Annual Employee HIPAA Training

Betsy Donat

on 10 October 2014


Betsy Donat - CCO
Annual HIPAA Training
Health Insurance Portability and Accountability Act of 1996

Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164)
Enforced by the HHS Office for Civil Rights, the Centers for Medicare & Medicaid Services, and the Department of Justice

Individual’s past, present or future:
Physical/mental condition
Treatment/provision of health care, and
Payment for treatment
Individually Identifiable Health Information:
Name(s), address, D.O.B./D.O.D., age, telephone number(s), email address, SSN, medical record/account numbers, vehicle identifiers, full-face photographic or other comparable images
Criminal Justice testing data is PHI

HIPAA is a federal law; its Privacy and Security Rules are federal regulations

Ensures health insurance portability
Reduces health care fraud and abuse
Protects patients from reputational harm or identity theft

Privacy Rule
covers keeping Protected Health Information (PHI) private
Security Rule
covers the national standards for securing electronic PHI (ePHI)

Protected Health Information (PHI)
Privacy Rule
Limits the way in which our workforce may use, disclose and release PHI.
Employees must have a job-related reason to use and/or disclose PHI.
Requires that all employees access and use only the minimum amount of PHI necessary to get the job done.
Requires that upon a proper request for PHI, we release only the minimum amount of PHI needed to meet the request.
This is what HIPAA defines as the MINIMUM NECESSARY standard.
The Patient Privacy Rights
Right to access PHI
Right to request an amendment to PHI
Right to request restrictions on how PHI is used for treatment, payment, and healthcare operations
Right to receive confidential communications
Right to request an accounting of disclosures
Right to complain to the Department of Health and Human Services’ Office for Civil Rights

The Notice of Privacy Practices
The Notice informs employees and patients of the following:
Describes how we may use and disclose a patient’s PHI
Provides a clear and concise description of the patient’s rights:
Restricting PHI
Accounting of Disclosures of PHI
Inspection and Access to PHI
Amending PHI
Security Rule
Requires that administrative, physical, and technical safeguards be implemented to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)

The security of patient information is EVERYONE’S job! We owe it to our patients!
The Security Rule requires that the company implement security protocols.
Requires that each computer system user have a unique user identity and password.
Do not share your password, or write it down where it can be easily retrieved by others.
Do not walk away from your computer without signing off/locking your computer.
You are responsible for any activity that occurs under your user identity.
Your user identity is what can be used to monitor your activity on the system(s).
Report to Compliance all security risks you are aware of or become aware of, such as:
Unauthorized or suspicious visitors
Logged-on but unattended workstations
Uncontrolled access to areas that house equipment and/or PHI
Passwords on Post-it™ notes
Staff accessing records without a job-related purpose
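Because every access is tied to a unique user identity, the audit log can be reviewed for the last item on that list: staff viewing records they have no job-related reason to see. The script below is an added example, not part of the training or the company's own tooling. The log line format, the assignment table (which patients each user has a work reason to access), the sample log lines and the five-views-in-five-minutes burst threshold are all constructed for illustration.

```python
"""Review an access-audit log for record views with no job-related reason.
Added example; the log format, assignments and sample lines are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one line per record view.
SAMPLE_LOG = """\
2014-10-10T08:02:11 user=jsmith action=view patient=P1001
2014-10-10T08:05:40 user=jsmith action=view patient=P1002
2014-10-10T08:06:02 user=kdoe action=view patient=P1003
2014-10-10T08:07:15 user=kdoe action=view patient=P1001
2014-10-10T12:30:00 user=rlee action=view patient=P2001
2014-10-10T12:30:20 user=rlee action=view patient=P2002
2014-10-10T12:30:41 user=rlee action=view patient=P2003
2014-10-10T12:31:05 user=rlee action=view patient=P2004
2014-10-10T12:31:30 user=rlee action=view patient=P2005
2014-10-10T12:31:55 user=rlee action=view patient=P2006
"""

# Hypothetical assignment table: the patients each user has a work reason to see.
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "kdoe": {"P1003"},
    "rlee": {"P2001"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def unassigned_access(events, assignments):
    """Views of records the user has no job-related assignment for."""
    return [
        e for e in events
        if e["action"] == "view" and e["patient"] not in assignments.get(e["user"], set())
    ]


def rapid_browsing(events, min_patients=5, window=timedelta(minutes=5)):
    """Users who viewed at least min_patients distinct records inside one window.
    Returns {user: distinct records seen}; a burst of distinct patients is a
    common snooping signature even when each view looks plausible on its own."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "view":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) >= min_patients:
                flagged[user] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unassigned_access(evs, ASSIGNMENTS):
        print(f"unassigned: {e['ts']} {e['user']} viewed {e['patient']}")
    for user, n in rapid_browsing(evs).items():
        print(f"burst: {user} viewed {n} distinct records within 5 minutes")
```

Every hit is a lead for Compliance to follow up, not a verdict: an unassigned view may have a legitimate reason (a covering colleague, a transcription error in the assignment table), which is why the review produces a list to investigate rather than an automatic sanction.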
Privacy Compliance Tips
Do not discuss PHI in public, common areas or at home
Do not include any patient identifiers in the subject line of an email
Criminal Justice data should be treated like PHI since the company is a Covered Entity
Keep all PHI locked and secured when you are away from your work area
Double check fax numbers for accuracy before sending a fax containing PHI
If a fax is sent to the wrong recipient in error, you must notify Compliance
Verify provider/agent’s identity PRIOR to discussing or disclosing PHI
When in doubt, best practice is not to disclose PHI
Only look at the PHI we need to perform our job - no snooping
If you’re not sure what's right or wrong – call Compliance first
Security Compliance Tips
Lock your computers when you step away from your work area
Do not email a patient's name or identifier in the subject line of an email
Do not email any ePHI unless it is encrypted; put [PHI] in the subject line so the message is sent encrypted
Double check email addresses before sending an email containing PHI
If an email is sent to the wrong recipient in error, you must notify Compliance
Only look at the PHI we need to perform our job - no snooping
As a user of company systems (including the Internet) you are required to:
Use only your officially assigned user identity (e.g. user ID/password)
Save data only to the Company Network Drive unless prior approval has been granted
Notify your manager and the HIPAA Security Officer if your password has been disclosed, or otherwise compromised, and immediately change your password
Lost phone/laptop/flash drive - IMMEDIATELY REPORT to Compliance even if you’re not sure PHI is on it
A breach affecting more than 500 individuals in a state requires notice to the MEDIA
California requires that reporting be done within 5 DAYS
If you’re not sure what's right or wrong – call Compliance first
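The email rules above (no patient identifiers in the subject line, no ePHI without the [PHI] encryption marker, double-checking recipients) can be checked automatically before a message leaves the mail client. The following is an added example, not code from the training or the company: the identifier patterns (the MRN format in particular), the [PHI] marker as the encryption trigger, the example.com domain and the sample drafts are assumptions made for illustration, and the external-recipient check is this example's own reading of "double check email addresses" rather than a rule the training states.

```python
"""Pre-send checks for outbound mail against the training's email rules.
Added example; patterns, the [PHI] trigger and the domain are assumptions."""
import re

PHI_TAG = "[PHI]"                # subject marker assumed to route mail through encryption
INTERNAL_DOMAIN = "example.com"  # hypothetical company mail domain

# Patterns for identifiers the training lists as PHI. The MRN format is hypothetical.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[ :#-]*\d{6,}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def find_identifiers(text, patient_names=()):
    """Return the kinds of identifier present in text, sorted and de-duplicated.
    patient_names lets the caller supply names to match (e.g. from a case list)."""
    found = {kind for kind, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)}
    lower = text.lower()
    if any(name.lower() in lower for name in patient_names):
        found.add("name")
    return sorted(found)


def check_outbound(subject, body, recipients, patient_names=()):
    """Return a list of (rule, detail) violations; an empty list means the draft passes."""
    violations = []

    # Rule 1: no patient identifiers in the subject line, encrypted or not.
    subj_ids = find_identifiers(subject, patient_names)
    if subj_ids:
        violations.append(("subject-identifier", "subject contains " + ", ".join(subj_ids)))

    # Rule 2: ePHI in the body only when the message is marked for encryption.
    body_ids = find_identifiers(body, patient_names)
    if body_ids and PHI_TAG not in subject:
        violations.append(("unencrypted-ephi",
                           "body contains " + ", ".join(body_ids) + f" but subject lacks {PHI_TAG}"))

    # Rule 3 (this example's choice): ePHI going outside the company domain
    # needs the sender to confirm the addresses before it leaves.
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if body_ids and external:
        violations.append(("external-recipient", "ePHI addressed to " + ", ".join(external)))

    return violations


if __name__ == "__main__":
    # Constructed drafts: one that breaks all three rules, one that passes.
    drafts = [
        ("Results for Jane Doe", "DOB 03/04/1970, SSN 123-45-6789", ["dr@clinic.org"]),
        ("[PHI] Lab results attached", "Patient MRN 1234567, DOB 03/04/1970", ["billing@example.com"]),
    ]
    for subject, body, to in drafts:
        problems = check_outbound(subject, body, to, patient_names=("Jane Doe",))
        print(f"{subject!r}: {'OK' if not problems else problems}")
```

Pattern matching of this kind catches the obvious cases (an SSN, an MRN, a name from a known case list) and nothing else; it does not replace the habit the training asks for, which is to look at the subject, body and address list before pressing send.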
Criminal Prosecution & Jail sentences for HIPAA Breach
Aug. 2010: Dr. Zhou received jail time for a misdemeanor HIPAA offense, for merely accessing confidential records without a valid reason or authorization, even though he did not profit from it through the sale or use of the information.
2006: Andrea Smith, LPN, and her husband were indicted on federal charges of conspiracy to violate and substantive violations of HIPAA: use of PHI illegally obtained from her employer's records for a civil suit her husband was involved in.
2004: Richard Gibson, phlebotomist, obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance and used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt. Sentenced to 16 months in prison.
2005: Liz Arlene Ramierez, pled guilty and was convicted of selling confidential medical information belonging to a Federal Bureau of Investigation Special Agent to someone she believed was working for a drug trafficker. Sentenced to 6 months in prison.
2007: Isis Machado, a front desk office coordinator at The Cleveland Clinic in Weston, Florida, improperly obtained Medicare information and other demographic information for approximately 1,130 Cleveland Clinic patients in Naples, Florida, and sold that information to her cousin, co-defendant, Fernando Ferrer, for $5 to $10 each. That data led to $7 million in fraudulent Medicare claims. Machado was sentenced to 3 years probation, including 6 months of home confinement, and ordered to pay restitution of $2.5 million. Ferrer was sentenced to 87 months in prison, 3 years supervised release and ordered to pay $2.5 million in restitution.
Nov. 2009: Issac Earl Smith, 38, sentenced to 6 years prison for crimes involving health care fraud, aggravated identity theft and disclosures prohibited by HIPAA. Smith and others used the PHI to create counterfeit prescriptions that were presented to pharmacies in order to illegally obtain controlled substances.
Why is it not okay to share user IDs/passwords?
Your user identity is what can be used to monitor your activity on the company's system(s).
Is storing passwords on Post-it notes acceptable?
No, it is against company security policies to put your User ID/Password on a Post-it note.
What is the company's practice when we receive a request for PHI from patients, patient representatives, or attorneys?
All requests for access to or release of PHI should be provided to your lab's compliance lead or directly to Compliance.
Are there any issues with posting PHI on Facebook, Twitter, or other social network sites?
Yes - you may be terminated by the company for disclosing PHI without authorization and could face civil and criminal penalties for improper use/disclosure of PHI.
Can we copy, take photos of, or just discuss PHI with co-workers, relatives, or on social network sites?
We only look at PHI needed to complete our job duties. We can discuss PHI if needed to complete job tasks.
We do not ever discuss PHI outside our job scope, and especially not with friends, family or publicly.
Can we share lab results with patients?
Yes, the HIPAA Final Rule and CLIA were amended and now permit laboratories to share both laboratory records and billing records directly with patients when we receive a HIPAA-compliant authorization form.
What is the process when we inadvertently send out PHI?
We IMMEDIATELY call Compliance and provide details regarding the incident.
What are the risks of sending out an unencrypted email?
We put the company at risk of having to report the incident to the patients, the media, and the government, and potentially pay a very large fine.
Is it a HIPAA breach or inadvertent disclosure if the patient will never find out?
Yes, any unauthorized use or accidental disclosure is a HIPAA breach. Compliance needs to record each incident so that Compliance can determine appropriate reporting obligations.
The company's HIPAA Privacy & Security Policy Manual is located on the company's SharePoint page:
HIPAA Privacy & Security Manual, which contains policies covering the following:
Guidelines for Requesting and Releasing PHI
Responding to Third Party, Patient, Patient Representatives, and Judicial and Administrative Proceedings Requests for PHI
Transmitting PHI via Fax, Phone, Email and Mail
Verifying Identity Prior to Disclosing PHI
Requests to Restrict Uses and Disclosures of PHI
Notice of Privacy Practices
Accounting PHI Disclosures
Business Associate Agreements
Unauthorized or Inadvertent PHI Disclosure
Incident, Investigation and Notification of Breach
Sanctions Against Employees for HIPAA Violations
Administrative Safeguards for ePHI
Assigned Responsibilities and Workforce Security
Security Incident Procedure
Emergency & Contingency Operations
Physical Safeguards for PHI and ePHI
Facility Access Controls
Workstation Use and Security
Device and Media Controls
Proper PHI Disposal
Technical Safeguards for ePHI
Audit Controls and Risk Assessments
Transmission Security

Betsy Donat, CCO is the company's designated Privacy Officer

Carl Warner, CIO is the company's designated Security Officer

Lab compliance leads:
Secon - Kelly Lane
Workers' Comp - Joette Gittens
Shared Services - Catie Bertrand
AFTS - Karen Steinert
Norchem - Becky Gibbs
Forensic Labs - Catie Bertrand
Sterling Ref Labs - Lisa Foster
The company has and will continue to conduct periodic internal and external Security Risk Assessments to test its security practices and protocols.

The company will attempt to reasonably mitigate any risks identified during these Security Risk Assessments.
All company employees and temporary employees have an obligation to report any HIPAA incidents, such as a misdirected faxes or email.

Failure to report may result in disciplinary action up to and including the employee's termination.

Employees will not be retaliated against for any reports made in good faith; however, reporting will not excuse deviation from company policy.
All HIPAA policies set forth by the company provide guidance to full-time and temporary employees on how to perform their job duties in accordance with HIPAA and state privacy laws.

Any questions should be raised prior to undertaking questioned conduct. ASK BEFORE YOU LEAP!
All full time and temporary employees of the company have a duty to:
2) COMPLY therewith, and
3) REPORT any deviations

Failure to do any of these 3 requirements may result in the employee's termination or disciplinary action.

How do we dispose of documents containing PHI?
We securely destroy all documents containing PHI by putting the documents in the secure shred bin.