisonment
-Protecting the privacy of personal healthcare information aids the integrity of our healthcare system
When must a covered entity provide a Notice of Privacy Practices (NPP)?
Whenever someone requests a copy of the NPP
Gayle recently had hip replacement surgery and has been visiting an outpatient rehabilitation center. Her medical costs are covered by Medicare. The rehabilitation center has sent Gayle a letter asking for certain information to resolve a billing problem. Is Gayle's personal health information protected by HIPAA in this situation?
Yes, because both Medicare and the rehabilitation center are subject to HIPAA
Ben just started a new job at a company that handles PHI. In exploring the layout of the office, Ben entered a room that houses hard copies of files that are being converted into an electronic format. Curious, Ben reviewed certain files, many of which contained PHI. What HIPAA security measure could have prevented Ben's unauthorized access to PHI?
Facility access controls
Which of the following is a physical safeguard required by HIPAA?
Developing procedures for the proper disposal of old laptops
Which of the following is an example of a technical safeguard required by HIPAA?
Using person or entity authentication to control access to PHI
Jenny's children go to school with the children of a pharmacist who works at her local drugstore. Jenny learned that the pharmacist disclosed Jenny's drug prescriptions to a teacher at the school to dissuade her from allowing Jenny to chaperone an overnight field trip. What action can Jenny take?
File a complaint with OCR
Which of the following is the most accurate summary of the possible penalties for a HIPAA violation?
All of the above:
-Civil fines of up to $1.65 million annually
-Criminal fines of up to $250,000
-Imprisonment for up to 10 years
In which of the following situations may we not use or disclose an individual's PHI without written authorization?
To discuss the patient's condition with family members
Affordable Health Plan Inc. posts its NPP on its website. Recently, the company made a material revision to the NPP. As a result, they mailed a new copy of the NPP and an explanation of the revisions to all of the individuals covered by their health plan. Did Affordable Health Plan Inc. act correctly?
No, the company also needs to post the material revisions on its website
Julia recently moved across the country and started seeing a new doctor. She never contacted her former doctor for her medical records. Six years before she moved, Julia was treated for depression. Is this information protected by HIPAA?
Yes, medical records never lose HIPAA protection
Which of the following situations present(s) potential violations of HIPAA?
All of the above:
-The sale of a list of patient names and phone numbers to a marketing company
-The theft of a laptop containing unencrypted PHI
-A nurse sharing PHI with her husband to assist him in a lawsuit against a patient