To become HIPAA certified, read the material below and take the self test to ensure you understand patient privacy issues.
HIPAA Certification – National Educational Seminars, Inc.
Everyone with access to others’ health and medical information must comply with HIPAA (the Health and Insurance Portability and Accountability Act).
This training gives an overview of selected aspects of HIPAA and outlines your responsibilities.
What is HIPAA? HIPAA is a federal law designed to protect health information. It applies to any covered entity.
Protected Health Information (PHI): The term used in HIPAA that refers to the information HIPAA protects. It is any information about a patient, or that can be used to identify a patient. This training covers only some of the ways HIPAA requires you to protect PHI. HIPAA requires us to guard PHI in many ways. This training will cover the ways outlined in privacy-oriented sections of HIPAA, but you are required by law to protect PHI by following security policies which further ensure the security of PHI, such as maintaining the security of computer passwords, keeping computers fully updated and virus free, only accessing PHI over secure network connections, locking all doors and file storage areas, and physically securing all equipment (laptops, servers, fax machines, etc.). For example, behind locked doors or where access is controlled.
Types of PHI
Different types of health information count as PHI. PHI can be about a person who is alive or deceased, past, present, or future information about an individual’s health, the treatment of their health condition, or the billing/payment for their health services. Any unique number of characteristics that could be linked to an individual, for example, Names (including names of relatives), photographs or images, phone numbers, addresses, or a person’s health condition or treatment.
No matter its form, you must protect PHI. HIPAA requires you to always protect PHI. For example, you can protect PHI by never using patients’ names or personal details when talking in hallways or other public spaces, never taking PHI out of the clinic, using secure recycling or shredders, securely storing all paper files and removable electronic media, encrypting electronic files and emails, and using screen filters so that others cannot read the information on your computer screen.
Access PHI on a need to know basis
Access PHI only on a need to know basis. HIPAA requires that you only access or disclose PHI as part of job related duties. If you access or disclose PHI without a patient’s written authorization or for anything other that treatment, payment, or health operations purposes, you are violating HIPAA. It makes no difference if the information relates to a high profile person of a close friend or family member. These rules apply to all employees, including health care professionals. Remember, just because you have access to the information does not mean it is legal for you to look at it.
Real life example
Last year, a former UCLA Health System employee became the first person in the US to receive jail time in a federal prison for a misdemeanor HIPAA offense. The employee used his access to the university’s electronic medical records system to view the medical records of his supervisors, co-workers, and high profile patients. While he did not sell or use the information for any personal gain, the access was illegal because he lacked a valid reason for looking at the records. He was sentenced to four months in federal prison and $2,000 in fines.
Protect PHI, even while not at work
It is easy to forget about work rules whey you are done with your work day, but HIPAA rules apply to you no matter where you are of what time of day it is. Do not discuss patient information casually with your friends or acquaintances in any setting. Do not talk about patients on social media (Facebook, Twitter, etc.). People have violated HIPAA in conversations at restaurants. It is not enough to avoid using a person’s name. Any identifiable information about an individual is PHI.
Real life example
A doctor at Westerly Hospital in Rhode Island was fired for posting information on Facebook about a patient she treated. Although the posting did not reveal the patient’s name, there was enough information that others could easily identify him or her and indicated the patient had problems with alcohol and marijuana abuse. In addition to losing her job, the doctor was also reprimanded by the state medical board and fined $500.
Reporting breaches of PHI
A breach is a HIPAA violation that occurs when PHI is lost, stolen, or improperly disposed of. For example, the paper or device upon which PHI is recorded cannot be accounted for, if the computer is hacked into by people or computer programs that are not authorized to have access, if the PHI is sent to others who have no official need to receive it. HIPAA requires you to report breaches to your HIPAA compliance officer and to Health and Human Services.
Retaliation is strictly prohibited
Employees may not threaten or take any retaliatory action against an individual for reporting or filing a HIPAA report or complaint, including notification of a privacy or security breach.
