SlideShare uma empresa Scribd logo

2018-HIPAA-Renewal-Training.pptx

Transferir como PPTX, PDF
F
Fariida Osman

pressentaton

Saúde e medicina
1 de 32
HIPAA Privacy and Security Annual Renewal Training For Employees Compliance is Everyone’s Job For UA Health Care Components, Business Associates & Health Plans 2018 v1 INTERNAL USE ONLY
What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI. INTERNAL USE ONLY 2
What is Protected Health Information? (PHI) • Any information, transmitted or maintained in any medium, including demographic information • Created/received by covered entity or business associate • Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and • Can be used to identify the patient INTERNAL USE ONLY 3
Types of Data Protected by HIPAA • Written documentation and all paper records • Spoken and verbal information including voice mail messages • Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device • Photographic images • Audio and Video recordings INTERNAL USE ONLY 4
To De-Identify Patient Information You Must Remove All 18 Identifiers • Names • Geographic subdivisions smaller than state (address, city, county, zip) • All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age • Telephone, fax, SSN#s, VIN, license plate #s • Med record #, account #, health plan beneficiary # • Certificate/license #s • Email address, IP address, URLs • Biometric identifiers, including finger & voice prints • Device identifiers and serial numbers • Full face photographic and comparable images • Any other unique identifying #, characteristic, or code INTERNAL USE ONLY 5
UA HIPAA Sanctions • Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action. • UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include: – Dismissal from academic program – Termination of employment – Suspension without pay – Denial of an annual raise or reduction in pay • Civil and/or criminal penalties including incarceration INTERNAL USE ONLY 6
Notice of Health Information Practices • Explains how the covered entity will use/disclose patient’s PHI • Explains a patient’s rights and where to file a complaint • Is offered to a patient at the time of the first visit (and patient should sign & date acknowledgement of receiving at time of first visit) • Is posted on facility’s web page and in patient reception area INTERNAL USE ONLY 7
TPO as Permitted Use and Disclosure of PHI PHI may be used and disclosed to facilitate TPO, which means: • For Treatment • For Payment • For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities INTERNAL USE ONLY 8
Authorizations and Patient’s Right to Access their PHI as Permitted Use and Disclosure of PHI • A covered entity may generally use and disclose PHI to a third party if it gets the patient’s signed HIPAA-valid authorization – However, a HIPAA authorization form should not be used when a patient asks for a copy of their PHI for themselves or to be sent to a third party – in that case, use a Patient Request for Health Information Form – It is a HIPAA violation to use the wrong form in this circumstance (the regulations require different information on each form) – The fees that can be charged for a copy of a patient’s PHI or record differs based on whether the records are being released per an Authorization or a Patient’s Request – A covered entity can only charge a reasonable, cost-based amount when a patient requests the records – It is permissible to charge up to $6.50 for a flat fee for electronic copies (for labor, supplies and postage) • Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization or Patient Request for Health Information Form • For any questions concerning releases pursuant to a HIPAA authorization or Patient Request for Health Information Form, please contact your Privacy Officer • For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices INTERNAL USE ONLY 9
Can Family/Friends Know? • Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to patient’s healthcare. • And, only if the provider reasonably infers that the patient does not object. INTERNAL USE ONLY 10
Minimum Necessary Standard • When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure. • The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons: – Treatment – Purposes for which an authorization is signed – Disclosures required by law – Sharing information to the patient about himself/herself INTERNAL USE ONLY 11
Other Privacy Safeguards • Avoid conversations involving PHI in public or common areas such as hallways or elevators. • Keep documents containing PHI in locked cabinets or locked rooms when not in use. • During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons. • Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas. • Do not remove PHI in any form from the designated work site unless authorized to do so by management. • Never take unauthorized photographs in patient care areas including audio and video. INTERNAL USE ONLY 12
Patient Rights Under HIPAA The Notice of Health Information Practices outlines the patient’s following rights to: • Restrict disclosure of PHI to health plan if patient pays out of pocket in full for the healthcare item/service • Look at and obtain a copy of record/PHI or ePHI or request that a copy of their record be sent to their attorney, insurance company, or a third party – Remember, the patient should not have to fill out a HIPAA authorization for this purpose – a verbal request is fine, but should be documented. – A patient’s request to direct PHI to another person must be in writing, signed by the individual and clearly identify the designated person and where to send the PHI (i.e., Patient Request for Health Information form) – Remember that the only charge to a Patient exercising their right to a copy of the record is a reasonable, cost-based amount ($6.50 flat fee for electronic copy) • Amend incorrect or misleading information in record • Receive an accounting of disclosures of PHI • Be notified of a breach of PHI • File a complaint INTERNAL USE ONLY 13
