HIPAA PRIVACY & SECURITY TRAINING Professional Nursing Services

Course Objectives Privacy and Security Training explains: The requirements of the federal HIPAA/HITECH regulations State privacy laws Professional Nursing Services policies and procedures that protect the privacy and security of confidential data How these affect your job How you can protect confidential and sensitive information Your responsibilities for good computer and communication skills How to report privacy breaches and security incidents

What is HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that specifies administrative simplification provisions that: Protect the privacy of patient information Provide electronic and physical security of protected health information (PHI) Require “minimum necessary use and disclosure” Specify patient rights to approve the access and use of their medical information

The 2009 HITECH Act This is an update to HIPAA. As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology of Economic and Clinical Health (HITECH) updated federal privacy and security standards. The updates include: Breach notification requirements Fine and penalty increases for privacy violations Right to request copies of the electronic health care record in electronic format Mandates business associates are civilly and criminally liable for privacy and security violations.

Professional Nursing Services Fines & Penalties Privacy violations may carry penalties under federal, state privacy laws and PNS policies: HIPAA Criminal Penalties : $50,000-$1,500,000 fines, imprisonment up to 10 years HIPAA Civil Penalties: $100-$25,000 /year fines, more fines if multiple year violations State: States Attorney may bring legal action to collect attorney fees and damages for the individual How to report Privacy Breaches and Security Issues Professional Nursing Services 10615 York Rd, Cockeysville, MD 21030 Ann O’Shea @ 410-683-9770 Toll free: 888-329-0887 DHHS Office for Civil Rights 150 S. Independence Mall West – Suite 372 Philadelphia, PA 19106-3499 215-861-4441 OHCG Spring Field Hospital Center Bland Bryant Bldg. 55 Wade Ave, Catonsville, MD 21228 1-800-492-6005

How the Law Effects You HIPAA requires that PNS train all of its workforce members about HIPAA policies and specific procedures which may affect the work you do. These rules apply to you when you look at, use, or share Protected Health Information. What information must be protected? You must protect an individual’s PHI (Protected Health Information) which is collected or created as a consequence of health care operations. What is PHI? It is information related to a patient’s past, present or future physical and or mental health condition. Can be in any form: Written, spoken, or electronic including video, photographs and x-rays Includes at least one of the 18 personal identifiers in association THESE RULES APPLY TO YOU WHEN YOU USE, VIEW, OR SHARE PROTECTED HEALTH INFORMATION

Protected Health Information Identifiers IP addresses Health plan beneficiary numbers Device identifiers and their serial numbers Vehicle identifiers and serial numbers Biometrics (fingerprints, voice prints) Medical record numbers Full face photos and other comparable images Any unique number, code, or characteristic Name Postal Address Dates (excluding year) Telephone numbers Fax numbers E-mail addresses URL addresses Social Security numbers Account numbers License numbers

Notice of Privacy Practices for PHI The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO TREATMENT (T) , PAYMENT (P) , OPERATIONS (O) The TPO includes health care professionals directly involved in the team providing services to the client. I.e.. Case managers, equipment vendors, nurses, physicians, emergency personnel. For patient care and treatment, HIPAA does not impose restrictions on use and disclosure of PHI by health care providers. EXCEPTIONS: PSYCHOTHERAPY INFORMATION HIV TEST RESULTS SUBSTANCE ABUSE INFORMATION For anything else, HIPAA requires users to access the minimum amount of information necessary to perform their duties.

HIPAA “DO’s and DON’Ts” Communicate to medical personnel directly involved in the care of a client i.e. Case managers, Doctors, Nurses. Utilize caution when speaking in areas where information may be overheard by personnel not directly involved in the care of the client. Regards to computer use- utilize your password when accessing information. Protect client’s privacy disclosing the minimum necessary information when appropriate. Email communications should include a test email to confirm the correct email address is provided. Report all breaches immediately or within 5 days of the breach to PNS security officer/ Ann O’Shea @ 410-683-9770/1-888-329-0887. Don’ts Do not discuss clients to individuals not directly involved in the treatment, payment, or operations of the client. Do not discuss client information or any of the PHI information to anyone not involved in the care of the client. Do not discuss any patient information with anyone unless required for your job.

Once you have finished reviewing the previous information, please complete the HIPAA Training Acknowledgement form