
1 The Health Insurance Portability and Accountability Act (HIPAA) of 1996
Hello, and welcome to our presentation regarding the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The objectives of this presentation are to understand the regulations governing protected health information and patient privacy rules, and to learn how HIPAA impacts vendors who visit health care facilities. After reviewing this lecture, you will be asked to complete a competency, on which you must score at least 90%. You may repeat this exam as necessary. Once you pass, you may print out a certificate for your records.

2 HIPAA
Is a Federal Law
Creates uniform standards for certain payment-related transactions (e.g., claims submissions and eligibility verification)
Creates minimum standards for the privacy and security of patient information

HIPAA is a federal law that was enacted by the US Congress in 1996, although several components did not take effect until more recently. This regulation largely impacts patients, health care providers, and other individuals working in health care, because it introduces new patient rights and provider responsibilities. One of HIPAA’s goals is to create a more efficient health care delivery system by standardizing electronic data interchange and creating uniform standards for managing payment-related transactions. For instance, HIPAA mandates that certain transaction sets be used for electronic claims submissions, to facilitate billing and payment. Additionally, HIPAA creates minimum standards that enhance the privacy and security of patient information. These privacy rules were established because Congress was concerned that the rise in electronic data interchange could potentially place patient confidentiality at risk.

3 Application of HIPAA – “Covered Entities” and “Business Associates”
Health Care Providers
Health Plans
Health Care Clearinghouses (e.g., Billing Companies)
Business Associates: Under recent changes to HIPAA, Business Associates must also comply with many of the HIPAA requirements.
Note: For purposes of this presentation, we are going to refer to each Covered Entity as the “Hospital”.

HIPAA regulations apply to both covered entities and business associates. Covered entities include health care providers, health plans, and health care clearinghouses such as billing services and community health information systems. Note that for the purposes of this presentation, each of these covered entities will be referred to as “the hospital.” Recent changes to HIPAA have also extended the reach of its privacy and security requirements to business associates, or those who perform services on the hospital’s behalf. Because most hospitals use the services of other persons or businesses, HIPAA regulations allow certain protected information to be disclosed to these business associates, provided that they use the information only to help the covered entity carry out its health care functions, and will safeguard it from misuse.

4 Who is a “Business Associate”?
Definition:
A person who performs, or assists in the performance of, a function or activity involving the use or disclosure of protected health information (PHI) or any other function or activity regulated by HIPAA on behalf of the Hospital; or
A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the Hospital involving the disclosure of PHI.

Specifically, a business associate is any person who performs, or assists in the performance of, a function or activity involving the use or disclosure of protected health information or any other function or activity regulated by HIPAA on behalf of the hospital. A business associate may also be any person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the hospital involving the disclosure of protected health information. Note that a detailed explanation of protected health information and what it constitutes will be provided later in this presentation.

5 Examples of Business Associates
Software Vendors, if they need or obtain access to PHI
Medical Equipment Vendors, if they are required to receive or create PHI
Administrative Service Providers, etc.
QA Agents and Consultants
Photocopy Companies
Providers who perform services other than treatment (e.g., a nurse who provides administrative services)

Examples of business associates include software vendors or medical equipment vendors that are required to access protected health information, administrative service providers, quality assurance agents and consultants who perform utilization reviews for the hospital, photocopy companies, attorneys whose legal services to the hospital involve access to protected health information, and any providers who perform services other than treatment and are required to receive or create PHI.

6 Training Requirement
The Hospital has policies and procedures that describe the HIPAA obligations of staff and Vendors.
Copies of the HIPAA policies and procedures can be obtained from the Hospital’s Privacy Officer.
Compliance with the HIPAA regulations is the responsibility of the entire staff.
Everyone must take steps to protect the confidentiality and privacy of client information, and
Everyone is required to receive HIPAA training.

