HIPAA TRAINING - Bright Heart Health · appropriate training may also release to the paent a...

HIPAATRAINING

Confiden'ality,Privacy,andInforma'onSecurity

Proprietary&Confiden'al

Instruc'onsforThisOnlineCourse•  Reviewthecontentofthiscourse•  Attheendyoumustpassatesttocompletethecourse

Instruc'ons


PrivacyandInforma'onSecurityarekeyelementsoftheBrightHeartHealth’scommitmenttoquality.•  NomaIerwhereyouarelocatedwithinBrightHeartHealtheverystaffmemberisresponsibleforunderstandingandfollowingallprivacyandsecuritypolicies.

PrivacyandInforma'onSecurity


Whenyoucompletethiscourse,youwillbeableto:•  Iden'fytypesofconfiden'alinforma'on.•  Describebestprac'cesforsafeguardinginforma'oninspoken,wriIenorelectronicformats.

•  Understandyourresponsibilityfordataencryp'on.•  Describeyourresponsibili'esforprotec'nginforma'onandrepor'ngviola'ons.

•  Iden'fyconsequencesforviola'ons.•  LocatestaffresponsibleforPrivacy,Informa'onSecurityand/orCompliance.

Objec'ves


EveryBrightHeartHealthstaffmemberisresponsibleforprotec'ngconfiden'alinforma'on.•  Therearedifferenttypesofconfiden'alinforma'on,including:–  Pa'entInforma'on–  EmployeeInforma'on–  BrightHeartHealthInforma'on

•  Financialandopera'onalinforma'on•  Tradesecrets•  Systemaccessandpasswords

PrivacyandSecurityInforma'on


Iden%fiablePa%entInforma%onUniqueiden'fiersincluding:•  Name•  Address•  datesofbirth,admission,discharge,death•  telephoneandfaxnumbers,•  emailaddress•  medicalrecordnumber•  healthplanbeneficiarynumber•  SocialSecuritynumber•  accountnumber•  cer'ficate/licensenumber•  anyvehicleorotherdeviceserialnumber•  webURL•  InternetProtocol(IP)address•  fingerorvoiceprints,•  photographicimages•  Medicalhistory&treatment•  Financialinforma'on(insurance,credit/debit

cardnumbers)

EmployeeInforma%on•  Driver’slicensenumber•  SocialSecuritynumber•  Bankaccountnumbers•  UserIDandpasswordsInforma%onAboutBrightHeartHealth•  BrightHeartHealthCareInforma'on•  Financialandopera'onalinforma'on•  Tradesecrets•  Systemaccesspasswords

PrivateandSensa'veInforma'on


Thereare2thingstorememberaboutprotec'ngconfiden'alinforma'on:1.  Accessinforma'ononlyifyouneedittodoyour

job.2.  Shareinforma'ononlywithotherswhoneeditto

dotheirjobs.

Privacy&SecurityRuleofThumb


Confiden'alinforma'onisstoredandsharedinthefollowingways:•  VerbalCommunica'on(talking)•  PaperDocuments•  ElectronicData

Confiden'alInforma'on


Whentalkingaboutconfiden'alinforma'onmakesureyouare:•  Sharingonlywithsomeonewhoneedstoknowtheinforma'ontoperformtheirjob.

•  Speakingwhereothers(includingpa'entfamilymembersandfriends)cannothear,ifpossible.

•  Givingonlytheminimumamountofinforma'onnecessary.

VerbalCommunica'on


VerbalCommunica'on•  Whentalkingaboutconfiden'alinforma'onbeawareofyoursurroundings!

•  AvoiddiscussingPersonalHealthInforma'on(PHI)inpublicareas.

•  Whenconversa'onsinopenareascannotbeavoided,remembertokeepyourvoicelow.

VerbalCommunica'on


GeneralInforma%on•  CareCoordinatorsareprimarilyresponsibleforreleasing(ormakingavailable)PHI,butsome'mespersonnelinotherdepartmentsreleasePHI.

