HIPAA Privacy & Security Kay Carolin Barbara Ann Karmanos Cancer Center March 2009

HIPAA Privacy & Security

Kay Carolin
Barbara Ann Karmanos Cancer Center
March 2009

Protected Health Information

• PHI includes information:
  – On paper
  – In a computer
  – Orally communicated
  – In any other form

• EPHI includes information:
  – On your computer hard drive
  – On floppy disks, CDs or magnetic tapes
  – Sent via the Internet:
    • By e-mail
    • Other means

Protected Health Information

• Name

• Street Address, City, County, Zip Code

• Dates:
  • Birth
  • Admission
  • Discharge
  • Death

• Numbers:
  • Social Security
  • Medical Record
  • Account (FIN)
  • Health Plan Beneficiary

• Telephone or Fax Numbers

• E-mail Address

Do’s & Don'ts for Securing PHI

• Do not:
  – share passwords or login ID.
  – write down passwords where others may access them.
  – send e-mail with PHI outside Karmanos Cancer Center.
  – open any unknown attachments, files or unrecognizable e-mails.
  – install unapproved software/hardware.
  – use unapproved email, such as Hotmail, Yahoo, etc.

• Do:
  – log off your computer when you will be away for a period of time.
  – position monitors out of view of the public eye.
  – change your password as defined in policy.
  – choose passwords that are not easily guessed.
  – use password protected screensavers and keyboard locks.
  – place disks or tapes in a secure location.
  – immediately report anyone outside of KCC asking for your password.

Securing PHI

• Use caution and respect patients’ privacy when discussing protected health information in public.

• Read and understand the policies and procedures relating to HIPAA Privacy & Security.

• When using or disclosing protected health information, limit the PHI to the minimum necessary to accomplish the intended use.

• For faxes:
  • Double check fax number.
  • Use cover page which includes your contact information.
  • If fax is received by the wrong location, have the fax destroyed or returned to you.

Protecting your Computer & PHI

• Report any suspicious activity, such as new software or hardware appearing on your computer, to the Help Desk.

• Contact your supervisor or the Help Desk if you believe someone may have logged onto your computer.

• Secure PDAs and laptops:
  – Always use a password protected screen saver.
  – Back up data.
  – Install and use virus protection software.
  – Lock devices in a secure location when not in use.
  – If device is stolen, an incident report should be filed.

Emergency Downtime

• Karmanos Cancer Center has a contingency plan to address system access during power failures, disasters, weather hazards or other situations limiting access to patient data:

– Know the recovery plan as it relates to your job.

– Know the related policies.

– Know how to report emergencies.

– Know how the emergency may impact patient care.

Penalties

• Disciplinary action up to and including termination.

• Exclusion from participation in Medicare and Medicaid programs.

• Jail sentences for employees, administrators and physicians.

• HIPAA Specific:
  – Up to one year / $50,000 for misuse of protected health information.
  – Up to five years / $100,000 for misuse of PHI under false pretenses.
  – Up to ten years / $250,000 for misuse with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

HIPAA Reporting

• You are required to understand the law, and how it affects your job. Even an “accidental” disclosure could have consequences.

• As a condition of employment, employees agree to read and abide by the policies and procedures covering HIPAA.

• Individuals should immediately report any observed or suspected HIPAA breach to:
  – Your supervisor
  – Compliance Hotline at: 1-888-478-3555

• Safeguarding PHI is everyone’s job.

• If you have questions or concerns about your responsibility in protecting patient health information contact your supervisor.

Summary

We hope this Computer Based Learning course has been both informative and helpful. Feel free to review this course until you are confident about your knowledge of the material presented. Click the Take Test button on the left side when you are ready to complete the requirements for this course. Click on the My Records button to return to your CBL Courses to Complete list. Click the Exit button on the left to close the Student Interface.