HIPAA Put New Requirements on Research • If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless: – The patient has signed a valid HIPAA authorization, or – The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or – The IRB agrees that an exception applies Information regarding HIPAA and Research is available through UA’s Office for Research Compliance. INTERNAL USE ONLY 14
Business Associate (BA) Agreements • Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI • Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties. • BA also subject to breach of contract claims • BA Agreement must be approved in accordance with appropriate UA policies and procedures Individual employees are NOT authorized to sign contracts on behalf of UA. INTERNAL USE ONLY 15
What is a Breach? • Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information. • Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised. INTERNAL USE ONLY 16
What Constitutes a Breach? • A breach could result from many activities. – Accessing more than the minimum necessary – Failing to log off when leaving a workstation – Unauthorized access to PHI – Sharing confidential information, including passwords – Having patient-related conversations in public settings – Improper disposal of confidential materials in any form – Copying or removing PHI from the appropriate area • Why? – Curiosity…about a co-worker or friend – Laziness…so shared sign-on to information systems – Compassion…the desire to help someone – Greed or malicious intent…for personal gain INTERNAL USE ONLY 17
Risk Assessment Required To assess the probability that PHI has been compromised, we are required to consider: • The nature and extent of PHI and likelihood of re- identification (credit card/SSN, etc.) • Unauthorized person who used PHI or to whom disclosure was made • Whether PHI was actually acquired or viewed • The extent to which the risk of PHI has been mitigated (recipient destroyed it) INTERNAL USE ONLY 18
Breach Notification Regulations • If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach. – Time runs when incident first known or reasonably should have been known (true for covered entity and business associate), NOT when it is determined that a breach occurred. – Breach is treated as discovered when workforce member or other agent has knowledge of incident. • That means an employee or volunteer must IMMEDIATELY report! – Delay permissible in certain circumstances where law enforcement has requested a delay. INTERNAL USE ONLY 19
Responsibility to Report Promptly • When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together. • If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately. • It is much better to investigate and discover no breach than to wait and later discover that something did happen. INTERNAL USE ONLY 20
Security Standards – General Rules • HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (PHI –Protected Health Information) by and with all facilities. • Protect against any reasonably anticipated threats or hazards to the security or integrity or such information. • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted. INTERNAL USE ONLY 21
Rules for Access • Access to computer systems and information is based on your work duties and responsibilities. • Access privileges are limited to only the minimum necessary information you need to do your work. • Access to an information system does not automatically mean that you are authorized to view or use all the data in that system. • Different levels of access for personnel to PHI is intentional. • If job duties change, clearance levels for access to PHI is re-evaluated. • Access is eliminated if employee is terminated. • Accessing PHI for which you are not cleared or for which there is no job- related purpose will subject you to sanctions. INTERNAL USE ONLY 22
Rules for Protecting Information • Do not allow unauthorized persons into restricted areas where access to PHI could occur. • Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public. • Log in with password, log off prior to leaving work area, and do not leave computer unattended. • Close files not in use/turn over paperwork containing PHI. • Do not duplicate, transmit, or store PHI without appropriate authorization. • Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization. Consider using UA Box. INTERNAL USE ONLY 23
Encryption of PHI • Electronic protected health information must be encrypted when stored in any location outside the EHR including desktops, laptops, and other mobile devices (thumb drives, CDs, DVDs, smart phones, email, cloud storage devices (e.g. UA Box), etc.). – Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure • Use of personal computers or other personal electronic equipment (non- UA owned equipment) is not allowed to store protected health information. Any exceptions must be approved by senior leadership or in compliance with your entity's portable device guidelines. • Due to a lack of infrastructure and control of delivery, the use of unencrypted text messaging of any protected health information is strongly discouraged. Text messaging of medical orders is prohibited INTERNAL USE ONLY 24