Each hospital has policies and procedures describing HIPAA obligations for its staff and vendors; copies of these policies may be obtained from the hospital’s privacy officer, who is responsible for implementing privacy policies and applying HIPAA regulations to day-to-day activities. It is important to remember that compliance with the HIPAA regulations is everyone’s responsibility. Thus, everyone must receive HIPAA training and must take steps to protect the privacy and confidentiality of patient information. Specific steps that can be taken to help ensure that patient information remains protected will be discussed throughout this presentation.

7 HIPAA Privacy Basics
General Privacy Rule: You may not USE or DISCLOSE Protected Health Information (“PHI”) except as permitted by the privacy regulations.
Note: We also refer to PHI as “Patient Information” in this presentation.

The privacy rule, which took effect in 2003, regulates the use and disclosure of protected health information, or patient information, by covered entities. Under this rule, hospitals may not use or disclose protected health information except as permitted. In addition, all patients must be given a privacy notice explaining their rights under HIPAA and the facility’s policies on the use and disclosure of their health information.

8 What Is Protected Health Information or “PHI”?
PHI is any information relating to a person’s health status, treatment or payment for health services which may identify the individual.
Includes: Oral, written and electronic records and communications.

According to the privacy rule, protected health information is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This includes any information that can be used to identify a particular patient, and may be obtained through oral, written, or electronic records and communications. Furthermore, HIPAA covers 18 specific identifiers that can be used to identify, contact, or locate a single person, and can be used with other sources to uniquely identify a single individual. These identifiers include names, geographic information, dates, phone numbers, fax numbers, addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, license or certificate numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, URLs, IP address numbers, biometric identifiers, full-face photographs, and any other unique identifiers.

9 Covered Entity Permitted Purposes
A Covered Entity may use and disclose PHI without obtaining a HIPAA-compliant authorization for the following purposes:
Treatment, payment, and health care operations
To the patient’s family members, friends or personal representatives if the patient is incapacitated and the disclosure is in the best interest of the patient
If required by law
For certain limited health care oversight, public health, and law enforcement purposes
To report child abuse
Certain other limited and discrete purposes permitted under HIPAA

According to HIPAA regulations, there are explicit purposes for which protected health information may be disclosed without patient authorization. Primarily, this information may be used for treatment, payment, and health care operations. Treatment refers to the provision, coordination, or management of health care and related services among health care providers, and payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services. Health care operations consist of a covered entity’s administrative, financial, legal, and quality improvement activities that are necessary to run its business and to support the core functions of treatment and payment. Additionally, protected health information may be disclosed to a patient’s family, friends, or personal representative if the patient is incapacitated and disclosure is believed to be in the best interest of the patient. Note that patient consent IS necessary, however, if the patient is able to provide it. Other situations in which protected health information may be disclosed without authorization are: if it is required by law; for certain limited health care oversight, public health, and law enforcement purposes; to report child abuse; and under a select few other circumstances.

10 Permitted Disclosures for Vendor’s Use
A Vendor may use and disclose PHI without obtaining a HIPAA-compliant authorization form for purposes permitted in the Business Associate Agreement.
Typically, this means that the Vendor may only access, use or disclose PHI to perform the services identified in the Services Agreement with the Hospital.
The Vendor cannot use or disclose PHI for purposes that would not be permitted if used or disclosed by the Hospital.

As far as vendors are concerned, they may use and disclose protected health information without obtaining HIPAA-compliant authorization only for purposes permitted in the business associate agreement. Typically, this means that vendors may only access, use, or disclose protected health information to carry out the services they have been asked to perform. The business associate agreement is a contract outlining the permitted and required uses of protected health information by the business associate, or vendor. Vendors may not use or further disclose protected health information other than as permitted or required by the contract or as required by law. Furthermore, they must use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. If a covered entity knows of a material breach or violation of the agreement, it may terminate the agreement with the vendor.

11 Limit Your Access
You may not access PHI unless you have a specific job-related purpose for doing so.

Both employees and vendors should take steps to limit their access to patient information. It is important to remember that protected health information should never be accessed unless necessary for a job-related purpose.

