TRAINING MODULE

The Health Insurance Portability and Accountability Act:

Privacy and Security Rules

The Purpose of this Training Module

As employees involved in Human Resources, it is imperative that we understand and apply the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

These Rules require that employees who may have access to Protected Health Information (PHI) be trained on the HIPAA Privacy and Security policies and procedures.

The ACWA/JPIA has made this module available to meet the training needs of employers and employees.

Course Objectives

As an employee who has been identified as having access to PHI, at completion of this Training Module you will be able to:

Demonstrate the basic HIPAA Rules regarding the use, transmission, security and privacy of healthcare data;

Recognize what is HIPAA-protected information and know how to manage it in accordance with HIPAA regulations; and

Manage and limit the risk associated with the improper disclosure of PHI.

Quiz Instructions

This training module contains 5 Lessons. Read the information provided in each Lesson, clicking the arrow at the bottom right of the slide to move forward.

At the end of each Lesson there is a quiz. Click the answer you believe is correct to move forward.

At the end of this module is a printable Certificate of Completion. You will need to print, sign and return this Certificate to Human Resources.

LESSON ONE

What is Protected Health Information and How Do You Recognize It?

Definition of Key Terms

Protected Health Information (PHI): Individually identifiable health information (past, present or future), including payment or treatment history, created or received by a Health Plan, Provider or Clearinghouse. PHI includes information on paper, spoken orally, or held or sent on electronic media.

Covered Entities (in our world: the Group Health Plan): Health Plans, Health Care Providers and Clearinghouses.

Summary Health Information: Aggregated utilization data (e.g. 3,100 hospital days used in March) that does not identify individuals.

De-identified Information: Information from which the identifying data (name, address, phone/fax numbers, email address, SSN, medical record number, etc.) has been removed, so that it no longer identifies an individual.
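The distinction above between PHI, de-identified information and summary health information is easier to see in code. The following is an added example, not part of the training module or of any ACWA/JPIA material: it strips the identifiers the module lists (name, address, phone/fax, email, SSN, medical record number) from a constructed claims-experience report, reduces dates, ages and ZIP codes the way the HIPAA "Safe Harbor" de-identification method (45 CFR 164.514(b)(2)) requires, checks that nothing identifying survives, and then aggregates what is left into summary health information. The field names, the sample records and the restricted ZIP prefix set are assumptions made for the example.

```python
import re
from collections import Counter

# Field names of the constructed report are an assumption of this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account_number", "ip_address",
}
DATE_FIELDS = {"date_of_birth", "service_date"}  # Safe Harbor: keep the year only
# Safe Harbor allows a 3-digit ZIP prefix unless the area it covers is sparsely
# populated; this set is illustrative, not the authoritative Census-derived list.
RESTRICTED_ZIP3 = {"036", "059"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
FREE_TEXT_PATTERNS = (SSN_RE, PHONE_RE, EMAIL_RE)


def scrub_text(text):
    """Redact SSN, phone and e-mail patterns that turn up inside free-text notes."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify_record(rec):
    """Return a copy of one claims row with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped outright
        if key in DATE_FIELDS:
            out[key + "_year"] = int(value[:4])        # "YYYY-MM-DD" -> year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "age":
            out["age"] = "90+" if value > 89 else value  # ages over 89 are aggregated
        elif isinstance(value, str):
            out[key] = scrub_text(value)               # notes and other free text
        else:
            out[key] = value
    return out


def residual_identifiers(rec):
    """Field names that still look identifying; an empty list means the row passes."""
    problems = [k for k in rec if k in DIRECT_IDENTIFIER_FIELDS]
    for key, value in rec.items():
        if key in problems or not isinstance(value, str):
            continue
        if any(p.search(value) for p in FREE_TEXT_PATTERNS):
            problems.append(key)
    return problems


def deidentify_report(records):
    """De-identify every row and refuse to return a report that still leaks."""
    cleaned = [deidentify_record(r) for r in records]
    leaks = {i: residual_identifiers(r) for i, r in enumerate(cleaned)}
    leaks = {i: fields for i, fields in leaks.items() if fields}
    if leaks:
        raise ValueError(f"identifiers survived de-identification: {leaks}")
    return cleaned


def summary_health_information(records):
    """Aggregate utilization, the module's 'summary health information'."""
    by_category = Counter(r["diagnosis_category"] for r in records)
    return {"claims_by_category": dict(by_category),
            "hospital_days": sum(r["hospital_days"] for r in records)}


# Constructed sample data for the example; these are not real people or claims.
SAMPLE_CLAIMS = [
    {"name": "Edna Example", "ssn": "123-45-6789", "email": "edna@example.com",
     "date_of_birth": "1951-03-09", "age": 92, "zip": "90210",
     "service_date": "2011-03-14", "diagnosis_category": "cardiac", "hospital_days": 4,
     "notes": "Call back at 555-123-4567 re: claim; SSN 123-45-6789 on file."},
    {"name": "Brad Example", "mrn": "MRN-0042", "phone": "555-987-6543",
     "date_of_birth": "1980-12-01", "age": 30, "zip": "03601",
     "service_date": "2011-03-20", "diagnosis_category": "orthopedic", "hospital_days": 2,
     "notes": "Follow-up scheduled."},
    {"name": "Maria Example", "ssn": "987-65-4321", "address": "1 Main St",
     "date_of_birth": "1975-07-22", "age": 35, "zip": "94105",
     "service_date": "2011-03-02", "diagnosis_category": "cardiac", "hospital_days": 6,
     "notes": "Member asked for an EOB copy at maria@example.org."},
]

if __name__ == "__main__":
    report = deidentify_report(SAMPLE_CLAIMS)
    for row in report:
        print(row)
    print(summary_health_information(report))
```

Free-text fields such as claim notes are where identifiers most often survive a de-identification pass, which is why the check scans every string field rather than only the columns you expect. A record that fails the check is still PHI and must be handled under the rules in the lessons that follow.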

Definition of Key Terms (cont'd)

Health Plans: Medical, dental, vision plans, etc., whether insured or self-insured.

Health Care Providers: Doctors, hospitals, etc.

Health Care Clearinghouse: An entity that converts health information between standard and nonstandard formats, such as a third-party billing service. (Third-party administrators (TPAs) that handle the Plan's claims are generally Business Associates; see the next slide.)

Treatment, Payment and Health Care Operations (TPO): Treatment (by Providers); Payment (claims processing, e.g. by TPAs); and Health Care Operations (administration, quality assessment, etc.).

Definition of Key Terms (cont'd)

Business Associates: Brokers, benefits consultants, TPAs, actuaries, attorneys, CPAs, etc., who use PHI on the Plan's behalf.

Employer/Plan Sponsor: NEITHER a Covered Entity NOR a Business Associate.

Electronic Media:

Storage media: hard drives, tapes, discs and removable media such as flash drives; and

Transmission media: the Internet, intranets, extranets, leased lines, dial-up lines, LANs and private networks;

BUT NOT paper-to-paper faxes or voice telephone calls and voicemail, because the information did not exist in electronic form before it was sent.

Examples of PHI

Claims experience reports with names, social security numbers, diagnoses, etc.;

Explanations of Benefits (EOBs);

Physician/hospital bills for services rendered to a Plan Participant;

Verbal or written information on an individual's claim or treatment; and

Medical, dental, vision or mental health files and records.

A Word About Census Data

If it is by name or otherwise individualized, it is technically PHI.

However, the Privacy Rules do not apply if the data is used for employment-related activities.

What Information is NOT PHI

Not everything with medical information is protected by HIPAA's Rules. Here are some examples of what is NOT protected:

Information required for Workers' Compensation, Fit-for-Duty or Return-to-Work determinations, FSAs, HSAs, or any other information held in the employer's employment records;

Rules on eligibility for benefits coverage (waiting periods, benefits offered to different classes of employees, contribution information);

Plan design questions; and

Summary health information (de-identified data, aggregated claims experience, etc.).

Lesson One Quiz

Which one of these is PHI?

1. A birthday card to individual staff members from Human Resources.

2. Human Resources notifies HR staff that Edna is sick and would love some home-cooked meals.

3. A Kaiser nurse tells a friend that Brad Pitt is her patient.

4. Human Resources tells an employee that the plan covers in vitro fertilization.

Correct answer: 3.

Answer Explanation: Lesson One

Answer 3 is PHI: Kaiser is a Covered Entity (a Provider and a Plan). The fact that Brad is receiving treatment is PHI, and the nurse has no permission to disclose it.

Answers 1, 2 and 4 are not PHI:

1. The birth date is information the employer uses for employment reasons; it did not come from the group health plan.

2. With Edna, you can presume she authorized the request for home-cooked meals, and HR did not disclose the illness. This is NOT a good practice, though.

4. Plan design information is not PHI.

LESSON TWO

The Patient's Right to Privacy

Patients' Rights

1. Right to access their PHI;

2. Right to request restrictions on PHI disclosures (e.g. to family members);

3. Right to receive PHI in a confidential manner (e.g. by secure email or at an alternative address);

4. Right to inspect and copy PHI (with restrictions for psychotherapy notes);

5. Right to amend PHI (e.g. add an explanation or correct an error); and

6. Right to an accounting of disclosures of their PHI (disclosures made for treatment, payment and health care operations are excluded from the accounting).

The Patient's Right to Privacy

The patient's right to privacy of health information is absolute. ALMOST . . . The health care industry would come to a grinding halt unless there were exceptions to this right.

The usual rule is that the patient's/plan participant's written authorization is required to use or release this information to third parties. Users must have written authorization unless the use or release of the information falls under one of the exceptions specified in the HIPAA Rules.

The Patient's Right to Privacy (cont'd)

HIPAA Rules allow the release or use of PHI without the individual's authorization in the following circumstances:

By Covered Entities (e.g. the Group Health Plan) for treatment, payment or health care operations. Covered Entities do not need authorization as long as the PHI is used for these purposes.

When required by law. For example: a public health authority investigating disease, injury or death; reports about victims of abuse; the Food and Drug Administration investigating drug interactions; or law enforcement and judicial proceedings.

When Used By Business Associates

Business Associates of Covered Entities include auditors, lawyers, consultants, data collection organizations and billing firms, or others with whom the Covered Entities have agreements involving the use of PHI.

PHI may be disclosed to Business Associates for purposes of:

Processing claims, billing, or analyzing data;

Performing benefit management services; and

Providing legal, actuarial or accounting services.

HIPAA requires a Business Associate Agreement between the Plan (as Covered Entity) and each Business Associate before PHI is shared.

Plans Must Disclose How They Intend to Use PHI: Notice of Privacy Practices (NOPP)

A health plan must provide plan participants with a NOPP at enrollment and remind them at least every three years that the notice is available. (A health care provider with a direct treatment relationship must also make a good-faith effort to obtain each patient's written acknowledgment of receiving it.)

The NOPP must inform the plan participants of:

The uses and disclosures of PHI that the Covered Entity may make;

The individual's rights to access and amend their medical information; and

The Covered Entity's responsibilities with respect to PHI.

Lesson Two Quiz

Q-1. A visitor comes to Human Resources and identifies herself as Charlie's lawyer, Ima Shyster. You received a call from Charlie (you think) telling you that "Ima" will be coming by and asking whether you can release Charlie's PHI to Ima. Do you release Charlie's PHI?

1. YES, release the PHI.

2. NO, do not release the PHI to Ms. Shyster.

Correct answer: 2.

Answer Explanation: Lesson Two Q-1

No. You cannot give Charlie's PHI to Ms. Shyster until Charlie gives you written authorization.

When releasing information to third parties, the Plan must have a written authorization. A phone call is not good enough, even if you think you recognize Charlie's voice. Verify a requester's identity and authority from documentation on file, not from what the requester tells you.

Q-2. You are having lunch with a co-worker who tells you that John, another employee, fell in the office yesterday. She asks you if he was injured. What can you say to her?

1. This would be a Workers' Comp claim if he was hurt.

2. An ambulance took him to the hospital.

3. This is the second time John has fallen at work.

4. All of the above.

5. None of the above.

Correct answer: 4.

Answer Explanation: Lesson Two Q-2

Answers 1, 2 and 3 are all acceptable, so "All of the above" is correct:

1. OK, since the HIPAA Privacy Rules do not apply to Workers' Comp claims (they are employment related).

2. OK, since ambulance transportation information is not PHI (no treatment information).

3. OK, since the first fall was also Workers' Comp related (no disclosure of injury or treatment).

Q-3. An adult patient was transferred from a hospital to a skilled nursing facility for long-term care. Prior to the transfer, the hospital social worker called Adult Protective Services (APS) with a concern that family members were neglecting the patient and using the patient's money for their own benefit. APS then came to our facility asking to review the patient's medical record. Do we need written permission to release the medical records?

1. YES, get written permission.

2. NO, let APS review the patient's medical record.

Correct answer: 2.

Answer Explanation: Lesson Two Q-3

No. APS and Child Protective Services have authority under state law to obtain the information they need to investigate cases under their jurisdiction, and HIPAA permits disclosures about suspected abuse or neglect to a government authority authorized by law to receive them.

Because APS has an open investigation in this case, the caseworker has legal authority to review the patient's medical record or obtain copies without authorization from the patient or the patient's legal representative. Verify the caseworker's identity and agency before releasing the record, and log the disclosure so it can be included in an accounting of disclosures.

LESSON THREE

As Someone Who May Handle or Even Create PHI, What Must You Do to Make the Information Secure?

Physical Safeguards Implementation

The Security Rule requires a number of physical steps to ensure that PHI held on computers is properly protected from fire and environmental hazards, as well as from intrusion. Physical safeguards apply to the work areas where PHI is handled (cubicles, offices, examination rooms, file rooms):

Lock file cabinets;

Protect data (such as records on laptops) while traveling;

Maintain records of what data is stored and where; and

Dispose of PHI securely when it is no longer needed and retention rules permit.

Electronic Safeguards Implementation

The Security Rule also requires the following electronic safeguards (the Rule calls them technical safeguards) to be implemented:

Require password protection, with a unique user ID for each person;

Limit login capabilities to those who need access, and log off or lock idle sessions;

Lock media up when not in use;

Protect data against malicious software; and

Implement a data backup plan.

Administrative Safeguards Implementation

Administrative Safeguards include the development, implementation and monitoring of policies and procedures designed to prevent, detect, contain and correct security violations:

Conduct security awareness and training;

Conduct audits of the use and storage of media;

Assure minimum necessary disclosures; and

Test procedures and revise them as needed, including with subcontractors.

Lesson Three Quiz

Q-1. You are working late. You notice a janitor cleaning the next office. He has been there a while and a file drawer is open. What should you do?

1. Call the Privacy/Security Officer at your first opportunity if a breach is suspected.

2. Dismiss it as no big deal.

3. Tell the Privacy/Security Officer the next time you see him or her.

4. Go to the room, determine if the drawer may contain PHI, and if so, secure the file drawer.

5. Both Answers 1 and 4.

Correct answer: 5.

Answer Explanation: Lesson Three Q-1

5. is correct. Inspect the area for a possible breach of PHI and secure the drawer if needed. Call the Privacy Officer at your first opportunity if a breach is suspected.

Answers 1. through 4. are incomplete or wrong on their own:

1. First make a preliminary identification of the drawer's contents (a drawer full of coffee mugs does not need to be reported as a possible breach).

2. You cannot just dismiss the incident. Some investigation is necessary.

3. You cannot wait until you run into the Privacy Officer at lunch. There is urgency, and you have a duty to mitigate a possible breach.

4. Common sense dictates that you should investigate the open drawer and also report any possible breach immediately.

Q-2. You are assisting a plan participant, Maria, to resolve a claims problem. You have taken notes, received copies of medical records, and it is time for lunch. Should you:

1. Take Maria's records with you to lunch.

2. Destroy the records.

3. Turn the documents upside down and go to lunch.

4. Leave the records in the back seat of your car.

5. Lock the records in your desk.

Correct answer: 5.

Answer Explanation: Lesson Three Q-2

5. is OK. By putting the records in your locked desk, you have protected the PHI.

Answers 1., 2., 3. and 4. are incorrect:

1. Bringing the PHI into a public place is not a good idea. You must protect and secure the PHI.

2. There is no need to destroy the records. You may not be done with the matter.

3. Leaving PHI available on a desktop, even if upside down, could leave the information vulnerable to a breach.

4. A car is not a secure location. The same rule applies to talking about the matter: you cannot tell your dinner guests about it, even if they know Maria.

Q-3. You have saved the notes and documents regarding Maria's claim problem on a flash drive. Is the PHI secure if you...

1. Lock it up with other PHI at the office.

2. Keep the flash drive in your purse or briefcase.

3. Store the flash drive in your unlocked desk drawer with other office supplies.

4. Keep it at home on your desk where no other employees can access it.

Correct answer: 1.

Answer Explanation: Lesson Three Q-3

Answer 1. is correct. As this PHI is unencrypted and not in current use, it should be kept locked up at the office with other PHI. The Security Officer should periodically purge PHI that is no longer needed. (Encrypting the drive would make its contents secured PHI under HITECH, covered in Lesson Four, but it does not remove the need to keep the drive locked up.)

Answers 2., 3. and 4. are incorrect:

2. A purse or briefcase is not necessarily a secure location. Purses and unlocked briefcases may be stolen or easily accessed.

3. A flash drive sitting in an unlocked drawer, even though its contents are not in an openly readable format, is very easily taken and read.

4. Storing PHI at home is never a good idea, especially when it is not locked up. This is unsecured PHI.

Q-4. The General Manager asks you about Maria's problem. What should you do?

1. Stonewall the GM.

2. Respond by saying you are helping her with a health claim and, as such, you cannot go into detail without violating your HIPAA obligations.

3. Disclose the minimum necessary PHI.

4. Disclose just enough to make the GM go away.

Correct answer: 2.

Answer Explanation: Lesson Three Q-4

Answer 2. is correct. It is OK to provide non-PHI such as "I am helping her get a medical claim adjudicated properly."

Answers 1., 3. and 4. are incorrect:

1. Stonewalling is probably not a good idea. You might create a performance problem for yourself.

3. Disclosing "minimum necessary" PHI is not OK here. The GM has no role in the claim, so you cannot disclose any PHI, even a little bit, without violating your HIPAA obligations.

4. Same as Answer 3.: you cannot disclose even a little bit of PHI!

LESSON FOUR

Procedures in the Event of a PHI Breach

Procedures in the Event of a PHI Breach

In 2009, as part of the American Recovery and Reinvestment Act, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH), which sets the federal standards for what one must do in the event of a breach that exposes PHI:

Comply with all the Rules promulgated for breach notification;

Encrypt or destroy PHI, eliminating "unsecured PHI"; and

Cooperate with the Office for Civil Rights (OCR) in any investigation.

HITECH Definitions

Secured PHI: PHI that has been rendered unusable, unreadable or indecipherable to unauthorized persons, by encryption or by destruction in accordance with HHS guidance.

Unsecured PHI: PHI that has not been secured in this way, in any form: on paper, in use, in transit internally, or redacted or aggregated but not fully de-identified.

Breach: An incident in which all of the following are true:

The information involved is not encrypted or fully destroyed (it is unsecured PHI);

It is acquired, accessed, used or disclosed in an unauthorized manner; and

The incident poses a risk of financial, reputational or other harm to the individual.

(Since the 2013 Omnibus Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate can show, through a documented risk assessment, a low probability that the PHI has been compromised.)

Breach Exceptions

HITECH includes three exceptions to the definition of "breach": situations where a violation of the Privacy Rule has occurred, but the violation is not considered a breach. These exceptions are when:

The PHI was acquired, accessed or used unintentionally by a workforce member acting in good faith and within the scope of his or her authority, and it was not further used or disclosed;

The PHI was disclosed inadvertently by one person authorized to access it to another person authorized to access it at the same entity, and it was not further used or disclosed; or

The recipient of the information would not reasonably have been able to retain it.

Whether a breach exception applies should be determined by the Privacy Officer or HITECH Security Officer when a possible breach is reported, not by the employee who discovers it.

Notice Requirements for Covered Entities after a Breach Occurs

The HITECH Rule requires Covered Entities to provide:

A notice to all affected individuals without unreasonable delay, and no later than 60 days from the date of discovery of the breach;

Written notice by first class mail to the individual, or to the next of kin if the individual is deceased;

If the breach involves 500 or more residents of a state or jurisdiction, notice to prominent media outlets; and

Notice to the Department of Health and Human Services (HHS): at the same time as the individual notices for breaches involving 500 or more individuals, and in an annual log for smaller breaches.

Lesson Four Quiz

Q-1. You work from home. You bring paper files home following proper office safeguards. The dog ate them! Actually, you hope the dog ate them, because you can't find them anywhere. What is your first obligation?

1. Find a new job.

2. See if you can reproduce the lost files for the office.

3. Wait 30 days to tell your Supervisor in case you find them; the HITECH Rules give you 60 days.

4. Continue your search, but call your Supervisor immediately.

5. Follow the dog closely when he goes outside.

Correct answer: 4.

Answer Explanation: Lesson Four Q-1

4. is OK. You must continue your search and call your Supervisor. These are your priorities.

Answers 1., 2., 3. and 5. are incorrect. The HITECH Regulations require you to mitigate any potential breach, and the 60-day notification clock is the Plan's deadline, not a grace period for you; it starts running on the day the loss is discovered.

Did someone break into your car?

Was the housekeeper or au pair around when you got home?

Did it get buried in the mail you just picked up?

You have a major duty to investigate.

Q-2. If a breach of PHI is identified, which of the following is the correct procedure?

1. If the breach involves 500 or more individuals, you must notify the media.

2. Notify all affected individuals within 90 days.

3. Notification can be made by bulk mailing to affected individuals.

4. Wait to see if a possible breach is reported by more than one person.

Correct answer: 1.

Answer Explanation: Lesson Four Q-2

Answer 1. is correct. For large breaches, Covered Entities must inform the public through the media.

Answers 2., 3. and 4. are incorrect:

2. Affected individuals must be notified within 60 days of discovery.

3. Notification must be sent by first class mail to each affected individual.

4. Once a possible breach is reported, whether by one individual or more, it must be investigated.

LESSON FIVE

What Are the Penalties for Failure to Comply with HIPAA's Rules?

HIPAA Compliance and Enforcement

It is important to note that failure to comply with the Privacy or Security Rule not only can lead to significant disciplinary action but also can lead to considerable financial and other types of penalties and fines.

Recent laws have increased the civil penalty amounts, which are determined by the type of violation.

Civil Penalties for Noncompliance

No Knowledge: Where a person did not know (and by exercising due diligence would not have known) of a violation, the minimum penalty is $100 per violation, with a cap of $25,000 for identical violations during a calendar year.

Reasonable Cause: Where a violation is due to "reasonable cause," the minimum penalty is $1,000 per violation, with a cap of $100,000 for identical violations during a calendar year.

The maximum penalty allowed for "no knowledge" or "reasonable cause" violations is $50,000 per violation, with a cap of $1.5 million for identical violations during a calendar year.

(These are the amounts set by HITECH in 2009; HHS adjusts them for inflation, so the current figures are higher.)

Civil Penalties for Noncompliance (cont'd)

Willful Neglect: Where a violation is due to "willful neglect" but is corrected within 30 days, the minimum penalty is $10,000 per violation, with a cap of $250,000 for identical violations during a calendar year.

If the willful neglect violation is not corrected within 30 days, the minimum penalty increases to $50,000 per violation, with a cap of $1.5 million for identical violations during a calendar year.

Lesson Five Quiz

Q-1. An external disk drive containing the eligibility list and related PHI of the group health plan is discovered missing. You observe an unauthorized individual leaving the building. What should you do next?

1. Call the Security Officer.

2. Call building security.

3. Take down the individual's license plate number and call the police.

4. Answer 1. or 2., based on the situation.

Correct answer: 4.

Answer Explanation: Lesson Five Q-1

4. is OK. You must mitigate when the circumstances allow it.

Answers 1., 2. and 3. are incomplete on their own:

1. If it is clear that the event is over, then this is the correct answer: call the Security Officer.

2. On the other hand, if you think you see the perpetrator walking through the office, you have a duty to take steps to mitigate the loss: call building security.

3. Leave identification of the individual to security; they are trained for it.

Q-2. As part of your job, you have been asked to study and report on the frequency of cancer claims filed under the group health plan in the last 3 years. You obtained and printed out information from encrypted records provided by the TPA. You have now completed the project and have no apparent need for the data. What should you do next?

1. Take the print version and the report in hard copy, two-hole punch them, and put them in your research files (locked file cabinet).

2. Keep the encrypted data pending your Supervisor's approval to destroy it.

3. Destroy it now. You can always retrieve the basic data from the TPA.

4. Put it in the paper recycle bin.

Correct answer: 2.

Answer Explanation: Lesson Five Q-2

Answer 2. is correct. Data that remains encrypted meets the HITECH standard for secured PHI. You can destroy it, but we suggest you wait until you know the project is complete. The paper printout is another matter: it is unsecured PHI and should be shredded as soon as it is no longer needed.

Answers 1., 3. and 4. are incorrect:

1. There is no need to give life to a hard copy of the underlying data. There is also no need to have the report in hard copy, and a locked file cabinet is not always locked.

3. If you destroy the data and then need to modify your report, you will need to retrieve the data again, decrypt it, use it and re-encrypt it. Leaving your data encrypted until you know the project is complete avoids the additional steps and the re-creation of an unencrypted record.

4. Even if your paper report will be destroyed at some point, it is available to "dumpster divers" in the meantime. Paper PHI must be shredded, not recycled.

FINAL STEPS

Completing This HIPAA Training

Identify All Employees Needing This Training

If you are a Supervisor:

Assure that training is extended to your staff.

Establish inspection teams to identify deficiencies.

Your Security Officer can provide checklists and FAQs to assist in ongoing compliance.

Develop alternative training materials and methods.

Make sure that you and your staff receive periodic refresher training.

Where to Get Help?

The Human Resources Manager

The Security Officer

The HITECH Security Officer

Certificate of Completion

Print and complete the Certificate of Completion provided with this Training: print your name, fill in the date, and sign the Certificate.

Take the completed Certificate to Human Resources.

You are Done!