HIPAA Privacy Security Education

1
HIPAA Privacy / Security Education
2
HIPAA Definitions

• HIPAA Health Insurance Portability and
  Accountability Act
• PHI Protected Health Information
• EPHI Electronic Protected Health Information

3
HIPAA Privacy / Security

• The Privacy regulations make sure PHI is properly
  handled.
• The Security regulations make sure EPHI is
  properly handled.
• Costly lawsuits in addition to penalties and
  fines if we do not comply.

4
HIPAA Privacy

• Privacy requirements apply to anyone that has
  access to or works with patients PHI.
• Keep a log of the patient complaints made,
  including the resolution.

5
HIPAA Privacy

• We use and disclose PHI to carry out essential
  health care functions
• Treatment
• Payment
• Healthcare Operations

6
HIPAA Privacy

• Treatment Management of healthcare by one or
  more providers.
• Payment Obtain payment or reimbursement for
  services.
• Operations Administrative, financial, legal or
  quality improvement activities necessary to run
  business and support functions of treatment and
  payment.

7
HIPAA Privacy

• Patient Requested Restrictions
• Hospital Directory Do Not Announce
• Can restrict PHI from being shared with others

8
HIPAA Privacy

• Accounting of Disclosures AOD
• A patient has a right to receive a Accounting Of
  Disclosures of PHI.

9
HIPAA Privacy

• AOD Exclusions
• Treatment, payment or healthcare operations
• Pursuant to a patients written authorization
• Persons involved in patients care
• Business Associates for purpose of treatment,
  payment or healthcare operations
• Directory
• Made to the patient

10
HIPAA Privacy

• Notice of Privacy Practices / Business Associate
  Agreement
• NPP Notice of Privacy Practices informs
  patients how we may use their PHI.
• BAA Contractors or other non-workforce members
  hired to do the work of, or for, that involves
  the use or disclosure of PHI.

11
HIPAA Privacy

• Minimum Necessary
• We must make reasonable efforts to limit the use
  or disclosure of, and requests for PHI to minimum
  amount necessary for the intended purpose.

12
HIPAA Privacy

• Overheard, Seen in Passing
• The regulation permits uses or disclosures
  incidents, provided minimum necessary and
  safeguard standards are met.

13
HIPAA Security

• Assurance of Confidentiality, Integrity and
  Availability of PHI in any form.

14
HIPAA Security

• Three Areas
• Physical Safeguards
• Technical Safeguards
• Administrative Safeguards

15
HIPAA Security

• Physical Safeguards
• Measures taken to protect our facility and
  computer systems from unauthorized use.
• Computer placement should be considered prior to
  computer arriving in the area.
• Employee badges are physical safeguards.

16
HIPAA Security

• Technical Safeguards
• Control access, validate the identity and have
  authorization of users and protect information.
• Computer system access should be available on a
  need to know basis.
• Audit trails can be used to monitor authorized
  and unauthorized system access.

17
HIPAA Security

• Administrative Safeguards
• Formal written policies and procedures to protect
  PHI.
• Periodic evaluations of all security safeguards
  should be conducted and documented.

18
HIPAA Security

• HIPAA Notes
• Do not share or display passwords.
• Do not e-mail PHI outside of SJHS without putting
  it into a password protected document.
• Become familiar with policy 30110-170 Use and
  Disclosure of PHI.

19
HIPAA Security

• HIPAA Notes
• Do not discuss patients PHI for personal gain.
• Do not place PHI documents in trash cans.
• Practice common sense security. Make sure doors
  and desks are locked, as appropriate.

20
HIPAA Security

• HIPAA Notes
• Everyone should be assigned a personal user ID
  and should never use someone elses.
• If you do not have access to certain records as
  part of your job, you should not be accessing
  them.