HIPAA Privacy and Security Basic Training for ApolloMD Employees


Upload: alison-christenberry

Post on 18-Jan-2017


Page 1: HIPAA Privacy and Security Basic Training for ApolloMD Employees

HIPAA Privacy & Security Training for ApolloMD and Affiliated Groups

Revised January 2017

Page 2: HIPAA Privacy and Security Basic Training for ApolloMD Employees

This Training Covers:

• What is HIPAA?

• What is the Privacy Rule? Security Rule?

• Who must adhere to HIPAA?

• What health information must be protected?

• What is a Covered Entity?

• What is the “Minimum Necessary Standard?”

• When is an authorization required?

• What rights do individuals have regarding their PHI?

• What are the three types of disclosures?

• When is an employee required to report a disclosure?

• What are access controls?

Page 3: HIPAA Privacy and Security Basic Training for ApolloMD Employees

What is HIPAA?

• The Health Insurance Portability & Accountability Act of 1996 public law was passed by Congress:

– To improve portability and continuity of health insurance coverage in the group and individual markets.

– To combat waste, fraud, and abuse in health insurance and health care delivery.

– To reduce costs and the administrative burdens of health care by standardizing the interchange of electronic data for specified administrative and financial transactions.

– To ensure the privacy of Americans’ personal health records by protecting the security and confidentiality of health care information.

Page 4: HIPAA Privacy and Security Basic Training for ApolloMD Employees

HIPAA: Privacy vs. Security

Two of the Administrative Simplification rules under Title II of HIPAA are the Privacy Rule and the Security Rule.

• Privacy Rule

– Refers to WHAT is protected – an Individual’s Protected Health Information (PHI) – and the determination of WHO is permitted to use, disclose, or access that information.

• Security Rule

– Refers to HOW electronic Protected Health Information (ePHI) is safeguarded – ensuring privacy by controlling access to information and protecting that information from inappropriate disclosure, destruction or loss (be it accidental or intentional).

– There are three types of security safeguards required for compliance: administrative, physical, and technical.

Page 5: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Who Must Adhere to HIPAA and What Health Information Must be Protected?

• Those who must adhere to HIPAA include everyone who:

– Works with or may see health, financial, or confidential information with HIPAA PHI identifiers.

– Uses a computer or electronic device which stores and/or transmits information.

• Health information that must be protected includes any personally identifiable information that is:

– Created

– Kept

– Filed

– Used

– Shared

– Written

– Spoken

– Electronic

Page 6: HIPAA Privacy and Security Basic Training for ApolloMD Employees

HIPAA Defines the Following as PHI Identifiers:

• Name

• Postal addresses

• All elements of dates except year

• Telephone number

• Fax number

• Email address

• URL address

• IP addresses

• Social security number

• Account numbers

• License numbers

• Medical record number

• Health plan beneficiary number

• Device identifiers and their serial numbers

• Vehicle identifiers and serial number

• Biometric identifiers (finger and voice prints)

• Full face photos and other comparable images

• Any other unique identifying number, code, or characteristic

Page 7: HIPAA Privacy and Security Basic Training for ApolloMD Employees

What is a Covered Entity?

• The following groups are Covered Entities:

– Health Care Providers

– Health Care Clearinghouses

– Health Care Plans

• The Privacy and Security Rules apply only to Covered Entities. Individuals, organizations, and agencies that meet the definition of a Covered Entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

Note: ApolloMD and Affiliated Groups are Covered Entities.

Page 8: HIPAA Privacy and Security Basic Training for ApolloMD Employees

When Can a Covered Entity Use and Disclose PHI?

• For the treatment of a patient.

• For the payment of bills.

• For the purpose of health care operations.

– However, even a Covered Entity can only look at, discuss, or disclose an individual’s PHI to the extent necessary to complete one of the functions listed above.

Employees should protect every patient’s information as if it were their own!

Page 9: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Minimum Necessary Standard

• When using, disclosing, or requesting PHI for purposes of TPO (treatment, payment, or operations), the HIPAA Privacy Rule requires that we limit the use and/or disclosure of PHI to the minimum reasonably necessary to accomplish the intended purpose.

• The sender of PHI needs to define what falls under the category of “needs to know” instead of releasing “all” information.

• This rule is true both when communicating within our organization or communicating with other organizations.

• Less is better.

Page 10: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Exceptions to the Minimum Necessary Rule

• Healthcare providers treating patients.

• Disclosures to the individual about his/her own health information.

