HIPAA Privacy and Security Training for Researchers

1 HIPAA Privacy and Security Training for Researchers Version April 2017 Mountain States Health Alliance Bringing Loving Care to Health Care 1

2 Course Objectives

This learning course covers HIPAA, HITECH, and the MSHA Privacy and Security Program.

- Acronyms and Terms
- HIPAA and HITECH Overview (HIPAA Privacy Rule and Security Rule)
- Requirements of the Law
- The concept of protected health information (PHI)
- Permitted and Prohibited uses and disclosures of PHI
- MSHA Policies & Procedures
- HIPAA applied to real-life situations
- Specifics for research

3 Definitions and Terms

- ARRA: American Recovery and Reinvestment Act, commonly referred to as the Stimulus or The Recovery Act.
- Breach: Improper access, use, or disclosure of Protected Health Information.
- Business Associate (BA): A person or company that accesses PHI because of its relationship with a covered entity. The HIPAA responsibilities of the BA are outlined in a business associate agreement between the BA (or company of employment) and the covered entity. A company that types/transcribes medical reports for a hospital or physician office is one example.
- Covered Entity (CE): Health plan, Health care clearinghouses, and Health care providers who conduct certain financial and administrative transactions electronically. MSHA is a covered entity.

4 Definitions and Terms

- Protected Health Information (PHI): Individually identifiable health information in any form, oral and recorded, that relates to the past, present, or future physical or mental health or condition of an individual, including demographic information.
- Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside the entity that holds the information.
- DHHS: Department of Health and Human Services
- HIPAA: Health Insurance Portability and Accountability Act. The HIPAA Security Rule was implemented in
- HITECH: Health Information Technology for Economic and Clinical Health Act, a 2009 provision of the American Recovery and Reinvestment Act (ARRA).

5 Definitions and Terms

- Minimum necessary: Use, access, and disclosure of PHI by a covered entity or business associate are limited to the minimum amount of information necessary to accomplish the required task.
- Office of Civil Rights (OCR): Entity of DHHS responsible for enforcing the HIPAA privacy and security rules.
- Privacy officer: Individual designated by a covered entity to oversee HIPAA Privacy Regulation compliance. Contact the MSHA HIPAA Officer with any questions.
- De-identified information: PHI which has been sufficiently stripped of identifying information (obtain list of 18 PHI identifiers) so that the person to whom it belongs can no longer be identified.

6 Privacy Laws and Regulations

There are many federal and state laws regarding privacy of patient information. One such federal law is the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

HIPAA sets forth regulations for improved efficiency in healthcare delivery by patient information; requiring health identifiers; and creating Privacy standards.

HIPAA brought about two rules:
- Privacy Rule: compliance date of April 2003
- Security Rule: compliance date of April 2005

7 What are ARRA and HITECH?

- American Recovery and Reinvestment Act (ARRA), Public Law is an economic stimulus package which was signed into law on February 17,
- Health Information Technology for Economic and Clinical Health (HITECH) Act is the part of the ARRA law that deals with many of the health information communication and technology provisions, including Subpart D Privacy.
- In January of 2013, the Department of Health and Human Services issued the Final Rule implementing HITECH's statutory amendments to HIPAA.

8 Enforcement of HIPAA

- The Department of Health and Human Services (DHHS) is a department of the federal government that has overall responsibility for implementing and enforcing HIPAA.
- Office of Civil Rights (OCR) is responsible for implementing and enforcing the Privacy and Security Rules.
- MSHA Corporate Audit and Compliance Services department is responsible for monitoring and assessing MSHA compliance with HIPAA.

Potential Penalties:
- Civil
- Criminal
- Federal lawsuit
- Loss of professional license
- Employer corrective action including termination

9 Criminal Liability of the American Recovery and Reinvestment Act:

Clarified that employees of covered entities may be held criminally liable for obtaining or disclosing individually identifiable health information maintained by covered entities without authorization.

- Who? Individuals who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA
- What? A fine from $50,000 up to $250,000 and imprisonment from one year up to ten years

10 Privacy Rule: Administrative Requirements

The Privacy Rule contains many other requirements that MSHA must comply with, such as:

- Business Associate Contracts: Under certain conditions, MSHA is required to maintain legal contracts with business partners whose activity may involve the use or disclosure of individually identifiable health information. MSHA Legal Counsel should be consulted regarding contracts when patient information is involved.
- De-Identification of PHI: Under certain scenarios, information can be used or disclosed if de-identified. Refer to MSHA policy De-Identification of Protected Health Information IM for details.
- Minimum Necessary: When using or disclosing PHI or when requesting PHI, a reasonable effort must be made to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Refer to MSHA policy IM Minimum Necessary Use and Disclosure of Protected Health Information for details.

11 Privacy and Security Rule

- The Privacy Rule is intended to protect the privacy of an individual's health information, regardless of whether the information is written, spoken, or stored in a computer.
- The Security Rule provides protection of all health information that is housed or transmitted electronically.

12 Privacy Rule

MSHA follows the Privacy Rule, which describes many ways an organization may use or disclose a patient's protected health information, including:

- To the Individual; To Others Involved in the Individual's Care
- For Treatment, Payment, or Health Care Operations ("TPO")
- When an authorization from the patient is required
- Within the Facility Directory
- Disclosure of PHI when required by law; For Public Health or Health Oversight
- Law Enforcement Purposes; Research Purposes; For Organ Donation; For Workers' Compensation; others
- For Disclosures about Victims of Abuse, Neglect, Domestic Violence

13 Treatment, Payment and Health Care Operations (TPO)

HIPAA permits use and disclosure of PHI for TPO:

- Treatment: the provision, coordination or management of care and services, including the coordination by provider with a third party; consultation between health care providers; or referral from one provider to another.
- Payment: activities to obtain or provide reimbursement for services; billing, claims management, collection activities; review for medical necessity; utilization review, pre-certification and pre-authorization of services; disclosure to consumer reporting agencies; others.
- Health Care Operations: operating activities such as conducting quality improvement activities; reviewing competence of health care professionals; underwriting, premium rating, etc.; medical review, legal services, auditing; business planning/development; others.

Disclosures for TPO purposes do not require a provider to obtain authorization from the patient.

14 Privacy Rule: Permitted Uses and Disclosures

While the Privacy Rule describes many ways that permit MSHA to use and disclose patient information, BEFORE using or disclosing any patient information you must refer to MSHA policy IM Release, Use, and Disclosure of Patient Information and MR Release of Medical Records for the Purpose of Research for details.

No MSHA team member or researcher shall disclose information without first knowing:

- To whom they are disclosing the information
- Whether the recipient is authorized to receive the information
- Whether the requested information is appropriate for the content and purpose of the request
- Whether applicable content of this policy has been addressed in the process of disclosing the information.

15 HIPAA Identifiers

If the information includes any of the identifiers below of the patient or the patient's relative, household member, or employer, the information is considered identifiable and subject to the HIPAA Rules.

1. Names
2. All geographic subdivisions smaller than state
3. All dates related to an individual, including DOB, admission date, discharge date, death date, and all ages over
4. Telephone numbers
5. Vehicle identifiers and serial numbers including license plate numbers
6. Fax numbers
7. Device identifiers and serial numbers
8. E-mail addresses
9. URLs
10. IP addresses
11. Social Security Numbers
12. Medical Record Numbers
13. Biometric identifiers, including finger and voice prints
14. Health plan beneficiary numbers
15. Full-face photographs
16. Account numbers
17. Any other unique or identifying characteristic, number or code
18. Certificate or license numbers

16 PHI Receiving Special Protections

The HIPAA Rules recognize certain categories of PHI as ultrasensitive and require special protections of such information.

- Mental and Behavioral Health records
- Psychotherapy Notes
- STD testing
- HPV testing
- Alcohol or Drug abuse records
- Genetic Testing

17 Privacy Rule: Authorizations

There are many reasons, including research, that information about a patient is used within MSHA or disclosed outside of MSHA.

Generally, an authorization is not required to use or disclose patient information to carry out Treatment, Payment, or Health Care Operations ("TPO"). Other exceptions may apply.

MSHA also discloses patient information as required by law or as required reporting, which does not require patient authorization. Examples include:

- Birth data to the TN Dept of Vital Statistics
- Cancer data to the State Tumor Registry
- Data to Protective Services Agencies (for victims of crime, abuse, or neglect)
- Many others

18 HIPAA and Research Data

The HIPAA Rules regulate how protected health information may be obtained and used for research purposes. This is true whether the PHI is completely identifiable or partially de-identified in a limited data set.

In order to use PHI for research purposes, appropriate HIPAA documentation must be obtained, including either:

1. Individual patient authorization; or
2. Approved waiver of authorization from the IRB

MSHA utilizes the service of the ETSU IRB; therefore, HIPAA requirements for accessing and using PHI for research can be found on the University's IRB website:

19 Notice Of Privacy Practice (NPP)

The Notice of Privacy Practices is a requirement of HIPAA. The NPP describes how MSHA uses and discloses a patient's information and how the patient can access information.

The NPP must be:
- Given to each patient at time of registration
- Posted in registration areas
- Signed: acknowledgement of receipt must be obtained from the patient
- Posted on MSHA website

Access the MSHA NPP by using the link below

In research: HIPAA information must be presented as a free-standing form or be included in the Informed Consent Form (ICF). If there is no direct contact with the patient, then a HIPAA Waiver can be requested from the IRB.

20 Patient Rights

A patient has the right to:

- Access his/her record (research record not included)
- Receive a notice (notice of privacy practices) that tells you how your health information may be used and shared.
- Request restrictions/confidential communications about the use and disclosure of their PHI.
  - Restriction for Out-of-Pocket Payments: Patient may restrict disclosure of protected health information to a health plan when the patient has paid out-of-pocket in full for the services. Refer to MSHA IM Request for Restriction of the Use and/or Disclosure of Patient PHI.
- Request to amend specific portions of their record. MSHA may deny the amendment, but must have a procedure available for the patient to request the amendment. Refer to MSHA policy IM Corrections/Amendments to the Medical Record.
- Request a copy of the accounting of disclosures. MSHA is required to keep a history of when and to whom information was disclosed about a patient for purposes other than treatment, payment or health care operations. Refer to MSHA policy IM Accounting of Disclosures of Protected Health Information.

21 Privacy and Security Program

Additional HIPAA Administrative Requirements:

- MSHA must provide education to the work force on the policies and procedures.
- MSHA may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who makes a complaint.
- Team members must promptly report all HIPAA concerns. Review IM Reporting of Potential or Actual Breaches of Patient Protected Health Information

Remember, just because you have the ability to access a record does not mean you are authorized under the law to do so. You are only authorized to access protected health information when necessary to perform your job!

22 De-identified Data (in research)

The HIPAA Rules do not restrict the use or disclosure of de-identified health information, because the information is not considered PHI if it is de-identified. The primary purpose of HIPAA is to protect the privacy of the individual when it comes to their health information. If the individual cannot be identified, the risk to the individual's privacy is minimal.

Two Methods to Achieve De-identification:

Safe Harbor Method
1. Removal of all 18 HIPAA identifiers; and
2. The covered entity possesses no actual knowledge that the remaining information could be used to identify the individual.

Expert Determination Method
1. Expert determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the individual; and
2. Expert documents the methods and risk results of the analysis that justify such determination

Information is de-identified and no longer considered PHI. HIPAA restrictions do not apply!
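A sketch of the first Safe Harbor step applied to one research record, added here as an illustration and not taken from the MSHA training or any MSHA system. The column names and the sample record are constructed; the pattern list is an assumption and does not by itself satisfy either Safe Harbor condition.

```python
import re

# Hypothetical column names for a constructed research extract, grouped by the
# identifier categories on the slide. A real extract needs its own mapping.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip",        # names, geography below state
    "dob", "admission_date", "discharge_date", "death_date",   # dates tied to the individual
    "phone", "fax", "email", "url", "ip_address",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "fingerprint_id", "face_photo",
}

# Identifiers that tend to hide inside text fields that are otherwise kept.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def scrub_record(record):
    """Drop identifier columns, redact identifier patterns in retained text,
    and report what was done so the result can be reviewed."""
    clean, dropped, redactions = {}, [], []
    needs_review = False
    for field, value in record.items():
        if field.lower() in IDENTIFIER_FIELDS:
            dropped.append(field)          # whole column removed
            continue
        if isinstance(value, str):
            for kind, pattern in TEXT_PATTERNS.items():
                value, count = pattern.subn(f"[REDACTED:{kind}]", value)
                if count:
                    redactions.append((field, kind, count))
            # Names and "any other unique characteristic" cannot be pattern
            # matched, so surviving free text is routed to a human reviewer.
            if " " in value.strip():
                needs_review = True
        clean[field] = value
    return {
        "clean": clean,
        "dropped": sorted(dropped),
        "redactions": redactions,
        "needs_manual_review": needs_review,
    }


# Constructed sample record; every value is invented.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "dob": "1950-02-03",
    "zip": "37604",
    "state": "TN",
    "diagnosis_code": "E11.9",
    "hba1c": 7.2,
    "note": "Pt called from (423) 555-0142 on 03/14/2016; "
            "portal login from 10.20.30.40, contact jane@example.org.",
}

if __name__ == "__main__":
    result = scrub_record(SAMPLE_RECORD)
    for key, value in result.items():
        print(key, "=", value)
```

The second Safe Harbor condition (no actual knowledge that the remaining data could identify the person) is a judgment the covered entity makes and cannot be checked by code.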

23 Privacy and Security Program

MSHA must reasonably safeguard PHI from intentional or unintentional use or disclosure:

- Work force must reasonably safeguard PHI to limit incidental uses or disclosures.
- MSHA must apply sanctions when there is failure to comply with the privacy policies and procedures.
- MSHA work force members needing access to their own or a family member's medical record should contact the Medical Records department per policy IM Team Member Access to Their Own or Family Members Medical Record Protected Health Information (PHI).
- MSHA must implement policies and procedures with respect to PHI that are designed to comply with the HIPAA Rules. Review MSHA policy IM Privacy and Security Program.

24 Privacy and Security Program: Handling Work of Someone You Know

You are expected to maintain the confidentiality of patient information. You may have access to and become knowledgeable about information of individuals who are known to you, such as current and previous family members, friends, and co-workers. You should not access patient information that may place you or the patient in a compromising position or present a conflict of interest.

Steps for a work force member to take, when possible:

- Contact Supervisor/Manager to request the work be re-assigned.
- If a Supervisor/Manager is not readily available, then ask, as appropriate, another co-worker to complete the necessary work.
- If no other co-worker is available, and a Supervisor/Manager is not readily available, proceed with completing the work to ensure that patient care is not compromised. Notify a Supervisor/Manager of the occurrence.

Refer to policy IM Handling of Work of Someone You Know

25 Where is PHI in a Healthcare Organization?

- Verbal Conversations
- Paper Documents and Reports
- Computers and Technology

Consider where electronic PHI may be stored:

- E-mails
- Files saved on a computer/laptop/tablet
- Shared network drives
- Flash drives/USB
- DVDs/CDs
- Cloud storage

26 HIPAA Knowledge Check

When entering a patient treatment area to discuss the patient's medical condition, lab results, or treatment and the patient has visitors in the room, the caregiver should courteously ask the visitor(s) to please step out of the room for a minute.

o True
o False

Answer: True. As caregivers it is our responsibility to be the patient's ambassador and ensure the patient has given us authorization to disclose their PHI with family, friends, and others.

27 Patient Information Inquiries

It is the practice of MSHA to release information to the media in the same manner as the release to the general public; however, all requests for information from the media must be directed to the Department of Marketing / Public Relations. If requested for research, then permission to release must be granted by the Director of the research department.

General Public: When a visitor or caller requests information about a patient, unless the patient has opted out of the facility directory, generally only the following can be provided:

- Patient Name
- Patient Location
- Patient Condition

The caller MUST ask for the patient by name.

Review policy CM Release of Patient Information to the Media.

28 Patient Information Inquiries

- At the time of registration, a patient may request that no information be released. Review IM Request for Restriction of the Use and/or Disclosure of Patient Protected Health Information. Exemption: agreement to participate in research study
- Information about patients under substance abuse care is more restrictive.
- In the event of a disaster, existing disaster protocols should be followed.
- MSHA has a VIP (Very Important Partner) program available for patients who are admitted as an inpatient. Review P&P PC Very Important Partner (VIP) Program.

29 MSHA Policy and Procedures

Policy IM Disposal of Documents Containing Patient Information addresses proper disposal of PHI.

- Paper documents should be shredded.
  - If an outside shredding service is utilized, it should be the MSHA approved shredding vendor.
  - The Materials Management Department of the facility should be contacted for information about the shredding service.
- Magnetic media should be destroyed using bulk erasure.
- CDs/platters should be pulverized or broken up.

Facility records must be destroyed in a manner that ensures the confidentiality of the records and renders the PHI no longer recognizable.

30 Balancing Privacy With Adoption of Technology

Access to PHI
- Researchers and work force members should not access their own PHI or that of a family member or someone they know.
- Researchers should only access the records identified as part of the research study.

Photographs of patients are considered PHI. Photography includes photographs, still images, videotape recordings, digital or any other image method.
- All patient photographs are the property of MSHA and are to be filed in the patient's medical record.
- The use of personal equipment including cellular phone cameras to photograph patients is strictly prohibited.

Review P&P PCA Photography of Patients.

31 HIPAA Security Rule

Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses.

The Security Rule specifies a series of:

- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

that covered entities are to use to assure the confidentiality, integrity, and availability of e-PHI.

32 HIPAA Security Rule

Specifically, covered entities must:

- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce

33 Administrative Safeguards

Actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI. In general, these safeguards require MSHA to:

- Maintain processes to address management of security, including:
  - Risk analysis
  - Disciplinary policies
  - System activity review
- Identify an individual who is responsible for overseeing compliance with the HIPAA Security Rule. At MSHA, this person is the HIPAA Compliance Officer in the Corporate Audit and Compliance Services Department.

34 Administrative Safeguards (continued)

MSHA must:

- Implement policies/procedures addressing access to electronic PHI.
- Provide training on security processes and practices.
- Implement policies/procedures to address security incidents/violations.
- Establish policies/procedures for contingency plans, data backup, disaster recovery, etc.
- Develop processes to perform periodic evaluations of security processes.
- Include security requirements in appropriate contracts.

35 Technical Safeguards

The HIPAA Security Rule requires a covered entity to implement technology, policies and procedures to properly address:

- Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

36 Technical Safeguards

General safeguards at MSHA:

- Implement policies and procedures to allow access only to those who have the right to such access. This includes assigning unique user passwords for identifying and tracking user identity.
- Implement mechanisms that record system activity/audits.
- Implement processes to protect electronic PHI against improper destruction.

To ensure the security of usernames and passwords, MSHA users should not use their MSHA password on any personal sites. This helps to minimize exposure of your account to inappropriate access by unknown third parties.

37 Technical Safeguards

Use of Personal Devices
- Use of personal devices to access work applications and work files is not recommended.

Remote Access
- When a personal device is used to access work applications or work files, the workforce member is responsible for ensuring the device has up-to-date operating systems, anti-virus and anti-malware software.
- Access to MSHA computer systems is limited to workforce members who have an appropriate work reason and requires approval by appropriate MSHA leaders.
- Workforce members with remote access are responsible for complying with all MSHA HIPAA Privacy and Security policies.
- Students generally are not granted remote access.

38 Passwords

Passwords are considered a technical safeguard. You are responsible for your user ID and passwords and will be held accountable for any access or actions taken using your login ID.

- Do not share your password.
- Do not leave a computer you are logged on to unattended.
- Do not let others access PHI while you are logged on to the computer or application.
- Do not use your MSHA password on any third party websites.

**Review MSHA policy IM Computer Access Codes Management.**

39 MSHA Electronic Communication

MSHA has many ways of communicating electronically. It is the workforce member's responsibility to keep PHI confidential.

Electronic Mail
- Always use a secure method if you are sending patient information to a non-MSHA address. Type [secur ] in the subject line.
- Never include patient information in the subject line, even when sending the e-mail to an MSHA address.

FAX
- Verify all FAX numbers before faxing any patient information.
- Routinely check auto-fax numbers.
- Keep faxing to a minimum.
- Use the approved MSHA fax cover sheet with disclaimer.

Lync
- When using Lync, be thoughtful about what is presented and who the recipient(s) may be.

Vocera
- Be aware of your surroundings and comply with Vocera policies.

40 Safeguarding ePHI

The use of USB (flash, thumb, jump) drives and CDs is discouraged if PHI is involved.

If your job duties require you to distribute or store ePHI on any electronic media, per policy you must:

- Obtain approval from your Director, IT Security, and Compliance.
- Ensure the media is encrypted and/or password protected.

Laptop computers and other mobile devices which are used to access ePHI should be encrypted.

41 Social Media and Recording PHI

- Using social media to share patient information is prohibited per policy. This includes media such as Facebook, Twitter, Instagram, etc.
- Texting of patient information is prohibited unless:
  - An MSHA approved secure texting methodology is used; and
  - The department leader has approved the operational process of texting.
- Photography or videoing of patients requires an IT approved secure solution and must have department head approval.
- The use of personal equipment including cellular phone cameras to photograph patients is prohibited per policy.

**Review P&P HR Conduct of MSHA Using Social Media**

42 Phishing/Spear Phishing/Malware

Phishing E-mails

- Phishing is the attempt to acquire sensitive information such as usernames and passwords.
- More advanced types of these attacks are called spear-phishing. Spear-phishing attacks can capture financial data, even credit card details, by masquerading as a trustworthy entity (CEO, CFO, COO, etc.) in e-mails, and may also contain links to websites that are infected with various forms of malware, including ransomware.
- If you receive a suspicious e-mail, do not click on any embedded link in the message and promptly report it to the IS Help Desk.

43 Steps to Avoid Ransomware

- Do not reply to or visit any websites within any unexpected e-mail (especially from an unfamiliar sender).
- Hold the pointer over any link to see the real website it is connected to before clicking on a link.
- Limit any web browsing and e-mail use to official business websites only.
- If the text within an e-mail requires or pressures the user to take immediate action, it is likely fraudulent.
- Never reset a password from an unsolicited link. If you receive an e-mail that tells you to do so, visit the known primary site directly.
- Never use the same password for your work and personal log-ins.

44 Physical Safeguards

- Facility Access and Control: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security: A covered entity must implement policies and procedures:
  - To specify proper use of and access to workstations and electronic media.
  - Regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

In general, these safeguards require MSHA to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

45 Physical Safeguards (continued)

Measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. In general, these safeguards require MSHA to:

- Implement policies and procedures to control access to systems and facilities housing electronic PHI.
- Implement policies and procedures to ensure facility security and appropriate functions of workstations.
- Implement policies and procedures that govern controls for devices and media.

46 Physical Safeguards (continued)

- Protected Health Information (PHI) originals or copies should not be taken outside of the organization without MSHA approval. This includes reports, lists, census, e-mails, Excel and Word files, etc. that contain PHI.
- PHI that is taken outside of any MSHA covered entity, as part of an approved and valid healthcare operational reason, should follow the physical safeguards per MSHA policy on External Transport of Patient Information.
- Patient information (including screenshots that only contain a patient's name) should not be used in presentations.

**Review P&P IM External Transport of Patient Information**
**Review P&P IM Removal of Medical Records**

47 Software and Vendor Services

- The installation of software or hardware is prohibited without approval by the MSHA IS Dept.
- Requests must be submitted per MSHA IT guidelines and are subject to approval criteria.
- New applications that will access, use, or collect PHI or use the internet must go through the organization's review and approval process (i.e. ETAF) prior to initiating the purchase.
- Utilization of a vendor to provide a software solution or staffing resource requires:
  - Financial review/approval
  - ETAF review and approval
  - Contracts development and possibly a business associate agreement.

48 Reporting Security Incidents or Concerns

- Report loss of any MSHA owned or managed device.
- Report loss of any personal device which may contain any patient information.
- Immediately notify the MSHA IS Help Desk or MSHA Corporate Audit and Compliance Services Dept (CACS).

Examples of devices that may contain PHI are:

- Computers (laptops, netbooks, iPads, desktops, etc.)
- CDs, USB flash drive, thumb drive, jump drive
- Hard drive
- Cell phones used for work

**Review P&P IM Reporting Potential or Actual Breaches of Patient Protected Health Information**

49 What Can You Do? A few ways to protect patient information: Access, use or disclose patient information only if involved in the care of the patient. Never share passwords, and log off or lock computers when away! BE ALERT to verbal discussions and surroundings. Make other team members aware if you are hearing conversations that should not be heard. Provide privacy for patients during discussions, including asking others to leave the room if necessary. Be aware of access to patient information such as printouts, computer screens, reports, etc. Appropriately secure patient records when not in use. Patient information should be placed in confidential shred-it containers when discarding. Be knowledgeable about MSHA policies, procedures and practices relating to patient information.

50 Summary This course has provided an abbreviated overview of the HIPAA Privacy Rule, the Security Rule, HITECH, and principles practiced throughout MSHA. All patient information, whether it is verbal, written or in any computer system, should be securely maintained for confidentiality. Everyone who comes into contact with patient information is responsible for ensuring compliance with HIPAA. Remember the Need to Know rule: only access information that you have a need to know to do your job. Sanctions are applied for violation of privacy/security regulations and organization policies.

51 Who to Contact for Questions? Research Department; HIPAA Compliance Office. Note: For purposes of research, proof of completion of HIPAA training will be required at the time of IRB & MSHA administrative approval request submission. ETSU and MSHA employees may complete organizational HIPAA training(s).

52 Almost finished. Please close this window. Print HIPAA training confirmation letter, sign and submit to (fax) or to


More information

SUMMARY OF NOTICE OF PRIVACY PRACTICES

SUMMARY OF NOTICE OF PRIVACY PRACTICES LAKE REGIONAL MEDICAL GROUP 54 HOSPITAL DRIVE OSAGE BEACH, MO 65065 SUMMARY OF NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU

More information

AUDIT DEPARTMENT UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE. For the period October 2008 through May JEREMIAH P. CARROLL II, CPA Audit Director

AUDIT DEPARTMENT UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE. For the period October 2008 through May JEREMIAH P. CARROLL II, CPA Audit Director UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE For the period October 2008 through May 2009 JEREMIAH P. CARROLL II, CPA Audit Director Audit Department 500 S Grand Central Pkwy Ste 5006 PO Box 551120 Las Vegas

More information

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM Effective Date: 9/23/ 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

HIPAA-HITECH HELPBOOK NJ Physician Practices

HIPAA-HITECH HELPBOOK NJ Physician Practices NOTICE OF PRIVACY PRACTICES Montgomery Medical Associates LLC Effective Date: 04/01/13 Version 2 SUMMARY WHAT IS THIS NOTICE FOR? This Notice of Privacy Practices (Notice) describes how Montgomery Medical

More information

HIPAA Health Insurance Portability and Accountability Act of 1996

HIPAA Health Insurance Portability and Accountability Act of 1996 HIPAA Health Insurance Portability and Accountability Act of 1996 Protected Health Information (PHI) Covers patient information in any form written, verbal, or electronic PHI Includes Any information that

More information

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS The purpose of this brochure is to provide you with a brief orientation to Children s Mercy Hospitals and Clinics. It provides important information

More information

CAPITAL SURGEONS GROUP, PLLC

CAPITAL SURGEONS GROUP, PLLC CAPITAL SURGEONS GROUP, PLLC NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10 Page 1 of 10 TITLE: HIPAA COMPLIANCE: PRIVACY AND THE CONDUCT OF RESEARCH POLICY It is the policy of the San Francisco Department of Public Health (DPH) to maintain the privacy of Protected Health Information

More information