HIPAA violations carry serious penalties. In addition to losing your job, the federal government might order you to pay fines or serve a prison sentence or both, depending on the circumstances. Up to $250,000 in fines and 10 years in prison. HIPAA violations can also result in criminal and civil penalties for the clinic. $50,000 per incident, up to $1.5 million per calender year. Although penalties are for more serious for those who intentionally break the law, HIPAA penaltiess apply to unintentional violations, too.
A patient has the right to receive a copy of the clinic’s Notice of Privacy Practices Form, to request restrictions an confidential communications of their PHI, to inspect and copy their healthcare records, to request corrections of their healthcare records, to obtain an accounting of disclosures, and to file a complaint with a health provider or insurer and the US Government if the patient believes his or her rights have been denied or that PHI is not being protected.
HIPAA states that when the use of disclosure of PHI is permitted, only the minimum necessary information may be used or disclosed. This is intended to protect PHI, it does not restrict the ability of healthcare providers to share information needed to treat patients, process payments, or to report public health concerns. Patients must always sign an authorization form before their PHI may be released to outside parties such as a life insurer, bank , or marketing firm.
Without an authorization, the clinic may not use information about the medical treatment of an individual for targeted marketing, such as testimonials on a website.
An outside company or individual is considered a HIPAA Business Associate when providing services involving PHI maintained by the clinic. HIPAA requires that business associates enter into a Business Associate Agreement (BAA) with the clinic, use appropriate safeguards to prevent the use of disclosure of PHI other than as permitted by a contract with the clinic, notify the clinic of any individual instances of a breach for which the business associate was responsible, where PHI has been improperly accessed, used, or disclosed, ensure that their employees and subcontractors receive HIPAA training,and protect PHI to the same degree as the clinic.
1. Who is covered under HIPAA?
B. Healthcare Providers
C. Health Plans
D. All of the above
2. My friend and I go out to lunch every week, and she always asks me “How’s work?” I tell her about the patients we have. I never mention their names, so the patients are de-identified. That’s ok, right?
3. What can happen to a person who knowingly violates patient privacy for personal gain or malicious harm?
A. Disciplinary action
B. Loss of access privileges
C. Fines and penalties
E. All of the above
4. Are members of the office who are not involved in a patient’s care allowed to review the patient’s chart out of curiosity?
5. What makes a good password?
A. Using a wide range of characters
B. Using mixed case in words
C. None of the above
D. All of the above
6. If someone forgets his log-in ID, can I let him use mine?
A. Yes, if he is an employee and you know him
B. Yes, if your supervisor says it is ok
C. No, sharing log-ins and passwords is a security violation
7. What are some things I can do to be more alert to Privacy and Security?
A. Keep patient information to myself
B. Report incidents
C. Activate a screen saver with a password
D. Improve your password strength and do not share it with anyone
E. Make sure your virus software is enabled
F. All of the above
8. What does “minimum necessary” mean?
A. I am only expected to complete the minimum requirements of my job
B. An employee’s access to PHI is limited to only what is needed to perform his/her responsibilities
C. Requests and disclosures of PHI are limited to what is needed to perform the task
D. A clinic is no longer allowed to provide information about patients to the media under any circumstances
E. b and c
9. Should I report a security or privacy violation?
A. No, that is a job for the police
B. Yes, but only the really serious ones
C. Yes, all employees have a responsibility to report suspected and actual violations. Ask the supervisor about the proper reporting procedures
10. How do you get rid of patient paperwork?
A. Use it as scratch paper
B. Throw it in the trash can
C. Have it shredded
11. Who is responsible for addressing patient complaints about privacy?
A. Privacy Officer
B. Safety Officer
C. Compliance Officer
12. True or False? Under HIPAA, a patient has the following rights:
To receive a Notice of Privacy Practices
To see or receive a copy of his/her PHI
To ask for PHI to be sent to him/her in a different format
To receive a list of disclosures
13. Are Consents and Authorizations the same?
A. Yes, they can be used interchangeably
B. No. Consents are used to get the patient’s permission to use or disclose health information for treatment, payment or business operations. Authorizations are used to obtain permission to disclose PHI for activities outside the realm of treatment, payment, or business operations
12. T, T, T, T