The Easiest Online HIPAA Compliance Certification | Only $30

STEP 1: HIPAA Compliance Training Certification

HIPAA Compliance Training is Mandatory For Anyone Who Comes in Contact with PHI.


Becoming Certified in HIPAA Compliance

To become HIPAA certified, read the material below and take the self test to ensure you understand patient privacy issues.
HIPAA Compliance Training Certification – National Educational Seminars, Inc.
Everyone with access to others’ health and medical information must comply with HIPAA (the Health Insurance Portability and Accountability Act).
This training gives an overview of selected aspects of HIPAA and outlines your responsibilities as a healthcare provider or an associate of a healthcare provider.
The Law
What is HIPAA?  HIPAA is a federal law designed to protect health information.  It applies to any covered entity.
Protected Health Information (PHI): The term used in HIPAA that refers to the information HIPAA protects. It is any information about a patient, or that can be used to identify a patient. This training covers only some of the ways HIPAA requires you to protect PHI. HIPAA requires us to guard PHI in many ways. This training will cover the ways outlined in privacy-oriented sections of HIPAA, but you are also required by law to protect PHI by following security policies which further ensure the security of PHI, such as maintaining the security of computer passwords, keeping computers fully updated and virus free, only accessing PHI over secure network connections, locking all doors and file storage areas, and physically securing all equipment (laptops, servers, fax machines, etc.), for example behind locked doors or where access is controlled.
Types of PHI
Different types of health information count as PHI. PHI can be about a person who is alive or deceased. It can be past, present, or future information about an individual’s health, the treatment of their health condition, or the billing/payment for their health services. It includes any unique number or characteristic that could be linked to an individual, for example names (including names of relatives), photographs or images, phone numbers, addresses, or a person’s health condition or treatment.
Protecting PHI
No matter its form, you must protect PHI.  HIPAA requires  you to always protect PHI.  For example, you can protect PHI by never  using patients’ names or personal details when talking in hallways or  other public spaces, never taking PHI out of the clinic, using secure  recycling or shredders, securely storing all paper files and removable  electronic media, encrypting electronic files and emails, and using  screen filters so that others cannot read the information on your  computer screen.
Access PHI on a need to know basis
Access PHI only on a need-to-know basis. HIPAA requires that you only access or disclose PHI as part of job-related duties. If you access or disclose PHI without a patient’s written authorization or for anything other than treatment, payment, or health operations purposes, you are violating HIPAA. It makes no difference if the information relates to a high profile person or a close friend or family member. These rules apply to all employees, including health care professionals. Remember, just because you have access to the information does not mean it is legal for you to look at it.
Real life example
Last year, a former UCLA Health System employee became  the first person in the US to receive jail time in a federal prison for a  misdemeanor HIPAA offense.  The employee used his access to the  university’s electronic medical records system to view the medical  records of his supervisors, co-workers, and high profile patients.   While he did not sell or use the information for any personal gain, the  access was illegal because he lacked a valid reason for looking at the  records.  He was sentenced to four months in federal prison and $2,000  in fines.
Protect PHI, even while not at work
It is easy to forget about work rules when you are done with your work day, but HIPAA rules apply to you no matter where you are or what time of day it is. Do not discuss patient information casually with your friends or acquaintances in any setting. Do not talk about patients on social media (Facebook, Twitter, etc.). People have violated HIPAA in conversations at restaurants. It is not enough to avoid using a person’s name. Any identifiable information about an individual is PHI.
Real life example
A doctor at Westerly Hospital in Rhode Island was fired  for posting information on Facebook about a patient she treated.   Although the posting did not reveal the patient’s name, there was enough  information that others could easily identify him or her and indicated  the patient had problems with alcohol and marijuana abuse.  In addition  to losing her job, the doctor was also reprimanded by the state medical  board and fined $500.
Reporting breaches of PHI
A breach is a HIPAA violation that occurs when PHI is lost, stolen, or improperly disposed of. For example, a breach occurs if the paper or device upon which PHI is recorded cannot be accounted for, if the computer is hacked into by people or computer programs that are not authorized to have access, or if the PHI is sent to others who have no official need to receive it. HIPAA requires you to report breaches to your HIPAA compliance officer and to Health and Human Services.
Retaliation is strictly prohibited
Employees may not threaten or take any retaliatory action  against an individual for reporting or filing a HIPAA report or  complaint, including notification of a privacy or security breach.
Violation penalties
HIPAA violations carry serious penalties. In addition to losing your job, the federal government might order you to pay fines or serve a prison sentence or both, depending on the circumstances: up to $250,000 in fines and 10 years in prison. HIPAA violations can also result in criminal and civil penalties for the clinic: $50,000 per incident, up to $1.5 million per calendar year. Although penalties are far more serious for those who intentionally break the law, HIPAA penalties apply to unintentional violations, too. For more on penalties, review the HIPAA Administrative Simplification document available on our Downloads page.
Patient rights
A patient has the right to receive a copy of the clinic’s Notice of Privacy Practices Form, to request restrictions and confidential communications of their PHI, to inspect and copy their healthcare records, to request corrections of their healthcare records, to obtain an accounting of disclosures, and to file a complaint with a health provider or insurer and the US Government if the patient believes his or her rights have been denied or that PHI is not being protected.
Minimum necessary
HIPAA states that when the use or disclosure of PHI is permitted, only the minimum necessary information may be used or disclosed. This is intended to protect PHI; it does not restrict the ability of healthcare providers to share information needed to treat patients, process payments, or to report public health concerns. Patients must always sign an authorization form before their PHI may be released to outside parties such as a life insurer, bank, or marketing firm.
Without an authorization, the clinic may not use  information about the medical treatment of an individual for targeted  marketing, such as testimonials on a website.
Business associates
An outside company or individual is considered a HIPAA Business Associate when providing services involving PHI maintained by the clinic. HIPAA requires that business associates enter into a Business Associate Agreement (BAA) with the clinic, use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by a contract with the clinic, notify the clinic of any individual instances of a breach for which the business associate was responsible, where PHI has been improperly accessed, used, or disclosed, ensure that their employees and subcontractors receive HIPAA training, and protect PHI to the same degree as the clinic.

 Once you have completed your thorough review of this training material, you may click the button below to proceed to Step 2, the HIPAA Compliance Self-Test