UAB HIPAA TRAINING

What are the 8 workstation responsibilities?

1. Arrange computer screens so that they are not visible by authorized persons. 2. Do not install or download any software or hardware without authorization. 3. Do not use remote control software (such as PC Anywhere) because it can lead to security breaches. 4. Do not disable or interfere with antivirus or automated patching software. 5. Store sensitive and confidential information secure in a directory on a secure network file server. Information stored on the hard drive of a computer or portable computing device can be lost or compromised. 6. Do not use portable computing devices (PCDs) without appropriate security protection. PCDs used for PHI must be encrypted. These devices include hand-held, notebook, and laptop computers, personal digital assistants (PDAs), and portable memory devices such as flash disks, thumb drives, jump drives, etc. Ask your information systems representative for help securing PCDs. 7. Log off or lock your computer when it is left unattended. 8. Log off before allowing coworkers to use your computer.

The HIPAA Security Rule enforces...?

1. Confidentiality- information is accessed only by authorized individuals with the understanding that they will disclose it only to other authorized individuals 2. Integrity- information is the same as in the source documents and has not been altered or destroyed in any unauthorized manner 3. Availability- information is accessible to authorized individuals when they need it

HIPAA Privacy and Security regulations apply to research involving human subjects and:

1. Impact the use and disclosure of PHI for research 2. Do not replace other federal research regulations; therefore, all existing regulations related to human research remain in effect. 3. Apply whether or not the research is funded by the government.

HIPAA civil penalties include fines from ___ to ____.

$100 to $1.5 million

What are the rules/guidelines related to passwords?

- Do not share your user account, password, token, or other means of system access with anyone. -Choose a new password each time. Do not reuse your expired passwords. -Use strong passwords which are at least 6-8 characters long and include upper and lower case alphanumeric characters and/or special characters. -Do not use pet names, birthdates, or other easily guessed passwords. -If you do write down your password, keep it locked up or in your waller protected like a credit card. -Only access PHI for business related purposes. -Do not use your system access to look up your own medical information or information on friends, family, or co-workers. -Notify your information systems representative immediately if you believe your access to UAB/UABHS information systems has been compromised. You are responsible for all activity under your login.

What are some examples of breaching?

1) Accessing PHI without a work-related need to know 2) Sharing PHI with those who do not ned it for work purposes 3) Copying or removing PHI from the appropriate area 4) Having patient-related conversations in public settings 5) Sending a fax containing PHI to the wrong destination 6) Loss or theft of records containing PHI

Often principal investigators are also clinicians. Therefore, additional guidance must be followed:

1) Principal investigators or their designees should not use their clinical access to search patient records for potential research participants. 2) Physicians who are involved in research activities may contact only their own patients while recruiting for research activities.

The only expectations to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:

1) Treatment 2) Purposes for which a patient authorization is signed 3) Disclosures required by law 4) Sharing information to the patient about himself/herself

What are the 8 core standards that govern how UAB/UABHS and its personnel shall operate in order to meet the HIPAA Security Regulations?

1. Information System and Account Management 2. Internet and Email Use 3. Media Reallocation and Disposal 4. Information Systems and Network Access 5. Contingency Planning 6. Risk Analysis and Management of EPHI 7. Security Incident Response 8. Use of Portable Devices for Computing and Data Storage

What are the 18 PHI identifiers of an individual or of relatives, employers, or household members of the individual?

1. Name 2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code, and equivalent geocodes) 3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age. 4. Telephone number 5. Fax numbers 6. Electronic mail address 7. Social security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/License numbers 12. Vehicle identifiers and serial numbers including license plate numbers 13. Device identifiers and serial numbers 14. Web Universal Resource Locator (URLs) 15. Internet protocol (IP) address numbers 16. Biometric identifiers, including finger and voice prints 17. Full face photographic images and any comparable images 18. Any other unique identifying number, characteristic, or code, except as allowed under the re-identifcation specifications

PHI can be sent via a fax machine if ...?

1. Using an approved fax cover sheet that includes a confidentiality statement 2. No PHI on cover sheet 3. Limit PHI to the minimum necessary 4. Double check fax numbers before dialing and sending 5. Check confirmation sheets to verify that the transmission was successful and accurate 6. Ensure that confidential information is not left on the fax machine

What types of data are protected by HIPAA? (4)

1. Written documentation and all paper records, including labels from medicines and ID bracelets 2. Spoken and verbal information including voice mail messages. 3. Electronic databases and any electronic information, including research information, containing ePHI stored on a computer, PDA, memory card, USB drive, or other electronic media. 4. Photographs and digital images

All ages over _____ are indicative of age according to PHI

89

What is required before a covered entity can contract a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity's PHI?

A Business Associate Agreement (BAA)

What is the federal civil penalty for knowingly violating HIPAA Privacy and Security regulations?

A fine ranging from $100 up to $1.5 million per violation depending on the harmful intent of the violation.

What does a BAA do?