12 Minimum Necessary Rule
In addition, you must limit the PHI which you use, disclose or request to the minimum necessary to accomplish your job responsibilities.
Example: When PHI is disclosed in response to a request from a health plan, only the information requested should be sent rather than the entire clinical record.

According to HIPAA’s minimum necessary rule, the covered entity must make a reasonable effort to access only the minimum necessary information required to achieve the task at hand, and health information may only be accessed by employees with a need to know. For example, when protected health information is disclosed in response to a request from a health plan, the patient’s entire medical record should not be sent; instead, only the information specifically requested should be provided.

13 How Do You Limit Access?
Do not look in a patient’s medical record unless specifically requested.
If you have access to the Hospital’s computer system, do not “look up” a patient’s information unless it is necessary to do your job (e.g., if a co-worker is having a medical problem and being treated at the hospital, you cannot look up his medical information).
Do not ask Hospital staff about patient information they have encountered.

To appropriately limit access to protected health information, no one should look at a patient’s medical record unless specifically requested or required. Similarly, those who have access to the hospital’s computer system should not abuse this privilege. Employees or vendors should never look up a patient’s information unless it is necessary to do their job. Finally, vendors should never ask hospital staff about patient information they have encountered.

14 Prohibited Disclosure
You may not share PHI with anyone except as required by your job. This means:
You may not discuss patients with your fellow workers except as necessary for your job.
You may not carry patient information (written, electronic or oral) out of the office or Hospital unless expressly authorized to do so.
You may not discuss patient information with family and friends.

Likewise, employees and vendors should not share protected health information with anyone except as required by their jobs. This means patient information should not be discussed with fellow workers, family members, or friends. Additionally, it may not be carried out of the hospital, in written, electronic, or oral form, without specific authorization.

15 Prohibited Disclosures
You may not talk about interesting cases you observe, even if you see the patient’s story on the news.
You may not tell co-workers, friends or family about patients they may know.
You may not discard trash containing PHI where it can be easily accessed by outside parties.

Interesting cases should not be publicly discussed, even if the story appears on the news or if the patient is someone whom friends or family may know. In addition, protected health information should never be discarded in open trash bins, where it may be accessible to unauthorized individuals. Instead, it should be shredded or disposed of in a secure location.

16 HIPAA Hot Spots: Reasonable Safeguards
Do not leave PHI in public view (e.g., lying around on desks or unattended on a fax machine), and take care when disposing of PHI (e.g., shred paper when feasible or place paper in waste baskets that are kept in secure places).

Moreover, charts and other private information should be protected from public view. Protected health information should never be left on an open desk or an unattended fax machine, because it may be picked up by someone to whom it does not belong.

17 HIPAA Hot Spot: Public Conversations
Avoid holding conversations about PHI in public areas such as lobbies, elevators, cafeterias and hallways. If you must do so, keep your voice low and be aware of people who may overhear your conversation.

It is important to try to avoid discussing private information loudly, or in public areas such as lobbies, elevators, cafeterias, and hallways. If absolutely necessary, reasonable precautions should be taken to prevent others from overhearing the conversation. Note: Conversations between providers, and between providers and clients, are permissible, even if incidentally overheard, as long as reasonable precautions were taken.

18 Miscellaneous Requirements
Limit your own use and disclosure of or requests for information to the minimum necessary to perform the assigned task.
Verify that information is being provided to an authorized person.
Mitigate the harmful effects of HIPAA violations.

Again, use and disclosure of or requests for patient information should be limited to the minimum necessary to perform the assigned task. In addition, when disclosing protected health information, it is crucial to verify that it is being provided to an authorized individual.

19 Privacy Officer
If you become aware of any violations of the Hospital’s HIPAA policies, or receive any complaints about the confidentiality of PHI in the Hospital, you must notify the Hospital’s Privacy Officer.

