HIPAA Privacy and Security Basics: Supervisor, Administrative Staff Training
February 2019

Presenter Notes: The reference to “workforce” in the title (a term of art under HIPAA’s implementing regulations) reflects that a covered entity’s (CE) or business associate’s (BA) training obligations extend not only to employees, but also to volunteers, trainees, and other individuals whose conduct, in performing work for the CE or BA, is under the direct control of the CE or BA. This is the rule regardless of whether the individual is paid by the CE or BA.

Overview
- What is the Health Insurance Portability and Accountability Act (HIPAA)?
- Entities subject to HIPAA
- Information protected by HIPAA
- HIPAA Privacy Rule
- [Company Name] HIPAA Privacy Procedures
- HIPAA Breach Notification
- Storing and disposing of HIPAA information

Presenter Notes: In light of recent highly-publicized and expensive government enforcement investigations and settlements involving HIPAA privacy and security violations, this presentation is intended to train and/or re-familiarize employees and other workforce members on several key HIPAA compliance issues, as outlined on this slide. The presentation is not intended to make attendees experts on HIPAA privacy and security issues, but is intended to help familiarize attendees with HIPAA’s requirements so that they can assist the company in recognizing, reporting, and otherwise addressing situations that may place at risk health information protected by HIPAA, or that would otherwise violate HIPAA’s requirements.

What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Privacy and security standards
  - Required implementing guidance to be issued by the Department of Health and Human Services (HHS)
- Health Information Technology for Economic and Clinical Health (HITECH) Act (2009)
  - Expanded HIPAA’s privacy and security requirements
  - Established notification rules for breaches of protected health information (PHI)
- Comprehensive final regulations (Jan. 2013)

Presenter Notes: Part of HIPAA’s “administrative simplification,” the Privacy Rule established use and disclosure rules for HIPAA covered entities (for example, employer-sponsored group health plans) regarding protected health information (PHI) under HIPAA. The Privacy Rule also gave individuals rights regarding their PHI (for example, the right to obtain a copy of their health records and to request corrections), which will be addressed on later slides. Covered entities (CEs) also must have contracts in place with their business associates to safeguard PHI. The Security Rule governs PHI in electronic form and requires CEs to establish administrative, physical, and technical safeguards to protect electronic PHI (ePHI). CEs must have contracts in place with their business associates (BAs) under which the BAs provide assurances that they will safeguard the ePHI they create, receive, or transmit on a CE’s behalf. The HITECH Act built on existing HIPAA privacy and security rules. Among other provisions, the HITECH Act included notification standards involving breaches of unsecured PHI. In addition, comprehensive regulations issued in early 2013 strengthened HIPAA’s privacy and security protections. These final “omnibus” regulations also addressed stronger enforcement provisions under the HITECH Act.

Why require HIPAA training? This slide is a good opportunity to emphasize the ultimate goals of HIPAA training for workforce members. Emphasize to attendees that when they are finished with the training, it is expected that they will be able to recognize HIPAA violations and report the violations to the appropriate responsible person (see final slide).

Health Information - Definitions
There are three levels of health information defined:
1. Health information means any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Example: I have the flu.

Health Information - Definitions
There are three levels of health information defined:
2. Individually identifiable health information means that subset of health information, including demographic information collected from an individual, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Example: I have the flu and I live at __________ and my social security number is __________ and my employee ID is ______.

Health Information - Definitions
There are three levels of health information defined:
3. Protected health information means individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
  - Transmitted by electronic media;
  - Maintained in any medium described in the definition of electronic media; or
  - Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
  - Education records covered by the Family Educational Rights and Privacy Act, as amended;
  - Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
  - Employment records held by a covered entity in its role as employer.
Example: I have the flu and I live at __________ and my social security number is __________ and my employee ID is ______. This is stored in the [Company Name]’s Benefits application and on [Health Care Provider]’s servers. This information is in my employee medical file with my supervisor and in the Benefits department.

Definition: What is PHI?
For all documents listing full social security numbers or driver’s license numbers, redact or remove all but the last 4 digits of the number.
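As an added illustration of the “keep only the last 4 digits” rule above (example code written for this page, not part of the training deck or any company tooling), the Python routine below masks every character of a matched social security or driver’s license number except the final four digits, keeps the separators so the form layout is unchanged, and provides a pre-filing check that reports whether any unredacted identifier remains. The regular expressions and the sample form are constructed assumptions: the SSN pattern is the ddd-dd-dddd form with or without separators, and because driver’s license formats vary by state the letter-plus-seven-digit pattern is a placeholder only.

```python
import re

# Constructed patterns for illustration (assumptions, not from the deck).
# Social security number in ddd-dd-dddd form, with or without separators.
# Note: any bare 9-digit run will also match, which errs on the side of
# masking too much rather than too little.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
# Driver's license formats vary by state; one letter followed by seven
# digits is a placeholder pattern to be replaced with the formats you handle.
DL_RE = re.compile(r"\b[A-Z]\d{7}\b")

KEEP_LAST = 4  # the slide's rule: keep only the last 4 digits


def mask_identifier(value: str, mask: str = "X") -> str:
    """Replace every letter/digit except the final KEEP_LAST characters
    with the mask character; separators such as '-' or ' ' are preserved
    so the redacted value keeps its original layout."""
    remaining = sum(ch.isalnum() for ch in value)
    out = []
    for ch in value:
        if ch.isalnum():
            out.append(mask if remaining > KEEP_LAST else ch)
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


def redact_identifiers(text: str) -> str:
    """Apply the keep-last-4 rule to every SSN or DL match in a document."""
    for pattern in (SSN_RE, DL_RE):
        text = pattern.sub(lambda m: mask_identifier(m.group(0)), text)
    return text


def has_unredacted_identifier(text: str) -> bool:
    """Pre-filing check: True if a full SSN or DL number is still present."""
    return bool(SSN_RE.search(text) or DL_RE.search(text))


# Constructed sample form; the values are made up, not a real record.
SAMPLE_FORM = (
    "Employee: J. Doe  SSN: 123-45-6789\n"
    "Driver's license: A1234567\n"
    "Request: Family Medical Leave Act (FMLA)\n"
)

if __name__ == "__main__":
    redacted = redact_identifiers(SAMPLE_FORM)
    print(redacted)
    print("unredacted identifiers remain:", has_unredacted_identifier(redacted))
```

Running the module on the sample form yields `SSN: XXX-XX-6789` and `Driver's license: XXXX4567`, after which `has_unredacted_identifier` returns False; the check is the piece a supervisor’s filing step would actually rely on, since a document that still matches a full-number pattern should not go into the employee medical file.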

Time for ‘Quiz’ Question 1…

Presenter Notes: Emphasize to employees (and other workforce members) that one of the reasons they are attending this HIPAA training session is because such training is required under HIPAA. As a result, employees should take the training session seriously. Noncompliance with HIPAA’s requirements can result in the CE being audited by HHS (and potentially by other agencies, such as the DOL). In many cases, government audits lead to expensive, highly publicized settlement agreements with HHS. (See later slides regarding HHS’s enforcement initiatives.)

Entities Subject to HIPAA
HIPAA covered entities (CEs) are:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain health care transactions in electronic form (e.g., fund transfers)
For HIPAA purposes, health plans include:
- Health insurance companies
- Health maintenance organizations (HMOs)
- Employer-sponsored group health plans
- Medicare, Medicaid and other government health programs

Presenter Notes: As discussed on later slides, many of HIPAA’s requirements also apply to a CE’s BAs.

HIPAA Privacy Rule
The HIPAA Privacy Rule requires [Company Name] to:
- Adopt and implement privacy procedures;
- Train employees so they understand the [Company Name]’s privacy procedures;
- Designate an individual to ensure that the [Company Name]’s privacy procedures are adopted and followed (a similar requirement applies under the HIPAA Security Rule); and
- Secure records involving health information

HIPAA Privacy Rule: The Privacy Officer
- [Company Name] must designate a privacy officer to develop and implement the [Company Name]’s policies and procedures
- [Company Name]'s Privacy Officers are:
  - Director of Corporate Compliance and Ethics; and
  - Director of Benefits
- They serve as the “buck-stops-here” representatives regarding the [Company Name]’s privacy-related compliance

Presenter Notes: In implementing the HIPAA privacy regulations, HHS expressly declined to establish formal qualifications regarding who within a CE should be the privacy officer (65 Fed. Reg. 82461). CEs also must designate a contact person or office to receive complaints and provide additional information about matters addressed in the CE’s notices of privacy practices. However, that contact person may be the same person as the CE’s privacy officer.

[Company Name] HIPAA Privacy Procedures
[Company Name] Supervisors, [other applicable position titles], and Administrative Staff can receive employee requests/forms for:
- Sick Leave;
- Workman’s Compensation claims;
- Family Medical Leave Act (FMLA);
- Short-/long-term disability claims; and
- Accident and Illness benefits (union only, and when all paid sick leave and vacation have been exhausted)
Deemed “The Beginning” part of the process

[Company Name] HIPAA Privacy Procedures
Completed employee requests/forms are submitted to and processed by:
- [Company Name] Benefits office;
- Employee’s physician(s)
All diagnoses, x-rays, lab tests, prescriptions, and all other PHI are securely processed by these offices.
Supervisors and Administrative Staff must never see or accept these PHI documents from the employee; have the employee place them in an envelope, seal it, mark it “CONFIDENTIAL” and send it by interoffice mail to the requesting office (listed above).
Deemed “The Middle” part of the process

[Company Name] HIPAA Privacy Procedures
Once the approval or disapproval decision is made:
- Supervisor and Administrative Staff should receive a copy of the approval/disapproval, including the authorized Return to Work date
- Supervisors and Administrative Staff must never accept hospital/medical facility discharge documents from the employee; they are not required
- Return to Work authorization can include a list of authorized prescription and over-the-counter (OTC) medications, either from [Company Name]’s current Independent Medical Assessor (IAM) (currently [Third-party Provider’s Company Name]) or from another physician
- Once the IAM certifies that the employee can return to work while taking prescribed medications, the medication list must be redacted or removed
Deemed “The End” part of the process

HIPAA Breach Notification
- A “breach” is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the PHI’s privacy or security
- If you know or suspect that a breach has occurred, notify the Director of Corporate Compliance & Ethics immediately

Presenter Notes: HHS refers to its website posting of large breaches, which was required under the HITECH Act, as the “wall of shame” (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

Time for ‘Quiz’ Question 2…

Storage of PHI
Employee Medical Files:
- Contain all documentation for Sick Leave, Workman’s Compensation claims, Family Medical Leave Act (FMLA), Short-/long-term disability, and Accident and Illness benefit claims
- Cannot contain any detailed physician diagnoses, tests, other medical analyses, discharge papers, or prescribed medications
- Must be stored:
  - Separate from the employee’s time/attendance/performance files; and
  - Double-locked, using any combination of supervisor file cabinet and office door locks

Presenter Notes: In enforcement actions involving CEs that have potentially violated HIPAA's standards for PHI disposal, HHS typically requires the CE to train (or, if appropriate, re-train) employees.

Storage of PHI
Employee Time/Attendance/Performance files contain:
- Time and attendance documentation;
- Accident/Incident reports;
- Performance plans and ratings; and
- Disciplinary action documentation
Must be stored:
- Separate from the employee’s medical file; and
- Double-locked, using any combination of supervisor file cabinet and office door locks

Disposing of PHI
- For paper PHI records, place them in a confidential shred bin
- To dispose of PHI on electronic media, contact: [Name], Director Corporate Compliance & Ethics, [phone #] or via email [email address]
- DO NOT dispose of any PHI in dumpsters or trash receptacles accessible by the public (e.g., recycling bins)

Presenter Notes: As noted in discussing HIPAA’s Security Rule (see earlier slides), CEs must implement policies and procedures that address:
- The final disposition of ePHI and the hardware or electronic media on which it is stored.
- Removal of ePHI from electronic media before the media is made available for re-use.

Time for ‘Quiz’ Question 3…

Recognizing and Reporting HIPAA Violations
If you become aware of a workplace situation that you believe may violate a requirement under HIPAA, please report it to:
- [Name], Director Corporate Compliance & Ethics, [phone #] or via email [email address]
- [Name], Director of Benefits, [phone #] or via email [email address]
Questions?

Presenter Notes: Although HHS’s implementing regulations generally do not dictate the content of a CE’s HIPAA training program, HHS has indicated that the training program should address the recognition and reporting of HIPAA violations to the appropriate responsible persons within the CE. As a result, this slide is intended to inform training attendees of who within the Company to contact if they experience a situation that they believe may violate HIPAA.