HIPAA TRAINING
2016 Required Training for ALL Employees
Great Expressions Dental Centers | Version 11.1 - October 2011 Proprietary Information – Restricted. For Internal Use Only.
HIPAA Training
Overview
HIPAA stands for Health Insurance Portability and Accountability Act of 1996
• The Federal act establishes standards for the privacy and security of health information as well as standards for electronic exchange of information
(not spelled HIPPA)

Contents
Overview
Effective Date
Protected Health Information (PHI)
HIPAA Privacy Rule
Who Has These Rights?
Covered Entity
Covered Entity Requirements
Business Associate
HITECH
Security Rule
NEW Omnibus Rules
Good Security Measures
GEDC Privacy Notice
HIPAA Consent Form
HIPAA Authorization Form
Release of Dental Records
Practical HIPAA Exceptions
Conclusion
Breach Contact Information
Effective Date
The original HIPAA Privacy Notice took effect April 14, 2003, was revised in September 2013, and describes:
1. How health information may be used and disclosed
2. How an individual can obtain access to their information
Protected Health Information (PHI)
PHI is individually identifiable health information transmitted or maintained in any form or medium (verbal, paper, electronic)
• Examples include, but are not limited to . . .
– Name, address, birth date, social security number
– Email address, fax number, license number
– Medical/dental record number, medical history, treatment
– Photographs
– Financial and/or insurance information
HIPAA Privacy Rule
The Privacy Rule focuses on the right of an individual to control the use of his or her personal information
• It covers the confidentiality of PHI in all formats including paper, verbal, and electronic
• It sets boundaries and establishes safeguards on use and release/disclosure of information
• It holds violators accountable with civil and criminal penalties
• PHI should not be divulged or used by others without authorization from the patient.
HIPAA Privacy Rule (cont’d)
The HIPAA Privacy Rule states that disclosures are limited to the minimum amount of information needed to accomplish the intended purpose!
Who Has These Rights?
HIPAA Privacy Rule protects
1. Patients whose protected health information we maintain
2. Legal/authorized representatives, whom the patient has authorized to have access to their health information
3. Parents and minors
Covered Entity (CE)
A “covered entity” (CE) includes those listed below that transmit health information electronically
1. Health care providers
2. Health plans
3. Healthcare clearinghouses
What Does the HIPAA Privacy Rule Require Covered Entities To Do?
1. Direct providers (i.e., dental offices) must notify patients of their privacy rights
2. They must adopt and implement privacy procedures for the practice
3. They must train employees so they understand privacy procedures
4. They must have an established Privacy Officer
5. They must safeguard patient health information that contains PHI
– And not make PHI available to those who don’t need the information
Business Associate (BA)
A BA is any person or entity (including the BA’s subcontractors) that performs or assists in functions or activities for GEDC that involve the use or disclosure of PHI.
• Their services may include, but are not limited to, legal, accounting, consulting, marketing, data compilation, record storage/disposal, billing services, software vendors, transcription services . . .
• They must safeguard and use protected health information the same as a CE
• GEDC must have a Business Associate Agreement (BAA) in place with the BA
HITECH ACT (Health Information Technology for Economic and Clinical Health)
HITECH ACT strengthened HIPAA by further restricting the use of PHI
• Expanded the requirements of accounting for how PHI is disclosed and requires notification if security is breached/broken
• Increased penalties for breaches
HITECH ACT (cont’d)
• It protects Electronic Health Records (EHR) & secures endpoints in communication
– ePHI is the electronic version of PHI
– There is a massive expansion in exchange of ePHI which increases the privacy and security concerns for all
– Under the HITECH ACT, “unsecured PHI” essentially means “unencrypted PHI”
– All emails that contain PHI that are sent OUTSIDE of the GEDC NETWORK must be ENCRYPTED!
HITECH ACT (cont’d): How do I encrypt an email?
1. At the beginning of the subject line, add Encrypt:
2. Leave one space after the colon
3. Type your subject in the subject line
– Example
• Encrypt: Patient X-rays
Security Rule
The Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI)
• It provides protection of ePHI data from unauthorized access
Information Technology Security Review
• Never download or install applications on your computer. Always contact the IT Help Desk for assistance if you believe this is something you need to do.
• Never open email attachments from unknown sources
• Never use thumb drives or flash drives unless directed by the IT Department
• Never connect any device to our network without approval from the IT Department (e.g., personal computers/tablets, printers)
• Never disable or uninstall Antivirus software
• Never discard a computer. The hard drive inside the computer may contain patient information. All broken or unused computers must be returned to the IT Department.
Information Technology Security Review (cont’d)
Social engineering is another way for hackers to gain access to our systems. Methods used to do this include:
• Individuals could show up at your office and request access to your computer systems. You can ALWAYS contact the IT Help Desk to confirm whether a technician is from GEDC if the visit was not already pre-planned.
• You may be called and asked for your user name and password. On occasion our IT Help Desk may ask for this information, but you NEVER have to give it out. The IT Department can change your password to give themselves access, but we can NEVER see your password. If this information is ever requested of you, it will be in response to a ticket you submitted.
• Sticky notes on monitors with usernames and passwords written on them.
Omnibus Rules – Effective March 2013
New rules that consolidate and enhance HIPAA privacy, security, enforcement, and breach notification. This means . . .
• Business associates are directly responsible for upholding the privacy/security rules
• Stronger limits are placed on how PHI is used for marketing/fundraising activities
• Restrictions are placed on how PHI is disclosed to an insurance company with regard to treatment of a patient who has paid all costs out-of-pocket
• Patient rights are expanded with regard to obtaining electronic copies of PHI
• Modification and redistribution of the Notice of Privacy Practices is required
• With a possible breach of PHI, there is a presumption that a breach has occurred, and it is the CE’s or BA’s responsibility to demonstrate that no PHI was compromised
• Penalties are increased, with a maximum penalty of 1.5 million dollars per violation
Good Security Measures
Reasonable/appropriate administrative, technical, and physical safeguards to protect PHI may include, but are not limited to . . .