Each hospital has a privacy officer who is responsible for investigating privacy-related concerns. Vendors who become aware of any violations of the hospital’s HIPAA policies, or receive any complaints about the confidentiality of protected health information in the hospital, must notify the privacy officer. Note that the name and number of a given facility’s privacy officer may be easily obtained at the front desk.

20 Breach Notification
A Business Associate is required to NOTIFY the Hospital of breaches that involve the Hospital’s unsecured protected health information.
If you become aware of a breach, notify the Privacy Officer as soon as possible.
The Hospital will be required to inform the affected patients of what occurred.

Business associates must notify the privacy officer as soon as possible if they discover a breach involving unsecured protected health information. A breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

21 Breach Notification
The Business Associate must make such notification to the Hospital without unreasonable delay and in no case later than 60 calendar days after the breach is discovered by the Business Associate.
A breach is considered to be discovered when the incident became known (or should have become known with reasonable diligence), not when the Business Associate concludes the investigation.

The business associate must provide this notice without unreasonable delay and no later than 60 days from the discovery of the breach. Note that a breach is considered to be discovered when the incident became known (or should have become known with reasonable diligence), not when the business associate concludes the investigation. If possible, the business associate should provide the identity of each individual affected by the breach, as well as any other pertinent information, as the hospital will be required to inform the affected patient or patients of what occurred.

22 Breach Notification
Timely reporting of potential breaches is essential for compliance with HIPAA!

Remember that timely reporting of potential breaches is essential for compliance with HIPAA.

23 Examples of Breaches
Lost or stolen laptop containing unencrypted patient information
Access to a patient’s information by a staff member who is not authorized to disclose such information
Disposal of patient information without destroying it properly (e.g., shredding paper, destroying discs) if such patient information is then accessed or used by a third party
Faxing information about a patient or patients to the wrong fax number

Examples of breaches include but are not limited to: lost or stolen laptops containing unencrypted patient information, access to a patient’s information by a staff member who is not authorized to disclose such information, improper disposal of patient information followed by third-party use or access, and faxing patient information to an incorrect number.

24 Steps You Must Take to Protect the Security of PHI
Another component of HIPAA addresses security. The core objective of the HIPAA Security Rules is for all covered entities to support the confidentiality, integrity and availability of all protected health information.

25 HIPAA Security Basics
Security of PHI must be an ongoing and comprehensive process, not an event.

Securing protected health information must be an ongoing and comprehensive process that remains in place at all times. Any disruptions in security may lead to violations of patient confidentiality.

26 Security Rules
The Security Rules require the Hospital to implement administrative, physical and technical safeguards.
Administrative safeguards are policies, procedures and training regarding each employee’s and vendor’s obligations to protect PHI.
Physical safeguards are designed to protect the physical surroundings and environment where electronic PHI is stored (e.g., locks, security systems, ID badges).
Technical safeguards are electronic mechanisms to protect electronic PHI, such as passwords, automatic log-off, encryption and firewalls.

The security rules under HIPAA require hospitals to implement administrative, physical, and technical safeguards. Administrative safeguards are policies, procedures, and training requirements designed to enforce facility-wide standards for the handling and treatment of patient information by employees and vendors. Physical safeguards, on the other hand, are designed to protect the physical surroundings where electronic patient information is stored. For instance, these safeguards protect computers and buildings containing protected health information from theft, invasion, and environmental threats. Finally, technical safeguards are electronic mechanisms that protect patient information by controlling access to computer systems and preventing interception of electronic transmissions. Examples include passwords, automatic log-offs, encryption, and firewalls.

27 Do Not Share Your Computer Password if You Have One!
It is important never to share computer passwords, as this would bypass a technical safeguard, thereby jeopardizing patient privacy. Likewise, passwords should not be posted on the side of the computer or anywhere else where they may be easily accessible.

