
HIPAA: Privacy/Info Security


Academic year: 2021

(1)

HIPAA: Privacy/Info Security

Jeff Jones
HIPAA Privacy Officer
HIPAA Information Security Officer

(2)

Discussion Topics

What you should know…

• Protected Health Information (PHI)
• Disclosure & Use
• Authorization Form
• Minimum Necessary
• Patient Notice
• Security Awareness
• Security Training
• Information Security Officer
• Security Mistakes
• Penalties

(3)

What Does HIPAA Do?

• Imposes new restrictions on the use and disclosure of PHI.
• Gives patients greater access to their medical records.
• Gives patients greater protection of their medical records.

(4)

What is PHI?

• Protected Health Information:
  • Individually Identifiable Health Information (IIHI) relating to the past, present or future health condition of the individual, that is transmitted or maintained in any form (electronically, orally or on paper).
  • Examples of identifiers that make health information individually identifiable: name, address, dates of service, date of birth, social security number, etc.

(5)

What is Disclosure and Use?

• Use: Shared, examined, applied or analyzed within the entity that holds the information.
• Disclosure: Released, transferred, or made accessible to anyone outside the entity holding the information.

(6)

When Can PHI be Used/Disclosed?

• PHI can be used or disclosed for:
  • Treatment, Payment, Healthcare Operations (TPO)
  • With written authorization from the individual
  • Disclosure to the patient
  • Incidental uses and disclosures that are a by-product of a permitted use, provided reasonable safeguards and the minimum necessary standard were applied

(7)

When is Authorization Required?

• Generally speaking, for uses and disclosures other than:
  • Treatment
  • Payment
  • Healthcare Operations

(8)

What is an Authorization Form?

• An authorization is a written document, signed by the patient, that specifically permits the covered entity to use or disclose PHI for a stated purpose that is not otherwise allowed, such as a use outside TPO.

(9)

When is Authorization Not Required?

• To maintain a patient directory
• To inform family members of patient location, general condition, or death
  (for these two, the patient must still be given the chance to object, e.g. to opt out of the directory)
• Public health activities
• Coroners, medical examiners, funeral directors, organ donations
• To avert a serious threat to health and safety

(10)

What is “Minimum Necessary”?

• Make sure the least amount of health information needed to accomplish the task is shared.
• Identify those who regularly access PHI and the types of PHI each of them needs for proper treatment, payment and healthcare operations (TPO) for the patient.
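The role-to-field analysis this slide asks for is, in effect, an access-control policy, and it is easier to reason about once written down as one. The following is an added example, not code from the original slides: a deny-by-default “minimum necessary” filter in Python. The patient record, the roles (clinician, billing, quality_review), the purposes and the field policy are all constructed assumptions for illustration; a covered entity would derive its own policy from its workforce analysis.

```python
# Added example (not from the original slides): a deny-by-default
# "minimum necessary" filter for PHI disclosures.  The record, roles and
# field policy below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NoReturn, Optional

# Constructed sample PHI record: identifiers plus health information.
PATIENT_RECORD: Dict[str, object] = {
    "mrn": "000123",
    "name": "Pat Example",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example St",
    "diagnosis": "type 2 diabetes",
    "medications": ["metformin"],
    "insurance_id": "INS-0001",
    "billed_amount": 240.00,
}

# Purposes that never need a signed authorization: treatment, payment,
# health care operations (TPO).
TPO_PURPOSES: FrozenSet[str] = frozenset({"treatment", "payment", "operations"})

# Hypothetical role -> fields needed for each TPO purpose.  Anything not
# listed is withheld, so no role here ever receives the SSN or address.
MINIMUM_NECESSARY_POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "treatment": {
        "clinician": frozenset({"mrn", "name", "dob", "diagnosis", "medications"}),
    },
    "payment": {
        "billing": frozenset({"mrn", "name", "dob", "insurance_id", "billed_amount"}),
    },
    "operations": {
        "quality_review": frozenset({"mrn", "diagnosis", "medications"}),
    },
}


class DisclosureDenied(Exception):
    """Raised when neither a policy entry nor an authorization covers the request."""


@dataclass(frozen=True)
class DisclosureEntry:
    """One line of the disclosure log: what was released, to whom, and why."""
    role: str
    purpose: str
    released: FrozenSet[str]
    withheld: FrozenSet[str]
    authorized: bool


def _deny(log: List[DisclosureEntry], role: str, purpose: str,
          record: Dict[str, object], reason: str) -> NoReturn:
    # Refusals are logged too; an auditor wants to see attempts, not just successes.
    log.append(DisclosureEntry(role, purpose, frozenset(), frozenset(record), False))
    raise DisclosureDenied(reason)


def minimum_necessary(
    record: Dict[str, object],
    role: str,
    purpose: str,
    log: List[DisclosureEntry],
    authorized_fields: Optional[FrozenSet[str]] = None,
) -> Dict[str, object]:
    """Return only the fields of `record` this request is entitled to.

    TPO requests are limited to the role's policy entry.  Any other purpose
    (research, marketing, a relative asking) needs a signed authorization,
    represented here by the set of fields that authorization names.
    """
    if authorized_fields is not None:
        # The authorization defines the scope; never exceed what it names.
        allowed = frozenset(authorized_fields)
    else:
        if purpose not in TPO_PURPOSES:
            _deny(log, role, purpose, record,
                  f"{purpose!r} is not TPO; a signed authorization is required")
        policy = MINIMUM_NECESSARY_POLICY[purpose].get(role)
        if policy is None:
            _deny(log, role, purpose, record,
                  f"no minimum-necessary entry for role {role!r} under {purpose!r}")
        allowed = policy

    released = {k: v for k, v in record.items() if k in allowed}
    log.append(DisclosureEntry(
        role, purpose, frozenset(released),
        frozenset(record) - frozenset(released),
        authorized_fields is not None,
    ))
    return released


def denied(record: Dict[str, object], role: str, purpose: str,
           log: List[DisclosureEntry],
           authorized_fields: Optional[FrozenSet[str]] = None) -> bool:
    """True if the request is refused; handy for self-checks and tests."""
    try:
        minimum_necessary(record, role, purpose, log, authorized_fields)
    except DisclosureDenied:
        return True
    return False
```

Two properties matter more than the table itself: a request for any purpose outside TPO is refused unless a signed authorization (the set of fields it names) accompanies it, and every decision, refusals included, lands in the disclosure log, which is what an auditor or a breach investigation will ask for first.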

(11)

What is the Notice of Privacy Practices?

• The Patient Notice is a required document that outlines the common uses of PHI.
• Must contain patient’s rights and the covered entity’s legal duties.
• Must be made available in print.
• Must be displayed at the site of service and

(12)

Security Awareness: What is it?

• Recognizing what types of security issues may arise in the workplace; and
• Knowing what actions to take in the event of a security breach.

(13)

Security Awareness/Training

• The HIPAA Security Rule requires that everyone in the workforce be trained.
• Members of the workforce include volunteers!!!

(14)

What’s a Person to do?

• Always report anything unusual.
• Notify your supervisor if you suspect a security incident.
• Never share your user ID or password with anyone.

(15)

Top 10 Workplace Security Mistakes

1. Hidden under the keyboard – Keeping a computer password on a yellow post-it note.
2. I’ll do it my way – Not listening to or following security procedures.
3. On, gone, not locked – Walking away from the computer, leaving it unlocked or not turned off.
4. Gee, what’s in this attachment – Unknown email attachments can carry viruses that cripple systems.

(16)

Top 10 Workplace Security Mistakes

6. Loose lips – Talking in public about things you shouldn’t.
7. Laptops with legs – Laptops left unsecured and unattended are vulnerable to theft.
8. Law enforcement – Managers and supervisors need to ensure ongoing compliance.
9. The threat within – Many security breaches originate inside the organization, from people who already have legitimate access.
10. Update now – Security updates don’t do any good unless they are installed on your computer.

(17)

How do We Comply?

• HIPAA requires that we designate a “Privacy Officer” and an “Information Security Officer”.
• The Privacy Officer is responsible for overseeing all privacy policies and procedures and is the contact person for receiving complaints.
• The Information Security Officer is responsible for the security policies and procedures that protect electronic PHI.
• Institute a training program for volunteers.

(18)

What if We Don’t Comply?

• Civil penalties from $100 per violation up to $25,000 per year for identical violations (the original 1996 amounts; the HITECH Act of 2009 raised these to a tiered schedule reaching $50,000 per violation and $1.5 million per year, since adjusted for inflation).
• Criminal penalties up to $250,000 and 10 years in prison (for obtaining or disclosing PHI with intent to sell it, or for commercial advantage, personal gain or malicious harm).

(19)

Summary

• Remember:
  • It’s all about protecting patients’ right to privacy and security.
  • Put yourself in the patient’s place.

(20)

Please print out this page, sign and date it, then turn it in to your instructor.

Health Insurance Portability & Accountability Act – Instruction Session

I completed the instruction session on the Health Insurance Portability & Accountability Act (HIPAA) on ______________________.

I understand the privacy and confidentiality policies of the clinical facilities I will be attending for my clinical experiences. I know the condition information terminology, the policies regarding “privacy patients” and the disclosure of protected information. I also know the “safeguards” to confidentiality and the penalties for violation of HIPAA.