Binds the third party individual or vendor to the HIPAA regulations when performing the contracted services.

True or False - You can use your access to look up your own medical information or information on your family, friends, or co-workers.

False

True or False- it is okay to relate your work experiences, especially those dealing with patients or research participants, on social networking sites if you think that information is not important.

False Do not relate your work experiences, especially those dealing with patients or research participants, on social networking sites.

True or False- PHI may not be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance.

False, PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance.

True or False - Individual employees are authorized to sign contracts on behalf of UAB/UABHS.

False, individual employees are NOT authorized to sign contracts on behalf of UAB/UABHS.

True or False - PHI may always be disclosed to individuals involved in a patient's care or payment for care

False- not if a patient objects

T/F: Only employees of UAB must comply with HIPAA regulations.

False. All employees, students, and volunteers of the covered entities must comply with HIPAA regulations.

True or False - Deleting a file removes the data from the media.

False. Deleting a file does not actually remove the data from the media.

True or False- there is no harm in using public websites (Google, MS office) for storing PHI or research data.

False. Do not use public websites (Google, MS office) for storing PHI or research data.

True or False- It is never allowed to email PHI.

False. One exception to "Do not email PHI": Emails with PHI can be transmitted in the UAB/UABHS email systems if you and the person to whom you are sending an email both have email addresses ending in either "uab.edu" or "uabmc.edu." If you must send an email with PHI outside the UAB/UABHS email systems and your email addresses ending with "uabmc.edu." then enter "[encrypt]" anywhere in the subject line to encrypt the email.

True or False - Formatting constitutes sanitizing the media.

False. Formatting does not constitute sanitizing the media.

True or False- It is okay to discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs as long as they do not tell.

False. Do not discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs

As a rule, first contact _____ for PHI to be used for IRB-approved research protocols.

Health Information Management

What is HIPAA?

Health Insurance Portability and Accountability Act (HIPAA) addresses issues ranging from health insurance coverage to national standard identifiers for health care providers. MAIN PURPOSE: HIPAA protests the privacy and security of health data also called protected health information (PHI).

What happens to media (i.e. CDs, disks, or thumb drives) that contain PHI or other sensitive information that is no longer being used?

It must be cleaned or sanitized before reallocating or destroying. Once they are sanitized, place them in specially marked secure containers for destruction.

What happens to physical documents that contain PHI or other sensitive information that is no longer being used?

It must be shredded immediately or placed in securely locked boxes or rooms to await shredding.

What is the fine for criminal penalties for "wrongful disclosure"?

Large fines of $50K to $250K and up to 10 years in prison

What are privacy core standards?

Privacy core standards govern how UAB/UABHS and its workforce shall operate in order to meet the HIPAA Privacy Rule. In particular: 1) Use and Disclosure of Dealth Information 2) Use and Disclosure of Health Information for Marketing 3) Use and Disclosure of Health Information for Fundraising 4) Use and Disclosure of Identifiable Health Information for Research 5) Patient Health Information Rights

What information should never be sent via fax machine?

Privileged PHI

What is PHI?

Protected health information (PHI) is any information, including demographic information, that is transmitted or maintained in any medium (electronically, on paper, or via the spoken word) that is created or received by a health care provider, health plan, or health care clearinghouse that relates to or describes the past, present, or future physical or mental health conditions of an individual or past, present, or future payment for the provision of healthcare to the individual, and that can be used to identify the individual.

Routine requests and authorizations for PHI should be send through the _______ whenever possible.

Regular mail

What happens if I suspect a breach?

Report to any of the following: 1. Your administrative supervisor 2. Your HIPAA Entity Privacy Coordinator (EPC) or your HIPAA Entity Security Coordinator (ESC) 3. The appropriate information systems help desk 4. The Privacy Office, the Office of Corporate Compliance, or the Office of University Compliance 5. The Institutional Review Board (IRB) if research data are involved

________ also can pursue civil suits against persons who violate HIPAA privacy and security regulations.

State attorney generals

Which department is responsible for enforcing criminal penalties for noncompliance with the HIPAA Privacy Rule?

U.S. Department of Justice

Who are the owner's of our patients PHI?

UAB/UABHS

Any one of the 18 identifiers combined with ______ is PHI.

a reference to a diagnosis or medical condition

Which of the following is the acceptable guidance for emailing PHI? a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance. b. PHI can always be sent in an attachment to an email c. Email is not an approved means of communication at UAB/UABHS d. None of the above

a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance.

After using a clinic application on a shared workstation (nursing station), the user must take which of the following steps? a. logoff the application b. leave the application open for the next user c. turn off the monitor immediately d. relocate to a secure location

a. logoff the application

Define privacy.

an individual's right to keep certain information to himself or herself, with the understanding that their protected health information (PHI) will only be used or disclosed with their permission or as permitted by law.

