HIPAA Certification

Protecting Patient Privacy

Required Staff Training

To become HIPAA certified, read the material below and take the self test to ensure you understand patient privacy issues.
HIPAA Certification – National Educational Seminars, Inc.
Everyone with access to others’ health and medical information must comply with HIPAA (the Health Insurance Portability and Accountability Act).
This training gives an overview of selected aspects of HIPAA and outlines your responsibilities.
The Law
What is HIPAA? HIPAA is a federal law designed to protect health information. It applies to any covered entity.
Protected Health Information (PHI): the term used in HIPAA for the information HIPAA protects. It is any information about a patient, or that can be used to identify a patient. This training covers only some of the ways HIPAA requires you to protect PHI. HIPAA requires us to guard PHI in many ways. This training will cover the ways outlined in the privacy-oriented sections of HIPAA, but you are also required by law to protect PHI by following security policies that further ensure the security of PHI, such as maintaining the security of computer passwords, keeping computers fully updated and virus free, accessing PHI only over secure network connections, locking all doors and file storage areas, and physically securing all equipment (laptops, servers, fax machines, etc.), for example behind locked doors or where access is controlled.
Types of PHI
Different types of health information count as PHI. PHI can be about a person who is alive or deceased, and can be past, present, or future information about an individual’s health, the treatment of their health condition, or the billing/payment for their health services. It also includes any unique number or characteristic that could be linked to an individual, for example names (including names of relatives), photographs or images, phone numbers, addresses, or a person’s health condition or treatment.
Protecting PHI
No matter its form, you must protect PHI. HIPAA requires you to always protect PHI. For example, you can protect PHI by never using patients’ names or personal details when talking in hallways or other public spaces, never taking PHI out of the clinic, using secure recycling or shredders, securely storing all paper files and removable electronic media, encrypting electronic files and emails, and using screen filters so that others cannot read the information on your computer screen.
Access PHI on a need to know basis
Access PHI only on a need to know basis. HIPAA requires that you only access or disclose PHI as part of job related duties. If you access or disclose PHI without a patient’s written authorization or for anything other than treatment, payment, or health operations purposes, you are violating HIPAA. It makes no difference if the information relates to a high profile person or a close friend or family member. These rules apply to all employees, including health care professionals. Remember, just because you have access to the information does not mean it is legal for you to look at it.
Real life example
Last year, a former UCLA Health System employee became the first person in the US to receive jail time in a federal prison for a misdemeanor HIPAA offense. The employee used his access to the university’s electronic medical records system to view the medical records of his supervisors, co-workers, and high profile patients. While he did not sell or use the information for any personal gain, the access was illegal because he lacked a valid reason for looking at the records. He was sentenced to four months in federal prison and $2,000 in fines.
Protect PHI, even while not at work
It is easy to forget about work rules when you are done with your work day, but HIPAA rules apply to you no matter where you are or what time of day it is. Do not discuss patient information casually with your friends or acquaintances in any setting. Do not talk about patients on social media (Facebook, Twitter, etc.). People have violated HIPAA in conversations at restaurants. It is not enough to avoid using a person’s name. Any identifiable information about an individual is PHI.
Real life example
A doctor at Westerly Hospital in Rhode Island was fired for posting information on Facebook about a patient she treated. Although the posting did not reveal the patient’s name, there was enough information that others could easily identify him or her, and it indicated the patient had problems with alcohol and marijuana abuse. In addition to losing her job, the doctor was also reprimanded by the state medical board and fined $500.
Reporting breaches of PHI
A breach is a HIPAA violation that occurs when PHI is lost, stolen, or improperly disposed of: for example, when the paper or device on which PHI is recorded cannot be accounted for, when a computer is hacked into by people or computer programs that are not authorized to have access, or when PHI is sent to others who have no official need to receive it. HIPAA requires you to report breaches to your HIPAA compliance officer and to Health and Human Services.
Retaliation is strictly prohibited
Employees may not threaten or take any retaliatory action against an individual for reporting or filing a HIPAA report or complaint, including notification of a privacy or security breach.