•  Physicians,therapists,die''ans,andnursesmayreleasesomeinforma'ontothepa'ent.

•  Physiciansandstaffwhohavereceivedtheappropriatetrainingmayalsoreleasetothepa'entaTreatmentSummary.

ReleasingPersonalHealthInforma'on(PHI)


YourMedicalRecords•  Toaccessyourownmedicalrecord,completeanauthoriza'onformand

submittotheClinicalDirector.•  TheClinicalDirectorwillno'fyyouwhenyouareapprovedtoviewyour

medicalrecord.PHIforResearch•  ResearchersthatrequestPHIforresearchmustsubmitappropriate

documenta'on.•  DiscussanyrequestswiththeClinicalDirectorforspecificprocedures.Accoun%ngforDisclosures•  IfyoureleasesPHIoutsideofBrightHeartHealthforreasonsotherthan

treatment,paymentorhealthcareopera'ons,youmayneedtotrackthosedisclosures.

•  Documentthedisclosureonthepa'entshealthrecord.AlwaysCalltheClinicalDirectorwithques;onsaboutreleasingPHI.

ReleasingPersonalHealthInforma'on


•  Reviewinforma'onbeforesendingtomakesureyouareonlysendingwhatisnecessary.

•  Double-checkthee-mailaddressorfaxnumber.Faxinginforma'ontothewrongnumbermayleadtodisciplinaryac'on.

•  Faxonlywhenmaildeliveryisnotfastenoughtomeetthepa'ent’sneeds.

•  AlwaysuseafaxcoversheetwithConfiden'alityNo'ce.

•  Emailscanneddocumentstoyourselfbeforee-mailingthemtothefinalrecipient.

TipsforReleasingPHI


Here’satesttodetermineifyoucanuseorsharePHIAsk:1.Isthedisclosurefortreatment,paymentorhealthopera'onspurposes?2.Ifnot,doyouhavewriIenauthoriza'onfromthepa'ent?3.Ifnot,isthereananotherlegalrequirementfordisclosure?Iftheansweris“No”toall3,donotaccess,useorsharethePHI.

APPLYTHISTEST


Neverplaceconfiden'alinforma'oninthetrash!

Cross-cutshredorplaceinsecuredisposalbins:•  Paper•  Thumbdrivesandotherstoragedevices

DisposalofConfiden'alInforma'on


DisposalofConfiden'alInforma'ononElectronicDevices:•  Computerharddrivesmustbephysicallydestroyedor“electronicallyshredded.”Contactyourmanagerforassistance.

•  Someleasedequipmenthasabilitytostoreinforma'on,e.g.,copiers.Whenleasedequipmentisreturnedtovendorbesureallconfiden'alinforma'onhasbeenremoved.

DisposalofComputersandElectronics


Asubpoenaisadocumentissuedbyacourtthatrequiresapersontoappearincourtortogivesomekindofevidence.•  Ifyoureceiveasubpoena,itiscri'caltoalertyour

managerandtheClinicalDirectororMedicalDirector.•  Forbillingdocumentrequests,directtheperson

presen'ngthesubpoenatotheBillingDepartment.•  Formedicalrecordrequests,directthepresentertothe

ClinicalDirector.•  Forallothersubpoenas,directthepresentertotheCEO.•  AsubpoenadoesnotremoveHIPAAprivacyprotec'ons.

Anauthoriza'onsignedbythepa'entoracourtordersignedbyajudgeisrequiredforreleasingconfiden'alinforma'on.ContacttheCEOforguidancebeforerespondingtoasubpoena.

ReleasingPHI:Subpoenas


Confiden'alinforma'onstoredoncomputersandotherelectronicdevicesrequiresspecialmeasurestokeepitprivate.•  Toprotectconfiden'alinforma'onstoredaselectronicdata,youshould:–  Avoidinternetthreats–  Ensuredataisencrypted–  Usesocialmediaandbloggingsitesappropriately–  Createstrongpasswords–  Securecomputersandothermobiledevices

Protec'ngElectronicData


Phishing•  Phishingisunwantede-mail(”spam”)thattriestotrickyouintorevealingconfiden'alinforma'on,likepasswordsorcreditcardinforma'on.

