To become HIPAA certified, read the material below and take the self test to ensure you understand patient privacy issues.
HIPAA Compliance Training Certification – National Educational Seminars, Inc.
Everyone with access to others’ health and medical information must comply with HIPAA (the Health Insurance Portability and Accountability Act).
This training gives an overview of selected aspects of HIPAA and outlines your responsibilities as a healthcare provider or an associate of a healthcare provider.
What is HIPAA? HIPAA is a federal law designed to protect health information. It applies to any covered entity.
Protected Health Information (PHI): The term used in HIPAA for the information HIPAA protects. It is any information about a patient, or any information that can be used to identify a patient. This training covers only some of the ways HIPAA requires you to protect PHI. HIPAA requires us to guard PHI in many ways. This training covers the ways outlined in the privacy-oriented sections of HIPAA, but you are also required by law to protect PHI by following security policies that further ensure its security, such as maintaining the security of computer passwords, keeping computers fully updated and virus free, accessing PHI only over secure network connections, locking all doors and file storage areas, and physically securing all equipment (laptops, servers, fax machines, etc.), for example behind locked doors or where access is controlled.
Types of PHI
Different types of health information count as PHI. PHI can concern a person who is alive or deceased, and it can be past, present, or future information about an individual’s health, the treatment of their health condition, or the billing/payment for their health services. PHI also includes any unique number or characteristic that could be linked to an individual, for example names (including names of relatives), photographs or images, phone numbers, addresses, or a person’s health condition or treatment.
No matter its form, you must protect PHI. HIPAA requires you to always protect PHI. For example, you can protect PHI by never using patients’ names or personal details when talking in hallways or other public spaces, never taking PHI out of the clinic, using secure recycling or shredders, securely storing all paper files and removable electronic media, encrypting electronic files and emails, and using screen filters so that others cannot read the information on your computer screen.
Access PHI on a need-to-know basis
Access PHI only on a need-to-know basis. HIPAA requires that you access or disclose PHI only as part of job-related duties. If you access or disclose PHI without a patient’s written authorization or for anything other than treatment, payment, or health operations purposes, you are violating HIPAA. It makes no difference whether the information relates to a high-profile person or to a close friend or family member. These rules apply to all employees, including health care professionals. Remember, just because you have access to the information does not mean it is legal for you to look at it.
Real life example
Last year, a former UCLA Health System employee became the first person in the US to receive jail time in a federal prison for a misdemeanor HIPAA offense. The employee used his access to the university’s electronic medical records system to view the medical records of his supervisors, co-workers, and high profile patients. While he did not sell or use the information for any personal gain, the access was illegal because he lacked a valid reason for looking at the records. He was sentenced to four months in federal prison and $2,000 in fines.
Protect PHI, even while not at work
It is easy to forget about work rules when you are done with your work day, but HIPAA rules apply to you no matter where you are or what time of day it is. Do not discuss patient information casually with your friends or acquaintances in any setting. Do not talk about patients on social media (Facebook, Twitter, etc.). People have violated HIPAA in conversations at restaurants. It is not enough to avoid using a person’s name. Any identifiable information about an individual is PHI.
Real life example
A doctor at Westerly Hospital in Rhode Island was fired for posting information on Facebook about a patient she treated. Although the posting did not reveal the patient’s name, it contained enough information that others could easily identify him or her, and it indicated the patient had problems with alcohol and marijuana abuse. In addition to losing her job, the doctor was reprimanded by the state medical board and fined $500.
Reporting breaches of PHI
A breach is a HIPAA violation that occurs when PHI is lost, stolen, or improperly disposed of: for example, when the paper or device on which PHI is recorded cannot be accounted for, when a computer is broken into by people or programs that are not authorized to have access, or when PHI is sent to others who have no official need to receive it. HIPAA requires you to report breaches to your HIPAA compliance officer and to Health and Human Services.
Retaliation is strictly prohibited
Employees may not threaten or take any retaliatory action against an individual for reporting or filing a HIPAA report or complaint, including notification of a privacy or security breach.
HIPAA violations carry serious penalties. In addition to losing your job, the federal government might order you to pay fines or serve a prison sentence, or both, depending on the circumstances: up to $250,000 in fines and 10 years in prison. HIPAA violations can also result in criminal and civil penalties for the clinic: $50,000 per incident, up to $1.5 million per calendar year. Although penalties are far more serious for those who intentionally break the law, HIPAA penalties apply to unintentional violations, too. For more on penalties, review the HIPAA Administrative Simplification document available on our Downloads page.
A patient has the right to receive a copy of the clinic’s Notice of Privacy Practices form, to request restrictions and confidential communications of their PHI, to inspect and copy their healthcare records, to request corrections of their healthcare records, to obtain an accounting of disclosures, and to file a complaint with a health provider or insurer and the US Government if the patient believes his or her rights have been denied or that PHI is not being protected.
HIPAA states that when the use or disclosure of PHI is permitted, only the minimum necessary information may be used or disclosed. This is intended to protect PHI; it does not restrict the ability of healthcare providers to share information needed to treat patients, process payments, or report public health concerns. Patients must always sign an authorization form before their PHI may be released to outside parties such as a life insurer, bank, or marketing firm.
Without an authorization, the clinic may not use information about the medical treatment of an individual for targeted marketing, such as testimonials on a website.
An outside company or individual is considered a HIPAA Business Associate when providing services involving PHI maintained by the clinic. HIPAA requires that business associates enter into a Business Associate Agreement (BAA) with the clinic, use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by their contract with the clinic, notify the clinic of any instance of a breach for which the business associate was responsible, where PHI has been improperly accessed, used, or disclosed, ensure that their employees and subcontractors receive HIPAA training, and protect PHI to the same degree as the clinic.
Once you have completed your thorough review of this training material, you may click the button below to proceed to Step 2, the HIPAA Compliance Self-Test.