8/28/20151 county of san bernardino department of public health information security health...


Upload: lucy-gallagher

Post on 25-Dec-2015


04/19/23 1

County of San Bernardino

Department of Public Health

Information Security

Health Insurance Portability and Accountability Act (HIPAA)

Basic Training

Extra-Help Employees

(Intended for extra-help employees who work for Public Health 30 days or less)

Introduction

The purpose of this training is to provide Public Health (PH) extra-help employees (who work for PH 30 days or less) with essential information regarding the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA legislation requires all workforce members of HIPAA covered entities to receive HIPAA training.

You are required to take this training because you are now a workforce member of a PH HIPAA covered entity.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is federal law created by Senate Bill 456.

It was developed to protect the confidentiality of an individual's private information.

HIPAA states that individuals have a right to keep information about themselves private.

This private information is referred to as:

Protected Health Information (PHI) or

Individually Identifiable Health Information (IIHI)

The Purpose of HIPAA

The purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to:

Give individuals more control over their protected health information (PHI)

Set boundaries on the use and disclosure of PHI

Establish safeguards to protect PHI

Hold HIPAA covered entities accountable with civil and criminal penalties if they violate an individual's PHI

HIPAA National Standards

HIPAA sets national standards for the:

Use and disclosure of protected health information (PHI) and

The security of PHI

These standards determine:

When, how and under what circumstances a covered entity may use or disclose an individual’s PHI and

How the PHI must be protected (i.e., Physical, Technical & Administrative Safeguards)

Examples of Why We Need HIPAA

After suffering from a work-related injury to her wrist, a woman authorized her insurance company to release health information pertaining to her wrist. When reviewing her medical record, she discovered the entire medical file was disclosed, including fertility treatment and a pregnancy loss.

A truck driver lost his job when his employer learned from his insurance company that he sought treatment for a drinking problem.

A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.

A public health worker walked away with a disk of 4,000 names of persons who tested positive for HIV and provided this list to two newspapers.

Why “You” Need HIPAA Training!

Covered entities (including Public Health) are required to develop a system of sanctions (discipline) for employees who violate HIPAA’s privacy requirements.

Sanctions are:

penalties,

corrective action,

adverse action, or

criminal prosecution

that may result from violating HIPAA privacy requirements.

HIPAA Federal Penalties

The Federal Government also provides penalties for failure to comply with HIPAA. They include:

Civil

$100 fine per person per violation

$25,000 fine per year for multiple violations

Criminal

Knowingly or wrongfully disclosing or receiving IIHI protected by HIPAA: $50,000 and/or one year prison time

Commit offense under false pretenses: $100,000 fine and/or five years prison time

Intent to sell PHI protected by HIPAA or client lists for personal gain or malicious harm: $250,000 fine and/or ten years prison time

Protected Health Information

Protected health information (PHI) refers to any information that relates to the past, present or future:

o physical or mental condition of an individual, or

o payment for the provision of health care of an individual

This information is protected when it is used together with data that might identify the individual to whom the information belongs.

Data that might identify an individual is referred to as “unique identifiers”.

Protected Health Information: Unique Identifiers

Unique identifiers may include, but are not limited to, a person’s:

Name

Address or City

Birth Date

Social Security Number

Telephone Number

Fax Number

E-mail Address

Names of Relatives

Names of Employers

Finger or Voice Prints

Photographic Images

Internet Protocol (IP) Address

Vehicle or Device Serial Number

Medical Record Number

Health Plan Beneficiary Number

Account Number

Certificate or License Number

Any unique identifying numbers, codes or characteristics

Protected Health Information: Summary

Protected health information is any information that relates to the past, present or future:

physical or mental condition of an individual, or

payment for the provision of health care of an individual

and

used together with one or more unique identifiers [such as the individual’s name, address, birth date, social security number, etc. (see previous slide)]

What is not Protected Health Information

Protected health information does not include information contained in:

Education Records

Worker’s Compensation Records

The Individual’s Own Personal Records

HIPAA Covered Entity

A HIPAA covered entity is a:

Health Care Provider who electronically transmits protected health information in connection with a standard transaction.

This includes physicians, hospitals, labs, public health departments

This excludes providers who submit transactions on paper

Health Plan who provides or pays the cost of medical care

This includes Medicaid, Medicare & Blue Cross

This excludes Workers’ Compensation, State disability, etc.

