2014 Core Training 1

(1)

2014

Core Training

(2)

Course Agenda

• Review of Key Privacy Laws/Regulations:

– Federal HIPAA/HITECH regulations – State privacy laws

• Privacy & Security Policies & Procedures

– Huntsville Hospital Health System policies and procedures related to privacy & security

• Your Responsibilities for:

– Protecting confidential and sensitive information – Good computer practices

– Reporting privacy breaches and security incidents

(3)

Key Privacy Laws/Regulations

• HIPAA (the Health Insurance Portability & Accountability Act) is the federal law, passed in 1996, which requires us to protect the privacy of PHI (protected health information), both electronic (ePHI) and physical.

• PHI includes at least one of the following 18 identifiers:

– Name

– Postal address

– All elements of dates except year

– Telephone number

– Fax number

– Email address

– URL address

– IP address

– Social security number

– Account numbers

– License numbers

– Medical record number

– Health plan beneficiary number

– Device identifiers and their serial numbers

– Vehicle identifiers and serial numbers

– Biometric identifiers (finger and voice prints)

– Full face photos and other comparable images

– Any other unique identifying number, code, or characteristic

(4)

Key Privacy Laws/Regulations

• In 2013 HIPAA was updated with:

– The Final Omnibus Rule, and

– The HITECH Act.

• This update to HIPAA includes:

– Increased fines and penalties for privacy violations

– Additional responsibility for not just employees, but also business associates, to protect PHI

– Patient Rights

– Updates to the Security Rule and Breach Notification, requiring organizations to share when a breach has occurred, not just if it caused harm to the individual

(5)

HIPAA Penalties

• Expanded penalties include:

– HIPAA Civil Penalties

• $100 ‐ $1,500,000/year fines; and more fines if multiple year violations

– HIPAA Criminal Penalties

• $50,000 ‐ $250,000 fines & imprisonment up to 10 years

– State Laws

• Fines and penalties apply to individuals as well as health care providers, up to a maximum of $250,000

• May impact your professional license & imprisonment up to 10 years

– Huntsville Hospital Health System

• Up to and including termination

(6)

Our Responsibilities and Protected Health Information

(7)

Our Responsibilities

We are required by HIPAA to keep PHI secure by:

Communicating privacy rights with our patients

Patient’s Rights with PHI include:

• Access and the ability to receive a copy of one’s own PHI (paper or electronic formats)

• Request amendments to information

• Request restriction of PHI uses and disclosures

• Restrict disclosure to health plans for services self‐paid in full (“self‐pay restriction”)

• Request alternative forms of communications (mail to P.O. Box not street address, no message on answering machine, etc.)

• Accounting of the disclosures of PHI

(8)

Our Responsibilities

We are required by HIPAA to keep PHI secure by:

Ensuring you only view, use, and share PHI when required for your job.

• The NPP allows PHI to be used and disclosed for purposes of Treatment, Payment, or Operations (TPO)

– Use: Accessing, viewing, and using PHI within the department or with business associates

– Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the department.

Ensuring “Minimum Necessary” access to PHI, which means users access the minimum amount of information necessary to perform their duties

Protecting access to confidential/sensitive information

Reporting privacy breaches immediately to the Privacy Officer

(9)

Our Responsibilities: to Patients

HIPAA requires we communicate patient’s right to privacy by:

• OFFERING a Notice of Privacy Practice (NPP), which

– Advises patients of their privacy rights

– And is posted in public registration areas & on our website

• ATTEMPTING to get a signature on the Patient Acknowledgement Agreement (PAA), acknowledging receipt of the NPP

– This is required, except in emergency situations

– And if not obtained, we must document the reason why

(10)

Our Responsibilities: to Patients

HIPAA requires we get the proper release for PHI:

GETTING WRITTEN PERMISSION if we release PHI for a reason other than TPO (Treatment, Payment or Operations)

– Exception is for immunization records for children, in states that require those records

(11)

Our Responsibilities: to Patients

SPECIAL DIRECTIONS for Facility Directory

– During registration, patients are asked about being in the directory

– Only the location and general condition may be disclosed if someone asks for the patient by name

– If the patient objects, DO NOT acknowledge that the patient is in the facility.

SPECIAL DIRECTIONS for Fundraising

– Additional rules apply for those involved in fundraising; see Policy 124

(12)

Privacy & Security: Our Individual Roles

(13)

Our Role in Protecting PHI

We are each responsible to protect PHI:

– Follow policies and procedures

– Protect the privacy and security of information

– Ask your Supervisor or Manager for guidance

• All Policies and Procedures for the Health System are listed on Pulse/Hotlist/HIPAA

(14)

Our Role: Protecting Physical PHI

• Handling PHI

– Double check the address or fax number when mailing or faxing

– Only fax PHI to a secure fax (inside a secure area)

– Use the approved Huntsville Hospital Health System cover sheet containing a confidentiality statement.

– Check printers, faxes, and copier machines when you are finished

– Don’t leave PHI on your desk; lock it up

– Double check when handing documents to patients/family members

(15)

Our Role: Protecting Physical PHI

• Taking PHI offsite

– You must first obtain approval from your supervisor.

– Never leave PHI unattended in your bag, briefcase or car (even if it’s locked in the trunk!)

– All devices that access ePHI or Huntsville Hospital Health System email must be password protected

– Access PHI remotely

• Disposal of paper documents

– Shred PHI first! Then use the trash: recycle and trash bins are NOT all secure

– Shred bins only work when papers are put inside the bins

(16)

Our Role: Protecting Audible PHI

• Avoid discussing PHI in public areas

– Be aware of your surroundings when talking

– Do not leave PHI on answering machines

– Don’t speak too loudly, or to the wrong person

– Ask yourself, “What if my information was being discussed like this?”

(17)

Our Role: Protecting ePHI

For electronic protected health information

• Avoid unauthorized computer access by:

– Protecting your user ID

– Protecting your password

– Logging out of programs that access PHI when not in use

(18)

Our Role: Protecting ePHI

For electronic protected health information

• All devices used to access ePHI must be password protected, including:

– Your HH email

– Personal laptop

– iPad/tablet

– iPhone/smartphone

Did You Know??

Even if you don’t intentionally save PHI onto your device, your Huntsville Hospital Health System email files may download to your device without your knowledge.

(19)

Our Role: Protecting ePHI

• Encrypt all emails with PHI going to email addresses that do not end with:

@theheartcenter.md, @compone.org, @dmhnet.org, @hhsys.org, @firstcomm.org, @hgala.org, @namci.com, @namci.org

• How to “Encrypt” email: always start the subject line of the email with

[Encrypt] or Secure:
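The slide above describes a rule an email gateway or a pre-send check can enforce mechanically: mail that contains PHI and has any recipient outside the listed Health System domains must carry the [Encrypt] or Secure: subject prefix. The following Python is an added illustration of that rule, not code from the training or from Huntsville Hospital Health System; the `contains_phi` flag is assumed to come from a separate, hypothetical PHI classifier, and the sample messages are constructed.

```python
from dataclasses import dataclass

# Internal domains listed on the slide: mail to these does not need the encryption tag.
INTERNAL_DOMAINS = frozenset({
    "theheartcenter.md", "compone.org", "dmhnet.org", "hhsys.org",
    "firstcomm.org", "hgala.org", "namci.com", "namci.org",
})

# Subject-line prefixes the slide gives as the encryption trigger (compared case-insensitively).
ENCRYPT_PREFIXES = ("[encrypt]", "secure:")


@dataclass(frozen=True)
class OutboundMail:
    recipients: tuple   # full addresses, e.g. ("nurse@hhsys.org",)
    subject: str
    contains_phi: bool  # assumption: supplied by an upstream PHI classifier (hypothetical)


def recipient_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def external_recipients(recipients):
    """Recipients whose domain is not an internal one; malformed addresses count as external."""
    return [r for r in recipients if recipient_domain(r) not in INTERNAL_DOMAINS]


def subject_requests_encryption(subject):
    """True when the subject starts with [Encrypt] or Secure:, ignoring case and leading spaces."""
    return subject.lstrip().lower().startswith(ENCRYPT_PREFIXES)


def check_outbound(mail):
    """Apply the slide's rule. Returns (allowed, reason)."""
    if not mail.contains_phi:
        return True, "no PHI; encryption not required"
    external = external_recipients(mail.recipients)
    if not external:
        return True, "PHI, but every recipient is on an internal domain"
    if subject_requests_encryption(mail.subject):
        return True, "PHI to external recipients with encryption tag"
    return False, "PHI to external recipients (%s) without [Encrypt]/Secure: tag" % ", ".join(external)


if __name__ == "__main__":
    # Constructed sample messages for a quick run.
    samples = [
        OutboundMail(("nurse@hhsys.org",), "Lab results", True),
        OutboundMail(("patient@mail.example",), "Lab results", True),
        OutboundMail(("patient@mail.example",), "Secure: Lab results", True),
        OutboundMail(("patient@mail.example",), "Lunch menu", False),
    ]
    for m in samples:
        print(m.subject, "->", check_outbound(m))
```

The check matches the whole domain after the last `@` against the allowlist rather than testing whether the address string merely ends with one of the domains; a plain suffix test would treat an address at `nothhsys.org` as internal. Because a mail client will happily send without the tag, a control like this belongs on the gateway, where it can block or quarantine the message and produce a log line for the security team.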

(20)

Our Role: Protecting ePHI

• Practice Safe Emailing

– Do not open, forward, or reply to:

• Suspicious emails

• Suspicious email attachments

• Or unknown website addresses

– NEVER provide your username and password to an email request

– Delete spam and empty the “Deleted Items” folder regularly

– It is your responsibility when communicating to send all PHI securely

(21)

Our Role: Protecting ePHI

• Do not share patient PHI on social media; that means anything from your work at the Health System

– Even if the information is public

– Information obtained from your patient/provider relationship is confidential

(22)

What to do: Reporting a Suspected Breach of PHI

(23)

Our Role: Reporting a Breach

• PRIVACY BREACH: Report when PHI is:

– Physically lost or stolen

– Misdirected to others outside of HH Health System, including:

• PHI verbal messages left for the wrong person

• Misdirected mail, fax or email containing PHI

• When a user does not use secure email with PHI

• Posted to Huntsville Hospital Health System intranet, internet, websites, Facebook, Twitter

IMMEDIATELY REPORT TO:

Your Supervisor

Privacy Officer at (256) 265-4477/9257

IT Security at (256) 265-4555

(24)

Our Role: Reporting a Breach

• PRIVACY BREACH: Report when:

– PHI is part of a Security Incident:

– When an electronic device is lost/stolen

– When any unusual or suspected information is missing

• The loss and/or theft of any form of ePHI

• Unusual computer activity

IMMEDIATELY REPORT TO:

Your Supervisor

Privacy Officer at (256) 265-4477/9257

IT Security at (256) 265-4555

(25)

Our Role: Reporting a Breach

• FAX PRIVACY BREACH: Report if:

– You send a fax containing PHI to the wrong phone or fax number

– You receive a fax in error; immediately:

• Alert the sender

• Do not use or disclose the information

IMMEDIATELY REPORT TO: Privacy Officer at (256) 265-4477/9257

(26)

Our Role: Reporting a Breach

• In every circumstance, you will need to provide the following information:

– Date and time the breach was discovered

– Name and contact information of the person who discovered the breach

– The specific information disclosed

– The number of individuals who had their information disclosed

– How the breach happened

– Actions taken following detection

– The department contact for follow-up

IMMEDIATELY REPORT any known/suspected PRIVACY BREACHES to the Privacy Officer at (256) 265-4477 or 9257

(27)

In Review

(28)

In Review: It’s Our Job to Protect PHI

• It is the law to protect our patients’ privacy

– HIPAA law was developed to protect the privacy of our patients’ health information

– It is only appropriate to share, use, or access PHI when it is needed to do our job.

• We must follow Health System policies

– Protecting verbal, written, and electronic information

– Use safe computing and email practices

• Report suspected privacy & security incidents

– Privacy Breaches

– Security Breaches

Privacy Officer at (256) 265-4477/9257

IT Security at (256) 265-4555

And if you don’t know, Ask!

(29)

The Course is Finished!

Time to Take the Test

What happens at Huntsville Hospital,

Stays at Huntsville Hospital.