• Disclosures to the U.S. Department of Health and Human Services.

• Uses or disclosures required by law.

• Uses or disclosures otherwise authorized by the individual.

Page 11: HIPAA Privacy and Security Basic Training for ApolloMD Employees

When is an authorization required?

• The Privacy Rule requires a Covered Entity to obtain an authorization for uses and disclosures of PHI requested by a third party or non-covered entity.

– Example: A patient must sign an authorization before ApolloMD can release said individual’s medical record to an attorney’s office.

• The HIPAA Privacy Rule does not require an authorization when using, disclosing, or requesting PHI within our organization or between our organization and another Covered Entity for the purpose of TPO (treatment, payment, or operations).

– Example: ApolloMD does not need a signed authorization in order to release a patient’s medical record to his or her insurance company.

Page 12: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Individuals’ Rights Regarding PHI

• With a few rare exceptions, individuals have the right to:

– Inspect and copy their medical records and other PHI.

– Request corrections to their records. We must make corrections except when we did not create the record or when the record is accurate, complete, and contains no errors.

– Request an accounting of disclosures that we have made of their PHI.

– Request restrictions on disclosures. With a few exceptions (see next page), a Covered Entity must honor an individual’s prohibition of disclosure to the patient’s health plan when the provider has already been fully paid out-of-pocket.


Page 13: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Disclosure Exceptions to Privacy

• A Covered Entity is not bound to the patient’s prohibition of disclosure if any of the following applies:

– Where required by law.

– When subpoenaed by law enforcement.

– As ordered in judicial proceedings.

– As required for healthcare oversight activities.

– To coroners, medical examiners, and funeral directors.

– In cases of emergencies involving imminent threat to the health or safety of the individual or the public.

Page 14: HIPAA Privacy and Security Basic Training for ApolloMD Employees

What are Access Controls?

• Access controls are defined as the ability to grant or deny users certain permissions to access company resources based on the individual’s role within the company and that individual’s “need to know” specific information in order to meet the company’s business objectives.

– Example: An Accounts Receivable employee will be granted access to view patient information specific to the states for which that employee is responsible. The employee will not be given access to view PHI for patients in other states.

Page 15: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Password Management

• ApolloMD Information Resources will assign unique user identifiers (user IDs), which may include any or all of the following, or another appropriate method: (a) Biometric identification (b) Workforce members’ names (c) Exclusive numbers (e.g., PIN, Password).

• Employees have the responsibility of keeping their login credentials private. Employees cannot share user IDs that allow access to ePHI systems/software with anyone.

• Corporate employees that find their system login account disabled after three unsuccessful login attempts will need to contact the ApolloMD IT Support Desk at [email protected] to have their account reset.

• Employees should not base passwords on personal information such as birthdays, anniversaries, phone numbers, pet names, nicknames, names of family members, etc.

• Employees should notify the ApolloMD IT Support Desk at [email protected] of any suspicious activities on their workstations, as this may be an indication of unauthorized access.

Page 16: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Secure all PHI

All employees should:

• Lock your computer when leaving your desk area (<ctrl> <alt> <delete> or finger swipe).

• Disguise visibility of documents when leaving your desk area by turning papers upside down or otherwise obscuring them from view.

• Use only company phones for conversations involving confidential information (not your cellular phone).

• Never remove documents containing PHI from work premises and secure areas.

• Appropriately dispose of documents containing PHI in authorized trash bins designated for shredding.

• Log-off computers nightly and file documents containing PHI in locking cabinets/drawers or rooms.

Page 17: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Faxing PHI

• Great care should be taken when sending a fax with PHI to ensure that it is received by the intended recipient.

• Any fax containing PHI that is misdirected must be reported and documented.

• PHI transmitted by fax should be limited to the minimum necessary to meet the recipient’s needs.

• Any fax containing PHI must contain the Company-approved disclaimer on the fax cover sheet.

Page 18: HIPAA Privacy and Security Basic Training for ApolloMD Employees

What Must a Fax Cover Sheet Include?

• Sender's name and Company name.

• Sender’s telephone number and fax number.

• Date of transmission.

• Number of pages being faxed.

• Recipient’s name and Company name.

• Recipient’s telephone number and fax number.

• Summary of the content being faxed (do NOT include PHI on the cover sheet).

• Name and number to call to verify receipt, report a transmittal problem or to inform of a misdirected fax.

• Instructions for handling misdirected faxes (the recipient should mail back the information or shred the document).