Password Management • Do not allow coworkers to use your computer without first logging off your user account. • Do not share passwords or reuse expired passwords. • Do not use passwords that can be easily guessed (dictionary words, pets name, birthday, etc.). • Should not be written down, but if writing down the password is required, must be stored in a secured location. • Should be changed if you suspect someone else knows it. • Disable passwords or delete accounts when employees leave. • Passwords: – Should be minimum 8 characters long – Include 3 of 4 data types (upper/lower case, numeric, special characters) – Should be changed periodically – Good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example) INTERNAL USE ONLY 25
Protection from Malicious Software • Malicious software can be thought of as any virus, worm, malware, adware, etc. • As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed. • Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus—do not continue using computer until resolved. • Managed anti virus and other security software is installed on all University computers and should not be disabled. • Any personal devices used for access to PHI must have appropriate anti virus software . • Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY. INTERNAL USE ONLY 26
Ransomware • Ransomware is malicious software that denies access to data, usually by encrypting the data with a private encryption key that is only provided once the ransom is paid. • Presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident. – Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack. – When ePHI is encrypted due to a ransomware attack, a breach has occurred because the ePHI was acquired. • Once the ransomware is detected, we must initiate our security incident response and reporting procedures. – If computer with encrypted data is powered on and the operating system loaded, the data is decrypted and breach notification may need to occur. – Notification of a breach of unencrypted or decrypted data must occur unless there is a “low probability the PHI has been compromised” • Maintaining frequent backups and ensuring ability to recover data from backups may show low probability (if no exfiltration of PHI). INTERNAL USE ONLY 27
Beware of Suspicious Emails • Be very cautious of suspicious emails that request information such as email ID and password, or other personal information claiming that you need to verify an account, or you are out of disk space, or some other issue with your account. If they claim to come from the University check the following: – From Address: Make sure the from address has ua.edu after the @ – URL Link: If you can see the URL in the message, make sure it has ua.edu before the first slash (/) – Hover trick: If you can’t see the URL, you can hover your mouse pointer over the link without clicking, and a box with the URL will appear. Check for ua.edu INTERNAL USE ONLY 28
Use of Technology • Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization. • Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies). • Fax of PHI should only be done when the recipient can be reliably identified; Verify fax number and recipient before transmitting. • No PHI is permitted to leave facility in any format without prior approval. • Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI - follow your organization’s email policy for PHI. • No PHI is permitted on any social networking sites (Twitter, Facebook, etc.) without appropriate authorization. • No PHI is permitted on any texting or chat platforms. • If a situation requires use of email or text, appropriate encryption techniques must be used. INTERNAL USE ONLY 29
Rules for Disposal of Computer Equipment • Only authorized employees should dispose of PHI in accordance with retention policies. • Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding. • All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives or your departmental IT support teams are responsible for sanitization and destruction methods. • Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying. • “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media. • If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction. • NOTES: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media. INTERNAL USE ONLY 30
Reporting Security Incidents • Notify your Security Officer of any unusual or suspicious incident. • Security incidents include the following: – Theft of or damage to equipment – Unauthorized use of a password – Unauthorized use of a system – Violations of standards or policy – Computer hacking attempts – Malicious software – Security Weaknesses – Breaches to patient, employee, or student privacy INTERNAL USE ONLY 31
UA Contacts Know Your Security and Privacy Officer • University-wide Privacy Officer: Jan Chaisson • University-wide Security Officer: Ashley Ewing • University Medical Center Privacy Officer: Jan Chaisson • University Medical Center Security Officer: Amy Sherwood • Brewer Porch Privacy/Security Officer: Warren Williams • Speech and Hearing Privacy/Security Officer: JoAnne Payne • Autism Spectrum Disorders Clinic Privacy/Security Officer: JoAnne Payne • UA Group Health Plan/FSA Privacy Officer: Emily Marbutt • UA Group Health Plan/FSA Security Officer: Greg Gaddis • Working on Womanhood Program (WOW) Privacy/Security Officer: Jill Beck • Center for Advanced Public Safety (CAPS) Privacy/Security Officer: Vaughn Poe • Institutional Review Board Compliance Officer: Tanta Myles INTERNAL USE ONLY 32

