
HIPAA & Security Awareness Training



Presentation Transcript


  1. HIPAA & Security Awareness Training
     Annual Mandatory Education

  2. Objectives
     • Define the Health Insurance Portability and Accountability Act (HIPAA)
     • Describe patient rights and protections under the HIPAA Privacy Rule
     • Identify good practices for treatment of patient information under the HIPAA Privacy and Security Rules
     • Identify appropriate physical safeguards to assist in the protection of electronic patient information

  3. Introduction
     The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law, enacted under President Bill Clinton and enforced by the Department of Health and Human Services, that addresses patient information in relation to:
     • Privacy and Confidentiality of Patient Information
     • Security of Electronic Protected Health Information
     • Transactions and Code Sets

  4. The Rules Address the Need To:
     • Standardize the format of health care data across the industry
     • Standardize rules for treatment of health care data
     • Share health care data among providers

  5. The Rules Address the Need To:
     • Evolve from paper to electronic records, thereby reducing the cost of maintaining health care data
     • Establish rules that grant patients rights to their own health care information
     • Protect patient information from unauthorized use and disclosure

  6. Protected Health Information
     • Names
     • Addresses
     • Employers
     • Relatives’ Names
     • Telephone, cell or fax numbers
     • Email Addresses
     • Social Security Number
     • Medical Record Number
     • Member or Account Number
     • Certificate Numbers
     • Voiceprints
     • Fingerprints
     • Photos
     • Codes
     • Any other characteristic, or combination of information, that may identify a person

  7. Patient Privacy Rights
     • Notice of Privacy Practices
     • File Complaints
     • Request restrictions on uses and disclosures
     • Request confidential communication

  8. Patient Privacy Rights
     • Request access to PHI for inspection and copying
     • Request amendments
     • Request accounting of disclosures
     • All rights apply to all patients, living or deceased

  9. Question #1
     Which is not a benefit of the HIPAA Rules?
     • Standardize rules for the treatment of health information
     • Reduce health care costs
     • Prevent data from being shared among current care providers
     • Protect patient information from unauthorized use and disclosure

  10. Question #2
     Which is not a patient right under the HIPAA Rules?
     • Request restrictions on uses and disclosures
     • Request an accounting of all disclosures
     • Request confidential communications
     • Request that certain data is stricken from their medical record

  11. Use and Disclosure
     Three kinds of use or disclosure that need NO prior authorization are:
     • Treatment
     • Health Care Operations
     • Payment

  12. Authorization
     • Obtained for any reason other than treatment, payment or health care operations
     • Specific in how the information will be used, by whom and for how long
     • Patients have the right to revoke authorizations at any time
     • All requests that require authorization must go to Medical Records for review

  13. Minimum Necessary Standard
     In circumstances other than treatment, including payment and health care operations, only the minimum amount of information necessary for the task or purpose should be released. This is called the “Minimum Necessary Standard.”

  14. Known Individuals
     • Family, friends or well-known figures
     • Cannot access for personal reasons
     • Only access what you need to do your job

  15. Personal Representatives
     • May have legal authority to act on behalf of a patient
     • May have a court-appointed document
     • Family member or friend providing care
     • Treated no differently than the patient with respect to HIPAA

  16. Question #3
     Authorization is needed to disclose patient information to another care provider currently caring for a patient.
     • True
     • False

  17. Question #4
     When patient information is requested for reasons other than treatment, payment or health care operations, to which department should the request be forwarded?
     • Information Technology Department
     • Medical Records
     • Patient Accounting
     • Access Department

  18. Privacy Rule
     Privacy and confidentiality are an essential part of CHPC’s policies and procedures. Our privacy policies apply to Protected Health Information in three forms:
     • Written
     • Verbal
     • Electronic

  19. Best Practices for Written PHI
     Medical Records
     • Keep locked in a secure area
     • Always sign out and sign in
     • Cover with a Confidentiality Statement page
     • When traveling, keep secure in car or on person

  20. Best Practices for Written PHI
     File Cabinets, Whiteboards, etc.
     • Keep cabinets locked
     • Place in secure area and/or behind locked doors
     • Keep the general public, or those who have no need to know, out of the secure areas
     • Don’t allow whiteboards to face windows or open doors

