HIPAA & HITECH Training - Gtcipa

Transcription

HIPAA & HITECH Training

Welcome: Compliance Training

- Section 1: HIPAA Privacy
- Section 2: HIPAA Security
- Section 3: HITECH
- Section 4: Reporting a Breach
- Section 5: Disciplinary Actions
- Section 6: PDT Obligations & Resources

Physicians DataTrust, Inc. proprietary material. Consent for use of this material must be obtained prior to use. Inappropriate use of this material is prohibited.

HIPAA Privacy & Security

HIPAA PRIVACY: Protection for the privacy of Protected Health Information (PHI), effective April 14, 2003 (including standardization of electronic data interchange in health care transactions, effective October 2003).

HIPAA SECURITY: Protection for the security of electronic Protected Health Information (e-PHI), effective April 20, 2005.

Privacy vs. Security

Privacy Rule: Sets the standards for how covered entities and business associates (BAs) are to maintain the privacy of Protected Health Information (PHI).

Security Rule: Defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information (e-PHI).

Section 1: HIPAA Privacy

HIPAA Privacy

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that PDT, including all delegated entities, complete HIPAA training upon hire or contract and annually thereafter.

- What is HIPAA?
- Who has to follow the HIPAA law?
- What is considered PHI?
- How does HIPAA affect PDT?
- What does this mean to me?
- What are other uses and disclosures?
- How do we protect PHI?

What is HIPAA?

- HIPAA is the Health Insurance Portability and Accountability Act of 1996.
- HIPAA is a Federal law.
- HIPAA is a response, by Congress, to healthcare reform.
- HIPAA affects the health care industry.
- HIPAA is mandatory.
- Protects the privacy and security of PHI.
- Provides for electronic and physical security of PHI.
- Prevents health care fraud and abuse.
- Simplifies billing and other transactions, reducing health care administrative costs.

Who Must Follow the HIPAA Law?

Covered Entity: The health plan, IPA, PDT, participating physicians/clinicians, and all employees and departments that provide management, administrative, financial, legal, and operational support services, to the extent that such employees and departments use and disclose individually identifiable health information.

Business Associate (BA): A person or entity which performs certain functions, activities, or services for or to PDT (the covered entity) involving the use and/or disclosure of PHI, but which is not a part of PDT or its workforce. PDT is required to have agreements with business associates that protect a patient's PHI.

Who Must Follow the HIPAA Law? Examples

Covered Entity: All PDT departments and staff; Contracted Providers.

Business Associates (BA): MedMC, Clearing House, Effortless Office, Modern Postcard.

Who Must Follow the HIPAA Law?

Under HIPAA, the Covered Entity is responsible for all Protected Health Information (PHI), whether it is transmitted:
- Electronically
- In paper format
- Orally

Covered transactions include, but are not limited to:
- Enrollment and dis-enrollment
- Premium payments
- Eligibility
- Referrals and authorization
- Health claims
- Health care payment and remittance advice

What is Considered PHI?

Protected Health Information (PHI):
- Relates to past, present, or future physical or mental conditions of an individual; provision of healthcare to an individual; or payment for care provided to an individual.
- Is transmitted or maintained in any form (electronic, paper, or oral representation).
- Identifies, or can be used to identify, the individual.

Examples of PHI (Health Information with Identifiers)

- Name
- Address (including street, city, zip, etc.)
- Name of employer
- Any date (birth, admit date, discharge date)
- Telephone & fax numbers
- E-mail address
- Social Security Number
- Medical records
- Member ID number

How Does HIPAA Affect PDT?

As part of a covered entity, we may NOT use/disclose an individual's PHI except as otherwise permitted or required by law.

But we may use/disclose an individual's PHI for:
- Treatment of the patient
- Payment of healthcare bills
- Business & management operations
- Disclosures required by law
- Public health & other governmental reporting

How Does HIPAA Affect PDT?

Treatment includes:
- Direct patient care
- Coordination of care
- Consultations
- Referrals to other healthcare providers

Payment includes:
- Any activity required to bill and collect for healthcare services provided to patients.

How Does HIPAA Affect PDT?

Healthcare Operations includes:
- Business management
- Administrative activities
- Quality improvement
- Compliance
- Competency training

How Does HIPAA Affect PDT?

We must use or share only the minimum amount of PHI necessary, except for requests made:
- For treatment of the patient
- By the patient, or as requested by the patient to others
- By the Secretary of the Department of Health & Human Services (DHHS)
- As required by law
- To complete standardized electronic transactions, as required by HIPAA

How Does HIPAA Affect PDT?

For other uses or disclosures, the covered entity must get signed authorization from the patient.

Authorization must:
- Describe the PHI to be used or released
- Identify who may use or release the PHI
- Identify who may receive the PHI
- Describe the purposes of the use or disclosure
- Identify when the authorization expires
- Be signed by the patient or by someone making health care decisions for the patient (personal representative)

How Does HIPAA Affect PDT?

The Covered Entity is required to:
- Give each patient a Notice of Privacy Practices that describes:
  - How PDT can use and share his/her PHI
  - The patient's privacy rights
- Request every patient to sign a written acknowledgement that he/she has received the Notice of Privacy Practices.

How Does HIPAA Affect PDT?

The Notice of Privacy Practices explains what the covered entity is authorized to do with PHI.

Patient privacy rights include:
- The right to request restriction of PHI uses/disclosures
- The right to request alternative forms of communication (mail to P.O. Box, not street address; no message on answering machine, etc.)
- The right to access and copy the patient's PHI
- The right to an accounting of the disclosures of PHI
- The right to request amendments to information

What Does This Mean to Me?

It is your job to protect the privacy of the patient's PHI. Only access PHI required to do your job!

What are Some Other Uses & Disclosures? Research

PDT may not authorize the use or disclosure of PHI for research purposes except:
- If the information is completely "de-identified."
- If the information is partially de-identified into a "limited data set" and the recipient of the information signs a data use agreement to protect the privacy of such information.
- If PDT has obtained valid authorization from the individual subject of the information.
- If the Institutional Review Board (IRB) approves a waiver of the individual authorization requirement.

What are Some Other Uses & Disclosures? Marketing

A healthcare provider may use PHI to:
- Communicate to the patient about a health-related product or service that PDT provides.
- Communicate to the patient about general health issues: disease prevention, wellness classes, etc.

For all other marketing, patient authorization must be obtained, unless the communication is in the form of:
- Face-to-face communication made by the provider to an individual
- A promotional gift of nominal value provided by PDT

How Do We Protect PHI?

Avoid (unless it is required for your job):
- Downloading, copying, or removing any PHI.
- Faxing information containing:
  - Drug/alcohol dependency
  - Mental illness or psychological information
  - Sexually-transmitted disease (STD) information
  - HIV status
- Including PHI in the subject line of electronic communication. (No exception)

Remember to return all copies of PHI upon termination or restriction of access to PHI.

How Do We Protect PHI?

Always:
- Include a cover sheet containing a Confidentiality Statement when faxing.
- Limit faxing to when information is needed immediately for patient care or other situations considered urgent.
- Ensure you are faxing from a secure fax machine that is not accessible to the public.
- Notify the Compliance Officer if information is inadvertently faxed to a patient-restricted party or a recipient where there is a risk of release of the PHI (e.g., a newspaper).

Privacy Scenario 1
Adopted from UHC M&R 2017 Privacy Incidents for delegated Claims

Privacy Scenario 2
Adopted from UHC M&R 2017 Privacy Incidents for delegated Claims

Privacy Scenario 3
Adopted from UHC M&R 2017 Privacy Incidents for delegated Claims


Section 2: HIPAA Security Training

Security: Safeguarding e-PHI

- What is e-PHI and how do we protect it?
- Safeguard best practices:
  - Access controls
  - E-mail encryption
  - Workstation security
  - Malware
  - Acceptable computer use
  - Data management & security reminders

What is e-PHI & How to Protect It?

Electronic Protected Health Information (e-PHI): computer-based patient health information that is used, created, stored, received, or transmitted using any type of electronic information resource.

This includes:
- Information in an electronic medical record
- Patient billing information transmitted to a payer
- Digital images and print outs
- Information when it is being sent by PDT to a provider, payer, or researcher

What is e-PHI & How to Protect It?

We must maintain security of e-PHI by ensuring the confidentiality, integrity, and availability of information through safeguards.
- Confidentiality: Ensure the information will not be disclosed without authorization.
- Integrity: Ensure the condition of information has not been altered or destroyed in an unauthorized manner, and that data is accurately transferred from one system to another.
- Availability: Ensure information is accessible and usable upon demand by authorized personnel.

Safeguards: Access Controls

Unique User Identifiers: users are assigned a unique "User ID" for log-in purposes, limiting access to the minimum required for the job.
- Never use anyone else's login, or a computer when someone else is logged on.
- Use of systems is audited for inappropriate access or use.
- Access is cancelled for terminated employees.

Safeguards: Access Controls (Password Protection)

- Passwords should be changed at least once every 6 months, or immediately after a breach.
- Each system should have a unique password.
- Passwords should not be inserted into E-mail messages or other forms of electronic communication.
- Personal computers and other portable devices containing e-PHI must be password protected, and the e-PHI encrypted.

Safeguards: Access Controls (Password Protection)

- Default vendor passwords should be changed immediately.
- If you think someone has accessed your account, notify the Help Desk and your manager, and change your password IMMEDIATELY.
- You are responsible for everything that occurs under your login.

Safeguards: E-mail Encryption

- By default, E-mail within our Exchange server is encrypted with SSL.
- E-mail sent outside our domain (pdtrust.com) must have "zsecure" in the subject line.
- E-mail encryption works only with "zsecure" in the subject line:
  - It can be lowercase, uppercase, or mixed case
  - It can be anywhere in the subject line
- For Microsoft Outlook, you can set the message sensitivity to Confidential.
- Never include PHI in the subject line of an E-mail.
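The two subject-line rules on this slide (outside recipients need "zsecure" in any case and position; no PHI in the subject) are the kind of thing a mail gateway or pre-send hook can check automatically. The following is an added example written for this page, not PDT's own code or mail configuration; it assumes pdtrust.com is the internal domain (from the slide), that a message is a plain dict with "to"/"cc"/"bcc" lists and a "subject", and that the sample messages are constructed.

```python
"""Outbound e-mail policy check modelled on the rules in the slide above.

Added example, not PDT's own code. Assumptions:
  - anything addressed within pdtrust.com is internal (from the slide);
  - encryption is triggered by "zsecure" anywhere in the subject, in any
    letter case (from the slide);
  - a message is a dict with "to"/"cc"/"bcc" lists and a "subject";
  - the SAMPLE_MESSAGES below are constructed for this example.
"""
import re

INTERNAL_DOMAIN = "pdtrust.com"
ENCRYPT_KEYWORD = "zsecure"

# Identifiers the deck lists as PHI which must never appear in a subject line.
# The SSN shape is the conventional 3-2-4 digit layout; the date shape covers
# "any date" (e.g. a date of birth) written as MM/DD/YYYY. Both are heuristics:
# they catch the obvious case, not every way PHI can be written.
SUBJECT_PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b"),
}


def recipient_domain(address: str) -> str:
    """Domain part of 'user@host' or 'Display Name <user@host>', lowercased."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def external_recipients(msg: dict) -> list:
    """Recipients outside the internal domain; SSL inside Exchange does not
    cover them, so the zsecure keyword is required for these messages."""
    recipients = msg.get("to", []) + msg.get("cc", []) + msg.get("bcc", [])
    return [r for r in recipients if recipient_domain(r) != INTERNAL_DOMAIN]


def check_message(msg: dict) -> list:
    """Return policy findings for one message; an empty list means it may be sent."""
    findings = []
    subject = msg.get("subject", "")
    outside = external_recipients(msg)
    # Rule 1: any external recipient requires the keyword (case-insensitive,
    # anywhere in the subject), otherwise the message would leave unencrypted.
    if outside and ENCRYPT_KEYWORD not in subject.lower():
        findings.append(
            f"external recipients {outside} but subject lacks '{ENCRYPT_KEYWORD}'"
        )
    # Rule 2: PHI is never allowed in a subject line, internal or external,
    # because subject lines are not covered by the body encryption.
    for label, pattern in SUBJECT_PHI_PATTERNS.items():
        if pattern.search(subject):
            findings.append(f"subject contains what looks like PHI ({label})")
    return findings


def audit(messages: list) -> dict:
    """Map message id -> findings, keeping only messages that have problems."""
    result = {}
    for m in messages:
        findings = check_message(m)
        if findings:
            result[m["id"]] = findings
    return result


# Constructed sample messages for the example (not real traffic).
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["claims@pdtrust.com"], "subject": "Weekly claims batch"},
    {"id": 2, "to": ["dr.lee@clinic.example"], "subject": "Referral zSecure"},
    {"id": 3, "to": ["dr.lee@clinic.example"], "subject": "Referral"},
    {"id": 4, "to": ["Dr Lee <dr.lee@clinic.example>"], "cc": ["desk@pdtrust.com"],
     "subject": "ZSECURE member 123-45-6789"},
]

if __name__ == "__main__":
    for msg_id, findings in audit(SAMPLE_MESSAGES).items():
        for finding in findings:
            print(f"message {msg_id}: {finding}")
```

Message 3 is caught for leaving the domain without the keyword, and message 4 shows that the keyword alone is not enough when the subject itself carries an identifier.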

Safeguards: Workstation Security

Workstations include electronic computing devices, laptops or desktop computers, or other devices that perform similar functions, and electronic media stored in or near them.

Physical security measures include:
- Disaster controls
- Physical access controls
- Device and media controls

Safeguards: Workstation Security

Disaster Controls:
- Protect workstations from natural and environmental hazards
- Locate equipment above ground level to protect against floods
- Move workstations away from overhead sprinklers
- Use surge protectors

Physical Access Controls:
- Log off before leaving a workstation
- Lock offices, windows, sensitive papers, laptops, etc.
- Maintain key control

Device & Media Controls:
- Auto log-off when possible & appropriate
- Set automatic screen savers which activate after 5 minutes
- Use encryption tools when physical securities are unavailable

Safeguards: Workstation Security (Workstation Checklist)

- Internet firewall
- Anti-virus software (up-to-date)
- Install computer software updates
- Encrypt & password-protect portable devices (laptops, etc.)
- Lock office, file cabinets, or laptops
- Use auto log-off from programs
- Use password-protected screen savers
- Back up critical data & programs

Safeguards: Workstation Security (When You Take It With You: Smart Phones)

- Don't store e-PHI on smart phones
- If you must, de-identify or encrypt and password protect the data
- Back up original files
- Synchronize with computers as often as practical
- Delete all unnecessary e-PHI
- Protect your device from loss or theft
- Always use a password on your phone!

Safeguards: Workstation Security (When You Take It With You: USB/Memory Stick)

- Don't store e-PHI on memory sticks
- If you must, either de-identify or encrypt the data
- Delete unnecessary e-PHI
- Protect devices from loss or damage

Safeguards: Malware

Malware controls are measures taken to protect against any software that causes unintended results.

Malware includes:
- Viruses
- Worms
- Spyware
- Keystroke loggers
- Remote access Trojans

Safeguards: Malware

- Viruses: Attach to a program or file and attempt to spread through the system/network. Downloaded by the user. Prevented by antivirus software.
- Worms: Spread via security holes from user to user. Installed without user action. Prevented by keeping security updates installed.
- Spyware: Monitors habits and reports them to a marketing database; can open ad windows. Installed without the user knowing, during installation of another program or while browsing the internet. Detected by antivirus or spyware programs.
- Keystroke loggers: Software or hardware that logs every keystroke. Hardware is physically installed between keyboard and computer. Detected by most antivirus programs.
- Remote access Trojan: Remote users connect to your computer. Appears as useful software, but will do damage once installed.

Safeguards: Malware

Signs of malware include:
- Reduced performance (your computer slows or "freezes")
- Windows opening by themselves
- Missing data
- Slow network performance
- Unusual toolbars added to your web browser

Contact the Help Desk if you suspect that your computer has malware installed.

Safeguards: Malware

Signs of suspicious E-mail:
- Any E-mail you receive with an attachment
- Any E-mail from someone whose name you do not recognize
- Phishing: an attempt to defraud the receiver by posing as a legitimate company.

Contact the Help Desk if you suspect you have a suspicious E-mail.

Safeguards: Malware

Signs of a tampered account:
- Your account is locked when you try to open it
- Your password isn't accepted
- You are missing data
- Your computer settings have mysteriously changed

Contact the Help Desk if you suspect your account has been tampered with.

Safeguards: Acceptable Computer Use

- Each individual is responsible for any violations associated with his or her User ID.
- Use of the computer system must be consistent with PDT goals.
- All computer equipment, and electronic data created by it, belongs to PDT.
- All users must comply with all Federal/State laws, PDT rules and policies, terms of computing contracts, and software licensing rules.
- Take reasonable precautions to avoid introducing computer malware to the network, and participate and cooperate in the protection of IT infrastructure.

Safeguards: Acceptable Computer Use

DO NOT:
- Harass, intimidate, or threaten others through e-messages
- Engage in any activity that jeopardizes the availability, performance, integrity, or security of the computer system
- Use computing resources wastefully
- Use IT resources for personal gain or commercial activities not related to your job
- Install, copy, or use any software in violation of licensing agreements, copyrights, or contracts
- Try to access the files or E-mail of others unless authorized by the owner

Safeguards: Acceptable Computer Use

DO NOT:
- Construct a false communication that appears to be from someone else
- Send or forward unsolicited E-mail to lists of people you don't know
- Send, forward, or reply to E-mail chain letters
- Send out "Reply to all" mass E-mailings
- Create or transmit offensive, obscene, or indecent images, data, or other material
- Re-transmit virus hoaxes

Engaging in these activities could result in disciplinary action up to, and including, loss of network access, termination of employment, and civil or criminal liability.

Safeguards: Data Management & Security

Data storage on portable devices:
- Permanent copies of e-PHI should not be stored on portable equipment, such as laptops, smart phones, and memory sticks.
- If necessary, temporary copies can be used on portable devices only while the data is in use, and only if encrypted, to safeguard the data if the device is lost or stolen.

Data disposal:
- Destroy all e-PHI data which is no longer needed.
- Know where to take hard drives, CDs, zip disks, or any backup devices for appropriate safe disposal or recycling.

Security Reminders

A good security standard to follow is the "90 / 10" Rule:
- 10% of security safeguards are technical
- 90% of security safeguards rely on the user ("YOU") to adhere to good computing practices

Example: The lock on the door is the 10%. Your responsibility is the 90%: remembering to lock the door, checking to see if it is closed, ensuring others do not prop the door open, keeping control of keys.

10% security is worthless without YOU!
- Password protect your computers and devices
- Back up your e-PHI
- Keep offices secured
- Keep portable storage locked up
- Encrypt your e-PHI, if applicable


Section 3: HITECH

HITECH

- What is HITECH?
- What does HITECH change?
- What is an incident?
- What constitutes a breach?
- What does the law cover?
- What breach exceptions exist?
- What are PDT's breach notification obligations?

What is HITECH?

- Health Information Technology for Economic & Clinical Health Act
- HITECH is a part of the American Recovery and Reinvestment Act of 2009
- It is a federal law that affects the healthcare industry
- The Act allocated nearly 20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates, and imposed a nationwide security breach notification law

What Does HITECH Change?

- Inclusion of a federal breach notification law for health information
- Many states, including California, have data breach laws that require entities to notify individuals
- State laws typically only pertain to personal information (which does not necessarily include medical information)
- The law requires covered entities and business associates to notify individuals, the Secretary of Health and Human Services, and, in some cases, the media in the event of a breach of unsecured PHI

What is an Incident?

Under HIPAA's Final Security Rule, a "Security Incident" is "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." [45 CFR 164.304]

What is a Breach?

A "Security Breach" is impermissible acquisition, access, use, or disclosure not permitted by the HIPAA Privacy Rule.

Examples include:
- A laptop containing PHI is stolen
- A receptionist who is not authorized to access PHI looks through patient files in order to learn of a person's treatment
- A nurse gives discharge papers to the wrong individual
- Billing statements containing PHI are mailed or faxed to the wrong individual/entity

What is a Breach?

For an incident to be a breach it must pose significant risk of financial, reputational, or other harm to the individual whose PHI was used or disclosed.

For example: If disclosed PHI included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. If the information includes PHI that increases the risk of identity theft (such as a social security number or date of birth), then there is a higher risk of impermissible use or disclosure.

We are responsible for conducting a risk assessment, which should be fact specific.

Exceptions include unintentional acquisition, access, use, or disclosure by a workforce member acting under the authority of a covered entity or business associate.
- Workforce members are "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity"
- Example: Bill, a billing employee, receives and opens an e-mail containing PHI not intended for him. Bill notices he is not the intended recipient, alerts the sender of the e-mail, and then deletes it. Bill unintentionally accessed unauthorized PHI. How