Recomendados

Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy PracticesSpringfield Clinic
 
Patient confidentiality power point
Patient confidentiality power pointPatient confidentiality power point
Patient confidentiality power pointchwiso8418
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentialitychwiso8418
 
Patient confidentiality power point
Patient confidentiality power pointPatient confidentiality power point
Patient confidentiality power pointchwiso8418
 
Hipaa basics.pp2
Hipaa basics.pp2Hipaa basics.pp2
Hipaa basics.pp2martykoepke
 
Patient confidentiality.ppt
Patient confidentiality.pptPatient confidentiality.ppt
Patient confidentiality.pptchwiso8418
 
CONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptCONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptMohamedSultan234109
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011darichardson
 

Recomendados

Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy PracticesSpringfield Clinic
 
Patient confidentiality power point
Patient confidentiality power pointPatient confidentiality power point
Patient confidentiality power pointchwiso8418
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentialitychwiso8418
 
Patient confidentiality power point
Patient confidentiality power pointPatient confidentiality power point
Patient confidentiality power pointchwiso8418
 
Hipaa basics.pp2
Hipaa basics.pp2Hipaa basics.pp2
Hipaa basics.pp2martykoepke
 
Patient confidentiality.ppt
Patient confidentiality.pptPatient confidentiality.ppt
Patient confidentiality.pptchwiso8418
 
CONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptCONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptMohamedSultan234109
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011darichardson
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research TrainingCynthia Holland
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio PresentationLisa Shannon, RN, BSN, JD.
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?TriageLogic
 
HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12O2 TESTING SERVICES
 
UNA HIPAA Training 8-13
UNA HIPAA Training 8-13UNA HIPAA Training 8-13
UNA HIPAA Training 8-13University of North Alabama - Academic Affairs
 
Hipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility modeHipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility moderobint2125
 
What You Don’t Know About the HIPAA Security Rule
What You Don’t Know About the HIPAA Security RuleWhat You Don’t Know About the HIPAA Security Rule
What You Don’t Know About the HIPAA Security RuleCooperative of American Physicians, Inc.
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 
HIPAA and Privacy Training
HIPAA and Privacy TrainingHIPAA and Privacy Training
HIPAA and Privacy TrainingJasAmataga
 
MHA690 confidentiality training
MHA690 confidentiality trainingMHA690 confidentiality training
MHA690 confidentiality trainingsdavis49
 
Confidentiality Awareness
Confidentiality AwarenessConfidentiality Awareness
Confidentiality Awarenessitchomecare
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2martykoepke
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inserviceKelly Snyder
 
Dustin HIPAA
Dustin HIPAADustin HIPAA
Dustin HIPAADustin Kinzinger
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA TrainingCynthia Holland
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNAtlantic Training, LLC.
 
HIPAA Training by UCSD
HIPAA Training by UCSDHIPAA Training by UCSD
HIPAA Training by UCSDAtlantic Training, LLC.
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarcEtienne6
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
Hippa training 2017
Hippa training 2017Hippa training 2017
Hippa training 2017Ashley Valenzuela
 
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...narwatsonia7
 

Mais conteúdo relacionado

Semelhante a 2018-HIPAA-Renewal-Training.pptx

2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research TrainingCynthia Holland
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?TriageLogic
 
Hipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility modeHipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility moderobint2125
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 
HIPAA and Privacy Training
HIPAA and Privacy TrainingHIPAA and Privacy Training
HIPAA and Privacy TrainingJasAmataga
 
MHA690 confidentiality training
MHA690 confidentiality trainingMHA690 confidentiality training
MHA690 confidentiality trainingsdavis49
 
Confidentiality Awareness
Confidentiality AwarenessConfidentiality Awareness
Confidentiality Awarenessitchomecare
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2martykoepke
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNAtlantic Training, LLC.
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarcEtienne6
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 

Semelhante a 2018-HIPAA-Renewal-Training.pptx (20)

2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio Presentation
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?
 
HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12
 
UNA HIPAA Training 8-13
UNA HIPAA Training 8-13UNA HIPAA Training 8-13
UNA HIPAA Training 8-13
 
Hipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility modeHipaa training new_staff_december 2018 - compatibility mode
Hipaa training new_staff_december 2018 - compatibility mode
 
What You Don’t Know About the HIPAA Security Rule
What You Don’t Know About the HIPAA Security RuleWhat You Don’t Know About the HIPAA Security Rule
What You Don’t Know About the HIPAA Security Rule
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017
 
HIPAA and Privacy Training
HIPAA and Privacy TrainingHIPAA and Privacy Training
HIPAA and Privacy Training
 
MHA690 confidentiality training
MHA690 confidentiality trainingMHA690 confidentiality training
MHA690 confidentiality training
 
Confidentiality Awareness
Confidentiality AwarenessConfidentiality Awareness
Confidentiality Awareness
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
Dustin HIPAA
Dustin HIPAADustin HIPAA
Dustin HIPAA
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONN
 
HIPAA Training by UCSD
HIPAA Training by UCSDHIPAA Training by UCSD
HIPAA Training by UCSD
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA Basics
 
Hippa training 2017
Hippa training 2017Hippa training 2017
Hippa training 2017
 

Último

Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...narwatsonia7
 
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...Call Girls in Nagpur High Profile
 
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort ServicePremium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Servicevidya singh
 
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...chandars293
 
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service Kochi
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service KochiLow Rate Call Girls Kochi Anika 8250192130 Independent Escort Service Kochi
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service KochiSuhani Kapoor
 
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...Taniya Sharma
 
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...indiancallgirl4rent
 
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...narwatsonia7
 
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomLucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomdiscovermytutordmt
 
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiRussian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiAlinaDevecerski
 
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Faridabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...jageshsingh5554
 
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...Neha Kaur
 
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...chandars293
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 

Último (20)

Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Aurangabad Just Call 9907093804 Top Class Call Girl Service Available
 
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
Top Rated Bangalore Call Girls Mg Road ⟟ 8250192130 ⟟ Call Me For Genuine Sex...
 
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
 
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
 
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort ServicePremium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
 
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...
The Most Attractive Hyderabad Call Girls Kothapet 𖠋 6297143586 𖠋 Will You Mis...
 
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Bhubaneswar Just Call 9907093804 Top Class Call Girl Service Avail...
 
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service Kochi
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service KochiLow Rate Call Girls Kochi Anika 8250192130 Independent Escort Service Kochi
Low Rate Call Girls Kochi Anika 8250192130 Independent Escort Service Kochi
 
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
(👑VVIP ISHAAN ) Russian Call Girls Service Navi Mumbai🖕9920874524🖕Independent...
 
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
 
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...
VIP Call Girls Tirunelveli Aaradhya 8250192130 Independent Escort Service Tir...
 
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomLucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
 
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiRussian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
 
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Faridabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Faridabad Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
 
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...
VIP Service Call Girls Sindhi Colony 📳 7877925207 For 18+ VIP Call Girl At Th...
 
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Varanasi Samaira 8250192130 Independent Escort Serv...
 
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...
Top Rated Hyderabad Call Girls Erragadda ⟟ 6297143586 ⟟ Call Me For Genuine ...
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
 