•  Donotreplytoanye-mailmessagethatmightbeaphishingaIempt.Callthesenderifindoubtoraskyourmanager.

InternetThreats!


MalwareMalwareissoeware(computerprograms)designedtoharmyourcomputer.Typesofmalwareincludeviruses,wormsandspyware.Malwarecandestroyyourdataandexposeconfiden'alinforma'on.•  Malwaregetsintoyourcomputerthroughe-mail

aIachments,compromisedwebsites,holesinsoewareandotherways.

•  Thebestwaytoblockmalwareistoalwaysuseanup-to-datean'virusprogramandanan'spywarescanningprogram.

•  IfyoususpectMalware,donotclickonanylinksoropenanyaIachments.

InternetThreats!


CloudCompu%ng•  “Cloud”Compu'ngletsyouaccesscomputerfilesandprogramsovertheInternet.

•  Gmail,GoogleCalendar,GoogleDocs,Dropbox,Yahoo,Kareo,ZOOM,etc.arecloudservices.

•  NEVERstoreconfiden'alinforma'ononpubliccloudservices.Onlystoreinforma'ononBrightHeartHealthcloudservices.

•  BrightHeartHealthhasBusinessAssociatesAgreementinplacewithGoogle,ZOOM,Kareo,andSurveyGizmo.Donotstoreconfiden'alinforma'ononanyothercloudservice.

InternetThreats!


PersonalE-mail•  Donotusepersonale-mailaccountstoconductBright

HeartHealthbusinessortosendconfiden'alinforma'on.

•  Yourpersonale-mailaccountisoeenlesssecurethanyourworkissuedaccount,sobesuretoavoidthreatsonpersonale-mailaccounts.

•  BrightHeartHealthprohibitsauto-forwardingofe-mailtoapersonalaccount.

WhenitcomestotheInternet,ifyouarenotsureitissafe,donotclickonlinksordownloadfiles.

InternetThreats!


PhishingExample


WhatisEncryp'on?•  Encryp'onmakeselectronicdata(oncomputersandmobiledevices,suchaslaptopsandsmartphones)unreadable.Onlyauthorizedusersofthedatawillhaveakeyto“unlock”theencryp'on.

Encryp'onRequirements•  Anyconfiden'alinforma'onthatissentelectronicallymustbeencrypted.

•  Thisincludese-mailandinforma'onsentoverpublicwirelessnetworks.

Encryp'on


Confiden'aldatashouldnotbeemailedoutsideyourhealthcarenetwork.Ifyouhaveaneedtouseemailfortransmihngconfiden'alinforma'on,besureto:1)obtainapprovalfromyourmanagerorsupervisorand2)protectthecontentswithencryp'on.

Ifyoudonotknowhowtoprotectthecontentswithencryp'on,youshouldrefrainfromsendingconfiden'alinforma'onviaemail.ContactyouremailadministratororITstaffforassistance.Youareresponsibleforensuringthatyouareusingencryp'onwhennecessary.

EmailEncryp'on


Socialmediasites(Facebook,TwiIer,LinkedIn,Google+,etc.)andblogsites(WordPress,Blogger,LiveJournal,etc.)allowyoutoeasilyshareinforma'onwithyourfriendsandthepublic.•  Neverpostprotectedhealthinforma'onorconfiden'alinforma'onofanykindonsocialmediaorblogsites.

SocialMediaandBlogging


A“strong”passwordisanimportantwaytoprotectconfiden'alinforma'onstoredaselectronicdata.Aweakpassword:ladybug1•  Actualwords,dates,nicknamesandnamesoffamily,•  friendsorpetsareeasilyguessed.Aweakpassword:abcde•  Donotusesequences(12345,qwerty)orrepeated

characters(22222).•  Makesurepasswordsareatleast8characterslong.Astrongpassword:1@dybu9!•  Mixingnumbers,leIersandspecialcharacterscreatesa

strongerpassword.