What should I do if I need to see my personal medical record (electronic or paper record) or my spouse's record? a. ask a coworker to obtain the medical record b. contact Health Information Management or the physician's office for copies c. use my clinical access to view the record in the electronic system or clinical paper files d. call the hospital front desk

b. contact Health Information Management or the physician's office for copies

My password or other means of access to UAB/UABHS information systems can be shared with which of the following? a. my spouse b. no one c. my supervisor d. information technology staff

b. no one

PHI is to be accessed for _______ purposes only.

business and/or work-related purposes; those purposes that are for treatment, payment of that treatment, or health care operations (TPO)

Principle investigators or designated researchers must provide a ________ to the covered entity holding that data before the data can be released for research.

copy of the fully executed IRB approval form

PHI can be accessed ONLY for a. Looking up my own medical information b. Checking on my family and friends c. Determining any appointment date and time d. UAB/UABHS business/work-related purposes

d. UAB/UABHS business/work-related purposes

What steps should be taking before sending PHI via a fax machine? a. ensure you are using your entity's approved fax coversheet b. verify the fax number is correct c. limit the PHI contained in the fact to the minimum necessary, but do not put any PHI on the coversheet d. all of the above

d. all of the above

Which of the following is/are defined as PHI data elements under HIPAA? a. patient's name b. patient's photograph c. vehicle identifiers d. all of the above

d. all of the above

Why is it important to put away papers, such as folders, files, and reports, containing patient and other confidential information when you leave your work area? a. an unauthorized person could take the documents b. people with access to your area may not be authorized to access the information c. information could be mistakenly discarded d. all of the above

d. all of the above

What should I do if I suspect a breach involving protected health information? a. discuss it with my administrative supervisor b. report it to the privacy office, the office of corporate compliance, or the office of university compliance c. report it to my HIPAA ESC or EPC d. any of the above

d. any of the above

What can you do to avoid having unauthorized persons from overhearing your conversation about a patient? a. ask others to leave until you finish your conversation b. Write down the message on a small marker board, taking care to erase it when finished c. Don't talk to others about patients even if for patient care d. go to a more private area; lower your voice

d. go to a more private area; lower your voice

Under what circumstances are you free to repeat to others PHI you hear while performing your UAB/UABHS job responsibilities? a. after you no longer work at UAB/UABHS b. after a patient is discharged or dies c. only if you believe the patient doesn't mind sharing PHI d. only when authorized for business purposes (TPO)

d. only when authorized for business purposes (TPO)

When can PHI be sent via a fax machine?

if other more secure means of communication are not available

What is privileged PHI?

information about abuse or neglect, alcohol or drug abuse, sexually transmitted diseases, HIV, or psychiatric treatment

When HIPAA permits use or disclosure of PHI, a covered entity must use of disclose only the ________ PHI required to accomplish the purpose of the use or disclosure.

minimum necessary

What is a breach?

occurs when "unsecured PHI" is "acquired, accessed, used, or disclosed" in an unauthorized manner that compromises the security or privacy of the information

Covered entities are permitted to use or disclose PHI for research purposes if...?

the Institutional Review Board (IRB) has approved the research and one or more of the following conditions exists: 1. a signed patient authorization is recorded 2. the research is decedent research 3. the process is preparatory to research 4. The research utilizes a Limited Data Set with a Data Use Agreement 5. The IRB grants a waiver for the required patient/participant signed authorization

What does it mean to "sanitize"

to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.

HIPAA states that PHI may be used and disclosed to facilitate...?

treatment, payment, and healthcare operations (TPO)

In addition, members of the UAB/UABHS work force are subject to what kind of disciplinary action?

up to and including termination of employment for noncompliance with HIPAA privacy and security regulations and standards

At UAB/UABHS, research is a _____ of PHI.

use

True or False- BAA must be approved in accordance with appropriate UAB/UABHS policies and procedures

True

True or False- It is never allowed to forward your UAB/UABHS email account to another email system (gmail, AOL, hotmail, etc.)

True

True or False- PHI may be disclosed to other covered entities for payment.

True

True or False- PHI may be disclosed to other providers for treatment.

True

What are examples of wrongful disclosures?

Accessing health information under false pretenses, releasing patient information with harmful intent, selling PHI, etc.

Which Department through the Office for Civil Rights enforces civil monetary penalties for noncompliance with HIPAA Privacy Rule and Security regulations?

Department of Health and Human Services

Who holds the responsibility for the privacy and security of our patients' PHI?

Everyone

True or False - HIPAA penalties and fines only apply to covered entities

FALSE - Penalties and fines apply to members of the work force and other individuals, NOT just to the covered entities.

True or False - A HIPAA covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure.

True

True or False - UAB/UABHS has developed HIPAA core standards that govern how the organization and its personnel shall operate to comply with HIPAA regulations

True

If research study has been approved by the IRB, then a principle investigator can use her clinical access to view medical records (electronic or paper) to identify potential research participants but only from records of those patients for who she was directly involved in their care.

True

T/F: All types of protected health information (written, verbal, or spoken, and electronic) are protected by HIPAA.

True