Violation penalties
HIPAA violations carry serious penalties. In addition to losing your job, the federal government might order you to pay fines or serve a prison sentence or both, depending on the circumstances: up to $250,000 in fines and 10 years in prison. HIPAA violations can also result in criminal and civil penalties for the clinic: $50,000 per incident, up to $1.5 million per calendar year. Although penalties are far more serious for those who intentionally break the law, HIPAA penalties apply to unintentional violations, too.
Patient rights
A patient has the right to receive a copy of the clinic’s Notice of Privacy Practices Form, to request restrictions and confidential communications of their PHI, to inspect and copy their healthcare records, to request corrections of their healthcare records, to obtain an accounting of disclosures, and to file a complaint with a health provider or insurer and the US Government if the patient believes his or her rights have been denied or that PHI is not being protected.
Minimum necessary
HIPAA states that when the use or disclosure of PHI is permitted, only the minimum necessary information may be used or disclosed. This is intended to protect PHI; it does not restrict the ability of healthcare providers to share information needed to treat patients, process payments, or report public health concerns. Patients must always sign an authorization form before their PHI may be released to outside parties such as a life insurer, bank, or marketing firm.
Without an authorization, the clinic may not use information about the medical treatment of an individual for targeted marketing, such as testimonials on a website.
Business associates
An outside company or individual is considered a HIPAA Business Associate when providing services involving PHI maintained by the clinic. HIPAA requires that business associates enter into a Business Associate Agreement (BAA) with the clinic, use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by a contract with the clinic, notify the clinic of any individual instances of a breach for which the business associate was responsible, where PHI has been improperly accessed, used, or disclosed, ensure that their employees and subcontractors receive HIPAA training, and protect PHI to the same degree as the clinic.
Self Test
1. Who is covered under HIPAA?
A. Clearinghouses
B. Healthcare Providers
C. Health Plans
D. All of the above
2. My friend and I go out to lunch every week, and she always asks me “How’s work?” I tell her about the patients we have. I never mention their names, so the patients are de-identified. That’s ok, right?
A. yes
B. no
3. What can happen to a person who knowingly violates patient privacy for personal gain or malicious harm?
A. Disciplinary action
B. Loss of access privileges
C. Fines and penalties
D. Imprisonment
E. All of the above
4. Are members of the office who are not involved in a patient’s care allowed to review the patient’s chart out of curiosity?
A. Yes
B. No
5. What makes a good password?
A. Using a wide range of characters
B. Using mixed case in words
C. None of the above
D. All of the above
6. If someone forgets his log-in ID, can I let him use mine?
A. Yes, if he is an employee and you know him
B. Yes, if your supervisor says it is ok
C. No, sharing log-ins and passwords is a security violation
7. What are some things I can do to be more alert to Privacy and Security?
A. Keep patient information to myself
B. Report incidents
C. Activate a screen saver with a password
D. Improve your password strength and do not share it with anyone
E. Make sure your virus software is enabled
F. All of the above
8. What does “minimum necessary” mean?
A. I am only expected to complete the minimum requirements of my job
B. An employee’s access to PHI is limited to only what is needed to perform his/her responsibilities
C. Requests and disclosures of PHI are limited to what is needed to perform the task
D. A clinic is no longer allowed to provide information about patients to the media under any circumstances
E. b and c
9. Should I report a security or privacy violation?
A. No, that is a job for the police
B. Yes, but only the really serious ones
C. Yes, all employees have a responsibility to report suspected and actual violations. Ask the supervisor about the proper reporting procedures
10. How do you get rid of patient paperwork?
A. Use it as scratch paper
B. Throw it in the trash can
C. Have it shredded
11. Who is responsible for addressing patient complaints about privacy?
A. Privacy Officer
B. Safety Officer
C. Compliance Officer
12. True or False? Under HIPAA, a patient has the following rights:
To receive a Notice of Privacy Practices
To see or receive a copy of his/her PHI
To ask for PHI to be sent to him/her in a different format
To receive a list of disclosures
13. Are Consents and Authorizations the same?
A. Yes, they can be used interchangeably
B. No. Consents are used to get the patient’s permission to use or disclose health information for treatment, payment or business operations. Authorizations are used to obtain permission to disclose PHI for activities outside the realm of treatment, payment, or business operations
Answer Key
1. D
2. B
3. E
4. B
5. D
6. C
7. F
8. E
9. C
10. C
11. A
12. T, T, T, T
13. B