HIPAA 101 HIPAA Privacy and Security Awareness Training

  • Slides: 59

HIPAA Background
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Federal law
• Its Administrative Simplification provisions standardize electronic health care transactions; the Privacy and Security Rules were written to protect the information those transactions carry
• Establishes minimum nationwide standards for the privacy and security of Protected Health Information

Important Terms
• Covered Entities:
  • Covered Entities are required to comply with HIPAA
  • Examples: doctors, dentists, hospitals, pharmacists, nursing homes
  • Any health care provider that bills electronically
  • Vascular Access Plus is a covered entity

Key Point
• All Vascular Access Plus employees must follow and comply with HIPAA too!

Why Comply with HIPAA
• It’s the law!
• Our patients trust us to preserve the privacy of their most sensitive and personal information
• Violations of HIPAA:
  • Could harm patients
  • Lead to personal penalties and sanctions, including termination
  • Put VAPlus at risk, harming it financially and harming its reputation

HIPAA Applies to
• Verbal conversations, in person or by phone
• Written documents on paper or in other formats, such as chart notes, prescriptions, EOBs
• Information technology applications: Electronic Health Records, appointment applications, billing software
• Computer hardware/equipment: desktop computers, laptops, pagers, fax machines, photocopiers, printers, cell phones, tablets, servers, thumb drives, other electronic storage

More Than Just HIPAA
• It’s more than HIPAA; it is our culture and the way we work. It is also our:
  • Code of Business Conduct and Ethics
  • Company Integrity
  • Nursing Code of Ethics
  • Federal privacy laws, rules, and regulations
  • State and local privacy laws, rules, and regulations
  • Contracted facilities’ rules and regulations

How HIPAA is Enforced
• The Public. Our Notice of Privacy Practices informs the public of their rights. The public is educated. They can and will complain if we violate HIPAA.
• Office for Civil Rights (OCR). Enforces the privacy and security regulations, receives and investigates complaints, provides guidance, audits and monitors compliance.
• Department of Justice (DOJ). Prosecutes criminal privacy violations.

Who or What Protects PHI?
• The Federal Government protects PHI through HIPAA regulations
  • Civil penalties up to $1,500,000 per year for identical types of violations (the statutory figure; HHS adjusts the amounts for inflation)
  • Penalties for violations due to willful neglect are mandatory!
  • Criminal penalties:
    • $50,000 fine and 1 year in prison for knowingly obtaining or wrongfully disclosing information
    • $100,000 fine and 5 years in prison for obtaining or disclosing under false pretenses
    • $250,000 fine and 10 years in prison for obtaining or disclosing with intent to sell, for commercial advantage, personal gain, or malicious harm
• We do, and you do, by following our policies and procedures

Covered Entity Duties
• Have a Privacy Officer and a Security Officer
• VAPlus’s Privacy Officer is Shanna Shafer
  • Call with concerns: 402-499-8553
• VAPlus’s Security Officer is Shanna Shafer
  • Call with concerns: 402-499-8553

Important Terms
• Individually Identifiable Health Information (IIHI) is health information created or received by a health care provider:
  • About any physical or mental health or condition;
  • About care or provision of care;
  • About payment for care; and
  • That identifies a person or reasonably could be used to identify a person
• Includes demographic information!

Protected Health Information (PHI)
• Protected Health Information (PHI) is IIHI
• Information in any format (verbal, hard copy, electronic) about a person’s health condition, treatment, or payment for services
• Always assume that if it is IIHI it is PHI and subject to HIPAA protections

HIPAA’s General Rule
• PHI may not be used or disclosed unless an exception under HIPAA applies
• Exceptions include:
  • Treatment, payment, and health care operations (TPO)
  • To the patient
  • As required by law
  • As authorized in writing by the patient
  • To VAPlus’s business associates
  • Etc.

Key Point
• If you are not sure whether you can make a disclosure or use PHI for a given purpose, ask your supervisor before using or disclosing the information!

Example
• You text the VAPlus office about a particular assignment. You ask that someone at the office call you with the contact information for your 2 p.m. appointment. You don’t include the patient’s name in your message.
• Does your text to the office contain PHI? No.
• Is a call back from the office that leaves a voice mail on your cell phone containing the patient’s name, address, and phone number PHI? Yes.

Example
• Is the following information PHI?
  • Patient name
  • Zip code
  • Birthdate
  • Phone number
  • Fax number
  • Email address
  • SSN
  • MRN
• Yes!

Patient Identifiers (list © HIPAA COW)
• Names
• Medical record numbers
• Social Security numbers
• Account numbers
• License/certification numbers
• Vehicle identifiers, serial numbers, license plate numbers
• Internet protocol (IP) addresses
• Health plan numbers
• Full-face photographic images and any comparable images
• Web universal resource locators (URLs)
• Any dates related to an individual (e.g., date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers, including finger and voice prints
• Any other unique identifying number, characteristic, or code
• Note: HIPAA’s Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists 18 identifier categories. The list above omits two of them: geographic subdivisions smaller than a state (street address, city, county, and zip code, which the previous slide already counts as PHI) and device identifiers and serial numbers.

PHI
• PHI is not PHI when it is de-identified
• However, PHI is hard to de-identify!
• Assume all health-related information of any kind is PHI and protect it from improper uses or disclosures!
• Better safe than sorry!
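The following is an added example, not part of the VAPlus training deck, showing what “de-identifying” a record actually takes under HIPAA’s Safe Harbor method (45 CFR 164.514(b)(2)): every direct identifier is dropped, dates are reduced to the year, ages of 90 and over are collapsed to “90+”, and ZIP codes are cut to three digits (or zeroed for the sparsely populated prefixes HHS lists). It then scans the free-text note for identifiers that structured field removal leaves behind. The sample record, the field names, and the regular expressions are constructed assumptions for illustration; the restricted ZIP prefix set is the one in HHS’s de-identification guidance (2000 Census data) and should be verified against current data before real use.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example; not VAPlus code. Field names, the sample patient, and the
free-text regexes are illustrative assumptions.
"""
import re
from datetime import date

# Structured fields Safe Harbor requires removed outright (assumed field names).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
})

# 3-digit ZIP prefixes with 20,000 or fewer residents (HHS guidance, 2000
# Census); Safe Harbor requires these to become 000. Verify before real use.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifiers that commonly leak into chart notes. Order matters only for
# the findings list; each pattern is applied to the already-redacted text.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("mrn", re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE)),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Safe Harbor permits only the year of any date tied to an individual."""
    return iso_date[:4]


def generalize_age(birth_date, as_of):
    """Ages of 90 or older are aggregated into a single '90+' category."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text):
    """Redact pattern-matchable identifiers; return (text, findings)."""
    findings = []
    for kind, pattern in FREE_TEXT_PATTERNS:
        findings.extend((kind, hit) for hit in pattern.findall(text))
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text, findings


def deidentify(record, as_of):
    """Return a Safe Harbor-style copy of record plus free-text findings."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "birth_date":
            out["birth_year"] = generalize_date(value)
            out["age"] = generalize_age(value, as_of)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        else:
            out[key] = value
    findings = []
    if "note" in out:
        out["note"], findings = scrub_free_text(out["note"])
    return out, findings


# Constructed sample input: a fictitious patient whose chart note repeats
# identifiers that were also stored in structured fields.
AS_OF = date(2023, 7, 9)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "phone": "402-555-0100",
    "birth_date": "1931-03-15",
    "zip": "68102",
    "service_date": "2023-07-09",
    "diagnosis": "Chemotherapy port check",
    "note": "Pt seen 7/9/2023, MRN 00123456, call back 402-555-0100; port patent.",
}


def run_example():
    """De-identify the constructed sample record."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    cleaned, leaks = run_example()
    print(cleaned)
    print("identifiers found in free text:", leaks)
```

Two things the deck states become concrete here. The structured scrub alone would have shipped the MRN and phone number inside the note, which is the page’s point that PHI is hard to de-identify; and the regexes catch only what has a recognizable shape, so a patient name written into the note passes straight through. That residual risk is why the deck tells staff to treat all health-related information as PHI rather than rely on de-identification.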

Important Terms
• Use and Disclosure:
  • We Use a patient’s health information when we share it with other people within Vascular Access Plus.
  • We Disclose a patient’s health information when we share it with other people or organizations outside of Vascular Access Plus.

Permitted Uses and Disclosures
• We may use or disclose PHI for treatment, payment, or health care operations purposes
• A patient’s authorization is not required for this
• Treatment: to provide care to a person
• Payment: billing purposes, or to help another covered entity in billing
• Health care operations: VAPlus’s operations

Important Terms
• Treatment, Payment and Operations
• You may use or disclose PHI to:
  • Treat the patient: complete care orders, contact the pharmacy, or consult with the patient
  • Send billing information to the office
• VAPlus may also use or disclose PHI to:
  • Get paid for treating a patient
  • Improve or monitor VAPlus’s operations, for example, internal quality-of-care audits

Example
• You are assigned to assist at a facility in checking a patient’s access point for chemotherapy. You need to access the patient’s chart.
• This is an example of a treatment purpose.
• You may use PHI in the patient’s chart to perform the service for the patient.
• You may share with the facility the information about your care in your care documentation in the facility chart or EHR.

Minimum Necessary
• It is very important to limit the uses or disclosures of PHI to just what is needed to do the job
• This is called the “minimum necessary” rule
• If a use or disclosure is allowed (for example, for a treatment purpose), you must use or disclose the least possible amount of information, to the fewest number of people possible, as needed for you to do a given task
• Applies to both Uses (inside VAPlus) and Disclosures (outside of VAPlus)
• Ask: does this person “need to know” the information?

Examples
• 1st Example: You are transitioning one patient to another VAPlus team member.
  • You share PHI about the patient with the team member that the team member needs to continue the patient’s care.
  • Is this OK? YES
• 2nd Example:
  • You are transitioning the same patient to the same VAPlus team member.
  • Something makes you remember another patient you cared for several years ago.
  • Can you share the other patient’s PHI with the team member? NO

Important Terms
• Business Associates:
  • A Business Associate (BA) is a person or entity not part of Vascular Access Plus that performs a service on our behalf and requires access to PHI to perform the service.
  • Each BA has a BA Agreement with Vascular Access Plus
  • Examples: legal counsel, accountants, billing companies
  • If you are not sure whether someone is a BA, ask your supervisor before you disclose PHI!
  • In fact, if a BA asks you for PHI, direct the BA to the Privacy Officer or Security Officer (Shanna Shafer)

Verification Requirement
• Example: You are asked for PHI by a third party (not another care provider). What should you do?
• Ask:
  • What’s the purpose of the disclosure?
  • Does an exception in HIPAA apply?
  • Is it your job to disclose information to those who are not other care providers? If not, don’t disclose!
• Even if a disclosure is allowed and it is your job to make such disclosures, you must verify the requestor’s identity and authority first.
  • Make sure the requestor is who they say they are
  • Make sure they are authorized to request and receive the patient’s PHI
• If you can’t verify, do not disclose!

If You are not Sure about a Request for PHI
• Refer the request to the VAPlus office for follow-up
• The Privacy Officer and Security Officer are trained in HIPAA’s requirements
• Let them handle the issue

Protecting PHI
• Documents with PHI should be locked up when unattended
• Don’t discuss patient information with co-workers unless they have a need to know
• Keep your passwords to yourself
• Do not send PHI by unencrypted email or text
• Use a cover sheet when sending PHI by fax. Make sure the fax number is correct and is keyed in correctly. Double check!
• When in doubt, ASK!

Scenario Question
• You travel to an out-of-area facility. You charted your patient record in the facility charts; however, it’s really late when you get back into Omaha, you are exhausted, and you decide you will drop off the patient notes at the office in the morning. You leave the equipment and patient paperwork in the back seat of your car. Does this pose any HIPAA risk?
Answer
• Yes. Never leave patient information unattended in a vehicle. HIPAA rules require all patient records to be properly secured at all times. If you know you will not be making it into the office in a timely manner, you should fax the patient information to the office and then shred the originals, removing the risk to patient privacy and the HIPAA exposure.
• Never mix VAPlus patient files with those of other facilities.

Similar Scenario Question
• You travel to an out-of-area facility. You charted your patient record in the facility charts; however, it’s really late when you get back into Omaha. You are exhausted. Your documentation is on your laptop, which is encrypted and password protected. You decide you will transmit your documentation to the office in the morning. You leave the equipment in the back seat of your car. Does this pose any HIPAA risk?
Answer
• Yes. Even though your laptop is encrypted and password protected, having a laptop stolen is never a good thing. A word to the wise: never leave any patient information, or equipment containing patient information, unattended in a vehicle.
• If you know you will not be making it into the office in a timely manner, you should securely transmit the patient information to the office or to VAPlus’s secure cloud solution. Any hard-copy PHI should be shredded.

Patient Rights
• Patients may:
  • Receive a Notice of Privacy Practices
  • Request restrictions on our use and disclosure of PHI
  • Request amendment of PHI
  • Access, inspect, and obtain copies of PHI
  • Request alternate forms of communication
  • Request an accounting of disclosures of PHI (disclosures for treatment, payment, and health care operations are excluded from the accounting)
  • Complain to us, the facility, or Health and Human Services

Patient Rights
• Refer patient questions or requests about their HIPAA rights to VAPlus Administration or the VAPlus Privacy Officer or Security Officer for response.

Notice of Privacy Practices
• Explains to the patient how we will use and disclose their information
• Tells them how to file a complaint
• Must be provided to the patient at the time of first service:
  • Because we are considered clinically integrated with the facilities we serve, the facilities provide patients with a copy of their Notices of Privacy Practices
  • When we work within a facility, we follow the facility’s Notice of Privacy Practices
  • If we work in a patient’s home or outside of a facility, VAPlus’s Administrative Office provides a copy of VAPlus’s Notice of Privacy Practices before the first time a patient is seen by one of our team members

Processing Privacy Issues
• Vascular Access Plus Administration monitors corporate compliance and handles all privacy situations
• If there are questions, contact Administration or the Privacy Officer or Security Officer
• Don’t “go it alone!”

The Security Rule
• Protect our patients’ information when data is stored or transmitted electronically
• If the information is on paper or shared in a conversation, it’s covered by the HIPAA Privacy Rule
• The Security Rule applies to electronic information specifically
• The Privacy Rule requires us to keep non-electronic PHI confidential and secure too!

Important Terms
• Electronic Protected Health Information, or EPHI, is PHI that is stored or transmitted electronically.
• Vascular Access Plus uses Microsoft Teams, WhatsApp and Box for EPHI. These are the HIPAA-compliant cloud systems approved by VAPlus. Note that “HIPAA-compliant” describes how a service is configured and used under VAPlus’s policies and business associate agreements, not the product on its own; use these tools only through the VAPlus accounts and channels set up for you.

Security Rule
• VAPlus must have in place administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) that is created, received, maintained or transmitted
• Protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI
• Protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required under the Privacy Rule
• Ensure compliance with security by its workforce

Security Rule
• Physical Safeguards: locked rooms, locked storage areas, privacy screens on monitors, etc.
• Administrative Safeguards: policies and procedures, training of staff, enforcement of HIPAA compliance internally
• Technical Safeguards: strong passwords, encryption of storage, firewalls, anti-virus/anti-malware software, off-site backup and storage

Passwords
• Include special characters in all passwords
  • Upper case and lower case letters, numbers, and symbols
  • Example: Success!$key (“success is key”)
• Change passwords often
  • Every three months minimum
• Look out for password security risks such as
  • Guessing
  • Shoulder surfing
• Never write down a password near a computer or where it can be found by others
• If you must write a password down:
  • Don’t make it obvious
  • Keep it hidden
  • Don’t label it “Password list”
• Lock all mobile devices used in patient care
  • Smart phones, tablets, etc.
  • Use VAPlus-provided encryption

Things to Avoid
• Never let a system or web site save or “remember” your password
• Never use another person’s password. Never let someone else use your password
• Never leave your system unattended while you’re logged in

How to Avoid Viruses
• Viruses pose threats to the privacy and security of PHI
• Never disable automatic virus protection
• Never open spam emails on a computer/server used for patient information
• Watch out for “phishing”
• Have virus protection at home consistent with VAPlus requirements
• Keep virus protection updated
  • It should update automatically on VAPlus computers, but verify

What If You Catch A Virus?
• Don’t try to fix it yourself!
• Immediately disconnect from the patient file storage systems and the network
• Turn off the computer
• Contact VAPlus management
• If using a personal computer, contact your protection plan provider’s customer care. Inform VAPlus management of the possible breach.

Scenario Security Question
• You sometimes work from home, using your home computer to access VAPlus’s network, to work on spreadsheets, and to do other VAPlus-related work. You are always careful about opening email and you don’t use instant messaging. The risk of anyone getting into your home computer is low, but you haven’t bothered to install virus protection. Does this pose any HIPAA concerns?
Answer
• Yes. The HIPAA rules require that your home computer have at least the same level of protection as your computer at work. At a minimum, this means that you must have virus protection software installed on your home computer, and you must make sure that it remains current.
• VAPlus supplies computers for employee use. As such, it does not compensate employees who choose to use their personal computers for the price of current virus protection. You are expected to provide virus protection on any personal devices you use in working for VAPlus.

Protect Yourself. Protect Patients
• Never mix patient information or files
• Never remove patient information from the facility where treatment was provided
  • Unless directed by management
• Shred all nonessential documents with patient information after faxing or transmitting them to management

Google Voice
• Google Voice is not HIPAA-compliant. Do not share patient-identifying information when communicating through Google Voice.

Cell Phones
• When taking pictures of patient information (CXR, visit record or progress note, or anything with patient identifiers on it), delete them as soon as possible. Do not store items on your phone or in the “cloud” outside of VAPlus-approved, HIPAA-compliant cloud storage. The “cloud” is not necessarily secure for HIPAA purposes.
• When taking pictures of CXRs, do not include the patient name or date of birth.
• Do not include patient names on Sapiens images.

Cell Phones
• All cell phones used for VAPlus business must be password protected and encrypted.
• Use of personal cell phones or any other personal electronic device to use or access VAPlus or patient information is subject to VAPlus’s Bring Your Own Device Policy.

Environment
• Be aware of your surroundings and who may be listening. Do not talk about identifiable patient information in public. If necessary, get a call-back number, then excuse yourself to a private area.
• Do not write notes on the back of papers that will go into another patient’s chart.
• Do not bring charting from one facility into another.
• DO NOT leave procedure records or patient rounding sheets in the open where they could be easily accessed by unauthorized persons.
• Do NOT leave infusion records out in the open in other patients’ homes or in public.

Microsoft Teams, WhatsApp, Email
• Microsoft Teams is HIPAA-compliant, with a BAA.
• WhatsApp channels for VA+ are encrypted and safe for PHI communication. Keep in mind that end-to-end encryption protects messages in transit; it does not protect PHI once it sits unencrypted on a lost or shared phone, so use only the VA+ channels, on a locked and encrypted device, as the Cell Phones slides require.
• You may put any patient information in MS Teams and in VA+ email.
• Documentation and images may be uploaded into MS Teams, WhatsApp and VA+ email, even into a specific patient record.
• MS Teams and WhatsApp are the VA+ approved methods to save and transmit any patient PHI in electronic form.
• Be safe and secure! Use them!

What to do When Something Goes Wrong
• An impermissible use or disclosure of (unsecured) PHI is presumed to be a breach unless a risk assessment shows there is a low probability that the PHI has been compromised.
• If you become aware of an improper use or disclosure of PHI, call the Privacy Officer or Security Officer immediately!
• If you cannot reach Shanna Shafer, call the VA+ Admin on call immediately.
• Time is critical!

Breach Situations
• An ounce of prevention is worth a pound of cure
• Make sure that PHI that you use or access is secured at all times!

Is it a Breach?
• “Unsecured protected health information” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified under the Breach Notification Rule (encryption for electronic PHI; destruction for paper and media). Encrypted PHI whose key was not also compromised is not “unsecured,” which is why a lost encrypted laptop is handled very differently from a lost unencrypted one.
• Word to the wise: keep PHI secured!
• Use encryption and password protection for all electronic PHI
• All hard-copy PHI should be under lock and key when not in use. Never leave it lying around!

Breach?
• VA+ must take quick action once a breach becomes known.
• Always immediately call the Privacy Officer, Security Officer, or the VA+ Office if you have a concern. They will conduct a risk assessment and take the proper compliance steps.
• Your job:
  • Avoid a breach in the first place. Secure all PHI!
  • Immediately notify the Privacy/Security Officers if there are concerns
  • Take steps to retrieve the PHI or to mitigate any potential loss, if possible

What Happens in Response?
• VA+ conducts and documents a risk assessment to determine whether a breach as defined by HIPAA occurred.
• Steps are taken to mitigate the breach, if possible.
• If a breach is determined, VA+ notifies patients affected by the breach in writing, without unreasonable delay and no later than 60 days after discovery.
• Reporting to HHS depends on the size of the breach: breaches affecting fewer than 500 individuals are logged and reported to HHS annually, while breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window and also require notice to prominent media outlets serving the affected area.

Best Practices
• Don’t get into a breach situation in the first place.
• All EPHI on any electronic storage device must be encrypted as required by VA+, including:
  • Laptops
  • Tablets
  • Cell phones
  • Portable or other electronic storage
  • Desktop computers

If you have a question about HIPAA...
• Please ask!
• If you are uncertain, first call someone who can help!

Education Purposes
• When taking pictures of vascular access devices in an actual patient, first ask whether it is okay with the patient that you take a picture for education purposes. Do not include the patient’s face, wrist band, or anything else that could identify that patient.
• Chart reviews are very beneficial for educating staff on what went right or what went wrong. It is okay to do a chart review from the facility EMR, but do not include the patient name, birth date, or medical record number. This also applies when taking pictures of patient information from the EMR.
• If you have printed off patient information (CXR report, labs, H&P), black out the name, birthday, and MRN on the papers.

HIPAA Resources
• Vascular Access Plus HIPAA Policy and Procedures
• For HIPAA compliance questions/concerns, contact:
  • If there is an issue within a facility, contact Vascular Access Plus Administration, not hospital Administration
  • Shanna Shafer, COO
  • 402-499-8553
  • sshafer@vascularaccessplus.com

HIPAA 101 Complete
• Remember to sign the training attestation form and return it to your HR manager!