HIPAA & Security Awareness Training
Annual Mandatory Education

Objectives
• Define the Health Insurance Portability and Accountability Act (HIPAA)
• Describe patient rights and protections under the HIPAA Privacy Rule
• Identify good practices for treatment of patient information under the HIPAA Privacy and Security Rules
• Identify appropriate physical safeguards to assist in the protection of electronic patient information
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is an enacted Federal law created by President Bill Clinton and enforced by the Department of Health and Human Services to address patient information in relation to:
• Privacy and Confidentiality of Patient Information
• Security of Electronic Protected Health Information
• Transactions and Code Sets
The Rules Address the Need To:
• Standardize the format of health care data across the industry
• Standardize rules for treatment of health care data
• Share health care data among providers
• Evolve from paper to electronic records, thereby reducing the cost of maintaining health care data
• Establish rules that grant rights to patients’ own health care information
• Protect patient information from unauthorized use and disclosure
Protected Health Information
• Names
• Addresses
• Employers
• Relatives’ names
• Telephone, cell or fax numbers
• Email addresses
• Social Security Number
• Medical Record Number
• Member or Account Number
• Certificate Numbers
• Voiceprints
• Fingerprints
• Photos
• Codes
• Any other characteristic that may identify a person, or a combination of information
Patient Privacy Rights
• Notice of Privacy Practices
• File complaints
• Request restrictions on uses and disclosures
• Request confidential communication
• Request access to PHI for inspection and copying
• Request amendments
• Request accounting of disclosures
• All rights apply to all patients, living or deceased
Question #1
Which is not a benefit of the HIPAA Rules?
A. Standardize rules for the treatment of health information
B. Reduce health care costs
C. Prevent data from being shared among current care providers
D. Protect patient information from unauthorized use and disclosure

Question #2
Which is not a patient right under the HIPAA Rules?
A. Request restrictions on uses and disclosures
B. Request an accounting of all disclosures
C. Request confidential communications
D. Request that certain data is stricken from their medical record
Use and Disclosure
Three kinds of use or disclosure that need NO prior authorization are:
• Treatment
• Health Care Operations
• Payment
Authorization
• Obtained for any reason other than treatment, payment, or health care operations
• Specific in how the information will be used, by whom, and for how long
• Right to revoke authorizations at any time
• All requests that require authorization must go to Medical Records for review
Minimum Necessary Standard
In circumstances other than treatment, including payment and health care operations, only the minimum amount of information necessary for the task or purpose should be released. This is called the “Minimum Necessary Standard”.
Known Individuals
• Family, friends or well-known figures
• Cannot access for personal reasons
• Only access what you need to do your job

Personal Representatives
• May have legal authority to act on behalf of a patient
• May have a court-appointed document
• Family member or friend providing care
• Treated no differently than the patient with respect to HIPAA
Question #3
Authorization is needed to disclose patient information to another care provider currently caring for a patient.
A. True
B. False

Question #4
When patient information is requested for reasons other than treatment, payment or health care operations, to which department should the request be forwarded?
A. Information Technology Department
B. Medical Records
C. Patient Accounting
D. Access Department
Privacy Rule
Privacy and confidentiality are an essential part of CHPC’s policies and procedures. Our privacy policies apply to Protected Health Information in three forms:
• Written
• Verbal
• Electronic
Best Practices for Written PHI

Medical Records
• Keep locked in a secure area
• Always sign out and sign in
• Cover with a Confidentiality Statement page
• When traveling, keep secure in car or on person

File Cabinets, Whiteboards, etc.
• Keep cabinets locked
• Place in a secure area and/or behind locked doors
• Keep the general public, or those who have no need to know, out of the secure areas
• Don’t allow whiteboards to face windows or open doors

Desks and Loose Papers
• Never leave desks with PHI unattended
• Dispose of unnecessary paper PHI in recycle bins
• Don’t bring paper PHI into general areas
• Clean desk policy applies

Copiers, Printers and Fax Machines
• Located in secure areas
• Pick up print and copy jobs immediately
• Use coversheets with Confidentiality Statements on all faxes
• Call the recipient of a fax to confirm they received it
• Check fax machines frequently for PHI

Staff Mailboxes
• Must be either located in a secure area or must NOT contain PHI
• Check frequently
Question #5
Which is not a best practice when using fax machines to send or receive PHI?
A. Double check the fax number before you send the fax
B. Use a cover sheet with a confidentiality statement
C. Call the recipient to make sure they received it
D. Never send faxes with PHI because it is not secure

Question #6
Where should written PHI be disposed of when it is no longer needed?
A. Turn it in to Medical Records
B. Trashcans
C. Shredders
D. Recycle Bins
Best Practices for Verbal PHI

Conversations
• Need to know
• Hold in private areas at all times
• Never in public areas
• Incidental disclosures

Telephones and Voicemails
• Hold conversations in a secure area, not in public areas or within earshot of the public
• Try to ensure the person on the other end is the person who should be receiving the PHI
• Never leave PHI on a voicemail
Question #7
Which is a secure area for holding conversations containing patient information?
A. Cubicles in the team area
B. Hallways
C. Around the nursing station
D. In the restrooms
The Security Rule
The Security Rule only applies to PHI in an electronic format, whereas the Privacy Rule applies to PHI in any format.
The Security Rule has three types of safeguards:
• Administrative Safeguards – Policies and Procedures
• Technical Safeguards – Restricting access to data transmitted over the network
• Physical Safeguards – Physical computer and network facilities
Facility Security Plan
• Badges must be worn at all times
• Visitors must sign in and remain in non-PHI areas
• Reception areas control who enters the facility
• Reception areas are the only open doors; all others remain locked when not in use
• Security button to access areas
• Security cameras
• Alarm system
Workstation Use
• Equipment and access determined by job description and supervisor
• Use for business purposes only
• May not leave workstation unattended while logged in
• May not attach any peripheral device
• Only organization-issued software and hardware may be used
• Position monitors so they cannot be seen through doors, windows or in high-traffic areas
• Computers and other technology may only be used by the person to whom the equipment was issued
• Never share passwords or log another person in
Information Security
• All information on the network belongs to CHPC
• May not send and receive files from home
• May not email PHI or transmit PHI unless encrypted
Technology Accountability
• You are responsible for the security and care of company-issued hardware resources
• Equipment and software may not be removed from the premises without permission from IT
• Turn in all equipment upon termination of employment
Internet Usage
• Business purposes only
• No downloads
• No streaming video or audio
• Internet usage is monitored
Email Etiquette
• Email is an official communication tool
• Don’t use email for sensitive issues that should be discussed face-to-face
• NO PHI IS SENT VIA EMAIL OUTSIDE OUR ORGANIZATION
• Email usage is monitored
Question #8
Which of the following is not a good workstation use practice?
A. Logging out when you step away from your computer
B. Using the workstation to research medications or medical conditions
C. Using an external drive such as a thumb or jump drive with my workstation
D. Being cognizant of who can view my computer’s monitor

Question #9
Emails containing PHI may be sent to my coworker internally, if they have a need to know, but may never be sent outside the network.
A. True
B. False
Thank you

Amy Smith, Privacy/Security Officer, 989-2076
Sue Zogaria, Privacy Officer (Alternate), 989-2113
Gordon Grieble, Security Officer (Alternate), 989-2085