HIPAA TRAINING
Confidentiality, Privacy, and Information Security
Proprietary&Confiden'al
Instructions
Instructions for This Online Course
• Review the content of this course
• At the end you must pass a test to complete the course
Privacy and Information Security
Privacy and Information Security are key elements of Bright Heart Health's commitment to quality.
• No matter where you are located within Bright Heart Health, every staff member is responsible for understanding and following all privacy and security policies.
Objectives
When you complete this course, you will be able to:
• Identify types of confidential information.
• Describe best practices for safeguarding information in spoken, written or electronic formats.
• Understand your responsibility for data encryption.
• Describe your responsibilities for protecting information and reporting violations.
• Identify consequences for violations.
• Locate staff responsible for Privacy, Information Security and/or Compliance.
Privacy and Security Information
Every Bright Heart Health staff member is responsible for protecting confidential information.
• There are different types of confidential information, including:
– Patient Information
– Employee Information
– Bright Heart Health Information
• Financial and operational information
• Trade secrets
• System access and passwords
Private and Sensitive Information
Identifiable Patient Information
Unique identifiers including:
• Name
• Address
• Dates of birth, admission, discharge, death
• Telephone and fax numbers
• Email address
• Medical record number
• Health plan beneficiary number
• Social Security number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Web URL
• Internet Protocol (IP) address
• Finger or voice prints
• Photographic images
• Medical history & treatment
• Financial information (insurance, credit/debit card numbers)
Employee Information
• Driver's license number
• Social Security number
• Bank account numbers
• User ID and passwords
Information About Bright Heart Health
• Bright Heart Health Care Information
• Financial and operational information
• Trade secrets
• System access passwords
Privacy & Security Rule of Thumb
There are 2 things to remember about protecting confidential information:
1. Access information only if you need it to do your job.
2. Share information only with others who need it to do their jobs.
Confidential Information
Confidential information is stored and shared in the following ways:
• Verbal Communication (talking)
• Paper Documents
• Electronic Data
Verbal Communication
When talking about confidential information make sure you are:
• Sharing only with someone who needs to know the information to perform their job.
• Speaking where others (including patient family members and friends) cannot hear, if possible.
• Giving only the minimum amount of information necessary.
Verbal Communication
• When talking about confidential information be aware of your surroundings!
• Avoid discussing Personal Health Information (PHI) in public areas.
• When conversations in open areas cannot be avoided, remember to keep your voice low.
Releasing Personal Health Information (PHI)
General Information
• Care Coordinators are primarily responsible for releasing (or making available) PHI, but sometimes personnel in other departments release PHI.
• Physicians, therapists, dietitians, and nurses may release some information to the patient.
• Physicians and staff who have received the appropriate training may also release a Treatment Summary to the patient.
Releasing Personal Health Information
Your Medical Records
• To access your own medical record, complete an authorization form and submit it to the Clinical Director.
• The Clinical Director will notify you when you are approved to view your medical record.
PHI for Research
• Researchers that request PHI for research must submit appropriate documentation.
• Discuss any requests with the Clinical Director for specific procedures.
Accounting for Disclosures
• If you release PHI outside of Bright Heart Health for reasons other than treatment, payment or health care operations, you may need to track those disclosures.
• Document the disclosure on the patient's health record.
Always call the Clinical Director with questions about releasing PHI.
Tips for Releasing PHI
• Review information before sending to make sure you are only sending what is necessary.
• Double-check the e-mail address or fax number. Faxing information to the wrong number may lead to disciplinary action.
• Fax only when mail delivery is not fast enough to meet the patient's needs.
• Always use a fax cover sheet with a Confidentiality Notice.
• Email scanned documents to yourself before e-mailing them to the final recipient.
Here’satesttodetermineifyoucanuseorsharePHIAsk:1.Isthedisclosurefortreatment,paymentorhealthopera'onspurposes?2.Ifnot,doyouhavewriIenauthoriza'onfromthepa'ent?3.Ifnot,isthereananotherlegalrequirementfordisclosure?Iftheansweris“No”toall3,donotaccess,useorsharethePHI.
APPLYTHISTEST
Proprietary&Confiden'al
Disposal of Confidential Information
Never place confidential information in the trash!
Cross-cut shred or place in secure disposal bins:
• Paper
• Thumb drives and other storage devices
Disposal of Computers and Electronics
Disposal of Confidential Information on Electronic Devices:
• Computer hard drives must be physically destroyed or "electronically shredded." Contact your manager for assistance.
• Some leased equipment, e.g., copiers, has the ability to store information. When leased equipment is returned to the vendor, be sure all confidential information has been removed.
Releasing PHI: Subpoenas
A subpoena is a document issued by a court that requires a person to appear in court or to give some kind of evidence.
• If you receive a subpoena, it is critical to alert your manager and the Clinical Director or Medical Director.
• For billing document requests, direct the person presenting the subpoena to the Billing Department.
• For medical record requests, direct the presenter to the Clinical Director.
• For all other subpoenas, direct the presenter to the CEO.
• A subpoena does not remove HIPAA privacy protections. An authorization signed by the patient or a court order signed by a judge is required for releasing confidential information. Contact the CEO for guidance before responding to a subpoena.
Protecting Electronic Data
Confidential information stored on computers and other electronic devices requires special measures to keep it private.
• To protect confidential information stored as electronic data, you should:
– Avoid internet threats
– Ensure data is encrypted
– Use social media and blogging sites appropriately
– Create strong passwords
– Secure computers and other mobile devices
Internet Threats!
Phishing
• Phishing is unwanted e-mail ("spam") that tries to trick you into revealing confidential information, like passwords or credit card information.
• Do not reply to any e-mail message that might be a phishing attempt. Call the sender if in doubt or ask your manager.
Internet Threats!
Malware
Malware is software (computer programs) designed to harm your computer. Types of malware include viruses, worms and spyware. Malware can destroy your data and expose confidential information.
• Malware gets into your computer through e-mail attachments, compromised websites, holes in software and other ways.
• The best way to block malware is to always use an up-to-date antivirus program and an antispyware scanning program.
• If you suspect malware, do not click on any links or open any attachments.
Internet Threats!
Cloud Computing
• "Cloud" computing lets you access computer files and programs over the Internet.
• Gmail, Google Calendar, Google Docs, Dropbox, Yahoo, Kareo, ZOOM, etc. are cloud services.
• NEVER store confidential information on public cloud services. Only store information on Bright Heart Health cloud services.
• Bright Heart Health has Business Associate Agreements in place with Google, ZOOM, Kareo, and SurveyGizmo. Do not store confidential information on any other cloud service.
Internet Threats!
Personal E-mail
• Do not use personal e-mail accounts to conduct Bright Heart Health business or to send confidential information.
• Your personal e-mail account is often less secure than your work-issued account, so be sure to avoid threats on personal e-mail accounts.
• Bright Heart Health prohibits auto-forwarding of e-mail to a personal account.
When it comes to the Internet, if you are not sure it is safe, do not click on links or download files.
Phishing Example
Encryption
What is Encryption?
• Encryption makes electronic data (on computers and mobile devices, such as laptops and smartphones) unreadable. Only authorized users of the data will have a key to "unlock" the encryption.
Encryption Requirements
• Any confidential information that is sent electronically must be encrypted.
• This includes e-mail and information sent over public wireless networks.
Email Encryption
Confidential data should not be emailed outside your health care network. If you have a need to use email for transmitting confidential information, be sure to: 1) obtain approval from your manager or supervisor and 2) protect the contents with encryption.
If you do not know how to protect the contents with encryption, you should refrain from sending confidential information via email. Contact your email administrator or IT staff for assistance. You are responsible for ensuring that you are using encryption when necessary.
Social Media and Blogging
Social media sites (Facebook, Twitter, LinkedIn, Google+, etc.) and blog sites (WordPress, Blogger, LiveJournal, etc.) allow you to easily share information with your friends and the public.
• Never post protected health information or confidential information of any kind on social media or blog sites.
Passwords
A "strong" password is an important way to protect confidential information stored as electronic data.
A weak password: ladybug1
• Actual words, dates, nicknames and names of family, friends or pets are easily guessed.
A weak password: abcde
• Do not use sequences (12345, qwerty) or repeated characters (22222).
• Make sure passwords are at least 8 characters long.
A strong password: 1@dybu9!
• Mixing numbers, letters and special characters creates a stronger password.
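The password rules on this slide, written out as a small checker so the three sample passwords can be tested against them. This is an added illustration, not a Bright Heart Health tool; WORDLIST is a tiny constructed stand-in for the dictionary and name list a real checker would use, and the function names are assumptions.

```python
"""Checker for the slide's password rules: no words/names/dates, no sequences,
no repeated characters, at least 8 characters, and a mix of character classes.
Added example; WORDLIST is a constructed stand-in for a real dictionary."""
import re

MIN_LENGTH = 8
# Constructed sample of "actual words, nicknames and names" that are easily guessed.
WORDLIST = {"ladybug", "password", "welcome", "summer", "fluffy", "buddy"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` characters that step by +1/-1 in code point
    (abcd, 4321) or sit side by side on a keyboard row (qwer, 1234)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _has_repeat(pw: str, run: int = 3) -> bool:
    """True if one character repeats `run` or more times in a row (22222)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def password_problems(pw: str) -> list:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in low for word in WORDLIST):
        problems.append("contains a dictionary word or name")
    if re.search(r"(19|20)\d{2}", pw):  # a four-digit year, the commonest "date"
        problems.append("contains a date")
    if _has_sequence(pw):
        problems.append("contains a sequence (12345, qwerty, abcde)")
    if _has_repeat(pw):
        problems.append("contains repeated characters (22222)")
    has_letter, has_digit = re.search(r"[A-Za-z]", pw), re.search(r"\d", pw)
    has_special = re.search(r"[^A-Za-z0-9]", pw)
    if not (has_letter and has_digit and has_special):
        problems.append("mix letters, numbers and special characters")
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)
```

Run on the slide's examples, ladybug1 is flagged for the word and the missing special character, abcde for length, sequence and class mix, and 1@dybu9! passes every rule.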
Security for Computers
• Turn your screen away from public areas.
• Log out or lock your computer when you leave.
• Be careful when screen sharing not to show email or other applications that contain PHI.
Security for Mobile Devices
Any mobile device with confidential information on it should be encrypted.
• If it cannot be encrypted (e.g., a camera), it should be physically secured in a locked drawer or safe when not in use.
• Make sure you know where these devices are at all times.
• Report any loss or theft of a mobile device containing confidential information to your affiliate's computer support center immediately.
Actual Privacy and Security Violations
• PowerPoint presentation containing patient PHI for which authorization had not been obtained. The presentation was made to about 80 people.
• Unauthorized access of a patient's account by a physician who assumed it was okay because they were a "friend of the family."
• Unauthorized patient PHI used in a publication that was mailed to approximately 16,000 recipients.
• An external hard drive containing patient names, medical record numbers, dates of admission, medications, diagnosis and treatment information was lost or stolen.
Actual Privacy and Security Violations
• Access of a high-profile patient's account by over 60 employees of all levels.
• A printout containing PHI left on a table in a café.
• Thirty-one medical records lost by a physician and found by a Department of Corrections inmate.
• Disclosure of a very sensitive diagnosis to individuals not authorized.
• Lost and/or stolen smartphones, thumb drives and laptops which were not password protected or encrypted.
Reporting Privacy and Security Violations
Remember, if you are aware of or suspect a violation, you are required to report it to any of the people below:
• Your supervisor
• Clinical Director or Medical Director
• CEO
Supervisors are required to report any suspected violation reported by an employee to the CEO.
Issues that Should Be Reported
Loss of confidential information or equipment containing confidential information
• Stolen laptop
• Lost smartphone
• Misplaced patient records
• Lost hospital contract
Misuse of information, system access, or sharing of passwords
• Co-workers sharing passwords
Accidental or unauthorized disclosures of protected information
• Misdirected faxes and mail
• Human error
• Overheard conversations
• Inappropriate social media posts
Special Reporting Requirements for Social Security Numbers
The confidentiality of Social Security numbers has special legal protection.
• If Social Security numbers are released or disclosed to anyone who does not have a need to know them to perform their job, this must be reported immediately to your supervisor, the Privacy Office or the Information Security Office.
• Bright Heart Health is required to take additional steps in a timely manner when Social Security numbers are inappropriately released.
Consequences for Violations
• Bright Heart Health disciplinary action up to and including termination.
• Fines range: $100-$50,000 per violation. One incident could result in numerous violations and therefore multi-million dollar fines.
• Jail time: 1-10 years
Failure to report a violation is a violation!