2018-HIPAA-Renewal-Training.pptx

  • 1. HIPAA Privacy and Security Annual Renewal Training For Employees Compliance is Everyone’s Job For UA Health Care Components, Business Associates & Health Plans 2018 v1 INTERNAL USE ONLY
  • 2. What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI. INTERNAL USE ONLY 2
  • 3. What is Protected Health Information? (PHI) • Any information, transmitted or maintained in any medium, including demographic information • Created/received by covered entity or business associate • Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and • Can be used to identify the patient INTERNAL USE ONLY 3
  • 4. Types of Data Protected by HIPAA • Written documentation and all paper records • Spoken and verbal information including voice mail messages • Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device • Photographic images • Audio and Video recordings INTERNAL USE ONLY 4
  • 5. To De-Identify Patient Information You Must Remove All 18 Identifiers • Names • Geographic subdivisions smaller than state (address, city, county, zip) • All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age • Telephone, fax, SSN#s, VIN, license plate #s • Med record #, account #, health plan beneficiary # • Certificate/license #s • Email address, IP address, URLs • Biometric identifiers, including finger & voice prints • Device identifiers and serial numbers • Full face photographic and comparable images • Any other unique identifying #, characteristic, or code INTERNAL USE ONLY 5
  • 6. UA HIPAA Sanctions • Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action. • UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include: – Dismissal from academic program – Termination of employment – Suspension without pay – Denial of an annual raise or reduction in pay • Civil and/or criminal penalties including incarceration INTERNAL USE ONLY 6
  • 7. Notice of Health Information Practices • Explains how the covered entity will use/disclose patient’s PHI • Explains a patient’s rights and where to file a complaint • Is offered to a patient at the time of the first visit (and patient should sign & date acknowledgement of receiving at time of first visit) • Is posted on facility’s web page and in patient reception area INTERNAL USE ONLY 7
  • 8. TPO as Permitted Use and Disclosure of PHI PHI may be used and disclosed to facilitate TPO, which means: • For Treatment • For Payment • For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities INTERNAL USE ONLY 8
  • 9. Authorizations and Patient’s Right to Access their PHI as Permitted Use and Disclosure of PHI • A covered entity may generally use and disclose PHI to a third party if it gets the patient’s signed HIPAA-valid authorization – However, a HIPAA authorization form should not be used when a patient asks for a copy of their PHI for themselves or to be sent to a third party – in that case, use a Patient Request for Health Information Form – It is a HIPAA violation to use the wrong form in this circumstance (the regulations require different information on each form) – The fees that can be charged for a copy of a patient’s PHI or record differs based on whether the records are being released per an Authorization or a Patient’s Request – A covered entity can only charge a reasonable, cost-based amount when a patient requests the records – It is permissible to charge up to $6.50 for a flat fee for electronic copies (for labor, supplies and postage) • Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization or Patient Request for Health Information Form • For any questions concerning releases pursuant to a HIPAA authorization or Patient Request for Health Information Form, please contact your Privacy Officer • For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices INTERNAL USE ONLY 9
  • 10. Can Family/Friends Know? • Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to patient’s healthcare. • And, only if the provider reasonably infers that the patient does not object. INTERNAL USE ONLY 10
  • 11. Minimum Necessary Standard • When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure. • The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons: – Treatment – Purposes for which an authorization is signed – Disclosures required by law – Sharing information to the patient about himself/herself INTERNAL USE ONLY 11
  • 12. Other Privacy Safeguards • Avoid conversations involving PHI in public or common areas such as hallways or elevators. • Keep documents containing PHI in locked cabinets or locked rooms when not in use. • During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons. • Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas. • Do not remove PHI in any form from the designated work site unless authorized to do so by management. • Never take unauthorized photographs in patient care areas including audio and video. INTERNAL USE ONLY 12
  • 13. Patient Rights Under HIPAA The Notice of Health Information Practices outlines the patient’s following rights to: • Restrict disclosure of PHI to health plan if patient pays out of pocket in full for the healthcare item/service • Look at and obtain a copy of record/PHI or ePHI or request that a copy of their record be sent to their attorney, insurance company, or a third party – Remember, the patient should not have to fill out a HIPAA authorization for this purpose – a verbal request is fine, but should be documented. – A patient’s request to direct PHI to another person must be in writing, signed by the individual and clearly identify the designated person and where to send the PHI (i.e., Patient Request for Health Information form) – Remember that the only charge to a Patient exercising their right to a copy of the record is a reasonable, cost-based amount ($6.50 flat fee for electronic copy) • Amend incorrect or misleading information in record • Receive an accounting of disclosures of PHI • Be notified of a breach of PHI • File a complaint INTERNAL USE ONLY 13