Health Care Clearinghouse is narrowly defined as those that translate data from non-standard to standard format

Public Health HIPAA Covered Entities

01 PAS Program Analysis & Statistics (Excluding Vital Statistics)

03 CAH Child & Adolescent Health

04 IMM Immunizations

05 SCH School Health

07 MH Maternal Health

08 RH Reproductive Health

11 STD Sexually Transmitted Diseases

12 TB Tuberculosis Control

13 EPI Epidemiology

14 PRC Primary Care

15 AID AIDS

16 AGE Aging

21 FAS Fiscal & Administrative Services

23 CCS California Children’s Services

31 CRD Chronic Disease

32 FSS Family Support Services

33 PAL Perinatal & Adolescent Life

34 PHN PH Nursing Field Services

37 ASP Administrative Services Program

Use & Disclosure of Protected Health Information

Use refers to the internal sharing of protected health information (PHI). That is to say:

Information created by a covered entity

Shared internally within the covered entity

To accomplish the purpose of the covered entity

Disclosure refers to the external sharing of PHI. That is to say:

Sharing information

To organizations that are not part of the covered entity

“More Stringent Requirement”

If a HIPAA covered entity is faced with two conflicting laws governing the use or disclosure of protected health information, they must follow the law with the “more stringent” requirement.

The law is more stringent if it:

Further limits the use or disclosure of PHI

Provides clients with:

o Greater amount of information

o Greater rights of access or amendment

Enhances authorization/consent protections

Imposes greater record keeping requirements (e.g., accounting of disclosures, retention periods)

Required Disclosures

HIPAA requires disclosure of protected health information in only two circumstances:

When requested by the individual who is the subject of the information (some exceptions)

When required by the Secretary of the United States Department of Health and Human Services (DHHS) to investigate or determine if the covered entity is in compliance with HIPAA legislation.

Permitted Disclosures

HIPAA permits disclosures of protected health information in these three circumstances:

For treatment, payment, and health care operations or

With an Authorization for Release of Information or

For certain limited uses and disclosures for important governmental purposes

Permitted Disclosures: Treatment, Payment, Health Care Operations (TPO)

A covered entity may use or disclose protected health information:

For its own treatment, payment or health care operations

For the treatment activities of any health care provider

For the payment activities of any health care provider

For the health care operations of another covered entity under some circumstances

Permitted Disclosures: Authorization for Release of Information

HIPAA prohibits covered entities from using or disclosing protected health information (PHI) without a valid Authorization for Release of Information.

An Authorization for Release of Information is:

A document providing an individual’s permission, allowing a covered entity to disclose the individual’s PHI

An authorization limits the amount of PHI to be released:

To the “minimum necessary”

To accomplish the purpose of the authorization

Miscellaneous Allowable Disclosures

HIPAA allows miscellaneous disclosures of protected health information without an Authorization in the following instances:

Family Members for 1) location 2) general condition or 3) death

Location refers to a hospital or shelter. It does not apply to home address etc.

Required by Law

Public Health Surveillance Activities (includes CPS)

Report Adult Abuse, Neglect, or Domestic Violence

Judicial and Administrative Proceedings

Limited Law Enforcement Purposes

Decedents

Serious Threat to Health or Safety

Specialized Government Functions

Involves Workers’ Compensation information

When can “You” Disclose Protected Health Information

Only with your supervisor’s approval

To ensure the confidentiality of our clients’ protected health information (PHI), the Public Health Department prohibits extra-help employees from disclosing PHI without the express permission of their immediate supervisor.

If you are an extra-help employee, you may not disclose PHI without your immediate supervisor’s approval.

This rule protects you as well as the PHI.

It is intended to be a safeguard against the accidental disclosure of PHI.

HIPAA Safeguards

HIPAA covered entities are required to safeguard an individual’s protected health information (PHI).

This requires covered entities to:

Provide appropriate administrative, technical and physical measures, policies or procedures to protect the privacy of PHI which will

Reasonably safeguard PHI from any intentional or unintentional use or disclosure

HIPAA Safeguard Tips

Close doors or draw privacy curtains/screens

Conduct discussions so that others may not overhear them

Do not leave medical records where others can see them or access them

Keep medical test results private

Protected Health Information (PHI) should NOT be shared or viewable in public areas

Do not leave copies of PHI at copy machines, printers, or fax machines

Do not leave PHI exposed in mail boxes or conference rooms

Do not share computer passwords or leave them visible

Do not leave computer files open when leaving an unlocked or shared work area

Secure PHI when no one is in the area, lock file cabinets and office doors

Safeguard PHI when records are in your possession

Return medical records to appropriate location

Dispose of paper containing PHI properly

Internet encryption of PHI

Client Rights

Clients of HIPAA covered programs have the following rights:

Right to request alternative means of receiving information

Right to request additional protections – restrictions

Right to access, inspect, and copy their own protected health information (PHI)

Right to have PHI amended

Right to request and receive an accounting of disclosures of their PHI

Right to receive a Notice of Privacy Practices (NOPP)

Right to file a complaint with the County and/or Department of Health and Human Services (DHHS), Office of Civil Rights (OCR)

Department of Public Health Complaint Procedure

A person or organization who believes a covered entity is not complying with HIPAA requirements may file a complaint by either of the following actions:

Call: The Public Health Department @ (909) 387-6222 or

Contact: Jim Pesta, Ethics Resource Officer

504 North Mountain View Avenue

San Bernardino, CA 92415-0038

(909) 381-7960 – Direct or (909) 388-4281 – FAX

[email protected] or [email protected]

THE END