Office of Compliance Programs HIPAA Privacy Training for Non-Clinical Workforce Revised: January 24, 2017 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff, residents and students) about the University's HIPAA policies and those specific HIPAA required procedures that may affect the work you do for the University. Overview This presentation provides a brief summary of the HIPAA Privacy Rule. It lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow. The HIPAA Privacy Rule A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI)about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions. What is PHI? PHI consists of two parts: Information that personally identifies the the patient (an identifier) Any information, including genetic information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. What is an identifier? Patient name Date of birth Genetic information Social Security number Driver s license number Phone and fax nubers
Mailing address Email address Hospital account number Medical record number Insurance identification number Medicare/Medicaid ID numbers Certificate/License numbers Device identifiers and serial numbers Vehicle identifiers and serial numbers Photographs, video or other images where the patient's face is recognizable. Biometric identifiers Any other unique identifying number, characteristic, or code, that could be used alone or in combination with other information to identify an individual who is a subject of the information. PHI does not include: Information on individuals who have been dead more than 50 years Student health records Health information LSUHSC-NO keeps in its role as an employer (e.g. occupational health and safety information) De-identified information Remember PHI can appear in any medium including but not limited to: Spoken (conversations, telephone calls, etc.) Written (invoices, photocopies, etc.) Electronic (emails, databases, spreadsheets, billing systems, electronic health records, etc.) Exceptions Uses and disclosures that do not require and authorization include but are not limited to: To the individual For treatment purposes For payment purposes For healthcare operations (e.g. quality improvement activities, training,legal services, audits, etc.) To the Secretary of the Department of Health and Human Services (HHS) There are other exceptions. If you have a concern regarding whether a particular use or disclosure requires an authorization from the patient, contact the LSUHSC-NO Privacy Officer at (504) 568-5135 or via email at nocompliance@lsuhac.edu. Protecting Patient Privacy Treat all information as you would want information about you or your family memeber treated. Do not discuss confidential patient information in areas where it is likely to be overheard such as elevators, hallways, cafeteria, restrooms, or other public places, etc. Shred documents and disks with PHI before discarding. Do not allow unauthorized visitors or patients in staff areas, dictating rooms, chart storage areas, etc.
Do not discuss patient information with your family, friends, or people in your facility who are not directly involved in the patient's treatment, payment, or operations. Do not share your passwords with anyone. Set an idle time out on your local workstation. Always log off of your computer when you leave your work area. Do not leave charts, schedules, or open documents on computer screens that may contain patient information in plain view. Conduct telephone conversations or dictation regarding confidential patient information in a discreet manner. Access only the information you are officially authorized to access. When scrapping or surplusing computer equipment, make sure someone from I.T. erases all the information from any storage devices (e.g. hard drives, solid state drives, flash drives, etc.) Each of us only has authorization to access PHI based on a need to know basis for the purpose of fulfilling our job responsibilities. Unfortunately, some take advantage of various sources of PHI to satisfy curiosity or other motives instead. LSUHSC-NO faculty, staff and students may find themselves working and/or training in facilities that use electronic systems containing PHI that are shared by multiple, independent health care providers. In such cases, an individual must be granted permission to access the electronic record in writing by the facility that owns the record, in addition to having a job related need to view the information before accessing the electronic record. No matter why an employee or physician accesses PHI, if there is not a job specific reason to do so, the access is prohibited by hospital policy, LSU policy, and HIPAA regulations. This includes access to family members information, including spouses, parents, adult children, siblings, significant others, coworkers, etc. Any such unauthorized access would be a direct violation of LSUHSC-NO policy and HIPAA regulations. Such action would expose the violator not only to disciplinary action, but also to possible legal action. LSUHSC-NO Privacy Policies The HIPAA Privacy Policies and Procedures are contained in Chancellor s Memorandum 53. What is a Breach? A breach of PHI is the unauthorized access, use, or disclosure of PHI that compromises the security of that information. Any unauthorized access, use, or disclosure of PHI should be reported immediately to the Compliance/Privacy Officer in the Office of Compliance Programs at LSUHSC-NO. Compliance will conduct a risk assessment to determine if the use and/or disclosure must be reported to the patient and the U.S. Department of Health and Human Services. Things to Remember about Breaches Breaches Happen!! Breaches can be deliberate or accidental. You can report them anonymously. Timely notification of any known Breach is CRITICAL as we only have 60 days from the discovery of the Breach to take the necessary action required by the Breach Notification Rule. If you are unsure whether or not an incident is a breach, call the Compliance Office. Some Examples of a Breach of PHI include, but are not limited to: PHI from discarded paper documents, computer hard drives, flash drives, backup tapes and optical disks.
PHI included in emails sent to the wrong recipient or PHI inappropriately attached to an email. PHI stolen and sold for monetary gain PHI obtained and disclosed by hackers. PHI contained in lost or stolen paper documents, laptops, flash drives, backup tapes or optical disks. PHI that is disclosed due to the actions of a computer virus. PHI inappropriately posted or to which access is provided on a web server. Privacy Complaints If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to: The LSUHSC-NO Privacy Officer The Office of Compliance Programs The Office of Civil Rights of Department Health and Human Services The appropriate Privacy Officer at the institution if other than LSUHSC-NO How to Report a HIPAA Violation Contact the LSUHSC-NO Privacy Officer or the Office of Compliance Programs via: Office Phone: (504) 568-5135 Anonymous reporting hotline: (504) 568-2347 or, E-mail: nocompliance@lsuhsc.edu Contact the Privacy Officer or the Compliance department at the hospital/facility where you work. Penalties The HHS Office of Civil Rights shall assess penalties ranging from $100 per violation up to $1.5 million per violation. Please note that inappropriate use and or disclosure of information on each patient is a separate violation. In addition, LSUHSC-NO may take disciplinary action up to and including termination of employment or, if a student, expulsion from your program. Individuals and health care providers (hospitals, etc.) can also face civil and criminal prosecution, depending on the facts of the case. Recap HIPAA provides for the rights of patients in relation to their Protected Health information. It also provides for the privacy and security of that information.
It is everyone s responsibility to protect PHI. Violations of any of the HIPAA regulations may result in fines from the federal government. Violations of HIPAA privacy regulations can also include civil and even criminal penalties. Report breaches of PHI to Compliance immediately. If you are found to be deliberately accessing PHI for reasons other than related to performing your job, you will face disciplinary action, up to and including termination your employment or student status. Be familiar with the HIPAA Privacy policies wherever you work as they differ from institution to institution. Resources Chancellor s Memorandum 53 HHS Office of Civil Rights HIPAA webpage. Any Questions? We Are Here to Help! Office of Compliance Programs 433 Bolivar St. Suite 807 New Orleans, LA 70112 568-5135 nocompliance@lsuhsc.edu