Passwords


Turnyourscreenawayfrompublicareas.•  Logoutorlockyourcomputerwhenyouleave.•  Becarefulwhenscreensharingnottoshowemail,orotherapplica'onsthatcontainPHI

SecurityforComputers


Anymobiledevicewithconfiden'alinforma'ononitshouldbeencrypted.•  Ifnotabletobeencrypted(e.g.,acamera)itshouldbephysicallysecuredwhennotinuseinalockeddrawerorsafe.

•  Makesureyouknowwherethesedevicesareatall'mes.

•  Reportanylossortheeofamobiledevicecontainingconfiden'alinforma'ontoyouraffiliate’scomputersupportcenterimmediately.

SecurityforMobileDevices


•  PowerPointpresenta'oncontainingpa'entPHIforwhichauthoriza'onhadnotbeenobtained.Thepresenta'onwasmadetoabout80people.

•  Unauthorizedaccessofapa'ent’saccountbyaphysicianwhoassumeditwasokaybecausetheywerea“friendofthefamily.”

•  Unauthorizedpa'entPHIusedinapublica'onthatwasmailedtoapproximately16,000recipients.

•  Anexternalharddrivecontainingpa'entnames,medicalrecordnumbers,datesofadmission,medica'ons,diagnosisandtreatmentinforma'onwaslostorstolen.

ActualPrivacyandSecurityViola'ons


•  Accessofahighprofilepa'ent’saccountbyover60employeesofalllevels.

•  AprintoutcontainingPHIleeonatableinacafé.•  Thirty-onemedicalrecordslostbyaphysicianandfoundbyaDepartmentofCorrec'onsinmate.

•  Disclosureofaverysensi'vediagnosistoindividualsnotauthorized.

•  Lostand/orstolensmartphones,thumbdrivesandlaptopswhichwerenotpasswordprotectedorencrypted.

ActualPrivacyandSecurityViola'ons


Remember,ifyouareawareoforsuspectaviola'on,youarerequiredtoreportittoanyofthepeoplebelow:•  Yoursupervisor•  ClinicalDirectororMedicalDirector•  CEO

Supervisorsarerequiredtoreportanysuspectedviola;onreportedbyanemployeetotheCEO.

Repor'ngPrivacyandSecurityViola'ons


Lossofconfiden'alinforma'onorequipmentcontainingconfiden'alinforma'on•  Stolenlaptop•  Lostsmartphone•  Misplacedpa'entrecords•  LosthospitalcontractMisuseofinforma'on,systemaccess,orsharingofpasswords•  Co-workerssharingpasswordsAccidentalorunauthorizeddisclosuresofprotectedinforma'on•  Misdirectedfaxesandmail•  Humanerror•  Overheardconversa'ons•  Inappropriatesocialmediaposts

IssuesthatShouldBeReported


Theconfiden'alityofSocialSecuritynumbershasspeciallegalprotec'on.•  IfSocialSecuritynumbersarereleasedordisclosedtoanyonewhodoesnothaveaneedtoknowthemtoperformtheirjob,thismustbereportedimmediatelytoyoursupervisor,thePrivacyOfficeortheInforma'onSecurityOffice.

•  BrightHeartHealthisrequiredtotakeaddi'onalstepsina'melymannerwhenSocialSecuritynumbersareinappropriatelyreleased.

SpecialRepor'ngRequirementsforSocialSecurityNumbers


BrightHeartHealthdisciplinaryac'onuptoandincludingtermina'on.•  Finesrange:$100-$50,000perviola'on.Oneincidentcouldresultinnumerousviola'onsandthereforemul'-milliondollarfines.

•  Jail'me:1-10years

Failuretoreportaviola;onisaviola;on!

ConsequencesforViola'ons

Date post:	08-Aug-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times