28 Protect Work Areas
Be aware of who can look over your shoulder and view client information in your possession, on your desk or on your computer screen.
Do not leave unattended patient information unsecured.
Sign off your computer (or have automatic log-off).
Turn computer screens away from public view.
Do not post your password on the side of your computer or anywhere in your work area.

Computer users should also be aware of who is in close proximity, and should always turn computer screens away from public view. It would also be prudent to log off whenever possible, to prevent unauthorized individuals from accessing protected health information.

29 ENCRYPTION
Whenever possible, use encryption when sending PHI over the Internet or storing PHI on portable devices.

Additionally, protected health information that is sent over the internet or stored on portable devices should be encrypted whenever possible; this will provide an additional layer of security in case the information is somehow intercepted.

30 Other Suggested Security Practices
Wear your name tag.
Shred or discard PHI in secure trash bins.
Do not download PHI to computers outside of the hospital.
If you have a laptop or other remote source that contains the hospital’s PHI, do not leave it in your car or any other public place.

Other ways to help ensure security are to wear name tags for identification purposes, and to discard protected health information in secure trash bins. In general, patient information should not be downloaded to computers outside of the hospital; however, laptops or other remote sources that DO contain such information should never be left in public places.

31 Report Incidents
It is your responsibility to report:
Unauthorized successful or unsuccessful log-ins to the system
Any breaches in the security of PHI of which you become aware
Sharing of passwords
Security incidents can be reported to the Hospital’s security officer.

Violations or attempted violations of security should be reported immediately to the hospital’s security officer. This includes unauthorized successful or unsuccessful log-ins to the system, sharing of computer passwords, and any breaches in the security of protected health information.

32 Internal Sanctions
The Hospital is permitted to impose sanctions, including termination of the Services Agreement, for failure to comply with the Hospital’s HIPAA policies.

When vendors or other business associates fail to comply with the hospital’s HIPAA policies or violate the business associate contract (i.e., use or disclose protected health information in an unauthorized manner), the hospital may terminate the agreement with the vendor.

33 Federal Sanctions
Under HIPAA, violations may result in civil monetary penalties and criminal actions, depending on the nature and extent of the HIPAA violation.

Furthermore, federal regulations state that HIPAA violations may result in civil monetary penalties and criminal actions, depending on the nature and extent of the violation.

34 Criminal Penalties for “Knowing Misuse” of PHI: Three Degrees
Simple violations: up to $50,000 plus up to 1 year in prison
Violation committed under false pretenses: up to $100,000 plus up to 5 years in prison
Violation committed for gain or harm: up to $250,000 plus up to 10 years in prison
Enforcer: OIG/Department of Justice

Individuals who knowingly misuse individually identifiable health information may face serious criminal penalties. Specifically, simple violations result in fines of up to $50,000 and imprisonment for up to 1 year, while offenses committed under false pretenses result in fines of up to $100,000 and imprisonment for up to 5 years. Finally, violations committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of up to $250,000 and imprisonment for up to 10 years.

35 Summary
Protection of PHI is everyone’s responsibility. Here is a summary of a few topics that were discussed in this presentation:
Do not discuss patient information in public areas of the Hospital (e.g., cafeteria, lobby).
Do not discuss PHI at home or at social gatherings.
Do not share your password.
Do not leave PHI lying around unattended.
Do not send PHI over the internet unless authorized to do so.
Do inform the Privacy/Security Officer about any concerns you may have about release of PHI or about any breaches.

In summary, it is important to remember that protecting patient information is everyone’s responsibility. In order to do so, private information should not be discussed in public areas of the hospital, at home, or at social gatherings. Written patient information should never be left unattended, and electronic patient information should not be sent over the internet without authorization. In addition, computer passwords should never be shared, even with fellow employees. Finally, it is imperative that privacy concerns and security breaches be reported to the privacy or security officers of each facility respectively, to ensure that they are dealt with appropriately.

36 The End
This concludes our HIPAA presentation. Please proceed to the HIPAA competency, which can be found on the Vendor Resource Center website. Thank you.