  • 14. HIPAA Put New Requirements on Research • If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless: – The patient has signed a valid HIPAA authorization, or – The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or – The IRB agrees that an exception applies Information regarding HIPAA and Research is available through UA’s Office for Research Compliance. INTERNAL USE ONLY 14
  • 15. Business Associate (BA) Agreements • Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI • Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties. • BA also subject to breach of contract claims • BA Agreement must be approved in accordance with appropriate UA policies and procedures Individual employees are NOT authorized to sign contracts on behalf of UA. INTERNAL USE ONLY 15
  • 16. What is a Breach? • Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information. • Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised. INTERNAL USE ONLY 16
  • 17. What Constitutes a Breach? • A breach could result from many activities. – Accessing more than the minimum necessary – Failing to log off when leaving a workstation – Unauthorized access to PHI – Sharing confidential information, including passwords – Having patient-related conversations in public settings – Improper disposal of confidential materials in any form – Copying or removing PHI from the appropriate area • Why? – Curiosity…about a co-worker or friend – Laziness…so shared sign-on to information systems – Compassion…the desire to help someone – Greed or malicious intent…for personal gain INTERNAL USE ONLY 17
  • 18. Risk Assessment Required To assess the probability that PHI has been compromised, we are required to consider: • The nature and extent of PHI and likelihood of re- identification (credit card/SSN, etc.) • Unauthorized person who used PHI or to whom disclosure was made • Whether PHI was actually acquired or viewed • The extent to which the risk of PHI has been mitigated (recipient destroyed it) INTERNAL USE ONLY 18
  • 19. Breach Notification Regulations • If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach. – Time runs when incident first known or reasonably should have been known (true for covered entity and business associate), NOT when it is determined that a breach occurred. – Breach is treated as discovered when workforce member or other agent has knowledge of incident. • That means an employee or volunteer must IMMEDIATELY report! – Delay permissible in certain circumstances where law enforcement has requested a delay. INTERNAL USE ONLY 19
  • 20. Responsibility to Report Promptly • When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together. • If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately. • It is much better to investigate and discover no breach than to wait and later discover that something did happen. INTERNAL USE ONLY 20
  • 21. Security Standards – General Rules • HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (PHI –Protected Health Information) by and with all facilities. • Protect against any reasonably anticipated threats or hazards to the security or integrity or such information. • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted. INTERNAL USE ONLY 21
  • 22. Rules for Access • Access to computer systems and information is based on your work duties and responsibilities. • Access privileges are limited to only the minimum necessary information you need to do your work. • Access to an information system does not automatically mean that you are authorized to view or use all the data in that system. • Different levels of access for personnel to PHI is intentional. • If job duties change, clearance levels for access to PHI is re-evaluated. • Access is eliminated if employee is terminated. • Accessing PHI for which you are not cleared or for which there is no job- related purpose will subject you to sanctions. INTERNAL USE ONLY 22
  • 23. Rules for Protecting Information • Do not allow unauthorized persons into restricted areas where access to PHI could occur. • Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public. • Log in with password, log off prior to leaving work area, and do not leave computer unattended. • Close files not in use/turn over paperwork containing PHI. • Do not duplicate, transmit, or store PHI without appropriate authorization. • Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization. Consider using UA Box. INTERNAL USE ONLY 23
  • 24. Encryption of PHI • Electronic protected health information must be encrypted when stored in any location outside the EHR including desktops, laptops, and other mobile devices (thumb drives, CDs, DVDs, smart phones, email, cloud storage devices (e.g. UA Box), etc.). – Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure • Use of personal computers or other personal electronic equipment (non- UA owned equipment) is not allowed to store protected health information. Any exceptions must be approved by senior leadership or in compliance with your entity's portable device guidelines. • Due to a lack of infrastructure and control of delivery, the use of unencrypted text messaging of any protected health information is strongly discouraged. Text messaging of medical orders is prohibited INTERNAL USE ONLY 24