• Files, cabinets, and areas with PHI are locked (where possible)
• Encryption of ePHI
• Protected logins and passwords
• Shredding of PHI (e.g., routing slips)
• Fax machine should be in a secure location; the fax number should be confirmed before faxing a document
• “Name alert” noted on charts (for patients who have the same name)
• PHI should not leave the office
• Voicemail messages should not be listened to on speaker-phone
• Cell phone use prohibited in clinical areas
• Be aware of surroundings – charts should not be left unattended, post-it notes containing PHI should not be visible, and be aware of what others may be overhearing
Report any known security breaches to Elaine Olejnik RDH BS, Compliance Officer, Patient Services and/or Joseph MacLean, General Counsel
GEDC Privacy Notice
Our Privacy Notice must be made available
• On request
• On the website
• Posted in a prominent location in the office
• (Located on iSmile, Compliance & Risk folder)
HIPAA Consent Form (Privacy Practices Receipt/Consent Form)
A good faith attempt should be made to obtain a Privacy Practices Receipt/Consent Form (purple chart form) from all new patients
• It allows the use of PHI for Treatment, Payment, or health care Operations (TPO)
• Patients can refuse to sign and still be treated!
• HIPAA consent may be revoked by the patient at any time – it must be done in writing and is effective immediately
• *ALL new patients must be offered a copy of the GEDC Notice of Privacy Practices (located on iSmile)
– Hint: place on office clipboards
HIPAA Consent Form (cont’d) (Privacy Practices Receipt/Consent Form)
Patients have the right to . . .
• Designate specified individuals with whom their PHI may be shared (section F)
• Restrict their PHI from being shared with specified individuals (section G)
(Back side of purple HIPAA Consent Form)
HIPAA Consent Form (cont’d)
(Privacy Practices Receipt/Consent Form)
If a patient requests their PHI be shared and/or restricted (as noted on their HIPAA Consent Form, section F, G), a DV marker/alert must be created to direct the GEDC team member to the HIPAA Consent Form for further details.
HIPAA Consent Form (cont’d)
(Privacy Practices Receipt/Consent Form)
A HIPAA Consent Form is not required prior to treatment in the following circumstances:
1. Emergencies, where obtaining consent would interfere with prompt treatment
2. Communication barriers (e.g., language) where obtaining consent is difficult or impossible
3. In cases where the provider is obligated to treat, but cannot obtain prior consent
Document, in chart, why consent could not be obtained and make a reasonable effort to get consent as soon as possible after treatment
The office is permitted to share PHI (face-to-face, over the phone, or in writing) with a family member, a friend, or other persons when for example:
• The patient is present, has the ability to make health care decisions and does not object
• The patient is not present and the office can reasonably assume that the patient would not object
• In an emergency situation and the office determines it is in the best interest of the patient
Use professional judgment when sharing patient PHI with family members and friends
• If there is any doubt that the patient would be concerned with whom their PHI is being shared, have the patient complete Section F of the HIPAA Consent Form
HIPAA Authorization Form
Patient must sign a HIPAA Authorization Form for the release or disclosure of their PHI to third parties that is not related to treatment, payment, or health care operations
• Third party requests for patient PHI are always addressed by the GEDC Patient Services Department/PSC N
– An example includes any legal request, with or without a subpoena
• Patient Services maintains a HIPAA log of all PHI releases
• Patient Services has the responsibility to provide the patient, Health and Human Services (HHS), and/or the Secretary/Office for Civil Rights with a record of any disclosures of PHI
HIPAA Authorization Form (cont’d)
• A written authorization includes
– The description of PHI to be disclosed
– The name of the person authorized to make the disclosure
– The person receiving the information
• Written authorizations must have an expiration date and may be revoked by the patient at any time
Release of Dental Records Form
Release of Dental Records Form gives consent to the office to release a copy of the dental record(s) to another dental office/health care provider
• Patient signs to transfer their dental records/PHI
• GEDC can charge for the duplication of the patient record
• It also provides an audit trail for released PHI
• (Located on iSmile, Compliance & Risk folder)
Practical HIPAA Exceptions
Daily routine requires communication with patients regarding their treatment, payment, or healthcare operations. Keep in mind . . .
• Communication by mail or phone is acceptable
• Appointment reminders are “ok”
• Leaving messages on answering machines
– Limit the amount of information shared: GEDC, number, and other information necessary to confirm the appointment
– A message can be left with a family member or other person who answers unless the patient specifically requests not to leave a message (note in patient file)
• PHI for treatment can be faxed with reasonable safeguards
Conclusion
• Employee actions pose the greatest threat to information security!
• Protect all patient information as if it were your own!
• All PHI should be on a “need to know” basis – use only minimum information necessary to complete the task at hand
• Use your professional judgment and disclose the least amount of information to accomplish the intended purpose - Minimum Necessary Standard!
Breach Contact Information
If you suspect an improper use or disclosure of PHI that compromises the security and privacy of that patient information, please contact Elaine Olejnik, RDH BS, Compliance Officer and Patient Services
• Elaine Olejnik RDH BS, Compliance Officer 248-203-1134 (or x. 71134)
• Patient Services 248-203-1100 (or x. 46178)
• Joseph MacLean, General Counsel 248-237-7503 (or x. 73942)
• Information Technology Help Desk 248-203-1107 (or x. 77777)