2014
Core Training
Course Agenda
• Review of Key Privacy Laws/Regulations:
– Federal HIPAA/HITECH regulations
– State privacy laws
• Privacy & Security Policies & Procedures
– Huntsville Hospital Health System policies and procedures related to privacy & security
• Your Responsibilities for:
– Protecting confidential and sensitive information
– Good computer practices
– Reporting privacy breaches and security incidents
Key Privacy Laws/ Regulation
• HIPAA
(the Health Insurance Portability & Accountability Act) is the Federal law, passed in 1996, which requires us to protect the privacy of PHI (protected health information) in both electronic (ePHI) and physical form.
• PHI includes at least one of the following 18 identifiers:
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary number
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic
Key Privacy Laws/ Regulation
• In 2013 HIPAA was updated with:
– The Final Omnibus Rule, and
– The HITECH Act.
• This update to HIPAA includes:
– Increased fines and penalties for privacy violations
– Additional responsibility for not just employees, but also business associates to protect PHI
– Patient Rights
– Updates to the Security Rule and Breach Notification – requiring organizations to share when a breach has occurred, not just if it caused harm to the individual
HIPAA Penalties
• Expanded penalties include:
– HIPAA Civil Penalties
• $100 ‐ $1,500,000/year fines; and more fines if multiple year violations
– HIPAA Criminal Penalties
• $50,000 ‐ $250,000 fines & Imprisonment up to 10 years
– State Laws
• Fines and penalties apply to individuals as well as health care providers, up to a maximum of $250,000
• May impact your professional license & Imprisonment up to 10 years
• Huntsville Hospital Health System
– Up to and including termination
Our Responsibilities:
and Protected Health Information
Our Responsibilities
We are required by HIPAA to keep PHI secure by:
• Communicating privacy rights with our patients
Patient’s Rights with PHI include:
• Access and the ability to receive a copy of one’s own PHI (paper or electronic formats)
• Request amendments to information
• Request restriction of PHI uses and disclosures
• Restrict disclosure to health plans for services self‐paid in full (“self‐pay restriction”)
• Request alternative forms of communications (mail to P.O. Box not street address, no message on answering machine, etc.)
• Accounting of the disclosures of PHI
Our Responsibilities
We are required by HIPAA to keep PHI secure by:
• Ensuring you only view, use, and share PHI when required for your job.
• The NPP allows PHI to be used and disclosed for purposes of Treatment, Payment, or Operations (TPO)
– Use: Accessing, Viewing, and Using PHI within the department or with business associates
– Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the department.
• Ensuring “Minimum Necessity” for accessing PHI, which means users access the minimum amount of information necessary to perform their duties
• Protecting access to confidential/ sensitive information
• Reporting privacy breaches immediately to the Privacy Officer
Our Responsibilities: to Patients
HIPAA requires we communicate patient’s right to privacy by:
• OFFERING a Notice of Privacy Practice (NPP), which
– Advises Patients of their privacy rights
– And is posted in public registration areas & our website
• ATTEMPT to get a signature on the Patient Acknowledgement Agreement (PAA), acknowledging receipt of the NPP
– This is required, except in emergency situations
– And if not, we must document the reason why
Our Responsibilities: to Patients
HIPAA requires we get the proper release for PHI:
• GETTING WRITTEN PERMISSION if we release PHI for a reason other than TPO (Treatment, Payment or Operations)
– Exception is for immunization records for children, in states that require those records
Our Responsibilities: to Patients
• SPECIAL DIRECTIONS for Facility Directory
– During registration, patients are asked whether they want to be in the directory
– Only the location and general condition may be disclosed if someone asks for the patient by name
– If the patient objects, DO NOT acknowledge that the patient is in the facility.
• SPECIAL DIRECTIONS for Fundraising
– Additional rules apply for those involved in fundraising; see Policies: Policy 124
Privacy & Security:
Our Individual Roles
Our Role in Protecting PHI
We are each responsible to protect PHI:
– Follow policies and procedures
– Protect the privacy and security of information
– Ask your Supervisor or Manager for guidance
• All Policies and Procedures for the Health System are listed on Pulse/Hotlist/HIPAA
Our Role: Protecting Physical PHI
• Handling PHI
– Double check the address, or fax number when mailing or faxing
– Only fax PHI to a secure fax (inside a secure area)
– Use the approved Huntsville Hospital Health System cover sheet containing a confidentiality statement.
– Check printers, faxes, and copier machines when you are finished
– Don’t leave PHI on your desk, lock it up
– Double check when handing documents to patients/family members
Our Role: Protecting Physical PHI
• Taking PHI offsite
– You must first obtain approval from your supervisor.
– Never leave PHI unattended in your bag, briefcase or car (even if it’s locked in the trunk!)
– All devices that access ePHI or Huntsville Hospital Health System email must be password protected
– Access PHI remotely
• Disposal of paper documents
– Shred PHI First! Then use the Trash: Recycle and trash bins are NOT all secure
– Shred bins only work when papers are put inside the bins
Our Role: Protecting Audible PHI
• Avoid Discussing PHI in public areas
– Be aware of your surroundings when talking
– Do not leave PHI on answering machines
– Don’t speak too loudly, or to the wrong person
– Ask yourself, “What if my information was being discussed like this?”
Our Role: Protecting ePHI
For electronic protected health information
• Avoid unauthorized computer access by:
– Protecting your user ID
– Protecting your password
– Logging out of programs that access PHI when not in use
Our Role: Protecting ePHI
For electronic protected health information
• All devices used to access ePHI must be password protected, including:
• Your HH email
• Personal laptop
• iPad/tablet
• iPhone/smartphone
Did You Know??
Even if you don’t intentionally save PHI onto your device, your Huntsville Hospital Health System email files may download to your device without your knowledge.
Our Role: Protecting ePHI
• Encrypt all emails with PHI going to email addresses that do not end with one of these domains:
@theheartcenter.md, @compone.org, @dmhnet.org, @hhsys.org, @firstcomm.org, @hgala.org, @namci.com, @namci.org
• How To “Encrypt” email: always start the subject line of the email with
[Encrypt]
or
Secure:
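As an added illustration that is not part of the training deck, the following Python check applies this slide's rule to an outbound message before it leaves: the internal domain list and the two subject tags are taken from the slide, while the message fields and the SSN/MRN pattern heuristic are assumptions made for the example.

```python
# Added example (not the Health System's own tooling): flag outbound mail that
# goes to a non-internal domain without the [Encrypt] / Secure: subject tag.
import re
from email.utils import parseaddr

# Recipient domains the slide treats as internal (copied from the slide).
INTERNAL_DOMAINS = {
    "theheartcenter.md", "compone.org", "dmhnet.org", "hhsys.org",
    "firstcomm.org", "hgala.org", "namci.com", "namci.org",
}
# Subject-line prefixes that trigger encryption (copied from the slide).
ENCRYPT_TAGS = ("[Encrypt]", "Secure:")

# Constructed heuristic for two of the 18 identifiers; real DLP rules are broader.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
}


def external_recipients(recipients):
    """Return the addresses whose domain is not on the internal list (case-insensitive)."""
    external = []
    for recipient in recipients:
        _, addr = parseaddr(recipient)          # strips display names like "Dr. Lee <...>"
        domain = addr.rpartition("@")[2].lower()
        if not domain or domain not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def is_tagged_for_encryption(subject):
    """True when the subject starts with one of the slide's encryption tags."""
    return subject.lstrip().startswith(ENCRYPT_TAGS)


def phi_indicators(body):
    """Names of the constructed PHI patterns found in the message body."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(body)]


def check_outbound(subject, recipients, body):
    """Return (verdict, reason): 'allow', 'warn' or 'block' per the slide's rule."""
    external = external_recipients(recipients)
    if not external:
        return "allow", "all recipients are on internal domains"
    if is_tagged_for_encryption(subject):
        return "allow", "external recipients, encryption tag present"
    hits = phi_indicators(body)
    if hits:
        return "block", f"untagged mail to {', '.join(external)} with PHI indicators: {', '.join(hits)}"
    return "warn", f"untagged mail to {', '.join(external)}; confirm no PHI before sending"
```

Because the body check is only a heuristic, an untagged external message with no pattern hit is still surfaced as a warning rather than silently allowed.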
Our Role: Protecting ePHI
• Practice Safe Emailing
– Do not open, forward, or reply to:
• Suspicious emails
• Suspicious email attachments
• Or unknown website addresses
– NEVER provide your username and password to an email request
– Delete spam and empty the “Deleted Items” folder regularly
– It is your responsibility when communicating to send all PHI securely
Our Role: Protecting ePHI
• Do not share patient PHI on social media; that means anything from your work at the Health System
– Even if information is public
– Information obtained from your patient/provider relationship is confidential
What to do: Reporting a Suspected Breach of PHI
Our Role: Reporting a Breach
• PRIVACY BREACH: Report when PHI is:
– Physically lost or stolen
– Misdirected to others outside of HH Health System, including:
• PHI verbal messages left for the wrong person
• Misdirected mail, fax or email containing PHI
• When a user does not use secure email for PHI
• Posted to Huntsville Hospital Health System intranet, internet, websites, Facebook, Twitter
IMMEDIATELY REPORT TO:
Your Supervisor
Privacy Officer at (256) 265-4477/9257
IT Security at (256) 265-4555
Our Role: Reporting a Breach
• PRIVACY BREACH: Report when:
– PHI is part of a Security Incident, such as:
• When an electronic device is lost/stolen
• When any unusual or suspected information is missing
• The loss and/or theft of any form of ePHI
• Unusual computer activity
Our Role: Reporting a Breach
• FAX PRIVACY BREACH: Report if:
– You send a fax containing PHI to the wrong phone or fax number
– You receive a fax in error
– Immediately:
• Alert the sender
• Do not use or disclose the information
IMMEDIATELY REPORT TO: Privacy Officer at (256) 265-4477/9257
Our Role: Reporting a Breach
• In every circumstance, you will need to provide the following information:
– Date and time the breach was discovered
– Name and contact information of the person who discovered the breach
– The specific information disclosed
– The number of individuals who had their information disclosed
– How the breach happened
– Actions taken following detection
– The department contact for follow-up
IMMEDIATELY REPORT any known/suspected PRIVACY BREACHES to the Privacy Officer at (256) 265-4477 or 9257
In Review
In Review: It’s Our Job to Protect PHI
• It is the Law to Protect our Patients’ privacy
– HIPAA law was developed to protect the privacy of our patients’ health information
– It is only appropriate to share, use, or access PHI when it is needed to do our job.
• We must follow Health System policies
– Protecting verbal, written, and electronic information
– Use safe computing and email practices
• Report suspected privacy & security incidents
– Privacy Breaches
– Security Breaches
Privacy Officer at (256) 265-4477/9257 IT Security at (256) 265-4555