  21. Best Practices for Written PHI
     Desks and Loose Papers
     • Never leave desks with PHI unattended
     • Dispose of unnecessary paper PHI in recycle bins
     • Don’t bring paper PHI into general areas
     • Clean desk policy applies

  22. Best Practices for Written PHI
     Copiers, Printers and Fax Machines
     • Located in secure areas
     • Pick up print and copy jobs immediately
     • Use coversheets with Confidentiality Statements on all faxes
     • Call the recipient of a fax to confirm they received it
     • Check fax machines frequently for PHI

  23. Best Practices for Written PHI
     Staff Mailboxes
     • Must either be located in a secure area or must NOT contain PHI
     • Check frequently

  24. Question #5
     Which is not a best practice when using fax machines to send or receive PHI?
     • Double check the fax number before you send the fax
     • Use a cover sheet with a confidentiality statement
     • Call the recipient to make sure they received it
     • Never send faxes with PHI because it is not secure

  25. Question #6
     Where should written PHI be disposed of when it is no longer needed?
     • Turn it in to Medical Records
     • Trashcans
     • Shredders
     • Recycle Bins

  26. Best Practices for Verbal PHI
     Conversations
     • Need to know
     • Hold in private areas at all times
     • Never in public areas
     • Incidental disclosures

  27. Best Practices for Verbal PHI
     Telephones and Voicemails
     • Hold conversations in a secure area, not in public areas or within earshot of the public
     • Try to ensure the person on the other end is the person who should be receiving the PHI
     • Never leave PHI on a voicemail

  28. Question #7
     Which is a secure area for holding conversations containing patient information?
     • Cubicles in the team area
     • Hallways
     • Around the nursing station
     • In the restrooms

  29. The Security Rule
     The Security Rule applies only to PHI in an electronic format, whereas the Privacy Rule applies to PHI in any format. The Security Rule has three types of safeguards:
     • Administrative Safeguards – Policies and Procedures
     • Technical Safeguards – Restricting access to data transmitted over the network
     • Physical Safeguards – Physical computer and network facilities

  30. Facility Security Plan
     • Badges must be worn at all times
     • Visitors must sign in and remain in non-PHI areas
     • Reception areas control who enters the facility
     • Reception doors are the only open entrances; all other doors remain locked when not in use

  31. Facility Security Plan
     • Security button to access areas
     • Security cameras
     • Alarm System

  32. Workstation Use
     • Equipment and access determined by job description and supervisor
     • Use for business purposes only
     • May not leave workstation unattended while logged in
     • May not attach any peripheral device
     • Only organization-issued software and hardware may be used

  33. Workstation Use
     • Position monitors so they cannot be seen through doors, windows or from high-traffic areas
     • Computers and other technology may only be used by the person to whom the equipment was issued
     • Never share passwords or log another person in

  34. Information Security
     • All information on the network belongs to CHPC
     • May not send and receive files from home
     • May not email PHI or transmit PHI unless encrypted

  35. Technology Accountability
     • You are responsible for the security and care of company-issued hardware resources
     • Equipment and software may not be removed from the premises without permission from IT
     • Turn in all equipment upon termination of employment

  36. Internet Usage
     • Business purposes only
     • No downloads
     • No streaming video or audio
     • Internet usage is monitored

  37. Email Etiquette
     • Email is an official communication tool
     • Don’t use email for sensitive issues that should be discussed face-to-face
     • NO PHI IS SENT VIA EMAIL OUTSIDE OUR ORGANIZATION
     • Email usage is monitored

  38. Question #8
     Which of the following is not a good workstation use practice?
     • Logging out when you step away from your computer
     • Using the workstation to research medications or medical conditions
     • Using an external drive such as a thumb or jump drive with my workstation
     • Being cognizant of who can view my computer’s monitor

  39. Question #9
     Emails containing PHI may be sent to my co-worker internally, if they have a need to know, but may never be sent outside the network.
     • True
     • False

  40. Thank you
     • Amy Smith, Privacy/Security Officer – 989-2076
     • Sue Zogaria, Privacy Officer (Alternate) – 989-2113
     • Gordon Grieble, Security Officer (Alternate) – 989-2085
