HIPAA Privacy and Security Training for Researchers


Version April 2017
Mountain States Health Alliance Bringing Loving Care to Health Care

Course Objectives
This learning course covers HIPAA, HITECH, and the MSHA Privacy and Security Program:
- Acronyms and terms
- HIPAA and HITECH overview (HIPAA Privacy Rule and Security Rule)
- Requirements of the law
- The concept of protected health information (PHI)
- Permitted and prohibited uses and disclosures of PHI
- MSHA policies & procedures
- HIPAA applied to real-life situations
- Specifics for research

Definitions and Terms
- ARRA: American Recovery and Reinvestment Act, commonly referred to as the Stimulus or The Recovery Act.
- Breach: Improper access, use, or disclosure of Protected Health Information.
- Business Associate (BA): A person or company that accesses PHI because of its relationship with a covered entity. The HIPAA responsibilities of the BA are outlined in a business associate agreement between the BA (or company of employment) and the covered entity. A company that types/transcribes medical reports for a hospital or physician office is one example.
- Covered Entity (CE): Health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. MSHA is a covered entity.

Definitions and Terms
- Protected Health Information (PHI): Individually identifiable health information in any form, oral or recorded, that relates to the past, present, or future physical or mental health or condition of an individual, including demographic information.
- Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside the entity that holds the information.
- DHHS: Department of Health and Human Services.
- HIPAA: Health Insurance Portability and Accountability Act. The HIPAA Security Rule was implemented in 2005.
- HITECH: Health Information Technology for Economic and Clinical Health Act, a 2009 provision of the American Recovery and Reinvestment Act (ARRA).

Definitions and Terms
- Minimum necessary: Use, access, and disclosure of PHI by a covered entity or business associate are limited to the minimum amount of information necessary to accomplish the required task.
- Office for Civil Rights (OCR): Entity of DHHS responsible for enforcing the HIPAA Privacy and Security Rules.
- Privacy officer: Individual designated by a covered entity to oversee HIPAA Privacy Regulation compliance. Contact the MSHA HIPAA Officer with any questions.
- De-identified information: PHI that has been sufficiently stripped of identifying information (see the list of 18 PHI identifiers) so that the person to whom it belongs can no longer be identified. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/deidentification/index.html

Privacy Laws and Regulations
There are many federal and state laws regarding the privacy of patient information. One such federal law is the Health Insurance Portability & Accountability Act of 1996 (HIPAA). HIPAA sets forth regulations for improved efficiency in healthcare delivery in the handling of patient information; requiring health identifiers; and creating privacy standards. HIPAA brought about two rules:
- Privacy Rule: compliance date April 2003
- Security Rule: compliance date April 2005

What are ARRA and HITECH?
The American Recovery and Reinvestment Act (ARRA), Public Law 111-5, is an economic stimulus package which was signed into law on February 17, 2009. The Health Information Technology for Economic and Clinical Health (HITECH) Act is the part of the ARRA law that deals with many of the health information communication and technology provisions, including Subpart D Privacy. In January of 2013, the Department of Health and Human Services issued the Final Rule implementing HITECH's statutory amendments to HIPAA.

Enforcement of HIPAA
The Department of Health and Human Services (DHHS) is the department of the federal government with overall responsibility for implementing and enforcing HIPAA. The Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy and Security Rules. The MSHA Corporate Audit and Compliance Services department is responsible for monitoring and assessing MSHA compliance with HIPAA.
Potential penalties:
- Civil
- Criminal
- Federal lawsuit
- Loss of professional license
- Employer corrective action, including termination

Criminal Liability
Section 13409 of the American Recovery and Reinvestment Act clarified that employees of covered entities may be held criminally liable for obtaining or disclosing individually identifiable health information maintained by covered entities without authorization.
- Who? Individuals who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA.
- What? A fine of from $50,000 up to $250,000 and imprisonment from one year up to ten years.

Privacy Rule: Administrative Requirements
The Privacy Rule contains many other requirements that MSHA must comply with, such as:
- Business Associate Contracts: Under certain conditions, MSHA is required to maintain legal contracts with business partners whose activity may involve the use or disclosure of individually identifiable health information. MSHA Legal Counsel should be consulted regarding contracts when patient information is involved.
- De-Identification of PHI: Under certain scenarios, information can be used or disclosed if de-identified. Refer to MSHA policy IM-900-006 De-Identification of Protected Health Information for details.
- Minimum Necessary: When using, disclosing, or requesting PHI, a reasonable effort must be made to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Refer to MSHA policy IM-900-014 Minimum Necessary Use and Disclosure of Protected Health Information for details.

Privacy and Security Rule
The Privacy Rule is intended to protect the privacy of an individual's health information, regardless of whether the information is written, spoken, or stored in a computer. The Security Rule provides protection of all health information that is housed or transmitted electronically.

Privacy Rule
MSHA follows the Privacy Rule, which describes many ways an organization may use or disclose a patient's protected health information, including:
- To the individual
- To others involved in the individual's care
- For Treatment, Payment, or Health Care Operations (TPO)
- When an authorization from the patient is required
- Within the facility directory
- Disclosure of PHI when required by law
- For public health or health oversight
- Law enforcement purposes
- Research purposes
- For organ donation
- For workers' compensation
- For disclosures about victims of abuse, neglect, or domestic violence
- Others

Treatment, Payment and Health Care Operations (TPO)
HIPAA permits use and disclosure of PHI for TPO:
- Treatment: the provision, coordination or management of care and services, including coordination by a provider with a third party; consultation between health care providers; or referral from one provider to another.
- Payment: activities to obtain or provide reimbursement for services; billing, claims management, collection activities; review for medical necessity; utilization review, pre-certification and pre-authorization of services; disclosure to consumer reporting agencies; others.
- Health Care Operations: operating activities such as conducting quality improvement activities; reviewing competence of health care professionals; underwriting, premium rating, etc.; medical review, legal services, auditing; business planning/development; others.
Disclosures for TPO purposes do not require a provider to obtain authorization from the patient.

Privacy Rule: Permitted Uses and Disclosures
While the Privacy Rule describes many ways that permit MSHA to use and disclose patient information, BEFORE using or disclosing any patient information you must refer to MSHA policy IM-900-019 Release, Use, and Disclosure of Patient Information and MR-900-055 Release of Medical Records for the Purpose of Research for details.
No MSHA team member or researcher shall disclose information without first knowing:
- To whom they are disclosing the information
- Whether the recipient is authorized to receive the information
- Whether the requested information is appropriate for the content and purpose of the request
- Whether applicable content of this policy has been addressed in the process of disclosing the information

HIPAA Identifiers
If the information includes any of the identifiers below of the patient or the patient's relative, household member, or employer, the information is considered identifiable and subject to the HIPAA Rules.
1. Names
2. All geographic subdivisions smaller than state
3. All dates related to an individual, including DOB, admission date, discharge date, death date, and all ages over 89
4. Telephone numbers
5. Vehicle identifiers and serial numbers, including license plate numbers
6. Fax numbers
7. Device identifiers and serial numbers
8. Email addresses
9. URLs
10. IP addresses
11. Social Security Numbers
12. Medical Record Numbers
13. Biometric identifiers, including finger and voice prints
14. Health plan beneficiary numbers
15. Full-face photographs
16. Account numbers
17. Any other unique or identifying characteristic, number or code
18. Certificate or license numbers

PHI Receiving Special Protections
The HIPAA Rules recognize certain categories of PHI as ultrasensitive and require special protections for such information:
- Mental and behavioral health records
- Psychotherapy notes
- STD testing
- HPV testing
- Alcohol or drug abuse records
- Genetic testing

Privacy Rule: Authorizations
There are many reasons, including research, that information about a patient is used within MSHA or disclosed outside of MSHA. Generally, an authorization is not required to use or disclose patient information to carry out Treatment, Payment, or Health Care Operations (TPO). Other exceptions may apply. MSHA also discloses patient information as required by law or as required reporting, which do not require patient authorization. Examples include:
- Birth data to the TN Dept of Vital Statistics
- Cancer data to the State Tumor Registry
- Data to Protective Services Agencies (for victims of crime, abuse, or neglect)
- Many others

HIPAA and Research Data
The HIPAA Rules regulate how protected health information may be obtained and used for research purposes. This is true whether the PHI is completely identifiable or partially de-identified in a limited data set. In order to use PHI for research purposes, appropriate HIPAA documentation must be obtained, including either:
1. Individual patient authorization; or
2. Approved waiver of authorization from the IRB
MSHA utilizes the services of the ETSU IRB; therefore, HIPAA requirements for accessing and using PHI for research can be found on the University's IRB website: http://www.etsu.edu/irb/policies/procedures.aspx

Notice of Privacy Practices (NPP)
The Notice of Privacy Practices is a requirement of HIPAA; the NPP describes how MSHA uses and discloses a patient's information and how the patient can access information. The NPP must be:
- Given to each patient at the time of registration
- Posted in registration areas
- Acknowledged: a signed acknowledgement of receipt must be obtained from the patient
- Posted on the MSHA website
Access the MSHA NPP by using the link below: https://www.mountainstateshealth.com/notice-privacypractices
In research: HIPAA information must be presented as a free-standing form or be included in the Informed Consent Form (ICF). If there is no direct contact with the patient, then a HIPAA waiver can be requested from the IRB.

Patient Rights
A patient has the right to:
- Access his/her record (research record not included).
- Receive a notice (the Notice of Privacy Practices) that tells them how their health information may be used and shared.
- Request restrictions/confidential communications regarding the use and disclosure of their PHI. Restriction for out-of-pocket payments: a patient may restrict disclosure of protected health information to a health plan when the patient has paid out-of-pocket in full for the services. Refer to MSHA IM-900-019 Request for Restriction of the Use and/or Disclosure of Patient PHI.
- Request to amend specific portions of their record. MSHA may deny the amendment, but must have a procedure available for the patient to request the amendment. Refer to MSHA policy IM-900-005 Corrections/Amendments to the Medical Record.
- Request a copy of the accounting of disclosures. MSHA is required to keep a history of when and to whom information about a patient was disclosed for purposes other than treatment, payment or health care operations. Refer to MSHA policy IM-900-002 Accounting of Disclosures of Protected Health Information.

Privacy and Security Program
Additional HIPAA administrative requirements:
- MSHA must provide education to the work force on the policies and procedures.
- MSHA may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against anyone who makes a complaint.
- Team members must promptly report all HIPAA concerns. Review IM-900-026 Reporting of Potential or Actual Breaches of Patient Protected Health Information.
Remember, just because you have the ability to access a record does not mean you are authorized under the law to do so. You are only authorized to access protected health information when necessary to perform your job!

De-identified Data (in research)
The HIPAA Rules do not restrict the use or disclosure of de-identified health information, because the information is not considered PHI if it is de-identified. The primary purpose of HIPAA is to protect the privacy of the individual when it comes to their health information. If the individual cannot be identified, the risk to the individual's privacy is minimal.
Two methods to achieve de-identification:
Safe Harbor Method
1. Removal of all 18 HIPAA identifiers; and
2. The covered entity possesses no actual knowledge that the remaining information could be used to identify the individual.
Expert Determination Method
1. An expert determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the individual; and
2. The expert documents the methods and risk results of the analysis that justify such determination.
Information is de-identified and no longer considered PHI. HIPAA restrictions do not apply!
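The Safe Harbor method above, and the 18-identifier list from the HIPAA Identifiers slide, worked through on a constructed record as an added example (not part of the MSHA training or its policies): identifier fields are dropped, dates are reduced to the year and ages over 89 collapse into a single 90+ bucket, as the HHS Safe Harbor standard linked earlier allows, and a pattern scan flags identifier-shaped text that leaked into free-text fields. Field names, regular expressions and sample values are assumptions constructed for the example.

```python
import re
from datetime import date

# Fields whose whole value is one of the 18 identifier categories the
# slides list (constructed field names; map your own schema the same way).
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_id", "photo_path",
}
# Dates related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Ages over 89 are identifying; HHS permits one "90 or older" bucket.
AGE_CAP = 89

# Identifier shapes that tend to leak into free text (constructed regexes,
# tuned for this sample; a production scrubber needs a broader set).
LEAK_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE),
}


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year, as Safe Harbor allows."""
    return str(date.fromisoformat(iso_date).year)


def age_at(dob: str, as_of: str) -> int:
    """Whole years between two ISO dates (birthday not yet reached counts down)."""
    d, r = date.fromisoformat(dob), date.fromisoformat(as_of)
    return r.year - d.year - ((r.month, r.day) < (d.month, d.day))


def bucket_age(age: int) -> str:
    """Ages over 89 collapse into a single '90+' bucket; others pass through."""
    return "90+" if age > AGE_CAP else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a marker."""
    for label, pattern in LEAK_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def safe_harbor(record: dict) -> dict:
    """Return a de-identified copy of ``record`` under the Safe Harbor method."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue                      # step 1: drop the identifier outright
        if field in DATE_FIELDS:
            out[field + "_year"] = year_only(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    # Age is derived, not stored: compute it and bucket it before release.
    if "dob" in record and "admission_date" in record:
        out["age_at_admission"] = bucket_age(
            age_at(record["dob"], record["admission_date"]))
    return out


def residual_identifiers(record: dict) -> list:
    """Fields that still match an identifier pattern after de-identification.

    A mechanical aid for the 'no actual knowledge' step; an empty list does
    not by itself prove the data is de-identified.
    """
    return [
        field for field, value in record.items()
        if isinstance(value, str)
        and any(p.search(value) for p in LEAK_PATTERNS.values())
    ]


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN 0012345",
    "dob": "1925-04-02",
    "admission_date": "2017-03-10",
    "zip": "37604",
    "phone": "423-555-0100",
    "email": "jane@example.org",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called 423-555-0100 on 3/9/2017; see MRN 0012345.",
}

if __name__ == "__main__":
    clean = safe_harbor(SAMPLE_RECORD)
    print(clean)
    print("residual identifier fields:", residual_identifiers(clean))
```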

Privacy and Security Program
MSHA must reasonably safeguard PHI from intentional or unintentional use or disclosure:
- The work force must reasonably safeguard PHI to limit incidental uses or disclosures.
- MSHA must apply sanctions when there is failure to comply with the privacy policies and procedures.
- MSHA work force members needing access to their own or a family member's medical record should contact the Medical Records department per policy IM-900-024 Team Member Access to Their Own or Family Member's Medical Record Protected Health Information (PHI).
- MSHA must implement policies and procedures with respect to PHI that are designed to comply with the HIPAA Rules. Review MSHA policy IM-900-018 Privacy and Security Program.

Privacy and Security Program: Handling Work of Someone You Know
You are expected to maintain the confidentiality of patient information. You may have access to and become knowledgeable about information of individuals who are known to you, such as current and previous family members, friends, and co-workers. You should not access patient information that may place you or the patient in a compromising position or present a conflict of interest.
Steps for a work force member to take, when possible:
1. Contact a Supervisor/Manager to request the work be re-assigned.
2. If a Supervisor/Manager is not readily available, then ask, as appropriate, another co-worker to complete the necessary work.
3. If no other co-worker is available, and a Supervisor/Manager is not readily available, proceed with completing the work to ensure that patient care is not compromised.
4. Notify a Supervisor/Manager of the occurrence.
Refer to policy IM-900-028 Handling of Work of Someone You Know.

Where is PHI in a Healthcare Organization?
- Verbal conversations
- Paper documents and reports
- Computers and technology
Consider where electronic PHI may be stored:
- Emails
- Files saved on a computer/laptop/tablet
- Shared network drives
- Flash drives/USB drives
- DVDs/CDs
- Cloud storage

HIPAA Knowledge Check
When entering a patient treatment area to discuss the patient's medical condition, lab results, or treatment, and the patient has visitors in the room, the caregiver should courteously ask the visitor(s) to please step out of the room for a minute.
o True
o False
Answer: True. As caregivers it is our responsibility to be the patient's ambassador and ensure the patient has given us authorization to disclose their PHI with family, friends, and others.

Patient Information Inquiries
It is the practice of MSHA to release information to the media in the same manner as the release to the general public; however, all requests for information from the media must be directed to the Department of Marketing / Public Relations. If requested for research, then permission to release must be granted by the Director of the research department.
General public: When a visitor or caller requests information about a patient, unless the patient has opted out of the facility directory, generally only the following can be provided:
- Patient name
- Patient location
- Patient condition
The caller MUST ask for the patient by name. Review policy CM-500-005 Release of Patient Information to the Media.

Patient Information Inquiries
- At the time of registration, a patient may request that no information be released. Review IM-900-021 Request for Restriction of the Use and/or Disclosure of Patient Protected Health Information. Exemption: agreement to participate in a research study.
- Information about patients under substance abuse care is more restricted.
- In the event of a disaster, existing disaster protocols should be followed.
- MSHA has a VIP (Very Important Partner) program available for patients who are admitted as inpatients. Review P&P PC-600-143 Very Important Partner (VIP) Program.

MSHA Policy and Procedures
Policy IM-900-007 Disposal of Documents Containing Patient Information addresses proper disposal of PHI.
- Paper documents should be shredded.
  - If an outside shredding service is utilized, it should be the MSHA-approved shredding vendor.
  - The Materials Management Department of the facility should be contacted for information about the shredding service.
- Magnetic media should be destroyed using bulk erasure.
- CDs/platters should be pulverized or broken up.
Facility records must be destroyed in a manner that ensures the confidentiality of the records and renders the PHI no longer recognizable.

Balancing Privacy With Adoption of Technology
Access to PHI: Researchers and work force members should not access their own PHI or that of a family member or someone they know. Researchers should only access the records identified as part of the research study.
Photographs of patients are considered PHI. Photography includes photographs, still images, videotape recordings, digital or any other image method.
- All patient photographs are the property of MSHA and are to be filed in the patient's medical record.
- The use of personal equipment, including cellular phone cameras, to photograph patients is strictly prohibited.
Review P&P PCA-600-011 Photography of Patients.

HIPAA Security Rule
Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses. The Security Rule specifies a series of:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
that covered entities are to use to assure the confidentiality, integrity, and availability of ePHI.

HIPAA Security Rule
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.

Administrative Safeguards
Actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI. In general, these safeguards require MSHA to:
- Maintain processes to address management of security, including:
  - Risk analysis
  - Disciplinary policies
  - System activity review
- Identify an individual who is responsible for overseeing compliance with the HIPAA Security Rule. At MSHA, this person is the HIPAA Compliance Officer in the Corporate Audit and Compliance Services Department.

Administrative Safeguards (continued)
MSHA must:
- Implement policies/procedures addressing access to electronic PHI.
- Provide training on security processes and practices.
- Implement policies/procedures to address security incidents/violations.
- Establish policies/procedures for contingency plans, data backup, disaster recovery, etc.
- Develop processes to perform periodic evaluations of security processes.
- Include security requirements in appropriate contracts.

Technical Safeguards
The HIPAA Security Rule requires a covered entity to implement technology, policies and procedures to properly address:
- Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).
- Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity Controls: A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
- Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

Technical Safeguards
General safeguards at MSHA:
- Implement policies and procedures to allow access only to those who have the right to such access. This includes assigning unique user passwords for identifying and tracking user identity.
- Implement mechanisms that record system activity/audits.
- Implement processes to protect electronic PHI against improper destruction.
In order to ensure the security of your username and password, MSHA users should not use their MSHA password on any personal sites. This helps to minimize our exposure to inappropriate, unknown third-party access to your account.

Technical Safeguards
Use of personal devices: Use of personal devices to access work applications and work files is not recommended. When a personal device is used to access work applications or work files, the workforce member is responsible for ensuring the device has an up-to-date operating system, anti-virus and anti-malware software.
Remote access: Access to MSHA computer systems is limited to workforce members who have an appropriate work reason and requires approval by appropriate MSHA leaders. Workforce members with remote access are responsible for complying with all MSHA HIPAA Privacy and Security policies. Students generally are not granted remote access.

Passwords

Passwords are considered a technical safeguard. You are responsible for your user ID and passwords and will be held accountable for any access or actions taken using your login ID.

Do not share your password.
Do not leave a computer you are logged on to unattended.
Do not let others access PHI while you are logged on to the computer or application.
Do not use your MSHA password on any third party websites.

Review MSHA policy IM-900-004 Computer Access Codes Management.

MSHA Electronic Communication

MSHA has many ways of communicating electronically. It is the workforce member's responsibility to keep PHI confidential.

Electronic Mail: Always use the secure email method if you are sending patient information to a non-MSHA email address. Type [securemail] in the subject line. Never include patient information in the subject line, even when sending the email to an MSHA email address.

FAX: Verify all FAX numbers before faxing any patient information. Routinely check auto-fax numbers. Keep faxing to a minimum. Use the approved MSHA fax cover sheet with disclaimer.

Lync: When using Lync, be thoughtful about what is presented and who the recipient(s) may be.

Vocera: Be aware of your surroundings and comply with Vocera policies.

Safeguarding ePHI

The use of USB (flash, thumb, jump) drives and CDs is discouraged if PHI is involved. If your job duties require you to distribute or store ePHI on any electronic media, per policy you must:

Obtain approval from your Director, IT Security, and Compliance.
Ensure the media is encrypted and/or password protected.

Laptop computers and other mobile devices which are used to access ePHI should be encrypted.

Social Media and Recording PHI

Using social media to share patient information is prohibited per policy. This includes media such as Facebook, Twitter, Instagram, etc.

Texting of patient information is prohibited unless an MSHA-approved secure texting methodology is used and the department leader has approved the operational process of texting.

Photographing or video recording patients requires an IT-approved secure solution and must have department head approval. The use of personal equipment, including cellular phone cameras, to photograph patients is prohibited per policy.

Review P&P HR-200-117 Conduct of MSHA Using Social Media.

Phishing / Spear Phishing / Malware

Phishing Emails: Phishing is the attempt to acquire sensitive information such as usernames and passwords. More advanced types of these attacks are called spear-phishing. Spear-phishing attacks can capture financial data, even credit card details, by masquerading as a trustworthy entity (CEO, CFO, COO, etc.) in emails, and may also contain links to websites that are infected with various forms of malware, including ransomware.

If you receive a suspicious email, do not click on any embedded link in the message and promptly report it to the IS Help Desk.

Steps to Avoid Ransomware

Do not reply to, or visit any websites within, any unexpected e-mail (especially from an unfamiliar sender).
Hold the pointer over any link to see the real website it is connected to before clicking on a link.
Limit any web browsing and use to official business websites only.
If the text within an e-mail requires or pressures the user to take immediate action, it is likely fraudulent.
Never reset a password from an unsolicited e-mail link. If you receive an e-mail that tells you to do so, visit the known primary site directly.
Never use the same password for your work and personal log-ins.
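The "hold the pointer over the link" step works because an e-mail can show one address as link text while the href points somewhere else. The following added example (not part of this training or any MSHA tool) automates that comparison over a constructed HTML e-mail body; every domain in it is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body; the domains are invented for this demo.
SAMPLE_EMAIL_HTML = """
<p>Your password expires today. <a href="http://login-reset.example-attacker.test/x">
https://portal.example-hospital.test/reset</a> to keep access.</p>
<p>Questions? See <a href="https://intranet.example-hospital.test/help">the help desk page</a>.</p>
"""

# Pulls a hostname out of visible link text such as "https://portal.example.test/path".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the same two facts a mouse hover reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text: str) -> str:
    """Hostname named in the visible text, or "" if the text is plain words."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else ""

def suspicious_links(html: str) -> list:
    """Links whose displayed host differs from the real href host (subdomains of it are fine)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = host_of(text)
        if shown and real and real != shown and not real.endswith("." + shown):
            flagged.append({"shown": shown, "real": real, "text": text})
    return flagged
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags only the first link, whose text names the hospital portal while the href leads elsewhere; the plain-worded help desk link is not flagged.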

Physical Safeguards

Facility Access and Control: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

Workstation and Device Security: A covered entity must implement policies and procedures to:
Specify proper use of and access to workstations and electronic media.
Govern the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (ePHI).

In general, these safeguards require MSHA to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Physical Safeguards (continued)

Measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. In general, these safeguards require MSHA to:

Implement policies and procedures to control access to systems and facilities housing electronic PHI.
Implement policies and procedures to ensure facility security and appropriate functioning of workstations.
Implement policies and procedures that govern controls for devices and media.

Physical Safeguards (continued)

Protected Health Information (PHI) originals or copies should not be taken outside of the organization without MSHA approval. This includes reports, lists, census, emails, Excel and Word files, etc. that contain PHI.

PHI that is taken outside of any MSHA covered entity, as part of an approved and valid healthcare operational reason, should follow the physical safeguards per the MSHA policy on External Transport of Patient Information.

Patient information (including screenshots that only contain a patient's name) should not be used in presentations.

Review P&P IM-900-009 External Transport of Patient Information.
Review P&P IM-900-020 Removal of Medical Records.

Software and Vendor Services

The installation of software or hardware is prohibited without approval by the MSHA IS Department. Requests must be submitted per MSHA IT guidelines and are subject to approval criteria.

New applications that will access, use or collect PHI, or that use the internet, must go through the organization's review and approval process (i.e. ETAF) prior to initiating the purchase.

Utilization of a vendor to provide a software solution or staffing resource requires:
Financial review/approval.
ETAF review and approval.
Contracts development and possibly a business associate agreement.

Reporting Security Incidents or Concerns

Report loss of any MSHA-owned or -managed device.
Report loss of any personal device which may contain any patient information.
Immediately notify the MSHA IS Help Desk or the MSHA Corporate Audit and Compliance Services Dept (CACS).

Examples of devices that may contain PHI are:
Computers (laptops, netbooks, iPads, desktops, etc.)
CDs, USB flash drives, thumb drives, jump drives
Hard drives
Cell phones used for work

Review P&P IM-900-026 Reporting Potential or Actual Breaches of Patient Protected Health Information.

What Can You Do?

A few ways to protect patient information:

Access, use or disclose patient information only if involved in the care of the patient.
Never share passwords, and log off or lock computers when away!
BE ALERT to verbal discussions and surroundings. Make other team members aware if you are hearing conversations that should not be heard.
Provide privacy for patients during discussions, including asking others to leave the room if necessary.
Be aware of access to patient information such as printouts, computer screens, reports, etc.
Appropriately secure patient records when not in use.
Patient information should be placed in confidential shred-it containers when discarded.
Be knowledgeable about MSHA policies, procedures and practices relating to patient information.

Mountain States Health Alliance: Bringing Loving Care to Health Care

Summary

This course has provided an abbreviated overview of the HIPAA Privacy Rule, Security Rule and HITECH principles practiced throughout MSHA.

All patient information, whether it is verbal, written or in any computer system, should be securely maintained for confidentiality. Everyone who comes into contact with patient information is responsible for ensuring compliance with HIPAA.

Remember the Need to Know rule: only access information that you have a need to know to do your job.

Sanctions are applied for violation of privacy/security regulations and organization policies.

Who to Contact for Questions?

Research Department: 423-431-5647
HIPAA Compliance Office: 1-855-383-3401

Note: For purposes of research, proof of completion of HIPAA training will be required at the time of IRB and MSHA administrative approval request submission. ETSU and MSHA employees may complete an organizational HIPAA training(s).

Almost finished. Print the HIPAA training confirmation letter, sign it and submit it to 423-431-5685 (fax) or e-mail it to Christy.Adkins@msha.com