Health Science Critchlow HIPAA
What does SOX stand for?
Sarbanes Oxley
Who enforces HIPAA?
US Department of Health and Human Services and the OCR Office for Human Rights
Where can malicious software be spread?
across a network
What is malicious software?
any software that could cause harm: virus, worm, or trojan horse
Does HIPAA require you to leave the room to avoid hearing a private conversation?
no, but good privacy practice requires considering coming back at a later time to avoid interfering in patient care
Can you email PHI to an unauthorized third party outside the company?
no, this is strictly prohibited unless the email is encrypted
What do you do if you see a password and/or user ID posted where people can see it?
notify your supervisor
Where should you not place user names and/or passwords?
on a sticky note or under a keyboard
What are you supposed to look at and use?
only what you need to know
Where should you keep PHI?
out of public areas
What do you do if you need to page a patient?
pages should not include information that could allow others to identify the patient, such as their name, the department they are being treated in, or any information about why they are there
How must offices containing confidential information be controlled?
physically
What is the second category of information?
proprietary: not confidential, public information with the company
What is the third category of information?
public: released by Tenet
What must be done with PHI if it is used, disclosed, or requested?
reasonable efforts must be taken to determine how much information is sufficient for the intended purpose
What are the 7 information security policies?
record processing, user security, incident handling, physical access and protection, contingency planning controls, information security administration, technical security information
What are some tools to protect confidentiality?
records are kept locked, only people with a need to know are given access to the records, computerized records are not left logged in to the patient information system while not at their work station, and screens containing patient information are turned away from view
What does the patient have the rights to?
restrict access, amend PHI, accounting for disclosure of all PHI, and complain about a possible inappropriate disclosure of PHI
What should you do if you find records unattended?
return them to the nursing supervisor
What should passwords not contain?
anything similar to the user ID, your name, spouse's name, child's name, pet's name, address, phone number, birthday, slang, or numbers and/or letters in sequence
What are the two elements of physical security?
site or physical security and information asset
What are the symptoms of malicious software?
slower response time, unexpected sending or receiving of emails, internet interruptions, lost files, change in modification dates on files, increased file size, total failure
What can you do for software piracy detection and correction?
software audits done annually, review of software agreements, removal of illegal copies
Where should PHI papers not be placed?
trash can unshredded
What are some information asset security incidents?
unauthorized access to the system, malicious code such as virus or trojan horse, theft of a computer, misuse of information assets, sharing of user ID or passwords
What does Tenet have standard policies, procedures, and guidelines in place for, covering routine uses and disclosures?
use of oral, written, and electronic communication
What steps do you take while faxing PHI?
verify the fax number, make sure the person requesting the fax is valid, use a cover sheet with a confidentiality statement, and report immediately to the compliance officer or privacy officer if the fax was sent to a wrong recipient
What does Tenet have the right to monitor access through?
video, electronic internet, downloads, and data access
What is the consequence for a civil violation?
$100 per violation
What is the consequence for a criminal violation?
$50,000 and 1 year in jail
When did HIPAA become a legal requirement?
1996
What does PHI include (but is not limited to)?
name, address, age, SS#, etc.
When should you release patient information outside of the hospital?
never
Should you try to find out information for a friend?
no
What is PHI?
Any information pertaining to the health of an individual combined with any information that identifies the individual.
What are the two questions you should ask yourself before looking at any patient information?
Do I need this to do my job? What is the least amount of information I need?
What do you do if you find PHI?
Gather the records and give them to a superior to report and follow up
How do healthcare providers explain how their information will be used?
HIPAA requires healthcare providers to post a Notice of Privacy Practices
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
How do you ensure physical security?
ID badge, keep paper documentation containing confidential information in a secure location, transport documentation in a secure manner, keep doors locked or closed, report suspicious activity
What are users prohibited from?
Loading unlicensed software onto a company owned asset
What does NPP stand for?
Notice of Privacy Practices
How should hospital employees report information security incidents?
Tell the hospital compliance officer or information security officer, or call the ethics action line
What are the top 5 software commandments?
Thou shall not pirate software
Thou shall not install more software onto the company computer than the company has a license to use
Thou shall not copy your friend's software to a company computer
Thou shall report software piracy to your information security officer
What does TPO stand for?
Treatment, payment, operations
How can you keep discussions private?
closing doors, pull curtains, conduct discussions so that others cannot hear, patient medical records not left where others can easily see or access, and lab or test results kept private
What is most of this?
common sense (from the video not my words lol)
What do patients not have the right to keep private?
communicable diseases, child abuse, domestic violence, criminal investigation, and courts have the right to release PHI
What might loading unlicensed software onto a company computer subject you to?
company action up to termination
What are information assets?
computers, records, networks, services, electronic files, hardware, software
What is the first category of information?
confidential: PHI, payroll, personal files
What can happen due to failure to follow HIPAA?
corrective action and termination
What should you never do with any records from the facility?
deliberately remove them
What is data?
information of any kind
What should passwords contain?
letters, numbers, at least 8 characters, one lower case letter, one upper case letter
Can a patient ask to not be listed on the directory?
yes
Does the privacy policy apply to you?
yes, even if you no longer work for Tenet