Page 19: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Emailing PHI

• Employees who have been assigned a Company email address (an @apollomd.com address) are required to use that assigned account for sending all emails containing ePHI. Personal email accounts should not be used for sending ePHI.

• Before sending an email containing ePHI, ensure that the email is properly encrypted. Remember that information transmitted over the Internet is not encrypted by default; however, the Company has provided for email encryption through our corporate email system (Outlook). Employees should contact the support help desk at [email protected] for assistance with encryption, if necessary.

• ApolloMD is using ZixCorp for its email encryption services. Further information/instructions regarding this system will be distributed, but ePHI can be encrypted and sent via three means:

– Marking the message as confidential in Microsoft Outlook

– Using the Microsoft plug-in to specify email encryption

– Using specific keyword(s) in the email subject line.

• ePHI may be sent between Company email addresses (@apollomd.com to @apollomd.com) without manually forced encryption.

Note: All Emails Should Contain Our Company Disclaimer.

Page 20: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Malicious Software Attacks

• Malicious software attacks can threaten the privacy of stored PHI.

• Your computer may have been infected if you experience any of the following:

– An alert message from your malicious code detection software is displayed.

– Some programs stop working (or run slower than normal) or data files are deleted without cause.

– You receive error messages relating to missing “.dll” or “.exe” files when accessing data.

• What is your role:

– If you suspect an infection, contact the ApolloMD IT Support Desk at [email protected].

– Help prevent attacks by following the Company’s Acceptable Use Policy.

Page 21: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Breach Penalties & Fines

• A breach occurs when unsecured PHI has been accessed, used, or disclosed in violation of the Privacy Rule and the disclosure or use poses a significant risk of financial, reputational, or other harm to an individual.

• Following a breach, Covered Entities must:

– Provide notification of the breach to the affected individual(s) without unreasonable delay and in no case later than 60 days following the discovery of a breach.

– If the breach affects more than 500 residents of a state or jurisdiction, the Covered Entity responsible for the breach is required to provide notice to the media and submit a breach report to the Health and Human Services (HHS) website no later than 60 days following discovery of the breach.

• HIPAA has four levels of penalties ranging from $100 per violation to $1.5 million, depending on the nature of the violation(s).

Page 22: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Types of Unauthorized Disclosures

• Incidental Disclosure: An “incidental” disclosure occurs as a by-product of another permissible or required use or disclosure under the Privacy Rule. It is a limited disclosure that cannot reasonably be prevented.

– Examples of "incidental" disclosure: A hospital visitor overhears a provider's confidential conversation with another provider or a patient, or a visitor catches a glimpse of a patient's information on a sign-in sheet or nursing station whiteboard.

• Accidental Disclosure: An "accidental" disclosure is not permitted under the regulations and would potentially subject the organization to penalties for the violation.

– Example of “accidental” disclosure: An employee intends to fax a patient’s medical record to the patient’s health plan, but, instead, “accidentally” faxes the record/PHI to a restaurant.

• Intentional Disclosure: A disclosure that is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

Page 23: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Reporting Disclosures

• If you personally make an unauthorized disclosure, or if you become aware of an unauthorized disclosure made by another employee, you are obligated to immediately report the disclosure to the Compliance Officer (see contact information on the following slide).

– Incidental Disclosures do not have to be reported as long as reasonable safeguards have been applied.

– Accidental Disclosures must be reported.

– Intentional Disclosures must be reported.

Page 24: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Compliance Officer

• The Compliance Officer serves as the focal point for the company’s privacy-related initiatives.

• The Corporation’s current Compliance Officer is William Le, who may be reached at:

Phone – 404.961.2731

Email – [email protected]

5665 New Northside Drive, Suite 320, Atlanta, Georgia 30328

• If an employee is uncertain whether specified conduct is prohibited, that employee should contact the Compliance Officer prior to engaging in such conduct. Likewise, an employee should report to the Officer any potentially non-compliant behavior of other employees.

Page 25: HIPAA Privacy and Security Basic Training for ApolloMD Employees

Conclusion

• This concludes our general HIPAA training. You will now need to complete a brief assessment. Please answer each question to the best of your ability.

• Individuals who score at least 80% on the test will be emailed a certificate of completion. Please retain a copy of this certificate for your records.

• In the event that you score below 80% on the test, you must retake this training. You will have up to three opportunities to take and pass this assessment.

Thank you for your commitment to HIPAA compliance.