HIPAA PRIVACY TRAINING FOR ASSOCIATES HAYS MEDICAL CENTER CHRISTY STAHL, CPC COMPLIANCE MANAGER & PRIVACY OFFICER


Page 1: HIPAA PRIVACY TRAINING FOR ASSOCIATES - Hays Med

HIPAA PRIVACY TRAINING FOR ASSOCIATES
HAYS MEDICAL CENTER
CHRISTY STAHL, CPC
COMPLIANCE MANAGER & PRIVACY OFFICER

Page 2

HaysMed’s Privacy Officer is Christy Stahl. She is responsible for the oversight of HaysMed’s compliance with the HIPAA privacy regulations. She also investigates any alleged privacy violations.

Page 3

Associates

You will notice the term “Associates” is used throughout this training. “Associates” is a broad term that represents all the following individuals who are associated with HaysMed:

• Employees
• Volunteers
• Students
• Other trainees
• Members of the Board of Directors
• Locum Tenens
• Contract Staff
• Independent Contractors
• Other persons whose conduct is under the direct control of HaysMed (whether or not they are compensated by HaysMed for such services)

Page 4

LESSON ONE

Welcome to the introductory lesson on the HIPAA Privacy and Security Rules

Page 5

COURSE RATIONALE

In this course, you will learn about:

• Federal regulations concerning patient confidentiality and computer security
• How those regulations impact your job duties/training at HaysMed

Page 6

COURSE GOALS

After completing this course, you should:

• Know the rules regarding the use and disclosure of protected health information
• Understand safeguards to protect patient privacy
• Appreciate the importance of computer security

Page 7

COURSE OUTLINE

Lesson 1 – this introductory lesson gives you the course rationale, goals, and outline
Lesson 2 – provides an overview of the HIPAA Privacy and Security Rules
Lesson 3 – explains the rules regarding use and disclosure of patient information
Lesson 4 – addresses patients’ rights concerning their health information
Lesson 5 – talks about safeguards to protect patient privacy and security

Page 8

LESSON 2

Overview of the HIPAA Privacy and Security Rules

Page 9

Welcome to Lesson 2 for an overview of the HIPAA Privacy and Security Rules

After completing this lesson, you should:

– Understand where the rules came from
– Appreciate why we have these rules
– Know the consequences of violating the rules

Page 10

• HIPAA stands for the Health Insurance Portability and Accountability Act of 1996
• HIPAA is a federal law that was enacted by Congress and signed by the President in 1996

Page 11

As part of the HIPAA law, Congress directed the U.S. Department of Health and Human Services (DHHS) to develop regulations that would:

- protect patient privacy
- protect the security of health information stored and transmitted electronically

Page 12

The final HIPAA Privacy Rule became effective in April 2003

The final HIPAA Security Rule became effective in April 2005

These rules regulate the way covered entities handle protected health information

Page 13

The HIPAA Privacy and Security Rules only apply to covered entities

We refer to covered entities as CEs

There are three types of CEs:

- Health Care Providers (e.g., hospitals, physicians, nursing homes, pharmacies)
- Health Plans (e.g., health insurance companies, employer-sponsored health plans)
- Healthcare Clearinghouses (organizations that process insurance claims)

HaysMed is a CE, so the hospital, its physician clinics, and Associates must comply with the HIPAA Privacy and Security Rules

Page 14

The HIPAA Privacy and Security Rules regulate how we safeguard, use, and disclose Protected Health Information or PHI.

PHI includes all individually identifiable health information

PHI is not limited to paper documents. It includes data and oral communications

Page 15

Health information includes:

- Past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual; or
- Past, present, or future payment for the provision of health care to an individual.

Information is protected regardless of how sensitive it may be

Page 16

Health information is individually identifiable if it:

- identifies an individual
- provides some basis from which someone could identify an individual if they really wanted to

Page 17

Examples of information that is considered “identifying”:

- name, address, telephone number, fax number, email address
- birth date, admission date, discharge date
- social security number, medical record number, account number
- information about relatives, employers, etc.
- vehicle ID number, URL address

Page 18

Examples of PHI

All of the following constitute PHI:

- A lab test report that lists only the patient’s medical record number
- A conversation between two nurses about the patient in Room 202
- A message on an answering machine asking John Doe to call his doctor’s office
- A receipt for payment of an office visit co-payment

Page 19

Examples of PHI

- Patient Photos
- Status boards in the Electronic Medical Record
- Emails containing patient information
- Patient Discharge Instructions

Page 20

Consequences of violating the HIPAA Privacy and Security Rules

- Significant government fines and penalties against HaysMed
- Up to $50,000 per violation
- Criminal penalties against the individuals involved in the violation
- Expensive civil lawsuits brought by individuals against HaysMed and its Associates
- Damage to HaysMed’s reputation in the community
- For licensed individuals (e.g., nurses, therapists), disciplinary action by their licensing board

Page 21

• Consequences of violating HaysMed’s HIPAA policies:

- For HaysMed employees, disciplinary action by HaysMed, up to and including termination
- For students, termination of their training at HaysMed
- For contracted individuals, termination of their contract with HaysMed
- Understand that HaysMed is obligated to report licensed Associates to their licensing agencies when the Associate violates HIPAA

Page 22

You have completed Lesson 2 on the purpose of the HIPAA Privacy and Security Rules

Page 23

Remember:

• The HIPAA Privacy and Security Rules regulate the way covered entities safeguard, use, and disclose protected health information
• PHI is any information relating to a person’s health, healthcare, or payment for healthcare services that contains something that could be used to identify the person
• PHI is not limited to paper documents. It includes electronic data and oral communications
• The consequences of violating these rules can be severe for HaysMed and its Associates

Page 24

Lesson 3

Uses and Disclosures of PHI

Page 25

Welcome to Lesson 3 on uses and disclosures of PHI

After completing this lesson, you should be able to:

- List uses and disclosures of PHI allowed under the HIPAA Privacy Rule
- Recognize what must be included in written permission for uses and disclosures
- Define “minimum necessary” use or disclosure

Page 26

Competing Interests

The HIPAA Privacy Rule tries to balance two competing interests:

- No. 1: protect patient privacy
- No. 2: allow the flow of PHI when needed to ensure high quality healthcare and protect public health

Page 27

A CE cannot use or disclose PHI without the patient’s authorization unless an exception applies

Exceptions are based on the purpose of the use or disclosure, as opposed to the type of PHI involved

Let’s look at some of those exceptions

Page 28

Treatment, Payment, Health Care Operations

Use and disclosure of PHI is permitted without patient authorization if the purpose of use or disclosure is:

- treatment
- payment
- health care operations

Page 29

Treatment

HaysMed may use and disclose PHI to treat its patients

HaysMed may disclose PHI to other healthcare providers for them to treat their patients

Page 30

Payment

HaysMed may use and disclose PHI to obtain payment for services it provides.

HaysMed may disclose PHI to another CE as necessary for that CE’s payment purposes

Page 31

Health Care Operations

HaysMed may use and disclose PHI for health care operations, which include:

- management functions necessary to support treatment or payment
- quality assurance activities
- utilization review activities
- audits
- credentialing

Research activities and marketing do not qualify as health care operations

HaysMed may disclose PHI to another CE for that CE’s health care operations only if that CE has a pre-existing treatment relationship with the patient

Page 32

Opportunity to Opt Out

HaysMed may use or disclose PHI in the following ways without a written authorization if the individual has the opportunity to agree to or prohibit or restrict the use or disclosure:

- HaysMed may use a patient’s name, location in the facility, religious affiliation, and condition described in general terms to maintain a facility directory. HaysMed may disclose this information to clergy or, with the exception of religious affiliation, to other persons who ask for the person by name

Page 33

Business Associates (BAs)

• Third parties that access or create PHI on behalf of HaysMed for purposes other than treatment
• Must have written Business Associate Agreement (“BAA”) with HaysMed regarding use of PHI
• BAs subject to certain provisions of HIPAA Privacy and Security Rules
• HaysMed liable for BA if BA acts as HaysMed’s agent

Page 34

- HaysMed may disclose to a patient’s family member, close personal friend, or other person identified by the patient PHI directly relevant to such person’s involvement with the patient’s care or payment for services
- HaysMed may use or disclose PHI to notify a family member, a personal representative of the individual, or other person responsible for the individual’s care

Page 35

Other Permitted Uses and Disclosures Without Written Authorization

The HIPAA Privacy Rule includes several other exceptions that permit use and disclosure of PHI without written authorization:

- as specifically required by law
- for public health activities (e.g., reporting disease or injury)
- to report victims of abuse, neglect, or domestic violence
- for health oversight activities by the government
- in judicial and administrative proceedings

Page 36

Continued:

- for law enforcement purposes
- to disclose information to coroners, including medical examiners, or for the purpose of cadaveric organ, eye and tissue donations
- to avert a serious threat to health and safety
- to a funeral director as necessary to carry out duties with respect to the decedent
- for specialized governmental functions
- for workers’ compensation claims

Page 37

Special Rules for Certain Types of Disclosures

Use and disclosure of PHI for the following purposes without an authorization is permitted in limited circumstances:

- marketing
- fundraising
- research

Page 38

Special Rules for Certain Types of PHI

Certain types of PHI are subject to special protections under state and federal law:

- HIV/AIDS information
- records of treatment in a federally-assisted drug and alcohol treatment program
- information relating to patients of community mental health centers, community service providers, psychiatric hospitals, or state institutions for the mentally retarded

Even if a particular use or disclosure is permitted without an authorization under the HIPAA Privacy Rule, such use or disclosure may be prohibited under these rules

Page 39

Authorizations

If no exception applies, HaysMed must obtain a written authorization from the patient (or personal representative) before using or disclosing the patient’s PHI

Page 40

Authorization Required Elements

To be effective, a written authorization must include:

- Description of PHI to be used or disclosed
- Description of the purpose of the use or disclosure
- Description of the persons or class of persons that may use PHI or to whom the PHI may be disclosed
- Revocation and re-disclosure instructions
- Notice that HaysMed must treat the patient regardless of whether authorization is given
- Expiration date or triggering event
- Individual’s signature or personal representative’s signature and authority

HaysMed has a standard Authorization Form it uses to release PHI.

Page 41

Role-Based Restrictions

• You may access or discuss PHI only to the extent necessary to perform job duties
• Electronic audit trails track each time you access a record (including status boards)
• If you access or discuss any patient’s PHI without a legitimate job-related reason for doing so, you will be disciplined, including possible termination
  – Regardless of location (at work, at home, in a social setting)
  – Includes friends and family members

Page 42

• Breach Notification
  – If a patient’s PHI is breached, HaysMed must provide specific written notice of such breach to that patient within 60 days of discovery
  – Must submit annual reports to the government
  – Breach = improper use or disclosure + potential for harm to the individual
  – HaysMed must review every improper use or disclosure to determine if it constitutes a breach
  – Failure to document such review = HIPAA violation
• Associates must report all improper uses or disclosures of PHI to HaysMed’s Privacy Officer

Page 43

Enhanced Enforcement

• Department of Health and Human Services must investigate any complaint which may involve willful neglect
• State Attorneys General may bring action to enjoin violations or obtain damages
• Penalties reinvested in enforcement activity
• Individual harmed by violation eligible for portion of any penalty

Page 44

Five Factors For Breach Evaluation

1. Nature and extent of violation
2. Nature and extent of harm resulting from violation
3. History of prior compliance and violations
4. Financial condition of violator
5. Such other matters as justice may require

Page 45

Civil Monetary Penalties

Tier 1 (Violation not known or reasonably known): at least $100 per violation, $25,000 max for identical violations in calendar year

Tier 2 (Violation due to reasonable cause, but not willful neglect): at least $1,000 per violation, $100,000 max for identical violations in calendar year

Tier 3 (Violation due to willful neglect, if corrected): at least $10,000 per violation, $250,000 max for identical violations in calendar year

Tier 4 (Violation due to willful neglect, if not corrected): at least $50,000 per violation, $1.5 million max for identical violations in calendar year

Page 46

Criminal Penalties

• Employees and other agents may be held criminally liable for HIPAA violations

Page 47

Lessons Learned

• No laptops at meetings if viewing patient information
• Do not view/work on medical records where others can see the patient’s information
• Lock down computer monitors
• Be cautious in selecting a patient’s name when printing documents from Access E-Forms
• Obtain assistance before communicating with law enforcement
• Remove patient history information before handing the clipboard to the next patient
• Double check fax numbers before faxing

Page 48

Minimum Necessary Rule

Any use or disclosure must be limited to the minimum amount of information necessary to accomplish the specific purpose of the use or disclosure.

Page 49

The minimum necessary rule does not apply to:

- uses and disclosures for treatment purposes
- uses and disclosures made pursuant to an authorization
- disclosures to the person who is the subject of the information
- disclosures required by law

Page 50

Associate Access to PHI

An Associate may access or discuss any patient’s PHI only to the extent necessary to perform his/her job duties

An Associate who accesses or discusses any patient’s PHI (including family members) without a legitimate job-related reason for doing so will be subject to discipline up to and including termination

Page 51

What To Do If You Have Questions

The rules concerning use and disclosure of PHI can be confusing

If you have a question concerning these rules, contact HaysMed’s Privacy Officer, Christy Stahl

- 785-623-2188 work #
- 785-623-1821 cell #
- [email protected]

Page 52

You have completed Lesson 3 on uses and disclosures of PHI

Page 53

Remember:

- You cannot use or disclose PHI without written authorization unless an exception applies
- Uses and disclosures for treatment, payment, and health care operations are permitted
- There are several other exceptions that apply in specific circumstances
- A written authorization must contain specific information to be valid
- All improper uses or disclosures of PHI must be reported to the Privacy Officer to determine if breach notification is required
- An associate who uses or discloses a patient’s PHI without a job-related reason for doing so will be disciplined
- Seek guidance from your supervisor or the Privacy Officer before disclosing any protected healthcare information to a police officer
- If you have questions concerning uses and disclosures of PHI, contact HaysMed’s Privacy Officer

Page 54

Lesson 4

Patients’ Rights Concerning Their PHI

Page 55

Welcome to Lesson 4 on patients’ rights concerning their PHI

After completing this lesson, you should be able to:

- identify patients’ rights concerning their PHI
- assist a patient who wants to exercise one of those rights

Page 56

Right to Access PHI

HaysMed must give a patient access to inspect and copy his or her PHI maintained in a designated record set

A patient wanting access must submit a written request to the Medical Records Department

Page 57

Right to an Accounting

A patient may request an accounting of HaysMed’s uses and disclosures of the patient’s PHI made within the last 6 years

Such an accounting does not include uses or disclosures for treatment, payment, or health care operations or uses and disclosures authorized by the patient

A patient wanting an accounting must submit a written request to the Privacy Officer

Page 58

Right to Request Amendments

A patient can request that PHI be amended if he or she believes it is not accurate

HaysMed can deny such a request if the information is accurate and complete or not created by HaysMed

A patient seeking an amendment must submit a written request to the Privacy Officer or to the Medical Records Department

Page 59

Right to Request Restrictions

A patient may request that HaysMed restrict those uses or disclosures permitted without authorization

Such a request must be made in writing to the Privacy Officer or to the Medical Records Department

HaysMed is not required to agree to such a request

Page 60

Right to Receive Confidential Communications

A patient may request that HaysMed communicate with him or her by alternative means or at alternative locations (e.g., only contact the patient at a certain telephone number)

HaysMed must abide by all reasonable requests

If a patient makes such a request to you, make sure the request is communicated to the appropriate people and documented appropriately

Page 61

You have completed Lesson 4 on patients’ rights concerning their PHI

Page 62

Remember:

A patient has the right to:

- access his/her PHI
- obtain an accounting of HaysMed’s disclosures of his/her PHI
- request an amendment to his/her PHI
- request restrictions on uses and disclosures permitted without an authorization
- receive confidential communications

Page 63

Lesson 5

Administrative Requirements

Page 64

Welcome to Lesson 5 on administrative requirements

When you complete this lesson, you should be able to:

- identify the administrative requirements the HIPAA Privacy Rule imposes on HaysMed
- understand the importance of following safeguards to prevent improper disclosures of PHI

Page 65

Notice of Privacy Practices

• HaysMed must give all of its patients a written Notice of Privacy Practices
• Patients are requested to sign an acknowledgement of receipt
• A copy of the Notice is available on HaysMed’s website, www.haysmed.com

Page 66: HIPAA PRIVACY TRAINING FOR ASSOCIATES - Hays Med · PDF filehipaa privacy training for associates hays medical center christy stahl, cpc compliance manager & privacy officer

Safeguards

All Associates must follow safeguards to prevent improper uses and disclosures of PHI

As part of your work, you will have conversations with patients, family members, and co-workers that involve PHI. You must take care that others cannot overhear those conversations

Never leave documents containing PHI unattended where they could be accessed by unauthorized persons

Page 67

Safeguards

Never share your computer password with anyone else

Never allow anyone else to use your computer password

If you have reason to believe the security of your password has been compromised, notify the Privacy Officer immediately

Page 68

Safeguards

Always wear your name badge; badges are how unauthorized individuals are recognized and kept from having access to PHI

Confirm the identity of the person you are speaking with, and follow procedures when leaving messages

Keep all PHI within HaysMed’s facility unless your job duties specifically require otherwise (this is the rule, not the exception)

Page 69

Safeguards

Always lock doors

Be cautious when stuffing envelopes with patient information

Double-check the fax number before sending PHI, and always use a fax cover sheet

Page 70

Everyday Safeguards

• Lock down your computer before leaving it

– Alt + Q

– Ctrl + Alt + Delete

• Do not get caught in a phishing attack

• Beware of social engineering

• Do not plug an unknown USB device into your computer

Page 71

Phishing Attack

Email has become a vital tool for communication in today’s healthcare delivery environment. This tool, however, does not come without risks.

First off, it is extremely easy to send Protected Health Information in near real time. This is very valuable when done correctly. We are reminding associates that, when it is necessary to send any sensitive data to a non-HaysMed email account, they must be sure to send it securely. This is accomplished by using the word “secure” in square brackets anywhere in the “Subject:” line of the email (e.g. [secure]). This will allow the recipient to retrieve the email through a secure website.

Secondly, this note is a caution to users that email is a favored mechanism of “bad actors” with malicious intent who are continually trying to compromise HaysMed’s network resources. Associates need to always remain vigilant with messages they receive. Exercise extreme care when clicking website links received via email; as a general rule, you should never click an unsolicited link and you should never give your login information if prompted after clicking these types of links (see example malicious email message below).

Dear Account Owner,

We want to upgrade all Microsoft Exchange email account scheduled for today as part of our duty to strengthen security of your mailbox. CLICK HERE to upgrade your account to Outlook Web Apps 2015. If your settings is not updated today, your account will be inactive and cannot send or receive message any longer. Sincerely, -IT Department Microsoft Corporation. All rights reserved

Security of the HaysMed network is everyone’s responsibility and we look to you to help to keep our data secure.

Scott Rohleder
Hays Medical Center
http://www.haysmed.com
[email protected]
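The “[secure]” subject-line convention in the message above is a mail-gateway rule, so the check an associate (or a pre-send hook) should make can be written down exactly. The following is an added example, not HaysMed’s or its mail gateway’s own code. It assumes haysmed.com is the internal domain (taken from the website address on the page), that the gateway matches the tag case-insensitively, and that a message counts as external whenever any To/Cc/Bcc recipient is outside that domain; the sample addresses and subjects are constructed.

```python
"""Pre-send check for the "[secure]" Subject-line trigger.

Added illustration, not HaysMed's mail-gateway code.  Assumptions (not stated
on the page): the gateway matches the tag case-insensitively, the internal
domain is haysmed.com, and a message is "external" when any To/Cc/Bcc
recipient lies outside that domain.
"""
import re
from email.utils import getaddresses

INTERNAL_DOMAIN = "haysmed.com"          # assumed from www.haysmed.com on the page
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)   # "[secure]" anywhere in Subject


def external_recipients(*header_values: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return the addresses in the given To/Cc/Bcc header values that are outside internal_domain.

    getaddresses() parses display names that contain commas, e.g.
    '"Smith, Jane" <jane@example.org>', which a naive split(",") would mangle.
    """
    external = []
    for _name, addr in getaddresses([v for v in header_values if v]):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue                      # malformed entry; nothing to classify
        domain = addr.rsplit("@", 1)[1]
        if domain != internal_domain and not domain.endswith("." + internal_domain):
            external.append(addr)
    return external


def has_secure_tag(subject: str) -> bool:
    """True if the Subject line carries the [secure] trigger anywhere in it."""
    return bool(SECURE_TAG.search(subject or ""))


def check_outbound(subject: str, to: str = "", cc: str = "", bcc: str = "", body: str = "") -> dict:
    """Decide whether a message would leave the organisation without the secure-delivery trigger.

    'ok' is True when there are no external recipients or the Subject is tagged.
    The body is accepted and deliberately ignored: "[secure]" written in the body
    does not trigger the gateway, only the Subject line does.
    """
    ext = external_recipients(to, cc, bcc)
    tagged = has_secure_tag(subject)
    if not ext:
        reason = "internal recipients only"
    elif tagged:
        reason = "Subject tagged [secure]"
    else:
        reason = "external recipient(s) and no [secure] in Subject"
    return {"external_recipients": ext, "secure_tag": tagged, "ok": (not ext) or tagged, "reason": reason}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Lab results", {"to": "nurse@haysmed.com"}),
        ("[secure] Lab results", {"to": '"Smith, Jane" <jane@example.org>'}),
        ("Lab results (secure)", {"to": "jane@example.org"}),          # word without brackets: not a trigger
        ("Lab results", {"to": "jane@example.org", "body": "[secure]"}),  # tag in body: not a trigger
        ("Re: [SECURE] follow-up", {"to": "nurse@haysmed.com", "cc": "jane@example.org"}),
    ]
    for subject, headers in samples:
        result = check_outbound(subject, **headers)
        print(f"{'OK  ' if result['ok'] else 'STOP'}  {subject!r}: {result['reason']}")
```

The two negative cases are the ones that bite in practice: “secure” written without brackets, and the tag placed in the body instead of the Subject line; neither triggers the gateway, and the message would leave as ordinary unencrypted mail.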


Page 73

Safeguarding Electronic PHI (e-PHI)

Computer Security Measures:

▪ Passwords and access codes

▪ User profiles

▪ Audit logs

▪ Encryption

▪ Physical location of equipment

▪ Data back-up

▪ Firewalls, virus detection

▪ Password-protected screensavers

▪ Removal and destruction

Page 74

HIPAA

Your duties and responsibilities

Do not disclose your password or access code to any person (except authorized IT staff)

Do not ask anyone to disclose his/her password or access code

Do not store PHI on any hard drive (both work and personal devices)

Do not transmit any PHI (e.g., by e-mail) unless it is properly encrypted (contact the IT Department for directions on encrypting messages)

Page 75

HIPAA

Mobile devices (CDs, flash drives, memory cards, cell/smart phones)

Restrict use of mobile devices for storage or transmission of e-PHI

To the extent possible, password-protect mobile devices

Return mobile devices to the IT Department for proper destruction

Page 76

Social Media

• Includes Facebook, Twitter, LinkedIn, school blogs, etc.

• You are personally and legally responsible for content you post on any social networking site

• Even when using privacy settings, you should treat all postings as public information

Page 77

Social Media

An Associate shall adhere to all provisions of the Confidentiality Agreement when posting on any social networking site. An Associate shall not post to any social networking site during work hours, unless an Associate’s job description requires such posts to be made as part of maintaining a Hays Medical Center sponsored social networking page.

Page 78

Social Media – Three Rules

1. Do not post any information about a HaysMed patient, even if you do not identify the patient by name or otherwise

Exception: friends and family members, and only when your knowledge of the person’s condition comes solely from personal experience

2. Do not blog or post comments, messages, or other content anonymously when commenting about HaysMed or any HaysMed physician or employee

3. When blogging or posting comments, messages, or other content regarding HaysMed, you must affirmatively state that your views are not those of HaysMed

Page 79

HIPAA

Other Administrative Requirements

To comply with the HIPAA Privacy Rule, HaysMed must:

- discipline Associates, Vendors, and Agents who violate the HIPAA Privacy Rule

- maintain a complaint/grievance process for complaints about HIPAA Privacy Rule violations

- mitigate, to the extent possible, any harmful effect of an inappropriate use or disclosure of PHI

Page 80

HIPAA

Reporting Concerns

If you believe there has been a violation of the HIPAA Privacy Rule, report that information to the Privacy Officer as soon as possible

Page 81

HIPAA

Immediately report any of the following to Christy Stahl, HaysMed Privacy Officer:

• Any lost or stolen device (laptop, cell phone, memory card, etc.)

• Any lost or stolen paper records

• Any potentially compromised password

• Any suspected unauthorized access to PHI

• Any posting of PHI to any website

• Any unauthorized disclosure of PHI (no authorization form, no applicable exception)

Page 82

HIPAA

Prohibition on Waiver and Retaliation

HaysMed will not require any person to waive his or her rights under the HIPAA Privacy Rule as a condition of treatment or payment of benefits

HaysMed strictly prohibits any sort of retaliation, intimidation, or discrimination against persons exercising their rights under the HIPAA Privacy Rule

Page 83

HIPAA

You have completed Lesson 5 on the HIPAA Privacy Rule’s administrative requirements

Page 84

HIPAA

Remember:

- you must act to protect patient confidentiality

- you will be disciplined if you do not follow proper safeguards

- you must report suspected violations of the Privacy Rule to HaysMed’s Privacy Officer

Page 85

Your Responsibilities

• Comply with the HIPAA Privacy Rules

• Follow the Confidentiality Agreement

• Do not take any PHI out of the facility

• Do not access your own medical record or the medical record of a family member on your own – make a request through the Medical Records Department (Health Information Management)

• Do not access any medical records unless your job/training requires you to access a patient’s medical record

• Do not have an Associate, Physician, or any other person access a record for you

• Never use PHI in an educational presentation unless the patient has signed an Authorization
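The audit logs listed under Computer Security Measures on page 73 are how the access rules above (no self-access, no access to a family member’s record, no access your job does not require) are enforced after the fact. The following is an added example of such a review run over sample log lines; it is not HaysMed’s code. The log format, the mapping from workforce members to their own medical record numbers, the declared-relative list, and the assumption that Health Information Management (HIM) staff legitimately open charts across departments are all constructed for illustration.

```python
"""Review an EHR access log for chart opens the slide above forbids.

Added example, not HaysMed's code.  The CSV layout, the user-to-MRN mapping,
the declared relatives and the cross-department role list are constructed.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample audit log: one row per chart open.
SAMPLE_LOG = """\
timestamp,user,user_dept,patient_mrn,patient_dept,action
2017-03-01T08:02:11,jdoe,ICU,100234,ICU,view
2017-03-01T08:05:40,jdoe,ICU,100777,ICU,view
2017-03-01T12:14:03,jdoe,ICU,100555,ORTHO,view
2017-03-01T13:30:22,mlee,HIM,100234,ICU,print
2017-03-01T17:45:09,jdoe,ICU,100901,ICU,view
2017-03-02T09:10:00,rkim,ORTHO,100555,ORTHO,view
"""

# Constructed identity data (assumption: HR/registration can supply this join).
USER_OWN_MRN = {"jdoe": "100901", "rkim": "100123"}          # workforce member -> own MRN
USER_FAMILY_MRNS = {"jdoe": {"100777"}, "mlee": set()}       # declared relatives' MRNs

# Departments whose job routinely requires opening charts from any unit (assumption).
CROSS_DEPT_ROLES = {"HIM"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_mrn: str
    rule: str


def review_access_log(log_text: str) -> list[Finding]:
    """Return one Finding per row that breaks a rule; rules are checked most-specific first."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user"], row["patient_mrn"]
        if USER_OWN_MRN.get(user) == mrn:
            rule = "self-access"
        elif mrn in USER_FAMILY_MRNS.get(user, set()):
            rule = "family-member access"
        elif row["patient_dept"] != row["user_dept"] and row["user_dept"] not in CROSS_DEPT_ROLES:
            rule = "outside assigned department"
        else:
            continue                       # routine access for the user's own unit
        findings.append(Finding(row["timestamp"], user, mrn, rule))
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, int]:
    """Count findings per user, the shape a Privacy Officer's follow-up list takes."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.user:<6} opened MRN {f.patient_mrn}: {f.rule}")
    print(findings_by_user(review_access_log(SAMPLE_LOG)))
```

The rules are deliberately simple joins against data the organisation already holds; what the audit log cannot tell you is whether a same-department open was clinically necessary, which is why the slide also forbids asking a colleague to open a record for you.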

Page 86

Your Responsibilities

• Do not view patient status boards for other departments

• Never text any information about a patient

• Do not discuss patients with persons outside HaysMed

• Do not discuss your training experience at HaysMed on Facebook, MySpace or Twitter, even if you do not mention patient names

• Associates who are students must de-identify all information they use, unless your HaysMed supervisor gives you approval to obtain an authorization from the patient

• Never take a picture of a patient or a patient’s information with your cell phone

• Never give any documents to a patient until you have verified the identity of the patient and verified that the documents belong to that patient