  • 25. Password Management • Do not allow coworkers to use your computer without first logging off your user account. • Do not share passwords or reuse expired passwords. • Do not use passwords that can be easily guessed (dictionary words, pets name, birthday, etc.). • Should not be written down, but if writing down the password is required, must be stored in a secured location. • Should be changed if you suspect someone else knows it. • Disable passwords or delete accounts when employees leave. • Passwords: – Should be minimum 8 characters long – Include 3 of 4 data types (upper/lower case, numeric, special characters) – Should be changed periodically – Good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example) INTERNAL USE ONLY 25
  • 26. Protection from Malicious Software • Malicious software can be thought of as any virus, worm, malware, adware, etc. • As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed. • Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus—do not continue using computer until resolved. • Managed anti virus and other security software is installed on all University computers and should not be disabled. • Any personal devices used for access to PHI must have appropriate anti virus software . • Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source or if the subject line is questionable or unexpected—DELETE THEM IMMEDIATELY. INTERNAL USE ONLY 26
  • 27. Ransomware • Ransomware is malicious software that denies access to data, usually by encrypting the data with a private encryption key that is only provided once the ransom is paid. • Presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident. – Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack. – When ePHI is encrypted due to a ransomware attack, a breach has occurred because the ePHI was acquired. • Once the ransomware is detected, we must initiate our security incident response and reporting procedures. – If computer with encrypted data is powered on and the operating system loaded, the data is decrypted and breach notification may need to occur. – Notification of a breach of unencrypted or decrypted data must occur unless there is a “low probability the PHI has been compromised” • Maintaining frequent backups and ensuring ability to recover data from backups may show low probability (if no exfiltration of PHI). INTERNAL USE ONLY 27
  • 28. Beware of Suspicious Emails • Be very cautious of suspicious emails that request information such as email ID and password, or other personal information claiming that you need to verify an account, or you are out of disk space, or some other issue with your account. If they claim to come from the University check the following: – From Address: Make sure the from address has ua.edu after the @ – URL Link: If you can see the URL in the message, make sure it has ua.edu before the first slash (/) – Hover trick: If you can’t see the URL, you can hover your mouse pointer over the link without clicking, and a box with the URL will appear. Check for ua.edu INTERNAL USE ONLY 28
  • 29. Use of Technology • Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization. • Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies). • Fax of PHI should only be done when the recipient can be reliably identified; Verify fax number and recipient before transmitting. • No PHI is permitted to leave facility in any format without prior approval. • Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI - follow your organization’s email policy for PHI. • No PHI is permitted on any social networking sites (Twitter, Facebook, etc.) without appropriate authorization. • No PHI is permitted on any texting or chat platforms. • If a situation requires use of email or text, appropriate encryption techniques must be used. INTERNAL USE ONLY 29
  • 30. Rules for Disposal of Computer Equipment • Only authorized employees should dispose of PHI in accordance with retention policies. • Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding. • All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives or your departmental IT support teams are responsible for sanitization and destruction methods. • Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying. • “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media. • If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction. • NOTES: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media. INTERNAL USE ONLY 30
  • 31. Reporting Security Incidents • Notify your Security Officer of any unusual or suspicious incident. • Security incidents include the following: – Theft of or damage to equipment – Unauthorized use of a password – Unauthorized use of a system – Violations of standards or policy – Computer hacking attempts – Malicious software – Security Weaknesses – Breaches to patient, employee, or student privacy INTERNAL USE ONLY 31
  • 32. UA Contacts Know Your Security and Privacy Officer • University-wide Privacy Officer: Jan Chaisson • University-wide Security Officer: Ashley Ewing • University Medical Center Privacy Officer: Jan Chaisson • University Medical Center Security Officer: Amy Sherwood • Brewer Porch Privacy/Security Officer: Warren Williams • Speech and Hearing Privacy/Security Officer: JoAnne Payne • Autism Spectrum Disorders Clinic Privacy/Security Officer: JoAnne Payne • UA Group Health Plan/FSA Privacy Officer: Emily Marbutt • UA Group Health Plan/FSA Security Officer: Greg Gaddis • Working on Womanhood Program (WOW) Privacy/Security Officer: Jill Beck • Center for Advanced Public Safety (CAPS) Privacy/Security Officer: Vaughn Poe • Institutional Review Board Compliance Officer: Tanta Myles INTERNAL USE ONLY 32